Mimecast’s The State of Email Security Report 2022 - The Findings
Mimecast has just released its sixth annual State of Email Security Report. The recent report shows 2021 as the worst year on record for cybersecurity, with increased apprehension over what is to come. However, the insights and takeaways from the report can help you to deliver continuous improvements to your cyber resilience strategy and to be better prepared for the challenges that lie ahead. In this key findings report, we will be using statistics specific to Australia. However, if you would like to find out the global statistics, you can download the report here.
Why Cyber Threats Escalated in 2021
Cybercriminals took advantage of organisations' reliance on email and collaboration tools during the COVID outbreak in 2020. The reliance on digital communication carried over into 2021 and cybercriminals stepped up their attacks in response.
In 2021, email-based threats continued to evolve and became increasingly sophisticated. Phishing and Business Email Compromise (BEC) attacks were widespread. However, the cybersecurity threat that dominated was ransomware. As a result, the number of publicly reported data breaches soared past last year’s total and the global average cost of a data breach rose by 10%.
Key Findings in Australia
This year’s report focused on the dominance of ransomware, brand spoofing, and the importance of cyber resilience and security awareness training. The following summarises the findings in these core areas.
1. The Dominance of Ransomware
Ransomware attacks rose rapidly in Australia in 2021, up more than 10%, from 64% of respondents in 2020 to 77% in 2021, and it looks like this threat vector is here to stay. Ransomware was more pervasive for all countries and all industries than it was the previous year and analysts predict that the frequency of these attacks will continue to rise.
There were some notable differences in the response to ransomware attacks in 2021 for different countries. In Australia, when faced with a ransomware attack, six out of ten companies paid the ransom, which is similar to the global average. However, 30% of these companies failed to recover their data, which is lower than the 39% global average.
2. The Rise in Brand Spoofing and Impersonation
Online brand spoofing and impersonation rose persistently during 2021, with almost half of all participants reporting an upswell. In Australia, 59% of respondents reported misuse of their brand via spoofed email and 51% via spoofed web domains and websites.
The seriousness of the rising threat is shown by the increasing defences being put in place. Common measures include in-house or third-party services to detect instances of brand mimicry and counterfeit websites. Meanwhile, companies have been readying themselves to deal with attacks. Another growth area has been the use of Domain-Based Message Authentication, Reporting and Conformance (DMARC). 90% of Australian companies are making use of DMARC to protect their brands or plan to do so over the coming year.
3. The Need for Cyber Resilience
This year’s report shows that companies are taking cyber resilience more seriously than ever before. In Australia, 95% of companies either have a cyber resilience strategy or are actively planning to put one in place. However, faced with the pervasiveness and perniciousness of current attacks, cybersecurity professionals have redefined what it means to be cyber resilient. With these new goalposts in mind, only 34% of Australian businesses currently have an effective strategy in place compared to 51% in 2020.
One reason why companies have been slow to deploy cybersecurity measures and strategies has been budgetary limitations. Around 14% of IT budgets in Australia were allocated for cyber resilience, but respondents in Australia believe that 18% should be allocated. While this might not seem like a big difference, 93% of respondents felt the budget shortfall directly impaired their cyber resilience: 52% felt it resulted in a lack of investment in cybersecurity training and 51% felt they missed out on improvements to existing cybersecurity solutions.
4. The Importance of Security Awareness
Even the most carefully planned cyber resilience strategy can fall short if the company’s employees are unprepared to respond to threats. Australia saw a higher-than-average increase across all email-related attacks: 58% email-related phishing, 50% BEC, and 50% internal threats or data leaks, which makes security awareness training fundamental.
More than 80% of respondents believe their company is at risk due to inadvertent data leaks by careless or negligent employees. However, even though a large percentage of security breaches involve some degree of human error, it is unfair and unreasonable to blame the people who committed those errors. The real issue is whether they were properly prepared to deal with those threats. In Australia, only 23% of companies provide cyber awareness training to their employees on an ongoing basis, although 85% offer it at least once a quarter.
How to Prepare for Future Security Challenges
It is not only things in the physical world that need protection. As we work and live in a digital economy, digital assets must be guarded too. Whether it is account numbers, customer information or transaction data, everything has value. Unmonitored email, unencrypted data, and untrained employees are a big invitation to cybercriminals. To be prepared for the future, you need to not only be aware of the threats but to build the cyber resilience to deal with them.
To find out more about the business risks, download the 2022 State of Email Security Report. Alternatively, to find out how we can help you to secure your email ecosystem, contact InfoTrust today.