State of Email Security 2023: U.S. and Canada Step Up

U.S. and Canadian companies are at a critical juncture in cybersecurity. North America is a prime target for cyberattackers. This attack surface has only grown in recent years, with rapid uptake of the newer modes of communications and collaboration that now define the modern working world. As a result, American and Canadian businesses continued to be outrun by cyberattackers in 2022. But they’re looking to turn the tide in 2023, by spending smarter on the latest security technologies while under new budget scrutiny from the board.

Mimecast’s new State of Email Security 2023 (SOES 2023) report tells this story by analyzing the point of origin for most cyberattacks — email — and the rapid spread of similarly high cyber risk across text, cloud productivity platforms, and other tools that have become the norm in business communications and collaboration. SOES 2023 details the specific threats and how companies are addressing them, drawing on a survey of CISOs and other IT professionals in late 2022 across 12 industrial sectors and 13 countries. This regional analysis drills down into findings on the U.S. and Canada. To get this information, 400 IT professionals in North America were interviewed by phone in October and November 2022. Participants included CIOs, CTOs, CISOs, IT Directors, IT Security Directors, IT and SOC managers, as well as security architects and analysts.

Top-Level SOES 2023 Findings: Challenges Ahead

Overall global findings reveal that nearly eight in 10 security professionals expect their company will suffer a negative business impact from an email-borne attack in 2023. Risk is always a matter of degree, though, and a total of 42% of U.S. security pros feel that such an impact is either “extremely likely” or “inevitable,” whereas only 17% of Canadians share those views. Eight in 10 U.S. companies and six in 10 Canadian companies are also expecting to incur damages from attacks on their collaboration platforms.

A solid majority of security professionals in both countries view the growing volume and sophistication of attacks among their biggest email security challenges. It’s no wonder, with attackers combining multiple techniques to invade and persist in companies’ networks and employing more machine learning to accelerate and target their malicious email campaigns. That said, Canadians’ concern about fending off the more sophisticated attacks is higher than in the U.S., by more than 10 percentage points.

As these risks materialize, both countries are experiencing slightly more cases of business email compromise than many other countries included in the report, and the U.S. is being hit with more misuse of their brands in spoofed emails than Canada. 

The good news is that the ransomware surge seems to have abated somewhat in the past year. One-third (33%) of U.S. companies report that their businesses were significantly impacted by ransomware in 2022 (vs. 41% in 2021), and only 7% of Canadians say they were significantly harmed by cyber-extortionists in the past year (down from 17% in 2021).

Risk Compels Board-Level, Strategic Response

Until new security measures become more firmly established, the increasing volume and sophistication of cyberattacks could well continue to overwhelm security systems now in place. SOES 2023 describes an environment in which the financial impact of cyber breaches is increasingly well-understood, in turn commanding serious attention from the board and C-suite executives.

U.S. board members surveyed by the National Association of Corporate Directors (NACD) ranked cybersecurity among their top five concerns in 2022. In addition, more than eight in 10 directors said their board's comprehension of cyber risk had substantially improved since 2020.[1] In Canada, a new report sponsored by the Institute of Corporate Directors concluded emphatically that, “Virtually every company needs to specifically address the risks and remediation measures related to cybersecurity.”[2]

In SOES 2023, the need for boards to move from cyber awareness to action is suggested by findings on the budgets over which they hold sway. In the U.S., an average of just over 15% of the overall IT budget is specifically allocated to cybersecurity, and in Canada, nearly 12% is earmarked. Both American and Canadian security professionals would like the board and C-suite to approve a budget that’s on average around 3% bigger, including more for securing collaboration tools as described below.

The Big Change in SOES 2023: Rising Collaboration Risk

Companies across the world are facing greater security risks as they rely more on collaboration platforms to support hybrid work environments. U.S. and Canadian companies are among the biggest users of these tools and express some of the highest levels of urgency about related risks. Security professionals surveyed for this year’s report describe collaboration as:

• Essential: Over nine in 10 respondents in both the U.S. (92%) and Canada (95%) “somewhat agree or strongly agree” that collaboration tools are essential to day-to-day operations. The U.S. has seen more of an increase in their use than most other countries in the survey.
• Overwhelming: Trying to keep pace with the number of collaboration tools used in their companies is overwhelming, security pros say. This is a particular pain point among Americans (37% of whom “strongly agree” with this statement vs. 12% in Canada and 25% worldwide). 
• Risky: The finding above could explain why many more U.S. security professionals strongly agree that their company’s use of collaboration tools poses new threats and security loopholes that urgently need to be addressed (39% in the U.S. vs. 21% in Canada and 28% worldwide). U.S. respondents to our previous SOES 2022 survey expressed less alarm than they do this year. When asked about collaboration risk in a different way in the SOES 2022 poll, only 22% of Americans foresaw an “extremely high” risk that their employees would make a serious mistake on a collaboration platform.

Despite the degrees of difference noted above, securing collaboration tools is a global priority, with 75% of respondents worldwide agreeing either “somewhat” or “strongly” that these new threats need to be urgently addressed. And while many collaboration platforms incorporate native security measures, 62% of respondents globally say these built-in measures are insufficient to meet their needs. 

AI and Integration Pave a Path Forward

The U.S. ranks as an SOES 2023 leader in rolling out AI for cybersecurity, with about six in 10 American respondents saying they use it today. The global average is around five in 10, and Canada falls slightly below that ranking. In both countries, though, security professionals are using more cyber AI over time. In the U.S., where 51% said they used cyber AI in 2020, 59% use it today. In Canada, where 21% of companies were using it in 2020, 44% do so today. Globally, about one-third of those companies that are not currently using AI say they have plans to do so in the coming year. 

Early adopters’ experiences with AI provide a preview of how others might benefit. U.S. users report the following as their biggest gains as a result of AI capabilities:

• Increased Accuracy: 55% see more accurate threat detection.
• Faster Remediation: 52% report they respond more quickly and effectively.
• Better Prevention: 46% say they’re better at stopping problems before they start.
• Reduced Workload: 44% report that their security teams work fewer hours.
• Fewer Errors: 42% say their security team’s rate of errors has dropped while half report reduced human error within the wider company as a result of contextual in-email warning banners, for example.

AI works to automate security tasks across integrated platforms, and many security teams are also developing and deploying integration strategies to coordinate detection, prevention, and response by their many different security tools. U.S. security teams are leaning into this trend more than Canadian teams, but a large majority in both countries express a preference for using cybersecurity platforms linked by application programming interfaces (APIs).

As AI and integration capabilities advance, even security awareness training is coming due for an upgrade. Conventional group training continues to dominate in both the U.S. and Canada, although online, interactive video is considered best practice, with training scores and “real world” behavioral statistics integrated back into security systems. Looking ahead, the near-unanimous view in both countries is that applying contextual warnings to email or collaboration tools could go a long way to reinforce training and help users recognize risks in real time. Yet fewer than half of SOES 2023 respondents in the U.S., Canada, and worldwide send these kinds of prompts today.

The Bottom Line

The U.S. and Canada have invested considerable time and money in trying to turn back the cybercrime wave that has threatened to swamp so many of their businesses. And both countries were recently recognized in the top echelon of the MIT Technology Review’s Cyber Defense Index, ranking fourth and fifth (respectively) among the world’s major economies on the strength of their collective cybersecurity assets, organizational capabilities, and policies.[3] But relentless cyberattacks continue to break through and damage their economies. At an individual business level, the State of Email Security 2023 report details how this harm is being done and which steps companies are taking to limit it. You can read the full, global report here.

[1]“NACD Annual Public Company Survey Reveals Key Boardroom Trends for 2022,” National Association of Corporate Directors

[2] “Charting the Future of Canadian Governance,” Institute of Corporate Directors

[3] “The Cyber Defense Index 2022/23,” MIT Technology Review