Because it is one of the easiest ways to distribute malware, email is one of the biggest headaches for CISOs.
But a study released this week suggests almost two-thirds of infosec pros feel whatever they do or spend on email security isn’t enough.
The study, paid for by Mimecast, a British cloud-based email security provider, showed 65 per cent of the 600 responding IT security decision makers don’t feel fully equipped and up-to-date to cope with the risks posed by email threats.
In fact, half of the 123 managers with recent, direct experience of a breach think their organization’s email infrastructures are somewhat or much more vulnerable than they were just 12 months ago. Compared to those without that experience, this group was more than four times as likely to feel much more vulnerable than one year ago and nearly two times as likely to feel somewhat more vulnerable.
Even respondents who said their company spends at least 10 per cent of their security budget on cybersecurity weren’t confident.
In an interview, Orlando Scott-Cowley, Mimecast’s cyber security strategist, admitted that a security professional shouldn’t be confident that any attack vector has been secured. But, he admitted, “one of the biggest surprises is that even regardless of the budget spend on email security they still felt email was the way they were going to be breached, because I still felt there ought to be a level of comfort people get from spending, certainly on a service like email.”
The fact that 65 per cent don’t feel fully equipped to fight email attacks “does surprise me that we’re still not entirely sure we’ve done a good job no matter how much we spend.”
The online survey covered 200 IT security professionals each in the U.S. and in Britain, and 100 each in South Africa and in Australia.
According to Symantec, about half of all email traffic around the world is spam. In July 2015 alone, one in 1,628 emails was a phishing attempt.
The survey also found — perhaps understandably — that respondents whose companies had been breached through email were more likely to use additional email safeguards such as intrusion prevention, email encryption gateway and email attachment sandboxing, over and above traditional anti-virus, anti-malware, and spam filter measures.
Finally, when asked about the email threat their organization was least equipped to deal with, respondents put internal threats at number one (48 per cent), followed by mobile devices (34 per cent).