Recently we teamed up with research-firm Aberdeen Group to host a webinar discussing the obstacles email security currently faces as well as solutions that include a blend of advanced technology and human intelligence. In part two of a guest post series, Derek Brink, CISSP, vice president and research fellow at Aberdeen Group, argues why effective email security truly matters in today’s cybersecurity landscape.
Part one of Brink’s guest post series can be found here.
Yes, email security really matters.
At least, that would be my own assessment of the answer to this question. It’s really a question about the risk related to email security — and that means that the answer has to be framed in terms of both how likely it is for an undesirable outcome related to email security to happen in a given period of time, and how much business impact it could have if it does in fact occur. That’s just the proper definition of risk.
If we’re not talking about email security in terms of both how likely and how much business impact, we’re not really talking about risk. Too much of the time, IT and Security professionals tend to focus intensely on the technology-oriented details of “who, what, and how” regarding the latest threats, vulnerabilities, and exploits. The senior leadership team, however, is primarily interested in the business-oriented details of “how likely,” and “why it matters.”
The actual question is: Is the current risk related to email security unacceptably high? If yes, then the reason email security matters is that it can help to reduce the risk to an acceptable level.
Too Many Statistics, Not Enough Actual Discussion About Risk
This is the point where most IT and Security professionals — along with most solution providers, and even most analysts — tend to start sharing statistics. For example:
- Attackers — who are financially motivated, and technically sophisticated — continue to leverage phishing attacks to achieve their criminal objectives. Most (83%) organizations report having experienced phishing attacks over the last year, nearly all (94%) of which continue to use email as the most common attack vector.
- Email security, in the form of technology used in combination with human intelligence, is designed to detect and protect against phishing email attacks — yet inevitably, some attacks go undetected. Phishing relies on getting users to click on malicious attachments or links; pretexting relies on convincing users to voluntarily give up information or take action, for example by responding to the urgent request of an impersonated executive or business partner. Almost all (>95%) confirmed data breaches involved phishing and pretexting.
- User behaviors are another critical component of effective email security, representing the last line of defense against phishing attacks that evade detection and make their way into enterprise inboxes. Over the last year, user click rates on phishing email attacks ranged between 6% and 16%, depending on industry.
- Business impact, i.e., the directly observable consequences of successful phishing email attacks, is a critical part of what makes any of the above discussion really matter. Over the last year, half (49%) of successful phishing attacks resulted in malware infections, and two thirds (65%) resulted in compromised accounts — both of which negatively impact the productivity of users, as well as any technical staff required for remediation. One in four (24%) successful phishing attacks resulted in data breaches, i.e., the confirmed disclosure of an enterprise information asset to an unauthorized party.
Statistics like these are interesting, but they are not effective at communicating risk properly — that is, in terms of both “how likely” and “how much impact.”
If phishing email attacks are highly likely but rarely successful, the current level of risk may be acceptable. If successful phishing attacks are fairly common but the business impact of a data breach is relatively small, better email security may not really matter.
How to Frame and Answer the Question
In my day job at Aberdeen, I continue to make use of the growing body of empirical data regarding the likelihood and business impact of phishing email attacks to make a quantitative estimate of the risk, as risk is properly defined — i.e., not as a misleading, falsely precise, single-point estimate, but as a range of possible outcomes and their associated likelihoods.
In a quantitative analysis of this nature, several factors (e.g., click rates, likelihood of a data breach, total cost of a data breach) vary based on industry. Across the private sector as a whole (all industries), for an organization with 1,000 users and an information asset of 10M records, a straightforward Monte Carlo analysis shows that under the current approach to email security:
- The median total business impact of phishing email attacks is about $8.2M per year. However, there’s also a 10% likelihood that the total business impact of phishing email attacks in this scenario will be more than $37M per year.
The latter figure is the “long tail” aspect of the risk of phishing email attacks that is so important for IT and Security professionals to communicate effectively to the senior leadership team, to help them make a well-informed business decision regarding what to do about it.
- In the healthcare sector, the median total business impact of phishing email attacks is about $26M per year, with a 10% likelihood of exceeding $112M.
- In the financial sector, the median total business impact of phishing email attacks is about $9M per year, with a 10% likelihood of exceeding $56M.
- For the education sector, the median total business impact of phishing email attacks is about $10M per year, with a 10% likelihood of exceeding $46M.
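As an added illustration of the kind of analysis described above (my own Python sketch, not Aberdeen’s model or data), here is a small Monte Carlo simulation of the annual phishing loss distribution for the post’s 1,000-user, 10M-record scenario, reporting the median loss and the loss exceeded with 10% likelihood. The campaign counts, per-incident costs, and breach exposure fraction are constructed assumptions, so the dollar figures it produces will not match the ones in the post.

```python
import random
import statistics

# Scenario from the post: 1,000 users and a 10M-record information asset.
USERS = 1_000
RECORDS = 10_000_000

# Constructed model inputs (assumptions, not Aberdeen's data): mean number of
# campaigns that evade filtering per year, reach per campaign, and unit costs.
CAMPAIGNS_PER_YEAR = 40
MAX_USERS_PER_CAMPAIGN = 50
COST_PER_RECORD = 150.0  # USD per exposed record (assumed)


def simulate_year(rng, users=USERS, records=RECORDS):
    """One Monte Carlo trial: total phishing-related loss in USD for one year."""
    # Click rate varies 6%-16% by industry (range cited in the post).
    click_rate = rng.uniform(0.06, 0.16)
    # Poisson(CAMPAIGNS_PER_YEAR) campaign count via exponential inter-arrivals,
    # so the block needs only the standard library.
    campaigns, t = 0, rng.expovariate(1.0)
    while t < CAMPAIGNS_PER_YEAR:
        campaigns += 1
        t += rng.expovariate(1.0)
    loss = 0.0
    for _ in range(campaigns):
        targeted = rng.randint(1, min(MAX_USERS_PER_CAMPAIGN, users))
        clicks = sum(1 for _ in range(targeted) if rng.random() < click_rate)
        if clicks == 0:
            continue  # nobody clicked: the campaign failed, no impact
        # Outcome rates per successful attack cited in the post: 49% malware,
        # 65% compromised accounts, 24% confirmed data breach.
        if rng.random() < 0.49:
            loss += clicks * rng.uniform(500, 5_000)     # assumed cleanup per host
        if rng.random() < 0.65:
            loss += clicks * rng.uniform(1_000, 10_000)  # assumed cost per account
        if rng.random() < 0.24:
            exposed = min(1.0, rng.lognormvariate(-7.0, 1.5))  # assumed fraction
            loss += records * exposed * COST_PER_RECORD
    return loss


def risk_summary(trials=2_000, seed=1):
    """Report risk as a range: median annual loss and the loss exceeded with
    10% likelihood (90th percentile), which is the post's 'long tail' figure."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(rng) for _ in range(trials))
    p90 = statistics.quantiles(losses, n=10)[-1]  # nine cut points; last is p90
    return {"median": statistics.median(losses), "p90": p90, "max": losses[-1]}
```

Swapping in an organization’s own click rate, campaign volume and cost figures turns the same loop into the range-of-outcomes estimate the post argues should be presented to leadership instead of a single point.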
To the extent that the senior leadership team finds this level of risk to be unacceptably high, this kind of quantitative analysis also explains — in straightforward business terms — why more effective email security really matters.
It also helps to explain why the deployment of an advanced email security solution, from a specialist service provider such as IRONSCALES, is worth the incremental investment.
Derek E. Brink, CISSP, is a vice president and research fellow at Aberdeen Group based in Boston, where he covers all aspects of cyber security and IT GRC. He is also adjunct faculty at Harvard University and Brandeis University, where he teaches graduate-level courses on cyber security risk.