U.S. Companies Not Doing Enough to Prevent Phishing and Email Impersonation Attacks

IT professionals are well aware of the threat from phishing and email impersonation attacks, yet even though the risk of an attack is high, U.S. companies are not doing enough to prevent them, according to a recent survey of U.S. IT professionals.

The survey was conducted by the Ponemon Institute on behalf of Valimail on 650 IT and IT security practitioners in the United States who play a role in protecting end users from email threats and securing email applications.

80% of respondents were very concerned about email-based threats and their ability to deal with those threats, yet only 29% of firms have taken significant steps toward blocking phishing and email impersonation attacks. At some businesses, the lack of any security solution to prevent these attacks is extremely concerning, especially considering the frequency of email-based attacks.

30% of respondents said they were certain they had experienced an email-related data breach in the past 12 months. 31% said that a data breach involving email had most likely occurred, and 18% said such a breach was likely to have occurred. Only 17% of respondents said a data breach involving email had not occurred in the past year.

Spam filters are the primary solution that businesses employ to prevent phishing emails from being delivered to their employees, and they are highly effective at blocking email-based threats, yet only 69% of firms use them. 31% of companies have no spam filter in place.

Even more worrying is the lack of security awareness training. Employees cannot be expected to detect phishing emails and other email-based threats without being taught how. Training is necessary to ensure employees know what signs to look for so they can identify phishing emails. The survey showed only 34% of companies provide anti-phishing training to their employees; 66% of companies provide no anti-phishing training whatsoever.

In addition to spam filters and employee training, other popular cybersecurity solutions include secure email gateways, SIEM technology, DKIM, DMARC, and SPF, yet 15% of companies have not implemented any of these measures to prevent phishing and email impersonation attacks and are incredibly exposed.

Just 27% of companies said they were aware of who was using their domains in the From field of emails, only 15% of organizations have created a security infrastructure or plan for email security, and 21% of companies said they were taking no steps at all to prevent phishing and email impersonation attacks. 39% of respondents said their company is spending enough to protect against email-based cyberattacks and fraud.

If businesses do not invest in email security solutions to block phishing and email impersonation attacks, data breaches are likely to occur. As a previous Ponemon Institute study showed, the cost of data breaches is likely to be far in excess of the cost of paying for cybersecurity solutions to prevent breaches. In 2018, the average cost of a breach of up to 100,000 records was $3.86 million.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news