Mimecast’s State of Email Security 2021 Reveals Pandemic Email Threats
New study examines how companies are responding to the cybersecurity challenges posed by COVID-19.
- In 2020, as the pandemic spread, survey respondents reported that email-based security threats soared by 64%.
- Phishing and ransomware attacks were the most prevalent, but concerns that attackers could exploit collaboration tools like Slack and Microsoft Teams are becoming more widespread as well.
- Nearly eight out of 10 survey respondents acknowledge their business was harmed due to their lack of cyber preparedness.
- Companies with a cyber resilience strategy already in place fared better and were more confident that they could withstand an email-based attack.
The human health toll of the COVID-19 pandemic is, of course, bad enough. But it has also caused devastation by the way in which it has amplified many of the threats businesses already faced. Supply chain fragility, for instance. Or infrastructure limitations. Or the many increased ways in which corporate email and computer systems are being compromised.
Shedding light on the latter, Mimecast today released the results of its State of Email Security 2021 report (SOES). The fifth annual study of its kind, the 2021 report’s findings provide important insights into the dramatic upsurge in cyberattacks since the global pandemic began. Based on interviews with 1,225 information technology and cybersecurity professionals from 12 industries across 10 countries, it also documents how companies large and small are defending themselves — and where they’re falling short in those efforts.
A New Torrent of Email-Borne Threats
The story begins with the startling revelation that during 2020, as businesses worldwide were becoming more dependent than ever on digital communications, email-based threats soared by 64%. Worse still, by taking advantage of all the apprehension surrounding the pandemic and the sudden shift to home-based work that it required, common ploys used by cybercriminals have been increasingly successful. The Mimecast researchers found, for example, that as the pandemic took hold, employees began clicking on three times as many malicious emails as they had before.
Many companies realize that cyber risks are on the rise, and 70% of those surveyed expect their business to be disrupted by an email-borne threat during 2021. Of these, phishing attacks are the most prevalent, having soared by 63% since the pandemic started, but other threats — most notably ransomware — are proliferating as well.
And while email remains the most widely used avenue for a cyberattack, it is by no means the only form of digital communication that threat actors are attempting to exploit. With travel severely restricted and both employees and customers working from home, collaboration tools such as Slack and Microsoft Teams have become increasingly popular, but also increasingly targeted by cybercriminals. More than two-thirds of the 2021 survey respondents (70%) expressed concerns about the risks posed by these programs.
Some Companies Are Coping, But Others Are Struggling
So how are companies coping with a threat landscape that’s become even more onerous? The 2021 SOES report points to some progress but also a number of deficiencies.
The good news is that 44% of the companies surveyed have a cyber resilience strategy in place that is helping them adapt to new threats. These organizations are more confident in their ability to withstand an email-borne attack, with only 63% characterizing such an attack as likely, extremely likely or inevitable, compared with 76% of the respondents from companies without such a strategy.
Similarly, companies with a cyber resilience strategy were less likely to have been negatively affected by ransomware than those without a strategy (53% to 68%). Moreover, 35% of respondents from companies with a cyber resilience strategy consider it unlikely, very unlikely or even impossible that their organization will be harmed by an email attack, while only 22% of respondents from organizations without a cyber resilience strategy feel that this is the case.
A less fortunate finding is that 79% of the SOES respondents acknowledge that their company experienced a business disruption, a financial loss or some other setback in 2020 due to their lack of cyber preparedness. However, nearly all (97%) had already deployed various email security systems, were in the process of rolling out such systems or were considering doing so. But fewer than six in 10 already have them in place for each of four key areas of email security asked about in the survey. Only 26% guard against all four — and 13% of respondent companies are still operating without any dedicated email security system.
This mixed state of affairs is especially pronounced when it comes to training employees to identify and deal with a cyberattack. While seven out of 10 respondents believe that employee behaviors such as poor password hygiene are putting their companies at risk, ongoing cyber awareness training is provided by only one out of five companies.
Other important issues addressed by SOES 2021 include the email vulnerabilities facing Microsoft 365 users, the growing threat of corporate email spoofing and brand impersonation, and how companies are increasingly turning to AI to bolster their cyber defenses.
The Bottom Line
As the 2021 SOES report states: “In 2020, companies and their cybersecurity teams worldwide confronted a digital pandemic of email-borne malware, phishing attacks and ingenious uses of social engineering to compromise their systems. Bad actors were quick to capitalize on the chaos created by a global contagion, targeting millions of suddenly remote and disoriented workers.” To meet these and other challenges, cyber preparedness is key, and companies with a cyber resilience strategy in place are more confident in their ability to prevent and withstand an email-borne attack than those that haven’t yet made that investment.