We have noticed a dramatic increase in cybercrime this year and would like to encourage all our customers to take cybersecurity very seriously. Mimecast’s seventh annual State of Email Security (SOES) report makes for sober reading.
As usual, email remains cybercriminals’ primary route of attack. Corporate reliance on email continues to grow, and with it the number of email-based threats. But while the rising volume of threats is a problem, their growing sophistication poses an even greater danger. “Cybercriminals continue to refine and adapt their strategies,” states the report, and those strategies are mostly about tricking the human being at the other end of the inbox.
Widely cited estimates attribute over 95% of all data breaches to human error. This state of affairs leads to an obvious conclusion: the single most important step any organisation can take to improve its cybersecurity is to foster a culture of cyber awareness.
Microsoft offers a certain level of security through Multi-Factor Authentication and the Authenticator app, which we strongly recommend that all companies with in-house IT support enable. However, the built-in protection of both Microsoft 365 and Google Workspace is widely regarded as insufficient on its own. Nearly half of malicious email attachments are in fact Microsoft 365 files (Word, Excel and other Office documents), which native filtering lets through routinely. So even with professional email, additional layers of protection, such as Domain-based Message Authentication, Reporting and Conformance (DMARC) for your own domain and a filtering service such as Microsoft Defender or Mimecast, are becoming necessary.
The three main forms of email attack remain constant. Below is a short description of each, with some take-homes from the SOES report:
Phishing is the fraudulent practice of sending emails or other messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
There were an estimated 255 million phishing attempts in 2022, a 61% jump over the prior year. Worse yet, more than 70% of these emails were opened by the recipient.
Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid.
Two-thirds of this year’s SOES respondents reported falling victim to ransomware, with the bulk of these being smaller companies with 250 to 500 employees. Certain industries were targeted in particular: consumer services, energy, healthcare, and media and entertainment.
Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source.
Email spoofing remains a serious risk, and web domain spoofing is also widespread. And while nearly nine out of ten SOES respondents say their companies are interested in using DMARC in the next 12 months to thwart email spoofing, well under one-third have actually deployed it. Note that DMARC protects recipients from mail forged in your domain’s name; it only protects your own inbox to the extent that the domains being impersonated have deployed it too, and only if the published policy is actually enforcing rather than monitor-only.
On average, it takes 212 days to detect a data breach and another 75 days to contain it, so a compromise can be a slowly unfolding nightmare. It is in your best interest to educate your employees about the risks and the most common types of attack, and they in turn should understand that cybersecurity isn’t just an IT issue but something that affects them personally and for which they are directly responsible. Please remind all users that no serious business would ever phone or send an email asking a user for their credentials (username and password).