2018 Survey: Email Security Benchmark
In this 30-minute webinar, GreatHorn CEO and co-founder Kevin O’Brien highlights the findings from a June 2018 survey we conducted of 295 professionals to understand the current state of email security in terms of environments, threat prevalence, remediation frequency, and importance within the wider security landscape.
LORITA BA: Hello, everyone. Thank you for joining our 2018 Survey: Email Security Benchmark Webinar. My name’s Lorita Ba, and I’m the Head of Marketing at GreatHorn, and I’m joined here by Kevin O’Brien, our CEO.
KEVIN O’BRIEN: Hi there.
LB: So today we’re going to be talking a little bit about the survey that we put out last week. It was a survey of about 300 people, taken from a number of different sources. We were really taking a look to try to understand what some of the trends and challenges are, with regard to email security, within different audiences, and then understand what some of the benchmarks were with regard to it. Before we get started, though, I’m going to go ahead and switch to the next slide and talk through a few of the logistics. Specifically, you will be on mute during the call. There is, however, a Questions Panel on the Go-To-Webinar control panel, probably on the right of your screen. So please feel free at any time to enter your questions into that box. The webinar is being recorded and will be available for replay. We will be sending out an email with the recording and the slides, as well as a copy of the report, if you have not yet seen it, after this call. And with that, I’m going to go ahead and turn it over to Kevin. Kevin?
KO: Great. Thanks, Lorita. And thank you, everyone, for joining. Looking forward to having this conversation and talking a little bit about the trends that we’re tracking and the survey, the results that we had from it and some of the findings that were in some ways surprising and in others validating around what we have been seeing and saying for a number of years now.
To begin with, I think the table setting here is that phishing and the general space of email security continues to be one of the primary cyber security controls and concerns for every company, for every organization, worldwide. Now when we founded GreatHorn almost four years ago, there was a statistic from the Verizon Data Breach and Incident Report, the DBIR, which noted that 93 percent of all major data breaches began with an email security compromise or a phishing attack. This year, in the most recent version of the study, that number went up to 96 percent. And over the course of our time working in this space, we’ve seen the landscape of cyber threat around email security expand rather than contract. And one of the central tenets of the webinar that we’ll go over in detail today is why and how email security is a first-order concern, and why and how the various types of technologies that we’ve put in place to attempt to solve email security problems have not worked and we need to take a different approach.
When we think about what that problem looks like, obviously we have a vested interest. As a vendor who makes a cloud email security platform, focused on phishing, business email compromise, credential theft, and so on, we want to see organizations using the technology that we’ve built, that uniquely is able to identify, remediate, and protect against these threats.
But the survey and the work that we’re doing is backed up by independent research and that independent research, some of which we’re going to cover here and some of which I’ll reference in the talk track, note that business email compromise — and that is a subset of the phishing problem that is impersonation on a targeted basis; we’ll go into more detail around what that means in a moment — was responsible for nearly half of all Internet crime-driven financial loss. So this problem far outstrips everything else that leads to this kind of damage to an organization’s bottom line, and yet less than a quarter of those attacks are reported. And if you were to take any given company, one in 25 people will fall for them.
There’s a very interesting statistic that wraps around this and it comes from the analysts at Gartner, which is that if you look at white collar employees, knowledge workers, they will open — maybe not interact with, but read 100 percent of their professional email. And so put the stats together that one in 25 people will fall for any given phishing attack, and that every piece of mail sent to someone who in theory has an account that has access to corporate resources, to log-in systems that lead to Intranets, to corporate file stores — you have a massive problem.
So what we said was we want to go and gather some information, and we put together a survey over the course of a period of months, worked through June, and analysis happened in the month of July of 2018, looking at respondents who represented different parts of the market. These were three distinct sources for us — attendees of the Gartner Security and Risk Management Summit, so largely Information Security professionals; a wide range of end users, not necessarily Information Security professionals, from companies, of which there are many, that use GreatHorn — and an independent third party set of IT professionals, but not necessarily Information Security professionals.
And the table setting around this is that we looked at first the distribution and adoption of cloud-based email systems. When we look at these statistics, what’s notable here, and it’s on the bottom left of this slide, is really a set of two things — the first, for maybe the first time in as many surveys as have been done, we see cloud email systems overtaking on-premises email, literally hosted Exchange or traditional on-a-box-on-a-server-rack Exchange. That transition has taken quite a while, and compared to first- and second-wave cloud adoption, initially of backend infrastructure and then of core business services, we’re now seeing that the mechanism of communication for most professionals has moved into this cloud environment.
Secondly, across the distribution of customers whom we’re interacting with, we see a nearly two-to-one adoption rate of Office 365 versus Google’s G Suite offering. There is some distribution to be discussed there from a client basis, but in addition to our own customer set, we looked at the broader set of individuals who responded to the survey from the conferences that we attended and from third party sources, and that tracks with the macro understanding of O365 as being a tool that tends to be adopted mid-market enterprise, whereas we tend to see G Suite being used more down-market — but both of these offer a very strong cloud-native email security — sorry, email solution with built-in security for some of the traditional email threats, and as we’ll get to in a moment, some significant gaps around targeted attacks and phishing that is not just the broad-based, generic version that many users mischaracterize today.
So if we look at that and we start thinking about what that means from a business perspective, email threats: when we asked the two primary groups, the email security professionals and the laypeople, what they thought about the frequency with which email threats reached inboxes on a weekly basis, only 20 percent of those laypeople said that they were seeing threats on a weekly basis.
That was a significantly lower number than the email security professional segment, where they were over half the time reporting that threats were coming in on a weekly basis. That division is in part likely due to whether or not an end-user who received a threatening email or an email that could lead to a data breach, characterized that email or that instance of an attack as spam. Now I have the opportunity, given the nature of my role, to interact with many of our customers and many of the chief information security officers and information security teams from the clients whom we serve and there is a nearly universal problem where end-users conflate undesired gray mail, phishing, spear-phishing and credential theft, as simply a bad email.
Email security professionals are good at differentiating and understanding and establishing a matrix of risk around these different kinds of attacks, but laypeople simply don’t. And this, if you think back to one of the earlier statistics that we laid out, that only 17 percent of phishing campaigns are reported, makes sense. In part because laypeople do not have the ability to differentiate, absent some additional context, these different kinds of threats and say, ah, this is phishing and I should report it, versus this is spam and I should just click the spam button or the junk button.
However, the problem is so [10:00] frequent that we do not, in this data set, include any threats that are quarantined, so this is just the set of mail that’s reaching end-users. And if we were to include mail that had initially been quarantined and then either deliberately or inadvertently released into an end-user’s inbox, these numbers go up even further.
The net of all of this is that if you exclude explicitly spam and ask the same question of people; how often are you seeing email threats and call out some of the subdivisions? There continues to be an incredible divergence between the general population and information security professionals, and a third data set of laypeople who aren’t involved in email in any way. And presumably people are seeing the same proportion of threats; there may be some division based on seniority, certainly the data should flatten that out across the different distribution groups — and yet it is the reporting, it’s the awareness, it’s the ability to identify these threats that’s incredibly different, depending on where, when and how someone has been exposed to the nuances of email security.
Why are we talking about this? Well, the reason that we’re spending time on this is because if you look at this problem and you begin with the knowledge gap, you’re going to have a couple of immediate points that you need to address and the first is that email security professionals understand that there’s never a day when there is not a threat reaching someone on an inbox basis, or a week where there’s not a threat, reaching someone on an inbox basis — that is getting around any existing security.
However, laypeople not involved in email think that 31 percent of the time there’s just nothing bad happening in their mail. The general population inclusive of knowledge workers is about half of that. So we start with a problem of lack of understanding. But unfortunately, much of the market has then said, well, okay, that means that what we need to do is address this because we think that there’s, you know, a simple solution. And yet, impersonation attempts, the impersonation attempts that are not payload bearing, that don’t have a link, that don’t have an attachment, are the things that nearly 64 percent of the time are reaching users.
So it’s very hard to tell a user, I realize you may not understand all the nuances — don’t click on a link and think that’s going to solve the problem. Or don’t open a file; it might have ransomware in it — and that’s going to solve the problem. Because first those users aren’t aware of the differentiation between the different kinds of attacks that they receive, and secondly, they, when they do see an attack, are generally being convinced that that is coming from someone whom they trust.
Now, there’s some nuance around the different kinds of attacks that will reach an average layperson — impersonation of executives, very [apparent?] to a security professional; very hard to spot by a layperson, by someone who’s not looking at mail headers, not thinking about, is that really my colleague? Is that really my boss? Even more notable, when you start looking at wire transfer requests or credential theft, the gap between the educated professional and the typical user widens even further, and those kinds of attacks are directly related to damage to the bottom line or directly related to credential theft, which can lead to the vast majority of the sorts of major-implication, reportable security incidents that we see in the world.
So there’s a misnomer that then happens. There’s a belief that the answer to this problem, if we characterize the problem as being one of awareness, is to simply educate people, is to spend more time so that users are told, taught, in some way informed about the generic case of how to protect themselves. It doesn’t work very well. Your users aren’t stupid. It’s that non-payload-based attacks, for a typical individual, are a problem that you won’t solve by simply telling them that they need to be smarter. We have to arm them, we have to equip them in some way to be able to make better decisions, not just tell them that there are problems that they don’t know about.
And that starts to lead to how we start looking at a non-binary way of thinking about email threat. Users still have a binary — it’s spam or it’s not. We think, as professionals note, there are in fact five other categories of threat, and the ways in which we deal with them, the ways in which we articulate them, mean that we are going to have a very different set of strategies.
Security professionals are moving these email systems into the cloud and focused primarily on impersonation attacks, because those are the ones that are hardest for users to spot; secondarily on credential theft, because those are things where users who believe that this is an email or a document or something coming from someone whom they know and can trust click on the link and are going to give away those credentials — be it to the backend systems — and only in third place do they worry about the traditional problem of malware, a piece of ransomware.
We’ve tried, for a very long time, to solve this problem through the use of technology. Our panel used an average of three products in conjunction to guard against these kinds of attacks. Coming, as they do, from a legacy of an on-premise email server, they are nearly two times more likely to have a traditional mail transfer agent or secure email gateway in place. And so these are problems that are getting around the technologies that have already been invested in. Right? So if we think back two slides to the fact that most security professionals see impersonation, business service spoof and wire transfer request attacks, and almost parity between wire transfer and credential theft, getting around their existing security solutions, and most of these companies are moving from an on-premise gateway to a cloud environment, meaning they’re bringing with them a legacy of an on-premises system like a SEG — these are the kinds of attacks that get around SEGs. And so we have to start thinking about a different approach to identify these attacks.
The second most common thing that we saw was that these organizations, within the margin of error, across all those people we distributed to, relied on core platform functionality from Microsoft or from Google to try to solve this problem. Again, not working, because these same customers are reporting, at least from the professional side, massive numbers of impersonations and targeted attacks getting around the existing technologies. Secondly, that they’ve invested in user awareness and training; the idea that my users simply have to be told, admonished, taught not to click on things, not to do things — doesn’t work. Or say we’re using traditional firewalls and trying to manage the problem at the perimeter, fundamentally not different from a secure email gateway, which is a perimeter security control that blocks bad email from getting in, while the firewall approach tries to block bad traffic from getting out — let’s stop attacks by blacklisting IP addresses of destination sites.
It’s part of a strategy that we certainly would endorse, because there is a defense-in-depth component here, and in many ways, once you recognize an attack, shutting it down at the firewall level or the WAF level makes total sense, but the gap between identification and the initial attack delivery is too significant to rely on users self-reporting for an automated update of some blacklist in the firewall to pick this up. Remember, only 17 percent of users are aware enough to report phishing attempts, when they’re even able to recognize them and distinguish them.
So there’s a major problem here. And we need to acknowledge that the approach that we’re looking at from the traditional secure email gateway or perimeter security control perspective was designed for a different era. Most secure email gateways, especially the ones that we see being used by organizations in the mid-market and enterprise space, i.e. those that are now moving to Office 365, were built and used 15 to 20 years ago and were designed to ensure that archiving and deliverability, spooling and mail continuity were going to be in place when you still had an on-premise Exchange server from which someone could kick out the patch cable or accidentally reboot the system and prevent delivery.
All of the security functionality that began to be added onto that started with spam, because spam was — if you’ve been doing this as long as some of us, one of the woes of the late ’90s to early 2000s — and so these technologies evolved to first address that and then volumetric phishing, the generic “you’ve won a million dollars” or “I’m in receipt as a third world dictator of a bunch of money that I want to send to you — please give me all of your personal information” — those technological challenges have changed. The existing email security solutions are decently good at stopping those kinds of things, and they’re, of course, evolving and trying to keep up with the modern threat landscape, and there are companies that rely on them, but if you survey people they will say there are some foundational problems that cannot be solved simply through the use of that approach.
The first is that cloud email is different infrastructurally from on-premise email and internal threats — a compromised user account that sends mail between two people inside of the same domain, while in a modern cloud environment, that intra-tenancy means that the mail message from the compromised account — maybe it was compromised on an end point, maybe it was compromised on the user’s phone; maybe there was a credential that they gave away at some point and a database gets compromised through a third party and now it’s letting them log into it because there are password reuse — whatever the case might be, that piece of mail is not passing the MTA perimeter and ergo is not seen by a secure email gateway.
Internal threats, the intra-domain distribution of mail, are a major problem that many organizations cannot solve using traditional technologies. And the other answer, in terms of what’s being missed in fundamental technical issues, is that these traditional approaches have a false positive problem — once you subscribe to a binary model of saying some mail is bad, like spam, and some mail is good and should be allowed through, every time you make the wrong characterization you’re going to run into a heavy-handedness issue and it’s going to lead to significant numbers of false positives, quarantined mail — ask any sales professional if they’ve ever seen a message with a contract get stuck in a quarantine at the end of quarter; most have a horror story from somewhere in their past.
That’s what we mean by the “business operation side”. And then payload-free attacks: obviously we talk about the fact that information security professionals see 64 percent of their mail that’s bypassing any security solution they had in place reaching end users and then getting by those end users who don’t know to report this, meaning the report numbers are incredibly low for this attack type — that’s where we end up seeing that two-thirds-plus of these are getting through, because there’s nothing in them that gets picked up from a gateway perspective.
And correlated to that is that there are organizational challenges around remediation. If you’ve gone to O365 and you identify that a user gave away their password, well, how do you deal with that? I was speaking recently [23:00] with a customer of ours where they had this exact attack happen before they brought GreatHorn in, and they had a compromise, and part of the story for them was that although they had been relying upon some of the foundational protections of O365, once the account was compromised, that user was sending legitimate mail inside of O365; it just happened to be to a credential-stealing document that wasn’t getting addressed.
They had to first write PowerShell scripts that were used to turn off and rotate passwords for hundreds of users; that took a few hours to write and test, and that impacted hundreds and hundreds and hundreds of users — they did it overnight, because the attack happened late in the evening on a Sunday and not Monday morning, when they would have had to check their mail, couldn’t get in, and the Help Desk was flooded — this sort of remediation gap is one that is related to the fact that secure email gateways can’t claw email out; there have to be secondary and tertiary systems involved to deal with a remediation scenario, and it’s a foundational, technical problem; it’s not going to be solved so long as your email security approach relies on either training people or putting something up at the DNS perimeter. And then of course, 16 percent of the time people say, we just have to get better at doing this sort of adaptive malware analysis that we’re looking at.
Notable here — 20 percent of our respondents have to take direct remediation actions every single week. So if every one of those takes a series of hours to do, or involves two or three information security professionals, and you’re roughly seeing 20 percent of the time that that’s happening within your organization, you can do the math in terms of how many man-hours are being applied to this problem, what the value of that is, and you can see that there’s real economic harm, even if you have an information security team that is responsible for addressing these threats.
I think it’s no surprise then that most CISOs report that email security is a top three security initiative and it is more important than almost anything else. Unsurprisingly, the issues that email security gaps lead to are credential theft, which necessitates an identity and access management component of its defense strategy, and data security — because if I can get access to your credentials that are used for Office 365, I similarly have the ability to now go in and get access to your SharePoint environment, start exfiltrating sensitive data, and we need another level of protection, especially if we have regulated or financially significant information there.
So those two are both roughly 40 percent problems, but we see that email security still outstrips them and is not only more important than they are, it is more important than anything else on the chart. So where does that leave us? We’re currently at a moment where, looking at the benchmark, and this is available on our website and you can go to GreatHorn.com and download a copy of this research for yourself, and as Lorita mentioned, we’ll make the slides from this presentation available on SlideShare, there is a foundational information challenge in that we need to ensure that our end users have the ability to identify advanced phishing and malware threats and see contextually, that is within their mail inbox, where they’re going to be interacting with 100 percent of their mail, some awareness when an attack actually comes up.
Doing this well cannot rely upon pure information security awareness training, nor can it rely entirely on a gateway-based perimeter security model, but rather we need to now start thinking about how a nuanced approach or a holistic approach that differentiates different attack types and applies remediation capabilities automatically when possible, but efficiently when manual interaction is required, becomes a cornerstone for a modern approach.
We’re proud that GreatHorn was one of the first companies in the email security space to begin to make this argument; you’re seeing it get replicated now, which is exciting, and we continue to lead the market with our anomaly detection. If you’re interested in learning more about that, we’ll be running a webinar in the near future; you can sign up for it now, where we’ll be talking about our product specifically. That said, I think we do have a few questions and I’d like to turn things back over to Lorita and we’ll get through as many as we have time for.
LB: Thanks so much, Kevin. I want to remind everybody to go ahead and submit questions in the Go To Webinar control panel on your right. A couple of questions have come in. The first is — what are some of the other ways, outside of technology that we can mitigate risk beyond just stopping phishing attacks with technology?
KO: So what’s interesting about that question is that there’s a nuanced set of answers. But the very premise, stopping phishing — we aren’t going to stop phishing, and one of the things that we see is that organizations treat phishing as if it were the same as, say, virus infections of endpoints — well, you can effectively stop virus infections or malware infections of endpoints through isolation of process, through the right kinds of adaptive anti-malware, through some of the morphological versions of A.V. and endpoint protection that are coming out now. And so there is a presumption that we can stop this and just catch all the bad email. It’s not true.
And it will never be true. Email, remember, is a 47-year-old system. It is, in the words of a Gartner analyst, venerable but vulnerable, and will remain that way so long as we are still relying on email as a primary business communication system with no strong authentication layer — and no, SPF, DKIM, and DMARC don’t count, because for the end user they’re too technical and too opaque. So what you end up with is a need to say, how do we manage the security risk and how do we manage phishing?
And when you ask that question, what you start to find is that, similar to how we evolved, say, cloud access security broker companies or DLP companies, we create a risk metric and we make that risk metric available to an end user, so that they can make a decision in real time about whether a given message is safe to interact with — make that highly (inaudible) tool — marry that, certainly if you have one, with good information security practices, but rely in addition on having a way to do remediation when something does slip through the cracks, because that will always happen — seek out, from a cloud perspective, ways to do clawbacks of anything that starts to move through your environment that isn’t visible to traditional security products, and do so as efficiently and as business-operations-friendly as possible, and finally, have a strategy for implementing things like identity and access management and multi-factor authentication.
There are no silver bullets in security and there are no perfect solutions. But we can manage risk in a much better way when we acknowledge that, like any other part of business risk, security is something where investment and convenience are often on opposite ends of a spectrum, and depending upon role, sensitivity level of data, and the number and type of workers you have, you can put risk-appropriate controls in place.
LB: Given the perception gap that you’ve identified between the average user and security professionals, why wouldn’t I just use additional security awareness training to help solve this problem?
KO: So the fun thing about security awareness training is that it’s something that users will actually do. Right? If you send someone a video or you gamify the consumption of content, you will be in a position where you can get users to go and click through and take those courses or interact with their security awareness training. It feels really good. And users will do those things; they’ll pass certain thresholds that you set for being able to operate within their organization. That’s a compliance exercise. It should absolutely be done. If — and we hope it doesn’t happen — an organization has a major data breach and they can show that they invested in security, it is similar to how, if somebody, say, raises a labor and employment claim against an employer and the people who are involved have been given training about HR and how to deal with these things, you can demonstrate to your regulators or to the investigative services that get involved that your company cleared the bar of gross negligence and that you have done the requisite set of things to equip that individual to pass the threshold of “they should have known better.” This is good.
But if what you’re concerned about is not staying out of an orange jumpsuit, but rather it’s how do we make sure that we are protecting the core assets, the crown jewels of the business from breach? Whether that’s financial or intellectual property, now you need to say that security awareness training, which is a component of a compliance exercise, is not the same as investing in security that provides real time contextual incident identification and incident response. And we don’t take that approach in any other part of the market. Right? Can you imagine if the question was — well, I understand that people can distribute malware, but isn’t it enough that I just teach my end users not to open files they don’t recognize from the Internet? We don’t do that because we understand it’s absurd. But for some reason this market around email security, around this training, which is completely legitimate; it has a role to play — has been conflated with security control and they are fundamentally different.
LB: Okay, thanks, Kevin. You say then that, you know, the binary good/bad view is sort of the wrong way to look at it, these two extremes, and that that’s where a lot of the technology has come from — but you know, how else can you reasonably expect technology to help differentiate those threats, the “good” from the “best”?
KO: We’re in a very interesting time. I started my first company and was part of my first security company in 2000. I’ve had the opportunity to see really three different major waves of technology adoption, and where we are today is in a world in which we have effectively infinite computing power — when you used to start a company, I remember being part of one in the Boston area 11 years ago and we were building a data science model — we had a server rack and we bought servers; we bought them from a catalogue and had them shipped to our offices and we installed Windows NT or Unix systems on them — and then we ran them in the kitchen and you made sure that people didn’t accidentally bump into the power cord.
That limited the kind of technological prowess we could apply to any given problem, because server hardware was expensive and management was something that required professionals who were literally sitting in front of the machine. Today I can spin up effectively a supercomputing cluster on a cloud hosted infrastructure platform, like AWS or Azure or Digital Ocean, and do so in seconds, replicated, no less, to all of those boxes — in fact, as we move into a no-ops model, I can even take a serverless approach and you can get away from having to do even that level of work — containerization, the dev-ops movement — these things have commoditized processing power in a way that we couldn’t have envisioned 15 years ago.
So the binary model, the idea that I’m going to stand another server up in front of a server, is kind of outdated. We can get away from that black and white approach by leveraging the cheap and nearly infinitely available computing power we have available to us, and so things like — and it’s very buzzwordy today, but things like artificial intelligence and machine learning are driving innovation as well as some marketing and some noise, in part because we can now actually really do these things.
You couldn’t have done it reasonably or financially viably 15 years ago, but now you can. So imagine taking every email that a company that’s sitting in the space has ever seen and creating really detailed analytics and relationship analysis to figure out how like or unlike a safe email is this? Well, little pin drops of information — can I put together, amalgamate and turn them into something that I use to identify threat, and then marry that to the kinds of cloud-native automation and policy-driven response actions that we’ve come to expect in other parts of the market — that’s what we look at as being the difference, and you can think about it as the transition from a black and white binary model to a spectrum that runs from black to gray to dark gray, all the way through, and so now you start saying — I can’t tell you categorically that this is a bad email, that it’s spam. But I can certainly tell you that there are threat indicators in here or suspicious things, and as an end user, this is the moment when you should be a little bit more aware; you should be a little bit more cautious.
LB: Great. Thank you, Kevin. That’s it from a questions perspective for today. We wanted to keep this under 45 minutes, which we’ve just managed to do. I want to thank everybody for joining us for this webinar and to Kevin for presenting the data that we’ve found in the report. As I said earlier, we will be sending out these slides, as well as the report and the recording from this webinar, to all participants after this call. But if you have any interest in learning more about how GreatHorn handles these problems, please do sign up for that webinar that Kevin mentioned earlier. We run that webinar monthly; it’s An Intro to GreatHorn Webinar; it’ll include a demonstration as well. In the meantime, we hope you have a great afternoon and good luck securing your emails. Thank you. Bye-bye.