Five years of Mimecast’s State of Email Security survey data reveals mounting cybersecurity challenges and important trends in how companies are responding.

Key Points:

  • During the past five years, the number of cyberattacks has continued to rise, and the attacks themselves have grown more pernicious.
  • Phishing and other email-borne attacks remain the most prevalent, but the threat of ransomware has greatly accelerated.
  • The number of companies with a cyber resilience strategy in place has remained stubbornly below 50%, even though companies with such a strategy are more confident and adroit at coping with an attack.

It’s not much of a news flash to declare that during the past five years, the threats to cybersecurity have grown much, much worse. The more intriguing questions are: Have the safeguards and defenses employed by companies improved? And have they kept pace with the new dangers?

Looking back and comparing the results of Mimecast’s annual State of Email Security 2021 (SOES) report with prior editions (the study was first undertaken in 2017) sheds some interesting light. Here are five key concerns and how they’ve been trending over the five-year period.

  1. The Cyberthreat Landscape

While the tactics used by cybercriminals and the mix of attack types have shifted, two points have remained remarkably consistent during the past five years: the volume of threats has risen dramatically from year to year, and email remains the primary way that these attacks are delivered.

To quantify this, in 2018, 90% of the global organizations surveyed said the volume of phishing attacks increased or stayed the same over the prior 12 months compared with the year before. In 2019, 67% reported an increase over the prior year. In 2020, 58% said they saw a rise in the volume of phishing attacks. And then this year, in large measure driven by the COVID-19 pandemic, 64% reported a rise in the volume of email threats.

Expectations of an email-borne attack have remained consistently high as well. In 2018, 59% of the companies surveyed anticipated their businesses would be harmed by such an attack. Two years later and caught in the grip of the pandemic, seven out of 10 companies said they expected the same in 2021.

  2. Phishing and Other Email-Borne Dangers

During this five-year period, three forms of email attacks have predominated: phishing, impersonation and business email compromise. For the past two years, with the pandemic taking place, there has also been a significant rise in spear phishing — a particular form of phishing where specific individuals are targeted. Each year, the volume of these attacks has been greater than it was the year before, and the number of companies that suffered one or more successful attacks increased as well.

Year to year, these attacks have also become harder to detect. For example, in the 2021 SOES survey, 60% of the participants said they view the increasing sophistication of the attacks they face as their single greatest security challenge.

  3. Here, There, Ransomware

Over the past five years, ransomware threats have spread more than any other type of email-borne attack. The SOES survey results tell the story: In 2018, just 27% of respondents said a ransomware attack had a negative effect on their business operations during the past 12 months. That figure leapt to 53% in 2019 and remained more or less steady at 51% in 2020. But it surged again in the 2021 survey, with 61% of respondents reporting a ransomware attack had disrupted their businesses in the past year.

The impact of these disruptions has been growing as well. In 2020, companies reported experiencing three days of downtime, on average, due to a ransomware attack. In 2021, downtime doubled to six days, on average; for more than a third of affected organizations (37%), it was a week or more.

  4. Are Companies Becoming More Cyber Resilient?

Despite the growing dangers of a cyberattack, the number of companies that have taken steps to safeguard themselves from such threats has remained stubbornly the same. In 2019 — the first year companies were asked in the SOES survey whether they had a cyber resilience strategy in place — fewer than half (46%) said they did. That percentage rose slightly in 2020 to 49% and then dropped again this year to 44%.

Meanwhile, the number of companies that acknowledge they were hurt by their failure to develop and implement a cyber resilience strategy is growing. In 2019, 31% of SOES respondents said their lack of cyber preparedness resulted in a business disruption. That figure dropped slightly to 29% in 2020 but then spiked to 38% in the 2021 survey.

Likewise, in 2019, 33% of respondents admitted their failure to prepare for a cyberattack had diminished employee productivity. That number dipped a bit again in 2020 to 29% but popped up again to more than a third (36%) of the companies in the 2021 survey.

The five-year survey data also supports the notion that organizations with a cyber resilience strategy are more confident and sure-footed when it comes to dealing with an attack than those that don't have a strategy. In 2019, 85% of those without a cyber resilience strategy said they suffered losses due to an impersonation attack during the previous 12 months, while only 61% of those with such a strategy experienced the same type of losses. Similarly, in 2021, more than a third (35%) of the respondents from companies with a cyber resilience strategy reported it unlikely, very unlikely or even impossible that their organizations will be harmed by an email attack. This compared with only 22% of respondents from companies without such a strategy who felt the same.

  5. Human Error and Cybersecurity Awareness Training

A key — perhaps the most decisive — element of cyber resilience is how well-prepared a company’s employees are to recognize and fend off an email-borne attack. On this front, the picture presented by the past five years of SOES data is decidedly mixed.

Risky employee behaviors such as poor password hygiene and inadvertent data leaks are on the decline. However, the number of companies that provide their employees with ongoing cybersecurity awareness training is dropping as well, even though the number of organizations that provide such training on a monthly basis is on the rise.

The Bottom Line

As the past five years of SOES data makes clear, the cyberthreats facing companies worldwide continue to mount and grow more pernicious. Especially this year and last, bad actors have been quick to capitalize on the chaos created by a global contagion and have stepped up their incursions. To meet this challenge, cyber preparedness is key. Indeed, companies with a cyber resilience strategy in place are more confident in their ability to prevent and withstand an email-borne attack. But more than half of responding companies are still lagging on this critical front.
