Mimecast Limited, a leading email and data security company, has announced the results of its third quarterly Email Security Risk Assessment (ESRA), a report of the results of tests which measure the effectiveness of incumbent email security systems. This quarter’s assessment noted a continued challenge of securing organisations from malicious attachments, dangerous files types, impersonation attacks, as well as spam – with nearly a quarter of ‘unsafe’ email being delivered to users’ inboxes.
Among the email security services assessed, the tests found that using Mimecast in conjunction with prominent cloud-based email service providers, including Google G Suite and Microsoft Office 365, would substantially improve results by blocking thousands more email-borne attacks. The report indicates the need for organisations to enhance their cyber resilience strategies for email with a multi-layered approach that includes a third-party security service provider.
“To achieve a comprehensive cyber resilience strategy, organisations need to first assess the actual capabilities of their current email security solution. Then, they should ensure there’s a plan in place that covers advanced security, data management and business continuity, as well as awareness training to the end user, which when combined helps to prevent attacks and mitigate business impact,” said Ed Jennings, Chief Operating Officer at Mimecast. “These quarterly Mimecast ESRA reports highlight the need for the entire industry to work toward a higher standard of email security.”
Malware attachments, impersonation attacks and dangerous file types still on the rise
The risks to email remain whether delivered to a cloud-based, on-premises, or to a hybrid email environment. Email remains the top attack vector for delivering security threats such as ransomware, impersonation and malicious files or URLs. Attackers motives include credential theft, extracting a ransom, defrauding victims of corporate data and funds and in several recent cases, sabotage with data being permanently destroyed. To date, Mimecast’s ESRA reports have inspected the inbound email received for 62,323 email users over a cumulative 428 days. More than 45 million emails were inspected, all of which had passed through the incumbent email security system in use by each organisation – of this, 31% were deemed ‘unsafe’ by Mimecast. These assessments have uncovered more than 10.8 million pieces of spam, 8,682 dangerous file types, 1,778 known and 503 unknown malware attachments and 9,677 impersonation emails to date.
Top cloud email service providers missing advanced, but very common threats
When the data was sliced by incumbent email security vendors, the report found that even some of the top email cloud players were missing commonly found advanced security threats, highlighting the need for a multi-layered approach to email security. Notably these cloud vendors are leaving organisations vulnerable by missing millions of spam emails and thousands of threats and allowing them to be delivered to the users’ email inboxes. Many organisations have a false sense of security believing that a single cloud email vendor can provide the appropriate security measures to ensure protection from email threats. This quarterly ESRA report strongly indicates the need for organisations to consider third party email security services to more effectively secure their email and increase their overall cyber resilience.
Late last year, Mimecast commissioned Forrester Consulting to evaluate drivers of cloud-based email adoption and to evaluate their related business concerns and expectations. The report, titled ‘Closing The Cloud Email Security Gap’, revealed that only 5% of respondents are very confident in the overall security capabilities of their chosen email cloud provider. In fact, 44% of respondents said they would review the security implications of their cloud provider more thoroughly if they were to deploy a cloud-based email platform again. In this report, Forrester Consulting recommended that to enhance their cyber resilience, these organisations should leverage a third-party security services provider to defend against all forms of email-borne threats.