SlideShare a Scribd company logo

Report_Business_Email_Threat_Report (1) (2) (1)

X
Xola Adons
1 of 13
Download to read offline
Mimecast Business Email Threat Report Email Security Uncovered
www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | 2 Executive Summary While information systems may use increasingly complex security measures, these updates continue to leave one significant vulnerability unaddressed: employees themselves. Email, in particular, represents one of the largest threats that employees can unintentionally pose to their network’s integrity. To explore the email security threat landscape and identify best practices for countering the threat, Mimecast surveyed 600 IT security decision makers in four countries about their email security attitudes and behaviors. In general, most IT security managers recognize the threat that email attacks pose to their organizations, but aren’t confident about their ability to prevent those attacks: l 83% think email is one of the most common sources of attack. l 64% believe email attacks pose a high – or extremely high – threat to their organization. l 65% don’t feel fully equipped and up-to-date to cope with the risks posed by email threats. Two variables emerged during the research analysis to guide the report: confidence and experience. Mimecast sought to answer two questions: 1. How can IT security managers achieve the high confidence of some of their peers? 2. Whatcantheylearnfromthosewithrecent,direct experiencewithemailhacksandbreaches? Helping IT security managers understand where they are – so they can focus on the specific insights that will help improve their security position – was one of the key goals that drove Mimecast to conduct this research. To help do just that, Mimecast employed statistical analysis to translate the survey data into five distinct personas that IT security managers can relate to. Categorized broadly, based on confidence and experience, the five personas comprise the Cyber-Security Shiver Grid. They are: l The Apprehensive (31%) - No experience with an email hack or breach; not equipped to prevent or deal with one. l The Nervous (6%) - Has some experience with an email hack or breach, but feels unequipped to deal with one. l The Battle-Scarred (28%) - Has direct, recent experience with an email hack or breach; doesn’t feel confident in ability to prevent or cope with the next one. l The Vigilant (16%) - Has never experienced an email hack or breach; feels equipped regardless. l The Equipped Veteran (19%) - Has personally experienced a hack or breach; feels equipped and ready for the next one. MimecastBusinessEmailThreatReport
www.mimecast.com | © 2015 Mimecast ALL RIGHTS RESERVED | CON-WP-293-001 Mimecast Business Email Threat Report 3 3 www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | Based on these personas, Mimecast has created a Confidence Checklist for IT teams designed to boost – or maintain – confidence in their security measures. The Mimecast Confidence Checklist: ü Don’t overlook new threats ü Engage with the C-suite ü Hit the security spend sweet spot ü Upgrade on-premises software or go to the cloud ü Learn from experienced pros: use advanced tactics ü Protect against internal threats, not just external ones Full Report Introduction IT security is a game of cat-and-mouse. Security managers and threat actors – be they cyber-criminals, state-sponsored hackers, malicious insiders, hacktivists, corporate spies, or others – constantly jockey for primary position and the ability to outmaneuver the other. While information systems may use increasingly complex security measures, these updates continue to leave one significant vulnerability unaddressed: employees themselves. Email, in particular, represents one of the largest threats that employees can unintentionally pose to their network’s integrity. New terms arise daily to describe emerging techniques in email threats: spoofing, phishing, clone-phishing, spear-phishing, whaling, link manipulation, social engineering. Email breaches run from the mundane and undetected to the provocative and public, and many cost thousands or millions of dollars to address. To gather insight into the threat inherent to email, and collect best practices for preventing and deterring email breaches, Mimecast commissioned a survey of 600 IT security decision makers in four countries. The study, designed by Mimecast and March Communications and fielded by Vanson Bourne, surveyed 200 IT security decision makers in the U.S. and UK each, as well as 100 in Australia and South Africa each. The State of Email Security Overall, Mimecast found that, most managers recognize the threat that email attacks pose to their organizations. 83% think email is one of the most common sources of attack, and 64% believe email attacks pose a high – or extremely high – threat to their organization. It is altogether troubling, then, that so many managers lack strong confidence in their ability to cope with the email security risks they face. Mimecast found that two-thirds of IT security decision makers don’t feel fully equipped to cope with the risks of email security. Overall, most managers feel somewhat secure, but the lack of confidence is disconcerting given the level of threat. The impact of email hacks should not be understated. Though a plurality of respondents with direct experience indicate that the cost of the most recent breach at their organization was under $100 thousand, a full 37% of respondents reported experiencing email hacks that cost over $1 million in total. So, How Secure Is Your Infrastructure? Somewhat secure 63% Extremely secure 24% Extremely unsecure 1% Somewhat unsecure 3% Neither secure nor unsecure 9% Fig. 1
www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | 4 Past experience can be a key tool to inform strategies to combat future threats, so special attention should be paid to IT security managers who have direct experience of an attack. Mimecast was able to gather insights from 123 experienced managers whose organizations had suffered an email hack or breach during their tenure as decision makers. There are three major impacts hacks or breaches can have on the confidence of IT security managers. They can either: 1. Learn a lesson. By gaining valuable knowledge about their systems’ weaknesses after an attack, managers can emerge feeling less vulnerable. 2. Remain unchanged. Even after an attack, some managers can emerge with a roughly unchanged perspective on their level of vulnerability. 3. Feel more vulnerable. Experiencing an attack, and learning first-hand the reality that the threat poses, can leave managers feeling more vulnerable to cyber-threats than before. Unfortunately, as Mimecast found, most surveyed experienced the third reaction. Fully half of IT security managers with recent, direct experience think their organizations’ email infrastructures are somewhat or much more vulnerable than they were just twelve months ago. Those experienced respondents are more than four times as likely to feel much more vulnerable than one year ago compared to those without that experience (18% with experience vs. 4% without), and nearly two times as likely to feel somewhat more vulnerable (32% with experience vs. 18% without). What’s more, Mimecast found that IT security managers with email hack or breach experience are two times as likely to think that email poses the number one entry point of attack for their organization (19% with experience, 8% without). With all of this in mind – the overall lack of confidence in email security, the high cost of email breaches, and the respect that experienced decision makers have for email breaches – what can IT security professionals do to increase their confidence and ability to prevent or combat an email attack? Mimecast Business Email Threat Report 5 The Nervous, the Vigilant and the Battle-Scarred: IT Security Personas Revealed Hacks or breaches can have three major impacts on the confidence of IT security managers. They can either: Learn a lesson. By gaining valuable knowledge about their systems’ weaknesses after an attack, managers can emerge feeling less vulnerable. Remain unchanged. Even after an attack, some managers can emerge with a roughly unchanged perspective on their level of vulnerability. Feel more vulnerable. Experiencing an attack, and learning first-hand about the reality of the threat, can leave managers feeling more vulnerable to cyber-threats than before. Managers with recent, direct experience of a breach or hack are more than four times as likely to feel more vulnerable than one year ago compared to those without experience. These managers are two times more likely to see email as the number one entry point of attack. 1 2 3 Email Hacks Increase Vulnerability Perceived Vulnerability vs. 12 Months Ago Respondents with recent, direct experience of an email breach Somewhat more vulnerable 32% Much more vulnerable 18% About the same risk level 32% Somewhat less vulnerable 11% Much less vulnerable 7% Fig. 3Fig. 3 aled Overall Cost of Most Recent Hack/Breach to Organization 39% 16% 12% 15% 7% 3% 50% 40% 30% 20% 10% 0% Under $100,000 $100,000 - $1m $1.1m - $10m $10.1m - $50m $50.1m - $100m $100m+ 37% reported breaches cost over $1m Fig. 2Fig. 2
www.mimecast.com | © 2015 Mimecast ALL RIGHTS RESERVED | CON-WP-293-001 5 5 www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | The Cyber-Security Shiver Grid Introduction Helping IT security managers understand where they are – so they can focus on the specific insights that will help improve their security position – was one of the key goals that drove Mimecast to conduct this research. To help do just that, Mimecast employed statistical analysis to translate the survey data into five distinct personas that IT security managers can relate to. Each persona is defined by a set of attitudinal and behavioral data that describe where they are today. Factors like C-suite involvement, email security spend, top vulnerabilities, security tactics, and company size all impact confidence in email security. Using the data included in the personas, IT security professionals help learn where they are, where they want to go, and how to maintain their confidence once they get there. By plotting based on two defining factors – experience with email hacks/breaches, and confidence in one’s email security infrastructure – Mimecast aligned the five personas in an easy-to-understand grid. Enter: The Cyber-Security Shiver Grid. The Vigilant The Equipped Veteran The Apprehensive The Nervous The Battle-Scarred 28% of total 6% of total 19% of total 16% of total • Never experienced hack or breach • Feels equipped regardless • Has personally experienced a hack or breach • Equipped and ready for the next threat • Has experience with hack or breach • Isn't prepared for the next one • Feels totally unequipped Highconfidence inemailsecurity Lowconfidence inemailsecurity 31% of total • No experience with hack or breach • Not equipped to prevent or deal with one No experience with hacks/breaches Some experience with hacks/breaches High experience with hacks/breaches Mimecast Business Email Threat Report
www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | 6 Regardless of where IT security managers currently fit on the grid, the desired positions are clear – the Vigilant or the Equipped Veteran, both of whom have high confidence in their systems’ abilities to prevent or combat an email hack. Unfortunately, they are in the minority – 75% of IT managers are Apprehensive, Nervous or Battle-Scarred. Where do you fit on the Shiver Grid? And what can you learn from those in your position – or those in the positions you want to be in? Meet the Personas: The Apprehensive 31% of all IT security pros Not equipped for: Malicious insiders Mobile device threats Spear-phishing The Nervous 6% of all IT security pros • No direct experience with an email hack or breach; doesn’t feel equipped to prevent one in the future. • Tends to work at midsized companies (~400 employees). • C-suite involvement is varied; security spend is a comparatively low proportion of overall IT spend (averaging 6.9 percent). • More likely to have multiple security technologies in place, but this doesn’t translate into increased confidence. • Has some experience with an email hack or breach, but feels completely ill-equipped to prevent a future one. • Tends to work at midsized companies (~450 employees). • C-suite involvement is more likely to be low; security spend as proportion of IT spend is similarly low at (7.3 percent). Mimecast Business Email Threat Report Not equipped for: l Denial of Service attack l Mobile device threats l Spear-phishing
www.mimecast.com | © 2015 Mimecast ALL RIGHTS RESERVED | CON-WP-293-001 7 7 www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | The Battle-Scarred 28% of all IT security pros The Vigilant 16% of all IT security pros The Equipped Veteran 19% of all IT security pros • Has direct experience with an email hack or breach, but unable to translate that experience into confidence. • Tends to work at a large company (~1,400 employees). • More likely to see cyber-criminals as a major threat. • Only 50% enjoy C-suite engagement. • Organizations exhibit lower than average IT security spend (9.7 percent), but still more than the Apprehensive or Nervous. • Doesn’t have direct experience with an email hack or breach, but feels equipped to prevent or deal with one. • Tends to work at large companies (~800 employees). • On average, C-suite engagement in their department is high; security spend as a percentage of overall IT spend is higher than average at 11.5 percent. • Had direct experience with an email hack or breach, and has come out of it with the confidence to handle future incidents. • Tends to work at large organizations (~1,200 employees) that have high C-suite involvement and high security spend to match. • Respects the threat; having experienced an email incident before, is more likely to see email as the number one point of vulnerability for their organization. Mimecast Business Email Threat Report Not equipped for: l Malicious insiders l Mobile device threats l Network-based attacks Not equipped for: l Malicious insiders l PC-based malware l Mobile device threats Not equipped for: l Malicious insiders l Compromised partners l PC-based malware
Implications – So What? Mimecast has created a Confidence Checklist designed to boost or maintain confidence in their security measures. Follow these best practices to become the IT security pro you want and need to be. 1. Don’t overlook new threats Viruses and malware; these are the main threats that come to mind when discussing email security. They are also the top threats cited by respondents as areas of concern. It is notable, then, that Mimecast found that IT security managers who have direct, recent experience with an email hack are more open-minded in the threats that give them pause. 2. Engage with the C-suite As part of the survey, Mimecast explored two related topics among IT security professionals: the amount to which their C-suite is currently involved in matters of email security, and how appropriate respondents think it is for their C-suite to be involved in email security. Based on the responses given, it is clear that C-suite executives are less involved in email security than their IT security decision makers would prefer. www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | 8 www.mimecast.com | © 2016 Mimecast Mimecast Business Email Threat Report Fig. 4 Concerns Posed by different Email Threats - % Who Ranked them in their Top 3 Concerns KEY: No direct experience with hack Has direct experience with hack 0% 20% 40% 60% 80% 100% Viruses Malware Spam Insider Threat/ Employee Data Leakage Financial Fraud/ 419 Crime Spear-phishing Ransomware Social Engineering Offensive/ Inappropriate content Cyber-bullying and Harassment 51% 65% 51% 64% 31% 32% 34% 29% 24% 27% 21% 25% 20% 24% 24% 15% 20% 11% 24% 10% ...While those with recent, direct experience are more likely to be concerned by social engineering and other threats IT security pros without direct hack experience are more likely to rank viruses and malware among their top three email security concerns...
Mimecast looked specifically at the responses of IT pros who are confident in their email security infrastructure and found an even clearer connection. Confident IT security managers are 2.7 times more likely to have a C-suite that is extremely or very engaged in email security; they are also 1.6 times more likely to see C-suite involvement in email security as extremely or very appropriate. 9 www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | 3. Hit the security spend sweet spot Bigger budgets bring increased confidence. This perceived truism is supported by our data: Mimecast Business Email Threat Report Level of Current C-suite Engagement in Email Security Perceived Appropriateness of C-suite Involvement Very appropriate 50% Extremely appropriate 20% Somewhat appropriate 24% Very engaged 41% Extremely engaged 15% Somewhat engaged 30% Not very engaged 12% Not at all engaged 3% Not very appropriate 4% Not at all appropriate 2% % of IT Budget Devoted to Email Security 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% 41% 24% 31% 28% 10% 23% 8% 14% 8% 7% 0 - 5% 5 - 10% 10 - 15% 15 - 20% 20 - 25% KEY: Not Confident in current level of Email Security Confident in current level of Email Security IT professionals who spend least on email security don't feel secure The Cyber-Security Shiver Grid Personas KEY: N H Insi Employee Da Finan Spe R Social E Inappropri Cyb and H Fig. 5 Fig. 6Fig. 6 Level of Current C-suite Engagement in Email Security Perceived Appropriateness of C-suite Involvement Very appropriate 50% Extremely appropriate 20% Somewhat appropriate 24% Very engaged 41% Extremely engaged 15% Somewhat engaged 30% Not very engaged 12% Not at all engaged 3% Not very appropriate 4% Not at all appropriate 2% % of IT Budget Devoted to Email Security 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% 41% 24% 31% 28% 10% 23% 8% 14% 8% 7% 0 - 5% 5 - 10% 10 - 15% 15 - 20% 20 - 25% KEY: Not Confident in current level of Email Security Confident in current level of Email Security IT professionals who spend least on email security don't feel secure The Cyber-Security Shiver Grid Personas KE Empl Ina Fig. 5 Fig. 6 Fig. 5
Of course, email security is only one part of the overall IT security toolkit, and managers need to have flexibility in how they allot their resources. Based on the relationship between email security spend and manager confidence, Mimecast found that IT managers should strive to devote 10.4% of the overall IT budget to email security to hit the email security spend sweet spot. 4. Upgrade on-premises software or go to the cloud One quarter of respondents are still using Exchange 2010, which ended mainstream support from Microsoft in January 2015. Exchange 2010 is also more likely to be the platform used by two unconfident personas – the Apprehensive and the Battle-Scarred. Alternately, managers with the most confidence are more likely to be using Exchange Server 2013. While Office 365 usage isn’t a predictor of where IT security managers fall in the Shiver Grid, that might not be the case in the future – Mimecast discovered that managers with recent, direct experience with an email hack or breach are more likely to have plans to migrate to Microsoft’s cloud option in the next two years. 5. Learn from experienced pros: use advanced tactics IT security managers who experience an email hack or breach may emerge feeling more vulnerable than before, but their tendency to employ additional safeguards may make them better prepared. Mimecast found that experienced IT security professionals are more likely to utilize a variety of additional email safeguards over and above traditional anti-virus, anti-malware, and spam filter measures. These measures are listed in order of proliferation: l Intrusion prevention (HIPS, NIDS, IPS, IDS) within the email infrastructure (78%) l Email encryption gateway (push encryption) (75%) l Email attachment sandboxing (70%) l Data leak prevention (69%) l Anti-spear-phishing or targeted attack gateway (69%) l URL rewriting (61%) l Separate content control gateway (60%) l DLP gateway (56%) 10 Microsoft Office 365 Exchange Server 2013 Exchange Server 2010 Google Apps Exchange Server 2003 or 2007 IBM Lotus Domino Other 35% 30% 25% 20% 15% 10% 5% 0% 30% 28% 25% 6% 4% 4% 4% Fig. 7 Primary Email Platform Mimecast Business Email Threat Report www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED |
Fig. 8 6. Protect against internal threats, not just external ones For most IT security professionals, the first priority is securing the perimeter. This makes sense; as shown earlier in this report, the threats that IT security professionals are most concerned about are external. Perimeter security is a well-established practice, as indicated by the proliferation of anti- virus, anti-malware, and anti-spam products on the market today. IT security professionals should take care, however, to ensure that the pendulum does not swing too far towards a focus on external threats. When asking about the vulnerabilities that organizations are least-equipped to deal with, Mimecast found that the top source of worry for IT security professionals is internal. Mimecast also found that direct, recent experience with an email hack or breach also brings increased concern for internal threats. IT security professionals who have that experience are twice as likely to categorize malicious insiders as high threats compared to their less experienced colleagues. Malicious insiders are also the top worries for both Vigilant and Equipped Veterans, the two most confident Shiver Grid personas. It is clear that while external threats may be most prominent, internal threats cannot be ignored. There is a reason why 69% of IT security professionals that have experience with an email hack have data leak prevention and other internal threat mitigation protocols in place; they know that email threats don’t just come from the perimeter. 11 www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | CON-WP-293-001 Perceived Vulnerabilities Email doesn’t have to be scary. And, regardless of how confident, experienced or prepared you truly are to navigate the world of cyber-crime, you don’t have to do it alone. Learn more about the state of email security and ways to cope with impending threats. LEARN MORE Mimecast Business Email Threat Report 45% 50% 40% 35% 30% 25% 20% 15% 10% 5% 0% 45% Malicious insider attacks 34% Mobile device compromise or malware 27% PC-based malware 26% Spear-phishing or targeted attacks 26% Network, host and server (Internet facing) attacks 25% Denial of Service Attacks 25% Partner or supply chain compromise 24% Social Engineering
www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | CON-WP-293-001 12 www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | CON-WP-293-001 12 www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | CON-WP-293-001 12 Let us demonstrate how to make email safer in your organization. www.mimecast.com/request-demo Got a question? Get it answered by a Mimecast expert. www.mimecast.com/contact-sales Tell us what you need and we’ll craft a customized quote. www.mimecast.com/quote Mimecast (NASDAQ: MIME) makes business email and data safer for 16,200 customers and millions of employees worldwide. Founded in 2003, the Company’s cloud-based security, archiving and continuity services protect email, and deliver comprehensive email risk management in a single, fully-integrated subscription service. Mimecast reduces email risk and the complexity and cost of managing the array of point solutions traditionally used to protect email and its data. For customers that have migrated to cloud services like Microsoft Office 365, Mimecast mitigates single vendor exposure by strengthening security coverage, combating downtime and improving archiving.  Mimecast Email Security protects against malware, spam, advanced phishing and other emerging attacks, while preventing data leaks. Mimecast Mailbox Continuity enables employees to continue using email during planned and unplanned outages. Mimecast Information Archiving unifies email, file and Instant Messaging data to support e-discovery and give employees fast access to their personal archive via PC, Mac and mobile apps. Survey methodology Mimecast and March Communications designed a 15-minute, online survey that went into field in October 2015. The survey, facilitated by Vanson Bourne, was completed by IT security decision makers in the following countries: l n=200 in the United States l n=200 in the United Kingdom l n=100 in South Africa l n=100 in Australia The overall margin of error is ± 4% at the 95% confidence level. Charted data l Fig. 1: Q10. Which of the following best describes how you feel about the level of security your current email technology infrastructure offers? l Fig. 2: Q23a. Please estimate the overall cost of the email hack or breach for your organization? (Base: n=123) l Fig. 3: Q18. Do you feel your email security is more or less vulnerable to risk today than it was 12 months ago? (Base: n=123) l Fig. 4: Q4a. How much of a concern are the following email security threats?(SHOWN: % OF RESPONDENTS WHO RANKED ITEM AMONG TOP THREE CONCERNS) (Base: No recent, direct experience n=477; With recent, direct experience n=123) l Fig. 5: Q17. How engaged is your organization’s C-suite with your email security and risk management practices? Q17a. How appropriate do you think it is for your organization’s C-suite to be involved with your email security and risk management practices? l Fig. 6: Q5. What percentage of your annual IT budget is spent on email security safeguards/technology? (BASE: CONFIDENT n=522; NOT CONFIDENT n=78) l Fig. 7: D4. What is your organization’s primary email platform? l Fig. 8: Q13. What email security risks do you believe your organization is ill-prepared to cope with? Appendix: Methodology www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED Mimecast Business Email Threat Report
Mimecast (NASDAQ:MIME) makes business email and data safer for thousands of customers and millions of employees worldwide. Founded in 2003, the Company's next-generation cloud-based security, archiving and continuity services protect email and deliver comprehensive email risk management. www.mimecast.com | © 2016 Mimecast

Recommended

Best practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingBest practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingwardell henley
 
Cybersecurity for IAEM Region 4
Cybersecurity for IAEM Region 4Cybersecurity for IAEM Region 4
Cybersecurity for IAEM Region 4Sarah K Miller
 
Aon Ransomware Response and Mitigation Strategies
Aon Ransomware Response and Mitigation StrategiesAon Ransomware Response and Mitigation Strategies
Aon Ransomware Response and Mitigation StrategiesCSNP
 
State of endpoint risk v3
State of endpoint risk v3State of endpoint risk v3
State of endpoint risk v3Lumension
 
The Shifting State of Endpoint Risk: Key Strategies to Implement in 2011
The Shifting State of Endpoint Risk: Key Strategies to Implement in 2011The Shifting State of Endpoint Risk: Key Strategies to Implement in 2011
The Shifting State of Endpoint Risk: Key Strategies to Implement in 2011Lumension
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boardsPaul McGillicuddy
 
ISACA State of Cyber Security 2017
ISACA State of Cyber Security 2017ISACA State of Cyber Security 2017
ISACA State of Cyber Security 2017ISACA
 
Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010
Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010
Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010Jason Hong
 

Recommended

Best practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingBest practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingwardell henley
 
Cybersecurity for IAEM Region 4
Cybersecurity for IAEM Region 4Cybersecurity for IAEM Region 4
Cybersecurity for IAEM Region 4Sarah K Miller
 
Aon Ransomware Response and Mitigation Strategies
Aon Ransomware Response and Mitigation StrategiesAon Ransomware Response and Mitigation Strategies
Aon Ransomware Response and Mitigation StrategiesCSNP
 
State of endpoint risk v3
State of endpoint risk v3State of endpoint risk v3
State of endpoint risk v3Lumension
 
The Shifting State of Endpoint Risk: Key Strategies to Implement in 2011
The Shifting State of Endpoint Risk: Key Strategies to Implement in 2011The Shifting State of Endpoint Risk: Key Strategies to Implement in 2011
The Shifting State of Endpoint Risk: Key Strategies to Implement in 2011Lumension
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boardsPaul McGillicuddy
 
ISACA State of Cyber Security 2017
ISACA State of Cyber Security 2017ISACA State of Cyber Security 2017
ISACA State of Cyber Security 2017ISACA
 
Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010
Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010
Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010Jason Hong
 
Protecting Organizations from Phishing Scams, for RSA Webinar in Sep2010
Protecting Organizations from Phishing Scams, for RSA Webinar in Sep2010Protecting Organizations from Phishing Scams, for RSA Webinar in Sep2010
Protecting Organizations from Phishing Scams, for RSA Webinar in Sep2010Jason Hong
 
The software-security-risk-report
The software-security-risk-reportThe software-security-risk-report
The software-security-risk-reportКомсс Файквэе
 
State of endpoint risk v3
State of endpoint risk v3State of endpoint risk v3
State of endpoint risk v3Lumension
 
Jonathan raymond 2010 rotman telus - atlseccon2011
Jonathan raymond 2010 rotman telus - atlseccon2011Jonathan raymond 2010 rotman telus - atlseccon2011
Jonathan raymond 2010 rotman telus - atlseccon2011Atlantic Security Conference
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?EMC
 
Cyber Security index
Cyber Security indexCyber Security index
Cyber Security indexsukiennong.vn
 
InformationSecurity_11141
InformationSecurity_11141InformationSecurity_11141
InformationSecurity_11141sraina2
 
Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware IBM Security
 
Close the Loop on Incident Response
Close the Loop on Incident ResponseClose the Loop on Incident Response
Close the Loop on Incident ResponseIBM Security
 
Bridging the Cybersecurity Gap
Bridging the Cybersecurity GapBridging the Cybersecurity Gap
Bridging the Cybersecurity GapFidelis Cybersecurity
 
2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response SurveyFireEye, Inc.
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) Eoin Keary
 
STUDY: Website Vulnerability Assessment
STUDY: Website Vulnerability AssessmentSTUDY: Website Vulnerability Assessment
STUDY: Website Vulnerability AssessmentSymantec
 
Cloud activ8 state of ransomware report_2021-dec
Cloud activ8 state of ransomware report_2021-decCloud activ8 state of ransomware report_2021-dec
Cloud activ8 state of ransomware report_2021-decgusbarrett
 
Cybersecurity in the Cognitive Era: Priming Your Digital Immune System
Cybersecurity in the Cognitive Era: Priming Your Digital Immune SystemCybersecurity in the Cognitive Era: Priming Your Digital Immune System
Cybersecurity in the Cognitive Era: Priming Your Digital Immune SystemIBM Security
 
Segurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSegurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSantiago Cavanna
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Kim Jensen
 
Proofpoint Understanding Email Fraud in 2018
Proofpoint Understanding Email Fraud in 2018 Proofpoint Understanding Email Fraud in 2018
Proofpoint Understanding Email Fraud in 2018 Proofpoint
 
State of endpoint risk v3
State of endpoint risk v3State of endpoint risk v3
State of endpoint risk v3Lumension
 
State of endpoint risk v3
State of endpoint risk v3State of endpoint risk v3
State of endpoint risk v3Lumension
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?EMC
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)Sarah Jarvis
 

More Related Content

What's hot

Protecting Organizations from Phishing Scams, for RSA Webinar in Sep2010
Protecting Organizations from Phishing Scams, for RSA Webinar in Sep2010Protecting Organizations from Phishing Scams, for RSA Webinar in Sep2010
Protecting Organizations from Phishing Scams, for RSA Webinar in Sep2010Jason Hong
 
State of endpoint risk v3
State of endpoint risk v3State of endpoint risk v3
State of endpoint risk v3Lumension
 
Jonathan raymond 2010 rotman telus - atlseccon2011
Jonathan raymond 2010 rotman telus - atlseccon2011Jonathan raymond 2010 rotman telus - atlseccon2011
Jonathan raymond 2010 rotman telus - atlseccon2011Atlantic Security Conference
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?EMC
 
Cyber Security index
Cyber Security indexCyber Security index
Cyber Security indexsukiennong.vn
 
InformationSecurity_11141
InformationSecurity_11141InformationSecurity_11141
InformationSecurity_11141sraina2
 
Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware IBM Security
 
Close the Loop on Incident Response
Close the Loop on Incident ResponseClose the Loop on Incident Response
Close the Loop on Incident ResponseIBM Security
 
2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response SurveyFireEye, Inc.
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) Eoin Keary
 
STUDY: Website Vulnerability Assessment
STUDY: Website Vulnerability AssessmentSTUDY: Website Vulnerability Assessment
STUDY: Website Vulnerability AssessmentSymantec
 
Cloud activ8 state of ransomware report_2021-dec
Cloud activ8 state of ransomware report_2021-decCloud activ8 state of ransomware report_2021-dec
Cloud activ8 state of ransomware report_2021-decgusbarrett
 
Cybersecurity in the Cognitive Era: Priming Your Digital Immune System
Cybersecurity in the Cognitive Era: Priming Your Digital Immune SystemCybersecurity in the Cognitive Era: Priming Your Digital Immune System
Cybersecurity in the Cognitive Era: Priming Your Digital Immune SystemIBM Security
 
Segurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSegurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSantiago Cavanna
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Kim Jensen
 

What's hot (17)

Protecting Organizations from Phishing Scams, for RSA Webinar in Sep2010
Protecting Organizations from Phishing Scams, for RSA Webinar in Sep2010Protecting Organizations from Phishing Scams, for RSA Webinar in Sep2010
Protecting Organizations from Phishing Scams, for RSA Webinar in Sep2010
 
The software-security-risk-report
The software-security-risk-reportThe software-security-risk-report
The software-security-risk-report
 
State of endpoint risk v3
State of endpoint risk v3State of endpoint risk v3
State of endpoint risk v3
 
Jonathan raymond 2010 rotman telus - atlseccon2011
Jonathan raymond 2010 rotman telus - atlseccon2011Jonathan raymond 2010 rotman telus - atlseccon2011
Jonathan raymond 2010 rotman telus - atlseccon2011
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
 
Cyber Security index
Cyber Security indexCyber Security index
Cyber Security index
 
InformationSecurity_11141
InformationSecurity_11141InformationSecurity_11141
InformationSecurity_11141
 
Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware
 
Close the Loop on Incident Response
Close the Loop on Incident ResponseClose the Loop on Incident Response
Close the Loop on Incident Response
 
Bridging the Cybersecurity Gap
Bridging the Cybersecurity GapBridging the Cybersecurity Gap
Bridging the Cybersecurity Gap
 
2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response Survey
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019)
 
STUDY: Website Vulnerability Assessment
STUDY: Website Vulnerability AssessmentSTUDY: Website Vulnerability Assessment
STUDY: Website Vulnerability Assessment
 
Cloud activ8 state of ransomware report_2021-dec
Cloud activ8 state of ransomware report_2021-decCloud activ8 state of ransomware report_2021-dec
Cloud activ8 state of ransomware report_2021-dec
 
Cybersecurity in the Cognitive Era: Priming Your Digital Immune System
Cybersecurity in the Cognitive Era: Priming Your Digital Immune SystemCybersecurity in the Cognitive Era: Priming Your Digital Immune System
Cybersecurity in the Cognitive Era: Priming Your Digital Immune System
 
Segurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSegurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago Cavanna
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015
 

Similar to Report_Business_Email_Threat_Report (1) (2) (1)

Proofpoint Understanding Email Fraud in 2018
Proofpoint Understanding Email Fraud in 2018 Proofpoint Understanding Email Fraud in 2018
Proofpoint Understanding Email Fraud in 2018 Proofpoint
 
State of endpoint risk v3
State of endpoint risk v3State of endpoint risk v3
State of endpoint risk v3Lumension
 
State of endpoint risk v3
State of endpoint risk v3State of endpoint risk v3
State of endpoint risk v3Lumension
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?EMC
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)Sarah Jarvis
 
State of endpoint risk v3
State of endpoint risk v3State of endpoint risk v3
State of endpoint risk v3Lumension
 
Email: still the favourite route of attack
Email: still the favourite route of attackEmail: still the favourite route of attack
Email: still the favourite route of attackClaranet UK
 
Under cyber attack: EY's Global information security survey 2013
Under cyber attack: EY's Global information security survey 2013Under cyber attack: EY's Global information security survey 2013
Under cyber attack: EY's Global information security survey 2013EY
 
Executive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyExecutive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyScalar Decisions
 
2016 Scalar Security Study Executive Summary
2016 Scalar Security Study Executive Summary2016 Scalar Security Study Executive Summary
2016 Scalar Security Study Executive Summarypatmisasi
 
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Sarah Nirschl
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks- Mark - Fullbright
 
The Stand Against Cyber Criminals Lawyers, Take The Stand Against Cyber Crimi...
The Stand Against Cyber Criminals Lawyers, Take The Stand Against Cyber Crimi...The Stand Against Cyber Criminals Lawyers, Take The Stand Against Cyber Crimi...
The Stand Against Cyber Criminals Lawyers, Take The Stand Against Cyber Crimi...Symantec
 
Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise The Economist Media Businesses
 
Protecting Corporete Credentials Against Threats 4 48159 wgw03071_usen
Protecting Corporete Credentials Against Threats 4 48159 wgw03071_usenProtecting Corporete Credentials Against Threats 4 48159 wgw03071_usen
Protecting Corporete Credentials Against Threats 4 48159 wgw03071_usenCMR WORLD TECH
 
Keys to Network Security & Shocking Statistics
Keys to Network Security & Shocking StatisticsKeys to Network Security & Shocking Statistics
Keys to Network Security & Shocking StatisticsChristine Spicuzza
 
Achieving Holistic Cybersecurity: 2016 Progress Report
Achieving Holistic Cybersecurity: 2016 Progress ReportAchieving Holistic Cybersecurity: 2016 Progress Report
Achieving Holistic Cybersecurity: 2016 Progress ReportGov BizCouncil
 
Tripwire_UK_Executive_Cybersecurity_Literacy_Survey
Tripwire_UK_Executive_Cybersecurity_Literacy_SurveyTripwire_UK_Executive_Cybersecurity_Literacy_Survey
Tripwire_UK_Executive_Cybersecurity_Literacy_SurveyMelloney Jewell
 

Similar to Report_Business_Email_Threat_Report (1) (2) (1) (20)

Proofpoint Understanding Email Fraud in 2018
Proofpoint Understanding Email Fraud in 2018 Proofpoint Understanding Email Fraud in 2018
Proofpoint Understanding Email Fraud in 2018
 
State of endpoint risk v3
State of endpoint risk v3State of endpoint risk v3
State of endpoint risk v3
 
State of endpoint risk v3
State of endpoint risk v3State of endpoint risk v3
State of endpoint risk v3
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
 
State of endpoint risk v3
State of endpoint risk v3State of endpoint risk v3
State of endpoint risk v3
 
Email: still the favourite route of attack
Email: still the favourite route of attackEmail: still the favourite route of attack
Email: still the favourite route of attack
 
Ey giss-under-cyber-attack
Ey giss-under-cyber-attackEy giss-under-cyber-attack
Ey giss-under-cyber-attack
 
Under cyber attack: EY's Global information security survey 2013
Under cyber attack: EY's Global information security survey 2013Under cyber attack: EY's Global information security survey 2013
Under cyber attack: EY's Global information security survey 2013
 
Executive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyExecutive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security Study
 
2016 Scalar Security Study Executive Summary
2016 Scalar Security Study Executive Summary2016 Scalar Security Study Executive Summary
2016 Scalar Security Study Executive Summary
 
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks
 
The Stand Against Cyber Criminals Lawyers, Take The Stand Against Cyber Crimi...
The Stand Against Cyber Criminals Lawyers, Take The Stand Against Cyber Crimi...The Stand Against Cyber Criminals Lawyers, Take The Stand Against Cyber Crimi...
The Stand Against Cyber Criminals Lawyers, Take The Stand Against Cyber Crimi...
 
Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise
 
Protecting Corporete Credentials Against Threats 4 48159 wgw03071_usen
Protecting Corporete Credentials Against Threats 4 48159 wgw03071_usenProtecting Corporete Credentials Against Threats 4 48159 wgw03071_usen
Protecting Corporete Credentials Against Threats 4 48159 wgw03071_usen
 
Nonprofit Cybersecurity Incident Report
Nonprofit Cybersecurity Incident ReportNonprofit Cybersecurity Incident Report
Nonprofit Cybersecurity Incident Report
 
Keys to Network Security & Shocking Statistics
Keys to Network Security & Shocking StatisticsKeys to Network Security & Shocking Statistics
Keys to Network Security & Shocking Statistics
 
Achieving Holistic Cybersecurity: 2016 Progress Report
Achieving Holistic Cybersecurity: 2016 Progress ReportAchieving Holistic Cybersecurity: 2016 Progress Report
Achieving Holistic Cybersecurity: 2016 Progress Report
 
Tripwire_UK_Executive_Cybersecurity_Literacy_Survey
Tripwire_UK_Executive_Cybersecurity_Literacy_SurveyTripwire_UK_Executive_Cybersecurity_Literacy_Survey
Tripwire_UK_Executive_Cybersecurity_Literacy_Survey
 

Report_Business_Email_Threat_Report (1) (2) (1)

  • 1. Mimecast Business Email Threat Report Email Security Uncovered
  • 2. www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | 2 Executive Summary While information systems may use increasingly complex security measures, these updates continue to leave one significant vulnerability unaddressed: employees themselves. Email, in particular, represents one of the largest threats that employees can unintentionally pose to their network’s integrity. To explore the email security threat landscape and identify best practices for countering the threat, Mimecast surveyed 600 IT security decision makers in four countries about their email security attitudes and behaviors. In general, most IT security managers recognize the threat that email attacks pose to their organizations, but aren’t confident about their ability to prevent those attacks: l 83% think email is one of the most common sources of attack. l 64% believe email attacks pose a high – or extremely high – threat to their organization. l 65% don’t feel fully equipped and up-to-date to cope with the risks posed by email threats. Two variables emerged during the research analysis to guide the report: confidence and experience. Mimecast sought to answer two questions: 1. How can IT security managers achieve the high confidence of some of their peers? 2. Whatcantheylearnfromthosewithrecent,direct experiencewithemailhacksandbreaches? Helping IT security managers understand where they are – so they can focus on the specific insights that will help improve their security position – was one of the key goals that drove Mimecast to conduct this research. To help do just that, Mimecast employed statistical analysis to translate the survey data into five distinct personas that IT security managers can relate to. Categorized broadly, based on confidence and experience, the five personas comprise the Cyber-Security Shiver Grid. They are: l The Apprehensive (31%) - No experience with an email hack or breach; not equipped to prevent or deal with one. l The Nervous (6%) - Has some experience with an email hack or breach, but feels unequipped to deal with one. l The Battle-Scarred (28%) - Has direct, recent experience with an email hack or breach; doesn’t feel confident in ability to prevent or cope with the next one. l The Vigilant (16%) - Has never experienced an email hack or breach; feels equipped regardless. l The Equipped Veteran (19%) - Has personally experienced a hack or breach; feels equipped and ready for the next one. MimecastBusinessEmailThreatReport
  • 3. www.mimecast.com | © 2015 Mimecast ALL RIGHTS RESERVED | CON-WP-293-001 Mimecast Business Email Threat Report 3 3 www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | Based on these personas, Mimecast has created a Confidence Checklist for IT teams designed to boost – or maintain – confidence in their security measures. The Mimecast Confidence Checklist: ü Don’t overlook new threats ü Engage with the C-suite ü Hit the security spend sweet spot ü Upgrade on-premises software or go to the cloud ü Learn from experienced pros: use advanced tactics ü Protect against internal threats, not just external ones Full Report Introduction IT security is a game of cat-and-mouse. Security managers and threat actors – be they cyber-criminals, state-sponsored hackers, malicious insiders, hacktivists, corporate spies, or others – constantly jockey for primary position and the ability to outmaneuver the other. While information systems may use increasingly complex security measures, these updates continue to leave one significant vulnerability unaddressed: employees themselves. Email, in particular, represents one of the largest threats that employees can unintentionally pose to their network’s integrity. New terms arise daily to describe emerging techniques in email threats: spoofing, phishing, clone-phishing, spear-phishing, whaling, link manipulation, social engineering. Email breaches run from the mundane and undetected to the provocative and public, and many cost thousands or millions of dollars to address. To gather insight into the threat inherent to email, and collect best practices for preventing and deterring email breaches, Mimecast commissioned a survey of 600 IT security decision makers in four countries. The study, designed by Mimecast and March Communications and fielded by Vanson Bourne, surveyed 200 IT security decision makers in the U.S. and UK each, as well as 100 in Australia and South Africa each. The State of Email Security Overall, Mimecast found that, most managers recognize the threat that email attacks pose to their organizations. 83% think email is one of the most common sources of attack, and 64% believe email attacks pose a high – or extremely high – threat to their organization. It is altogether troubling, then, that so many managers lack strong confidence in their ability to cope with the email security risks they face. Mimecast found that two-thirds of IT security decision makers don’t feel fully equipped to cope with the risks of email security. Overall, most managers feel somewhat secure, but the lack of confidence is disconcerting given the level of threat. The impact of email hacks should not be understated. Though a plurality of respondents with direct experience indicate that the cost of the most recent breach at their organization was under $100 thousand, a full 37% of respondents reported experiencing email hacks that cost over $1 million in total. So, How Secure Is Your Infrastructure? Somewhat secure 63% Extremely secure 24% Extremely unsecure 1% Somewhat unsecure 3% Neither secure nor unsecure 9% Fig. 1
  • 4. www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | 4 Past experience can be a key tool to inform strategies to combat future threats, so special attention should be paid to IT security managers who have direct experience of an attack. Mimecast was able to gather insights from 123 experienced managers whose organizations had suffered an email hack or breach during their tenure as decision makers. There are three major impacts hacks or breaches can have on the confidence of IT security managers. They can either: 1. Learn a lesson. By gaining valuable knowledge about their systems’ weaknesses after an attack, managers can emerge feeling less vulnerable. 2. Remain unchanged. Even after an attack, some managers can emerge with a roughly unchanged perspective on their level of vulnerability. 3. Feel more vulnerable. Experiencing an attack, and learning first-hand the reality that the threat poses, can leave managers feeling more vulnerable to cyber-threats than before. Unfortunately, as Mimecast found, most surveyed experienced the third reaction. Fully half of IT security managers with recent, direct experience think their organizations’ email infrastructures are somewhat or much more vulnerable than they were just twelve months ago. Those experienced respondents are more than four times as likely to feel much more vulnerable than one year ago compared to those without that experience (18% with experience vs. 4% without), and nearly two times as likely to feel somewhat more vulnerable (32% with experience vs. 18% without). What’s more, Mimecast found that IT security managers with email hack or breach experience are two times as likely to think that email poses the number one entry point of attack for their organization (19% with experience, 8% without). With all of this in mind – the overall lack of confidence in email security, the high cost of email breaches, and the respect that experienced decision makers have for email breaches – what can IT security professionals do to increase their confidence and ability to prevent or combat an email attack? Mimecast Business Email Threat Report 5 The Nervous, the Vigilant and the Battle-Scarred: IT Security Personas Revealed Hacks or breaches can have three major impacts on the confidence of IT security managers. They can either: Learn a lesson. By gaining valuable knowledge about their systems’ weaknesses after an attack, managers can emerge feeling less vulnerable. Remain unchanged. Even after an attack, some managers can emerge with a roughly unchanged perspective on their level of vulnerability. Feel more vulnerable. Experiencing an attack, and learning first-hand about the reality of the threat, can leave managers feeling more vulnerable to cyber-threats than before. Managers with recent, direct experience of a breach or hack are more than four times as likely to feel more vulnerable than one year ago compared to those without experience. These managers are two times more likely to see email as the number one entry point of attack. 1 2 3 Email Hacks Increase Vulnerability Perceived Vulnerability vs. 12 Months Ago Respondents with recent, direct experience of an email breach Somewhat more vulnerable 32% Much more vulnerable 18% About the same risk level 32% Somewhat less vulnerable 11% Much less vulnerable 7% Fig. 3Fig. 3 aled Overall Cost of Most Recent Hack/Breach to Organization 39% 16% 12% 15% 7% 3% 50% 40% 30% 20% 10% 0% Under $100,000 $100,000 - $1m $1.1m - $10m $10.1m - $50m $50.1m - $100m $100m+ 37% reported breaches cost over $1m Fig. 2Fig. 2
  • 5. www.mimecast.com | © 2015 Mimecast ALL RIGHTS RESERVED | CON-WP-293-001 5 5 www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | The Cyber-Security Shiver Grid Introduction Helping IT security managers understand where they are – so they can focus on the specific insights that will help improve their security position – was one of the key goals that drove Mimecast to conduct this research. To help do just that, Mimecast employed statistical analysis to translate the survey data into five distinct personas that IT security managers can relate to. Each persona is defined by a set of attitudinal and behavioral data that describe where they are today. Factors like C-suite involvement, email security spend, top vulnerabilities, security tactics, and company size all impact confidence in email security. Using the data included in the personas, IT security professionals help learn where they are, where they want to go, and how to maintain their confidence once they get there. By plotting based on two defining factors – experience with email hacks/breaches, and confidence in one’s email security infrastructure – Mimecast aligned the five personas in an easy-to-understand grid. Enter: The Cyber-Security Shiver Grid. The Vigilant The Equipped Veteran The Apprehensive The Nervous The Battle-Scarred 28% of total 6% of total 19% of total 16% of total • Never experienced hack or breach • Feels equipped regardless • Has personally experienced a hack or breach • Equipped and ready for the next threat • Has experience with hack or breach • Isn't prepared for the next one • Feels totally unequipped Highconfidence inemailsecurity Lowconfidence inemailsecurity 31% of total • No experience with hack or breach • Not equipped to prevent or deal with one No experience with hacks/breaches Some experience with hacks/breaches High experience with hacks/breaches Mimecast Business Email Threat Report
  • 6. www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | 6 Regardless of where IT security managers currently fit on the grid, the desired positions are clear – the Vigilant or the Equipped Veteran, both of whom have high confidence in their systems’ abilities to prevent or combat an email hack. Unfortunately, they are in the minority – 75% of IT managers are Apprehensive, Nervous or Battle-Scarred. Where do you fit on the Shiver Grid? And what can you learn from those in your position – or those in the positions you want to be in? Meet the Personas: The Apprehensive 31% of all IT security pros Not equipped for: Malicious insiders Mobile device threats Spear-phishing The Nervous 6% of all IT security pros • No direct experience with an email hack or breach; doesn’t feel equipped to prevent one in the future. • Tends to work at midsized companies (~400 employees). • C-suite involvement is varied; security spend is a comparatively low proportion of overall IT spend (averaging 6.9 percent). • More likely to have multiple security technologies in place, but this doesn’t translate into increased confidence. • Has some experience with an email hack or breach, but feels completely ill-equipped to prevent a future one. • Tends to work at midsized companies (~450 employees). • C-suite involvement is more likely to be low; security spend as proportion of IT spend is similarly low at (7.3 percent). Mimecast Business Email Threat Report Not equipped for: l Denial of Service attack l Mobile device threats l Spear-phishing
  • 7. www.mimecast.com | © 2015 Mimecast ALL RIGHTS RESERVED | CON-WP-293-001 7 7 www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | The Battle-Scarred 28% of all IT security pros The Vigilant 16% of all IT security pros The Equipped Veteran 19% of all IT security pros • Has direct experience with an email hack or breach, but unable to translate that experience into confidence. • Tends to work at a large company (~1,400 employees). • More likely to see cyber-criminals as a major threat. • Only 50% enjoy C-suite engagement. • Organizations exhibit lower than average IT security spend (9.7 percent), but still more than the Apprehensive or Nervous. • Doesn’t have direct experience with an email hack or breach, but feels equipped to prevent or deal with one. • Tends to work at large companies (~800 employees). • On average, C-suite engagement in their department is high; security spend as a percentage of overall IT spend is higher than average at 11.5 percent. • Had direct experience with an email hack or breach, and has come out of it with the confidence to handle future incidents. • Tends to work at large organizations (~1,200 employees) that have high C-suite involvement and high security spend to match. • Respects the threat; having experienced an email incident before, is more likely to see email as the number one point of vulnerability for their organization. Mimecast Business Email Threat Report Not equipped for: l Malicious insiders l Mobile device threats l Network-based attacks Not equipped for: l Malicious insiders l PC-based malware l Mobile device threats Not equipped for: l Malicious insiders l Compromised partners l PC-based malware
  • 8. Implications – So What? Mimecast has created a Confidence Checklist designed to boost or maintain confidence in their security measures. Follow these best practices to become the IT security pro you want and need to be. 1. Don’t overlook new threats Viruses and malware; these are the main threats that come to mind when discussing email security. They are also the top threats cited by respondents as areas of concern. It is notable, then, that Mimecast found that IT security managers who have direct, recent experience with an email hack are more open-minded in the threats that give them pause. 2. Engage with the C-suite As part of the survey, Mimecast explored two related topics among IT security professionals: the amount to which their C-suite is currently involved in matters of email security, and how appropriate respondents think it is for their C-suite to be involved in email security. Based on the responses given, it is clear that C-suite executives are less involved in email security than their IT security decision makers would prefer. www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | 8 www.mimecast.com | © 2016 Mimecast Mimecast Business Email Threat Report Fig. 4 Concerns Posed by different Email Threats - % Who Ranked them in their Top 3 Concerns KEY: No direct experience with hack Has direct experience with hack 0% 20% 40% 60% 80% 100% Viruses Malware Spam Insider Threat/ Employee Data Leakage Financial Fraud/ 419 Crime Spear-phishing Ransomware Social Engineering Offensive/ Inappropriate content Cyber-bullying and Harassment 51% 65% 51% 64% 31% 32% 34% 29% 24% 27% 21% 25% 20% 24% 24% 15% 20% 11% 24% 10% ...While those with recent, direct experience are more likely to be concerned by social engineering and other threats IT security pros without direct hack experience are more likely to rank viruses and malware among their top three email security concerns...
  • 9. Mimecast looked specifically at the responses of IT pros who are confident in their email security infrastructure and found an even clearer connection. Confident IT security managers are 2.7 times more likely to have a C-suite that is extremely or very engaged in email security; they are also 1.6 times more likely to see C-suite involvement in email security as extremely or very appropriate. 9 www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | 3. Hit the security spend sweet spot Bigger budgets bring increased confidence. This perceived truism is supported by our data: Mimecast Business Email Threat Report Level of Current C-suite Engagement in Email Security Perceived Appropriateness of C-suite Involvement Very appropriate 50% Extremely appropriate 20% Somewhat appropriate 24% Very engaged 41% Extremely engaged 15% Somewhat engaged 30% Not very engaged 12% Not at all engaged 3% Not very appropriate 4% Not at all appropriate 2% % of IT Budget Devoted to Email Security 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% 41% 24% 31% 28% 10% 23% 8% 14% 8% 7% 0 - 5% 5 - 10% 10 - 15% 15 - 20% 20 - 25% KEY: Not Confident in current level of Email Security Confident in current level of Email Security IT professionals who spend least on email security don't feel secure The Cyber-Security Shiver Grid Personas KEY: N H Insi Employee Da Finan Spe R Social E Inappropri Cyb and H Fig. 5 Fig. 6Fig. 6 Level of Current C-suite Engagement in Email Security Perceived Appropriateness of C-suite Involvement Very appropriate 50% Extremely appropriate 20% Somewhat appropriate 24% Very engaged 41% Extremely engaged 15% Somewhat engaged 30% Not very engaged 12% Not at all engaged 3% Not very appropriate 4% Not at all appropriate 2% % of IT Budget Devoted to Email Security 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% 41% 24% 31% 28% 10% 23% 8% 14% 8% 7% 0 - 5% 5 - 10% 10 - 15% 15 - 20% 20 - 25% KEY: Not Confident in current level of Email Security Confident in current level of Email Security IT professionals who spend least on email security don't feel secure The Cyber-Security Shiver Grid Personas KE Empl Ina Fig. 5 Fig. 6 Fig. 5
  • 10. Of course, email security is only one part of the overall IT security toolkit, and managers need to have flexibility in how they allot their resources. Based on the relationship between email security spend and manager confidence, Mimecast found that IT managers should strive to devote 10.4% of the overall IT budget to email security to hit the email security spend sweet spot. 4. Upgrade on-premises software or go to the cloud One quarter of respondents are still using Exchange 2010, which ended mainstream support from Microsoft in January 2015. Exchange 2010 is also more likely to be the platform used by two unconfident personas – the Apprehensive and the Battle-Scarred. Alternately, managers with the most confidence are more likely to be using Exchange Server 2013. While Office 365 usage isn’t a predictor of where IT security managers fall in the Shiver Grid, that might not be the case in the future – Mimecast discovered that managers with recent, direct experience with an email hack or breach are more likely to have plans to migrate to Microsoft’s cloud option in the next two years. 5. Learn from experienced pros: use advanced tactics IT security managers who experience an email hack or breach may emerge feeling more vulnerable than before, but their tendency to employ additional safeguards may make them better prepared. Mimecast found that experienced IT security professionals are more likely to utilize a variety of additional email safeguards over and above traditional anti-virus, anti-malware, and spam filter measures. These measures are listed in order of proliferation: l Intrusion prevention (HIPS, NIDS, IPS, IDS) within the email infrastructure (78%) l Email encryption gateway (push encryption) (75%) l Email attachment sandboxing (70%) l Data leak prevention (69%) l Anti-spear-phishing or targeted attack gateway (69%) l URL rewriting (61%) l Separate content control gateway (60%) l DLP gateway (56%) 10 Microsoft Office 365 Exchange Server 2013 Exchange Server 2010 Google Apps Exchange Server 2003 or 2007 IBM Lotus Domino Other 35% 30% 25% 20% 15% 10% 5% 0% 30% 28% 25% 6% 4% 4% 4% Fig. 7 Primary Email Platform Mimecast Business Email Threat Report www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED |
  • 11. Fig. 8 6. Protect against internal threats, not just external ones For most IT security professionals, the first priority is securing the perimeter. This makes sense; as shown earlier in this report, the threats that IT security professionals are most concerned about are external. Perimeter security is a well-established practice, as indicated by the proliferation of anti- virus, anti-malware, and anti-spam products on the market today. IT security professionals should take care, however, to ensure that the pendulum does not swing too far towards a focus on external threats. When asking about the vulnerabilities that organizations are least-equipped to deal with, Mimecast found that the top source of worry for IT security professionals is internal. Mimecast also found that direct, recent experience with an email hack or breach also brings increased concern for internal threats. IT security professionals who have that experience are twice as likely to categorize malicious insiders as high threats compared to their less experienced colleagues. Malicious insiders are also the top worries for both Vigilant and Equipped Veterans, the two most confident Shiver Grid personas. It is clear that while external threats may be most prominent, internal threats cannot be ignored. There is a reason why 69% of IT security professionals that have experience with an email hack have data leak prevention and other internal threat mitigation protocols in place; they know that email threats don’t just come from the perimeter. 11 www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | CON-WP-293-001 Perceived Vulnerabilities Email doesn’t have to be scary. And, regardless of how confident, experienced or prepared you truly are to navigate the world of cyber-crime, you don’t have to do it alone. Learn more about the state of email security and ways to cope with impending threats. LEARN MORE Mimecast Business Email Threat Report 45% 50% 40% 35% 30% 25% 20% 15% 10% 5% 0% 45% Malicious insider attacks 34% Mobile device compromise or malware 27% PC-based malware 26% Spear-phishing or targeted attacks 26% Network, host and server (Internet facing) attacks 25% Denial of Service Attacks 25% Partner or supply chain compromise 24% Social Engineering
  • 12. www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | CON-WP-293-001 12 www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | CON-WP-293-001 12 www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED | CON-WP-293-001 12 Let us demonstrate how to make email safer in your organization. www.mimecast.com/request-demo Got a question? Get it answered by a Mimecast expert. www.mimecast.com/contact-sales Tell us what you need and we’ll craft a customized quote. www.mimecast.com/quote Mimecast (NASDAQ: MIME) makes business email and data safer for 16,200 customers and millions of employees worldwide. Founded in 2003, the Company’s cloud-based security, archiving and continuity services protect email, and deliver comprehensive email risk management in a single, fully-integrated subscription service. Mimecast reduces email risk and the complexity and cost of managing the array of point solutions traditionally used to protect email and its data. For customers that have migrated to cloud services like Microsoft Office 365, Mimecast mitigates single vendor exposure by strengthening security coverage, combating downtime and improving archiving.  Mimecast Email Security protects against malware, spam, advanced phishing and other emerging attacks, while preventing data leaks. Mimecast Mailbox Continuity enables employees to continue using email during planned and unplanned outages. Mimecast Information Archiving unifies email, file and Instant Messaging data to support e-discovery and give employees fast access to their personal archive via PC, Mac and mobile apps. Survey methodology Mimecast and March Communications designed a 15-minute, online survey that went into field in October 2015. The survey, facilitated by Vanson Bourne, was completed by IT security decision makers in the following countries: l n=200 in the United States l n=200 in the United Kingdom l n=100 in South Africa l n=100 in Australia The overall margin of error is ± 4% at the 95% confidence level. Charted data l Fig. 1: Q10. Which of the following best describes how you feel about the level of security your current email technology infrastructure offers? l Fig. 2: Q23a. Please estimate the overall cost of the email hack or breach for your organization? (Base: n=123) l Fig. 3: Q18. Do you feel your email security is more or less vulnerable to risk today than it was 12 months ago? (Base: n=123) l Fig. 4: Q4a. How much of a concern are the following email security threats?(SHOWN: % OF RESPONDENTS WHO RANKED ITEM AMONG TOP THREE CONCERNS) (Base: No recent, direct experience n=477; With recent, direct experience n=123) l Fig. 5: Q17. How engaged is your organization’s C-suite with your email security and risk management practices? Q17a. How appropriate do you think it is for your organization’s C-suite to be involved with your email security and risk management practices? l Fig. 6: Q5. What percentage of your annual IT budget is spent on email security safeguards/technology? (BASE: CONFIDENT n=522; NOT CONFIDENT n=78) l Fig. 7: D4. What is your organization’s primary email platform? l Fig. 8: Q13. What email security risks do you believe your organization is ill-prepared to cope with? Appendix: Methodology www.mimecast.com | © 2016 Mimecast ALL RIGHTS RESERVED Mimecast Business Email Threat Report
  • 13. Mimecast (NASDAQ:MIME) makes business email and data safer for thousands of customers and millions of employees worldwide. Founded in 2003, the Company's next-generation cloud-based security, archiving and continuity services protect email and deliver comprehensive email risk management. www.mimecast.com | © 2016 Mimecast