Email Security

    Incumbent Security Systems Missing Millions of Email Threats

    April ESRA Report Shows Continued Vulnerabilities to Email-Borne Threats

    by Matthew Gardiner

    We recently announced the fifth in our series of quarterly reports aggregated from our Email Security Risk Assessment (ESRA) testing program.  For those new to these tests, in an ESRA test Mimecast uses our cloud-based email security service, including our Targeted Threat Protection services, to assess the effectiveness of incumbent email security systems in use by individual organizations.  An ESRA test passively inspects emails that have already been inspected and delivered—not blocked—by the organization’s existing email security system.

    With an ESRA, the Mimecast service re-inspects the emails deemed safe by the incumbent email security system, thus looking for potential false negatives, such as missed spam, malicious files, and impersonation emails that were passed through by the existing security system for delivery.

    Now to the latest ESRA report.

    To date, in aggregate, Mimecast has inspected:

    • 95,915,659 emails inspected
    • 931 days of testing
    • More than 165,000 email users
    • Live email for 37 organizations covering 20 industries

    The false negative rate for all the incumbent email security systems that have been tested to date is 15%, meaning that 15% (or more than 14 million) of the nearly 96 million emails that were allowed through should have been determined to be spam or contain malicious files or an attempt at impersonations. That’s a lot of annoying and potentially malicious email getting through! 

    New for 2018’s ESRA quarterly reports, we have broken out the results we have witnessed for two specific incumbent vendors, namely Microsoft Office 365™ and Proofpoint.  Given that together they make up more than 80% of the analyzed emails to date, it made sense to break out the results individually for them.

    While no security solution is perfect, I’ll let you determine what you consider to be “good enough” for your organization’s email security!


    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top