Eighty-nine percent of businesses experienced one or more successful email breaches in the last 12 months, resulting in high costs due to successful phishing attacks exploiting Microsoft 365 credentials.


Almost all security teams believe their email security systems are ineffective against the most severe inbound threats, including ransomware. This is according to a survey commissioned by Cyren and conducted by Osterman Research, which looked at business email compromise (BEC), ransomware, attacks that became costly incidents, and customers' preparedness to handle attacks and incidents.


In general, 71 percent of successful ransomware attacks occurred in the last three years, 49 percent of Microsoft 365 credential compromises occurred, and 44 percent of successful phishing attacks occurred.


Ineffective defensive strategies


Interestingly, the firms found that users continue to report suspicious emails through email client plug-ins, and that use of these plug-ins has increased. Organizations are now using an automated email client plug-in to report suspicious email messages, up from 37 percent in a 2019 survey.


The most common recipients of these reports are analysts from security operations centers, email administrators, and email security vendors or service providers, but 78 percent of organizations notify more than one group.


Additionally, user training on email threats is now available in most companies. According to the survey, more than 99 percent of companies offer training at least annually, and one in seven offer it monthly or more frequently. 


Furthermore, the survey revealed that organizations use at least one other security tool besides the Microsoft 365 basic email protections. However, the effectiveness of their implementation varies.


Organizations face high costs due to these kinds of holes and ineffective defences. The report states that there are also costs associated with post-incident remediation, manual removal of malicious messages from inboxes, and time spent triaging messages identified as suspicious that turn out to be benign.