A staggering 94% of companies have fallen victim to phishing attacks over the last year, while 91% experienced data loss or exfiltration incidents. It’s not surprising, then, that 95% of cybersecurity leaders are increasingly stressed about email security, particularly phishing attacks originating from compromised supply chain accounts, internal account takeovers due to credential harvesting, and wire fraud.
These were two findings of the 2024 Email Security Risk Report from Egress, a KnowBe4 company. The report, based on an independent survey of 500 cybersecurity professionals, paints a grim picture of the current state of email security, revealing that traditional approaches to technology and training are struggling to keep pace with the shifting threat landscape.
Consistent and Growing Threats
The growing sophistication of attacks, fueled by the use of artificial intelligence (AI), is also a significant concern. Some 63% of respondents expressed worries about deep fakes, while 61% are alarmed by the potential misuse of generative AI and chatbots to craft more convincing phishing campaigns.
Phishing remains one of the most persistent and damaging threats to organizations. According to the report, 94% of surveyed entities have suffered phishing attacks in the last 12 months, a figure that has remained steady compared to last year’s findings. The top three attack vectors were malicious URLs, phishing emails sent from compromised third-party accounts, and malware or ransomware delivered via email.
The report underscores the continued risk posed by compromised accounts both within businesses and their supply chains. Alarmingly, 58% of respondents reported account takeover (ATO) incidents in the past year, with 79% of these attacks beginning with a phishing email that harvested an employee’s credentials. Even with multi-factor authentication (MFA) in place, 83% of companies with ATO incidents reported that MFA was bypassed, allowing attackers to gain unauthorized access.
These compromised accounts are particularly concerning because they can be used to launch further attacks within an organization or its supply chain. The report found that 51% of organizations had already been targeted by phishing attacks originating from compromised supply chain accounts. This makes it clear why phishing attacks sent from within the supply chain are the top concern for cybersecurity leaders.
The Human Cost of Phishing
The fallout from phishing attacks has become more severe, with 96% reporting negative impacts, a 10% increase from last year’s report. The human cost is significant, with nearly three-quarters (74%) of those surveyed taking disciplinary action against employees involved in phishing incidents. In fact, disciplinary measures were the most common outcome, occurring in 51% of organizations.
The financial and reputational toll of phishing is also growing. The report found that 79% experienced some form of business impact due to phishing, and 64% reported financial losses. The most common financial consequence was revenue loss from customer churn, which affected 47% of respondents. Reputational damage also remained a significant concern, impacting 42%.
Outbound Data Loss: An Ongoing Challenge
While inbound threats like phishing garner much attention, the report also highlights the persistent challenge of outbound data loss. In the last 12 months, 91% of entities reported security incidents related to outbound email data loss within their Microsoft 365 environments. These incidents were primarily due to employees breaking rules or making mistakes in their daily tasks. The top three causes were employees exfiltrating data for work purposes, accidentally sending emails and files to incorrect recipients, and exfiltrating data for personal gain.
As with phishing incidents, the consequences of outbound data loss are becoming more severe. The report found that 94% of respondents were negatively impacted by outbound security incidents, an 8% increase from last year. Disciplinary actions against employees were the most common response, with 67% of organizations taking such measures. The financial impact was also significant, with 57% of organizations experiencing losses, often due to customer churn.
A Need for Change
The report makes it clear that traditional approaches to email security are no longer sufficient. A significant 91% of respondents using secure email gateways (SEGs) expressed frustration with these tools, and 88% voiced concerns with Microsoft’s native controls. On the outbound side, 83% found static data loss prevention (DLP) rules unworkable for employees and administrators. Additionally, 91% of cybersecurity leaders questioned the effectiveness of their current security awareness training programs.
However, the report also suggests that change is on the horizon. Many organizations (87%) are considering or are already committed to replacing their SEGs with Microsoft’s controls and integrated cloud email security (ICES) solutions. This shift indicates a broader recognition that more sophisticated and integrated approaches to email security are needed to fight today’s email threats.
To learn more about these findings and explore the full range of data and insights, download the full report here.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.