State of Email Security 2022: Have Companies Begun Taking Cybersecurity More Seriously?
 

Email threats are rising at three out of four companies. Seventy-six percent report they have been victimized by ransomware. More than eight out of 10 are bracing for the next email-borne attack. 

The picture that emerges from Mimecast’s State of Email Security 2022 (SOES ’22) report is one of markedly increased apprehension over the dire consequences of cybercrime. The sixth annual study of its kind, the SOES report details what can only be described as a digital pandemic, where businesses and public institutions find themselves in the crosshairs of a growing legion of cyber criminals.

But something else is also revealed in the newly released SOES ’22 report, which is based on survey responses from 1,400 information technology and cybersecurity professionals in 12 countries. Along with mounting anxiety over a torrent of cyber threats, companies are becoming much more serious about building cyber resilience, by implementing strategies for identifying, preventing and recovering from these threats.

Endangered by Phishing, Ransomware and Spoofing

The many dire revelations in the SOES ’22 report include these:

• Most companies are bracing for an email-based attack that could cause them considerable harm. Nearly three out of four respondents reported that the already sky-high level of cyber threats is continuing to rise, and the majority said these attacks are increasingly sophisticated.
• During the past year, virtually every company surveyed was the target of a phishing attack, with the majority reporting that these are occurring more frequently. And while phishing is the most common email-borne threat, data leaks and business email compromise attacks are not far behind. More than nine out of 10 respondents acknowledged that their organization had been subjected to these types of incursions.
• In 2020, fewer than two in three companies suffered a ransomware attack; during 2021, per the SOES respondents, it was more than three out of four. As a result of these attacks, more than a third of these companies experienced downtimes of a week or more. To recover their data, nearly two out of three were forced to pay the ransom.
• The security defenses that come with the dominant Microsoft 365 productivity platform afford some protection from email-borne attacks, but nine out of 10 SOES respondents find them insufficient. Underscoring their argument that additional safeguards are needed, nearly as many said that their company had experienced an MS 365 email outage during the past 12 months.
• Efforts to spoof companies’ web sites and email domains are also on the rise, and respondents reported that their companies experienced an average of 10 such attacks this past year. 

More Awareness and Money for Cyber Resilience

Along with the dangers and mounting risks, however, the SOES ’22 report unearthed a more hopeful development: Senior managers at companies and public agencies are increasingly aware of and willing to spend more on cyber resilience. Their input reveals the following trends:

• There is heightened awareness that a lack of cyber preparedness is a major risk factor. Virtually all respondents (96%) reported that their organization either already has or is well into the process of developing a strategy for cyber defense.
• Most cybersecurity professionals are not pleading poverty, but see only a small difference between the budget they need and the budget they are receiving. When asked what portion of their company’s IT budget was allocated to cyber resilience versus how much should be allocated, SOES respondents indicated that on average 14% of their organization’s IT budget was set aside for cybersecurity, although they noted that a 17% allocation would be optimal. There are also signs, including several recent industry surveys, that many companies are planning to increase their cybersecurity budgets in 2022.
• The response to brand and email domain spoofing has been robust. Nearly every company surveyed is using or planning to use a service to monitor these threats, and the great majority feel at least somewhat prepared to deal with them. Nine out of 10 companies are also employing the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol to protect their brands.
• Nearly half of the SOES respondents have already incorporated some type of machine learning or artificial intelligence into their cybersecurity defenses, and close to the other half are preparing to do so. The benefits ascribed to these technologies include better threat detection and fewer human errors.

The Bottom Line

As the SOES ‘22 report makes clear, email-based cyber threats have become pervasive and a great many companies are suffering the consequences. But while this reality may be grim, there is definitely a bright side as an increasing number of organizations come to terms with these risks, devoting more attention and resources to their cyber defense. 

Download the report to read more.