No phishing in this pond
“We have an email security system so we’re safe.”
The famous last words of many business owners throughout the UK. Cyber security has cost the UK an estimated £26 billion, with phishing being the most common type of attack, affecting more than 1 million businesses last year.
Phishing is a popular choice among cyber-criminals for many reasons:
- It is an easy method for targeting a lot of people, with many recipients unknowingly forwarding the phishing email to colleagues and friends
- There are many phishing tools available online for little cost, enabling novice hackers to perform phishing attacks
- It can be used alongside ransomware and malware, relying on human errors rather than system vulnerabilities
The most effective way of preventing phishing attacks, impersonation attacks and other malicious email attacks is to block them from reaching employee inboxes. There are a number of software products that have been designed to perform this function, leading many organisations to think that their current email security system is sufficient to protect them.
However, a recent report by unified email management provider, Mimecast, highlighted that not all email security systems perform equally. Unfortunately, many of these systems fall short and leave businesses wide open to attacks from malicious sources.
Working with 26,000 customers, the Mimecast ESRA (Email Security Risk Assessment) tested the Mimecast cloud security service against individual organisations’ existing email security systems. This test would allow organisations to see the relative effectiveness of both systems and become aware of the number, type and severity of any email-borne threats passing through the existing email security system.
It is critical to understand that the Mimecast security inspections occurred passively after the existing email security system executed all of its security filters. Therefore, all emails that Mimecast inspected had been deemed safe by other systems.
The findings of this study were highly concerning.
In total, 45,095,991 emails were inspected by Mimecast after passing the security systems of other providers. Of these emails:
- Almost 11 million were caught by Mimecast as spam
- Over 8,500 were caught by Mimecast as dangerous file types
- In excess of 2,000 were noted by Mimecast as having malware attachments
- More than 9,700 impersonation attacks were also detected by Mimecast
45,095,991 emails were deemed safe by existing email security systems. After being inspected by Mimecast, just 34,203,562 emails were deemed safe to reach user inboxes. That is a huge difference, which could have even bigger implications for businesses.
These findings go to show that whilst many organisations think their current email security systems are able to protect them, in particular from more sophisticated attacks, this is not always the case. It is important for businesses to seek specialist advice, from experts who understand email security software and how best to protect the organisation. Mimecast has committed to continuing the ESRA tests and it will be interesting to follow any future reports, looking at how the industry responds to the ESRA test findings.