A new international study highlights the significant financial cost and disruption caused by email-based security attacks.
Three-quarters (75%) of the organizations surveyed for the 2023 Email Trends Report say they have fallen victim to at least one successful email attack in the last 12 months, with those affected facing average costs of more than $1 million to recover from their most expensive attack.
Not only are these costs high; they are rising. According to 23% of those affected, the financial impact of attacks has increased dramatically over the last year.
Email remains a powerful attack channel. It is an accessible, effective, and low-cost tool for cybercriminals to use. Email-based attacks also continue to evolve, harnessing AI and advanced social engineering techniques for increasingly sophisticated and stealthy attacks. Barracuda’s research team has identified 13 types of email attack.
Disruption, damage, and loss
The findings of the study show unequivocally that the fallout from a successful email security attack can be significant and damaging.
The most widely reported effects were also the most severe — including downtime and business disruption (affecting 44% of those that had been hit); the loss of sensitive, confidential, and business-critical data (43%); and damage to brand reputation (41%).
Different industries were affected in different ways. Financial services organizations lost valuable data and money to the criminals, while for healthcare the costs of quickly restoring systems were significant. Manufacturing was particularly affected by the disruption of business operations.
Smaller companies were more likely to be affected by the loss of sensitive or critical data, followed by brand reputation damage. However, for the mid-size and larger organizations surveyed, the most common impacts were downtime/business disruption and loss of employee productivity. This could suggest that larger organizations have more established brands and reputation that can withstand an attack, but they are hit harder in terms of business continuity.
The risks of remote work
Regardless of company size or industry, however, organizations with more than half their employees working remotely faced higher levels of risk and recovery costs.
This could be because organizations can’t always consistently enforce security policies on remote workers to ensure maximum protection. They also need to enable remote access to business applications and critical data for employees to carry out their day-to-day jobs. This not only increases the attack surface available to cybercriminals, but it can also significantly delay detection, response, and recovery from cyberattacks.
Organizations feel they are not fully prepared
Most of the organizations surveyed (97%) feel they are not fully prepared to deal with top security threats. Around a third (34%) feel poorly prepared to deal with data loss or malware, and over a quarter (27%) say the same about ransomware. In fact, 28% feel they are not even prepared to deal with less complex threats such as spam. Larger organizations feel less prepared to deal with most threats across the board.
But it is not all bad news
Overall, organizations feel better prepared to deal with some of the more advanced threats like phishing, spear phishing, and ransomware than they were when we last surveyed the impact of email attacks three years ago.
The new study also found that 26% overall had increased their email security investments, and 89% felt their systems and data are more secure than 12 months ago. Growing awareness and understanding of email risks and the need for robust protection is a positive starting point for email security in 2023.
“Email is a trusted and ubiquitous communications channel, and that makes it an attractive target for cybercriminals. We expect email-based attacks to become increasingly sophisticated, leveraging AI and advanced social engineering in their attempts to get the data or access they want and evade security measures,” said Don MacLennan, SVP, Engineering & Product Management, Email Protection, Barracuda. “Email-based attacks can be the initial access point for a wide range of cyberthreats, including ransomware, information stealers, spyware, crypto mining, other malware, and more. It is not surprising that IT teams around the world don’t feel fully prepared to defend against many email-based threats. Growing awareness and understanding of email risks and the robust protection needed to stay safe will be key in keeping organizations and their employees protected in 2023 and beyond.”
The survey was conducted for Barracuda by the independent research firm Vanson Bourne, and questioned IT professionals from frontline to the most senior roles in companies with 100 to 2,500 employees, across a range of industries in the U.S. and in EMEA and APAC countries.
This is a great article with both fascinating AND terrifying stats! But these stats are relevant to nearly every conversation MSPs should be having with prospects and customers.
Awareness and training are key to preventing this disruption.
Great article and excellent information to create awareness.
These numbers get people's attention to this important issue.
Great article with interesting stats.
“97% feel they are not fully prepared to deal with top security threats” << substantial red flag and an opportunity for all of us to leverage the importance of cyber awareness training and having a plan in place.
Great article, and thank you for sharing these stats!
A lot of these points have helped us sell Barracuda Email Security products.
I have a customer that had an interesting scam happen to them. To the best of our knowledge, the scammer got into one of my customer’s vendors’ systems and shuffled around in their emails to see who their clients were, registered an identical domain, but replaced a lowercase L in the domain with an uppercase I, so when you looked at the domain (if you looked at the domain) it appeared to be identical. Unfortunately, they were able to scam a few thousand dollars out of my customer by pretending that some open invoices had not been paid. There were multiple failures on both ends; my customer should have done more due diligence than just paying up, but still, it shows the extent of what people will do for money.
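The lookalike-domain trick described in the comment above (an uppercase I standing in for a lowercase l) is something a mail gateway rule or a SIEM query can catch mechanically, by collapsing visually confusable characters before comparing a sender domain against the vendor domains you actually do business with. The following is an added example and is not code from the original page, from Barracuda, or from the commenter. The trusted vendor list and the From: headers are constructed for illustration, and the confusable-character table is a deliberately small assumption that you would extend for your own fonts and threat model.

```python
"""Flag sender domains that look like a trusted vendor domain.

Added example, not code from the original page. Vendor list, sample
headers and the confusable table are constructed assumptions.
"""
from email.utils import parseaddr

# Constructed for this example: domains of vendors you actually pay.
TRUSTED_DOMAINS = {"acmesupplies.com", "northwindlogistics.co.uk"}

# Single-character confusables. Applied BEFORE lowercasing: DNS is
# case-insensitive, so an uppercase I only fools a human, never a resolver,
# and lowercasing first would turn "I" into "i" and hide the trick.
_CHAR_MAP = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "5": "s"})

# Multi-character confusables, applied after lowercasing.
_SEQ_MAP = [("rn", "m"), ("vv", "w")]


def skeleton(domain: str) -> str:
    """Reduce a domain to roughly what a human eye perceives."""
    s = domain.strip().translate(_CHAR_MAP).lower()
    for src, dst in _SEQ_MAP:
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to also catch dropped or added letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, sender_domain, matched_trusted_domain_or_None).

    verdict is one of: trusted, lookalike, unknown, invalid.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("invalid", addr, None)
    domain = addr.rsplit("@", 1)[1]
    if domain.lower() in trusted:
        return ("trusted", domain, domain.lower())
    sk = skeleton(domain)
    for t in trusted:
        tsk = skeleton(t)
        # Same skeleton but a different raw name is the homoglyph case;
        # distance <= 1 additionally catches simple typosquats.
        if sk == tsk or edit_distance(sk, tsk) <= 1:
            return ("lookalike", domain, t)
    return ("unknown", domain, None)


def scan(headers):
    """Classify a batch of From: headers; returns a list of verdict tuples."""
    return [classify_sender(h) for h in headers]


if __name__ == "__main__":
    # Constructed sample headers; the second one is the attack from the comment.
    samples = [
        "Accounts <billing@acmesupplies.com>",
        "Accounts <billing@acmesuppIies.com>",   # uppercase I, not lowercase l
        "AP Team <ap@acmesupp1ies.com>",
        "AP Team <ap@acmesuplies.com>",
        "Someone <x@example.com>",
    ]
    for verdict, dom, match in scan(samples):
        print(f"{verdict:10} {dom:28} matches={match}")
```

Run it on the From: addresses of any message that asks for payment or a change of bank details; a `lookalike` verdict is a hard stop until the request is confirmed with the vendor through a phone number you already had on file, which is the due diligence the comment itself points to.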