Survey Reveals Lack of Anti-Phishing Measures at U.S. Businesses

Phishing is now the number one cyber threat faced by businesses, but in spite of the high risk of phishing attacks occurring, businesses have been slow to respond to the threat and implement cybersecurity solutions to reduce the risk of email-related data breaches.

A recent Valimail-sponsored survey has shown that anti-phishing defenses are lacking at many U.S. businesses. The survey was conducted on 650 IT/IT security professionals by the Ponemon Institute. The companies had an average of 1,000 employees with an average annual email security and fraud prevention budget of $2.5 million.

The high risk of email-based attacks was made abundantly clear. 79% of respondents said that they had experienced a data breach or cyberattack in the past 12 months that certainly or likely involved email, such as a business email compromise attack or a phishing incident.

80% of respondents said they were very concerned about their organization’s ability to prevent or reduce email-based attacks and 53% of respondents admitted that preventing phishing attacks was very difficult.

Even though the risk of attack is high and breaches have been experienced, only 29% of respondents said their organization had taken significant steps to tackle the threat from phishing and email impersonation attacks. More than one fifth of firms (21%) said they had taken no steps to reduce the risk of phishing attacks.

When asked about the anti-phishing defenses that had been implemented, 69% of respondents said they had implemented anti-spam or anti-phishing filters and 56% used secure email gateway technology. Only a third of respondents (34%) said they provide anti-phishing training for employees. Even fewer have implemented Domain-based Message Authentication, Reporting and Conformance (DMARC) (29%) and Sender Policy Framework (SPF) (27%) to detect and prevent email impersonation attacks.

The high number of phishing attacks and data breaches appears to have spurred many businesses to make improvements to email security. In the next 12 months, 65% of respondents said their company will be investing in anti-spam filters, 63% will be using secure email gateway technology, 47% will be using SIEM technology, and 57% will be providing anti-phishing training to employees.

Only 35% will be adopting DMARC and 23% said they planned to implement SPF. Approximately two thirds of companies would consider implementing an automated DMARC enforcement solution if it could completely stop impersonation attacks that spoof email domains and block inbound email from unknown and untrustworthy senders.
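The gap between publishing a DMARC record and actually enforcing it is what the "automated DMARC enforcement" figure above is about: a record with p=none only reports on spoofed mail, and a pct below 100 applies the policy to only part of it. The checker below, an added example rather than anything from the survey or Valimail, classifies DMARC TXT records by enforcement level; the domain names and records are constructed samples.

```python
# Policies that act on failing mail; p=none only generates reports.
ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into tag/value pairs.
    Returns {} if the TXT record is not a DMARC record at all."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def assess_dmarc(record: str) -> dict:
    """Report whether a DMARC policy enforces against domain spoofing.
    pct defaults to 100 and sp (subdomain policy) defaults to p, per RFC 7489;
    a pct below 100 means only a sample of failing mail is acted on."""
    tags = parse_dmarc(record)
    if not tags:
        return {"present": False, "policy": None, "subdomain_policy": None,
                "pct": 0, "enforcing": False, "reporting": False}
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # malformed pct is treated as the RFC default
    return {"present": True,
            "policy": policy,
            "subdomain_policy": tags.get("sp", policy).lower(),
            "pct": pct,
            "enforcing": policy in ENFORCING and pct == 100,
            "reporting": "rua" in tags}


# Constructed sample records for the stages a typical rollout passes through
# (monitor-only, partial enforcement, full enforcement, no DMARC at all).
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@enforced.example",
    "no-dmarc.example": "v=spf1 include:_spf.example -all",
}


def enforcing_domains(records=SAMPLE_RECORDS) -> list:
    """Return the sample domains whose DMARC policy actually blocks spoofed mail."""
    return sorted(d for d, r in records.items() if assess_dmarc(r)["enforcing"])


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain}: {assess_dmarc(record)}")
```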

39% of respondents said their company was not spending enough on email security to stop phishing and email impersonation attacks, with budget constraints being a major hurdle that must be overcome.

56% of respondents said that it would likely take a serious hacking incident to get a budget increase to pay for improvements to email security. 65% said that the board would likely be swayed by concern over the loss of customers due to a security incident and 47% said concern over loss of revenue due to a security incident could result in a budget increase.

When asked how much difference a 20% increase in their email security budget would make, respondents estimated it would improve the email threat detection rate by 45% and the phishing/impersonation attack prevention rate by 33%. Without sufficient investment in email security, costly email-related data breaches are likely to continue.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.