80% of Organizations Experienced an Email-Related Security Breach Last Year

OPSWAT has released the 2024 Report: Email Security Threats Against Critical Infrastructure Organizations. The research was conducted with Osterman Research, known for its in-depth analysis of emerging trends and technologies in IT security and data management. The study surveyed IT and security leaders working within critical infrastructure industries and found that 80% of organizations experienced an email-related security breach over the past year, while 63.3% of respondents acknowledged that their email security approach needs to be improved.

Email is a necessary tool for communication and productivity across all sectors, but it is also the primary attack vector for cyber threats, with attackers exploiting it through phishing attempts, malicious links, and harmful attachments. Once a message is opened, these threats can cascade through networks, jeopardizing both IT and operational technology (OT) environments. Alarmingly, more than half of respondents treat email messages and attachments as benign by default, failing to account for the risks inherent in email.

Key takeaways from the research include:

Up to 80% of organizations in critical infrastructure sectors have been the victim of an email security breach in the past 12 months
Per 1,000 employees, the organizations in this research experienced 5.7 successful phishing incidents per year, 5.6 account compromises, and 4.4 incidents of data leakage, among other types of email security breaches. Organizations in critical infrastructure sectors are highly attractive to cyberthreat actors and are under constant attack.

Email is the primary cybersecurity attack vector in critical infrastructure sectors
A median of 75% of cybersecurity threats against organizations in critical infrastructure sectors arrive via email. For two out of three organizations, the share of cybersecurity threats arriving by email ranges from 61% to 100%.

Success metrics for email security are low
48% of the critical infrastructure organizations in this research are not confident that their current email security protections are sufficient against email-borne attacks. Only 34.4% are fully compliant with the email-related regulations that apply to them, e.g., GDPR and other privacy regulations. And 63.6% are not confident that their approach to email security is best in class.

Threat levels for all types of cybersecurity attacks are expected to increase, with phishing, data exfiltration, and zero-day malware attacks leading the way
Over 80% of organizations expect threat levels of all email attack types to increase or stay the same over the next 12 months.

Most organizations do not approach email as malicious by default
More than half of the critical infrastructure organizations in this research operate from the assumption that messages and files are benign by default, or attempt to operate from the contradictory position of treating them as both benign by default and malicious by default. Many more firms need to embrace zero trust approaches for email security.

Organizations aspire to be dramatically better—and rapidly, too
While current email security efficacy metrics are low, aspirations run high for a dramatic and rapid shift. Only 52.0% of organizations are confident in their current email security protections, yet 74.8% aspire to reach that level of confidence within 12 months. In a similar vein, 84.8% of the organizations aspire, within the next 12 months, to have an approach to email security that protects them from emerging and as-yet-unknown email threats.

“These survey findings emphasize the need to adopt a zero-trust mindset. The prevalence of email-related breaches poses a significant threat to critical infrastructure organizations, necessitating a shift to a stronger, prevention-based perimeter defense strategy against established communication and data exchange channels,” commented Yiyi Miao, Chief Product Officer at OPSWAT.

The survey responses also revealed a major gap in the advanced email security capabilities that prevent threats from reaching users’ inboxes. Essential measures such as Content Disarm and Reconstruction (CDR), URL scanning for malicious signals, and anomaly detection within email messages are notably absent from many organizations’ defenses. In response to these critical challenges, OPSWAT reaffirms its commitment to equipping critical infrastructure organizations with cutting-edge, prevention-based cybersecurity solutions.

For access to the full report and additional findings, visit https://www.opswat.com/osterman-report.