Mimecast News

Survey Confirms Increase in Phishing and Email Impersonation Attacks

The COVID-19 pandemic has seen an increase in email impersonation attacks on businesses, according to the latest State of Email Security report from Mimecast. In the first 100 days of 2020, email impersonation attacks increased by 30%.

The report was based on a survey conducted on behalf of Mimecast by Vanson Bourne on 1,025 IT decision makers in the U.S., UK, Germany, Netherlands, Australia, South Africa, United Arab Emirates (UAE), and Saudi Arabia between February and March 2020, while businesses were battling the COVID-19 pandemic. Mimecast also analyzed more than 1 billion emails screened by the company’s email security solutions.

60% of respondents to the survey reported an increase in email impersonation attacks such as business email compromise (BEC) over the past 12 months. Respondents detected an average of 9 email or web spoofing incidents in the past year, although there may have been many others that they did not identify.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is important for protecting against email impersonation attacks and preventing brand damage. While 97% of respondents were aware of DMARC, worryingly, only 27% said they use it.

Ransomware continues to be a problem for businesses. 51% of respondents said ransomware had impacted their business in the past 12 months, with the attacks causing an average of 3 days of downtime.

58% of respondents said there had been an increase in phishing attacks over the past 12 months. 72% of respondents said the level of phishing had stayed the same or had increased, compared to 69% when the survey was last conducted in 2019.

IT decision makers do not hold out much hope that the situation will improve. 85% of respondents said they thought email and web-based spoofing attacks will either continue at the same level or increase over the next 12 months. There is also not a great deal of confidence about repelling these attacks. 60% said it is either inevitable or likely that they will experience an email-related data breach.

The relatively bleak outlook may have been influenced by the changes that have had to be made to working practices as a result of the pandemic. Transitioning from a largely office-based workforce to one that is almost entirely home based has introduced new risks and has made it harder for IT security teams to repel attacks.

Even though there is a high risk of experiencing an attack, there is still a lack of cyber resilience preparedness, and the value of regular security awareness training for the workforce does not appear to be appreciated. Despite the risk of phishing, spear phishing, and other email-based attacks, 55% of respondents said they do not provide security awareness training to the workforce on a regular basis and 17% said they only provide security awareness training once a year.

The attacks are proving costly to businesses. 31% of respondents said they experienced data loss and business interruption as a result of an email attack, and 29% said they experienced downtime as a result of a lack of preparedness.

The report also shows that email security defenses are lacking at many businesses. 40% do not have a system for monitoring and protecting against email-based attacks or data leaks in internal emails, 39% do not monitor or protect against email-based malware, and 42% do not have a system that automatically removes malicious or unwanted emails from employees’ inboxes.

The survey revealed businesses are aware of the importance of having a cyber resilience strategy. In 2019, 75% of respondents said they either had or were rolling out such a strategy. The percentage increased to 77% this year. Considering the number of respondents that have experienced data loss, downtime, and drops in productivity due to email attacks, those strategies cannot be implemented too soon.

The post Survey Confirms Increase in Phishing and Email Impersonation Attacks appeared first on HIPAA Journal.

90% of Healthcare Organizations Have Experienced an Email-Based Attack in the Past Year

A recently published study conducted by HIMSS Media on behalf of Mimecast has revealed 90% of healthcare organizations have experienced at least one email-based threat in the past 12 months. 72% have experienced downtime as a result and one in four said the attack was very or extremely disruptive.

Healthcare organizations are a major target for cybercriminals. They hold large quantities of personal and health information that can be used for many fraudulent purposes, and email-based attacks are easy to perform, require little technical skill, and often give a high return on investment. Healthcare email security defenses also lag behind those of other industry sectors, and security awareness training is often overlooked.

The study was conducted in November 2019 on 101 individuals who had significant involvement with email security at hospitals and health systems in the United States. 3 out of 4 respondents said they have, or are in the process of rolling out, a comprehensive cyber resilience program, but only 56% of respondents said they already have such a strategy in place. When asked about their current email security deployments, only half had a high level of confidence that their email security measures would block email-based threats.

When asked about the email threats they had experienced and which were the most disruptive, 61% of respondents said impersonation of trusted vendors was very or extremely disruptive, 57% rated credential-harvesting phishing attacks very or extremely disruptive, and 35% said data leaks and threats initiated by cybercriminals stealing users’ log-in credentials were very or extremely disruptive. The main losses caused by the attacks were productivity (55%), data (34%) and financial (17%).

Email security solutions can block the majority of threats, yet only 79% of respondents said they had email security controls in place or were planning to introduce them. Internet and web protection measures had only been implemented by 64% of surveyed healthcare organizations.

These technical solutions are important, but the human element must not be forgotten. Only 73% of surveyed organizations believed security awareness training was an essential part of their defenses against email-borne cyberattacks. This can partly be explained by the way that training is provided: 40% of respondents said they provide security awareness training less than quarterly, and 27% only provide training once a year.

“Organizations are better off doing five minutes of training once a month, instead of 15 minutes of training once a quarter,” said Matthew Gardiner, director of enterprise security at Mimecast. “Even though it’s the same amount of time, it’s better to do the training more often so the information stays top of mind.”

Considering the number of email-based attacks, it is alarming that 11% of respondents said they conduct security awareness training less frequently than once a year, only during onboarding, or only after a major event such as a phishing attack or data breach.

“To better prepare, information technology and security professionals must strengthen their email security programs by combining the best technical controls with knowledgeable staff and resilient business processes to avoid disruption from email-borne attacks,” said Gardiner.

The post 90% of Healthcare Organizations Have Experienced an Email-Based Attack in the Past Year appeared first on HIPAA Journal.