Minding the (Email Security) Gap During the Pandemic

Digital transformation isn’t a new concept. But when the pandemic struck in early 2020, it turbocharged business’ digital transformations as organisations— and their workforces — scrambled to adapt. As throngs of professionals began working from home, their actions and behaviours suddenly became a new concern for enterprise IT security teams.

At the centre of everything: email.

Over a few short months, wave after wave of attacks appeared — many using clever and varied methods to exploit vulnerabilities. It soon became apparent that email security is mission-critical in the age of coronavirus. IT directors and cybersecurity teams require a high degree of confidence that they can repel the cyberattacks that are inevitable.

A recent Censuswide survey of 509 UK IT directors, commissioned by Mimecast, shows that these enterprise leaders recognise how the environment is changing and how accelerated adoption of digital technology has introduced email security gaps and potential weaknesses. Many have taken steps to ratchet up protection.

On the downside, however, it’s apparent that their perceptions of the protection afforded by their platforms’ embedded security don’t always match reality. And that gap highlights the fact that many UK enterprises may not be adequately protected.

New Table Stakes for Basic Cybersecurity

One of the things that stands out in the survey data is just how much the situation has changed since the pandemic appeared. Consider:

• 75% of businesses have seen some acceleration of their digital transformation initiatives because of COVID-19.
• 50% identified future-proofing against further lockdowns as a reason for this, but 47% also highlighted the need to be better protected against cyberattacks.
• 56% say they have witnessed more attempts at cyberattacks via email.
• 51% report that countering email cyberattacks occupies more of their organisation’s time than it did before the pandemic hit.

Meanwhile, a joint statement from the UK National Cyber Security Centre (NCSC) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirm that ransomware, payment fraud, corporate espionage, intellectual property theft, and disinformation campaigns have all surged in recent months.[1] A greater volume of attacks and increasingly sophisticated methods leads to an increased risk of a breach, of course. However, that’s only part of the problem. More time fighting fires means that enterprise security teams are stretched even thinner — at a time when they’re being asked to reduce cost and complexity — and it becomes even harder for them to get ahead of the cybersecurity curve.

The problem is magnified by the nature of working from home. The survey spotted a couple of important trends:

• 52% of respondents said that employees have increased their use of work email for personal reasons.
• 57% reported that employees use their work email to make personal purchases or transactions.

This co-mingling of activities is a problem. It increases the risk of a breach. As a result, 53% said that employees are now their organisation’s biggest vulnerability on the cybersecurity front and 54% said their email platform has become the core of their organisation’s cybersecurity defences.

Gaps Between Perception and Reality in Email Security

Although IT directors are concerned about the ability of their email platforms to deter cyberattacks, they believe that these platforms provide an adequate layer of protection. But in the case of mega-platforms such as Microsoft 365—which is used by 86% of the survey respondents — their greatest strength is also their Achilles’ heel: their ubiquity makes them a high-value target of cyberattacks, while their mono-culture creates difficulty in preventing the full range of potential attacks. According to the State of Email Security 2021, 42% of UK respondents experienced a Microsoft 365 email outage that severely or moderately impacted their organisations, leading more than a quarter (27%) to add a layer of security on top of MS 365.

That dichotomy becomes apparent in the survey results. Digging deeper, UK IT directors’ perceptions don’t appear to be in sync with current events. For example:

• 56% believe their email platform has them fully protected.
• 58% think their email platform protects their suppliers, customers, and partners from attackers who seek to impersonate their organisation.

But:

• 56% noted that their email platform doesn’t provide ransomware or anti-phishing protection.
• 64% said the platform lacks protection against business email compromise attacks.
• 65% reported they don’t have zero-day threat protection in place.

More astonishing is the fact that fewer than half of all IT directors reported that their current email platform provides essential functionality such as anti-virus (40%), malware protection (42%), spam-filters (45%), and email backup (42%).

Effective Email Security Has Become Mission-Critical

While some IT directors are actively trying to improve their email cyber resilience strategy, substantial barriers remain. These include difficulty persuading leadership to invest more in security and concerns over employee confusion. Again, from the UK survey:

• 49% of IT directors worry that deploying new cybersecurity software will confuse their employees.
• 42% said they don't know enough about third-party security solutions to invest in them.
• 35% find it hard to justify spending budget on these solutions to leadership.

Only 54% of IT directors agreed that should a breach take place, their organisation would be able to recover its email data within 24 hours. Only 53% of IT directors agreed that security was a top three factor in their organisation’s choice of email platform. And, this is compounded by a gap in security awareness training: Only a quarter (26%) of UK respondents from the State of Email Security noted their organisations train employees to spot cyberattacks.

The Bottom Line

Many organisations are playing Russian Roulette with cybersecurity. Their email platforms aren’t keeping their organisations secure. Through wholesale migration to a monoculture approach to email security (and attempting to reduce complexity and extend the value of their existing investments), they’re actually undermining security and increasing cyber risk.

They confessed that they couldn’t identify and counter such an attack before it might do further damage to their network and put their wider business ecosystem in jeopardy. The challenge here is a mono-culture approach emerging from a growing reliance on business software mega-platforms. The solution is cybersecurity defence-in-depth, a layered, multi-cultural approach that enhances a platform’s native security capability with a more pervasive approach to email security that engages the wider security ecosystem. That more holistic approach will help security professionals mind the gaps.

[1] “COVID-19 Exploited by Malicious Cyber Actors,” Cybersecurity and infrastructure Security Agency, UK.