Email Security by the Numbers

Many organizations spend a considerable amount of time, resources and money securing the perimeter of their network. When it comes to email, however, the same fervor that went into ordering firewalls, intrusion detection and prevention systems, web application firewalls, penetration tests, endpoint security and even data encryption comes up short.

From the network security expert’s point of view the mail servers sit behind the firewall or in the DMZ, so they are as secure as they need to be. The operating systems are patched and the machines run anti-virus software with the latest signature database, so what more could you ask for? Anti-spam filtering? No need for anything more than a list of words to filter and domains to block, right? After all, spam is dead.

It’s unfortunate, but true, that a majority of managers and executives understand security threats only when they are glamorized or newsworthy. Anonymous launching a large-scale distributed denial of service attack against major credit card companies makes the mainstream news, so what do people look for? Ways to prevent DDoS attacks from taking down their business web site. Social networking accounts are compromised, so what is the immediate reaction? Two-factor authentication becomes the silver bullet.

But when you look at the root of most recent attacks, email is the source. Whether the attack tricked a user into giving up their login credentials or an attachment loaded malware onto the victim’s computer, odds are an email message was used to deliver the payload.

If you find that you are having trouble getting your bosses to understand the need for greater email security due to a lack of sensationalized news stories, try running these statistics by them to see if they still shrug it off as not important:

91 percent of Advanced Persistent Threat attacks start with a spear-phishing email

As we stated earlier, almost every serious breach can be traced back to an employee falling for a spear-phishing scam. Anti-spam filtering solutions that aren’t up to par are useless when it comes to identifying these carefully crafted malicious messages and the dangerous payloads they carry. A simple content filter won’t do the trick if it only looks for misspelled words, all caps and the names of common pharmaceuticals. To be effective, anti-spam filters have to be intelligent enough to analyze the message and compare it to common attack vectors.

63 percent of malware delivered to large enterprises came through email

Scanning USB drives and banning portable hard drives from the office helps, but it does not address the larger issue. Emails deliver malicious software into your organization every day through attachments. Not included in this 63 percent are the emails that contain links to malicious web sites, which infect visitors via drive-by downloads and other malicious scripts hosted on the site. Unless these issues are addressed with solutions that can identify malicious attachments and links, your organization will remain at serious risk of a breach.
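To make the contrast between a word-list filter and a filter that looks at message structure concrete, here is an added Python example (not code from the original post): the spear-phishing message it parses is constructed, the domains in it are placeholders, and the anchor regex is adequate only for that constructed sample.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample (not a real message): a lure with none of the classic spam
# tells, but a link whose visible text and href disagree and a disguised executable.
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example-corp.com>
Subject: Password expiry notice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. Please sign in at
<a href="http://login.example-corp.com.evil-example.net/sso">https://login.example-corp.com/sso</a></p>
--b1
Content-Type: application/octet-stream; name="Policy_Update.pdf.exe"
Content-Disposition: attachment; filename="Policy_Update.pdf.exe"

--b1--
"""
SPAM_WORDS = ("viagra", "cialis", "lottery", "winner")
DANGEROUS_EXT = (".exe", ".scr", ".js", ".vbs", ".bat")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S)  # sample-only; use an HTML parser in production

def naive_filter(raw):
    """Word-list filter of the kind the post criticises: looks only for crude spam vocabulary."""
    msg = message_from_string(raw)
    text = " ".join(p.get_payload(decode=True).decode("utf-8", "replace")
                    for p in msg.walk() if p.get_content_maintype() == "text")
    return [w for w in SPAM_WORDS if w in text.lower()]

def structural_filter(raw):
    """Judges structure instead of vocabulary: attachment type and whether links say where they go."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(DANGEROUS_EXT):
            findings.append(f"executable attachment: {name}")
        if part.get_content_type() == "text/html":
            for href, shown in ANCHOR_RE.findall(part.get_payload(decode=True).decode("utf-8", "replace")):
                shown = shown.strip()
                if not shown.startswith(("http://", "https://", "www.")):
                    continue  # only judge links whose visible text claims a destination
                shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
                if shown_host != urlparse(href).hostname:
                    findings.append(f"link shows {shown_host} but goes to {urlparse(href).hostname}")
    return findings
```

The word list passes the sample clean, while the structural checks flag both the mismatched link and the double-extension attachment.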

76 percent of network intrusions exploited weak or stolen credentials

When your users are sent emails that look legitimate and are taken to a site that looks legitimate, odds are they will offer up their username and password without reservation. Many spear-phishing attacks are built to do exactly this. By carefully crafting emails and login pages to look identical to those of your organization or its partners, criminals can dupe even the most savvy user into handing over credentials if the right emotional triggers accompany the request.

75 percent of all attacks were opportunistic

The targets of these attacks are not just the IT administrator with access to the servers or the Chief Financial Officer who can see all of the organization’s financial data. Victims are chosen at random from all levels of the organization because all the attacker is looking for is a way in to establish a foothold. Once inside, they can work their way through the network until they find what they are looking for, even if it takes months. That’s why they are called Advanced Persistent Threats.

The fact of the matter is that unless an organization treats email security as at least as important as, if not more important than, securing assets that just aren’t viable targets anymore, that organization will always be at risk.

Written by Jeff


  1. Nerissa · May 16, 2013

    An interesting way of presenting these statistics to your big bosses is by coming up with a visual presentation. Let their eyes feast on the numbers and facts. You can even include simple illustrations that point out incidents that have happened to your company or to another group or individual you know. Also paint a picture of a worst case scenario so that they’ll have an idea what can really happen if they continue to take email security for granted. It’s better this way so that the big bosses will understand what the fuss about email security is all about.

  2. Alvin · May 23, 2013

    The numbers are saddening, but what makes things a lot worse is the fact that these companies are not spending enough for protection. On the one hand, though, I cannot completely blame them. For one, the costs of IT security are very high. Second, most of those who control the budget don’t have enough of an idea how serious these threats are and their possible impact on their business functions.

  3. Donnie · May 29, 2013

    I wish there were also clear statistics on the impact of non-education on spam. I think proper knowledge about what spam is and how to handle it is very important as far as fighting security threats goes. In fact, all those IT technologies are worthless if the users don’t know how to maximize them.

  4. Collins · June 2, 2013

    63 percent of malware delivered to large enterprises came through email — there are two things enterprises can do about this. One, educate the users about the harmful effects of wrongful e-mailing, especially if they use corporate mail. Second, create policies about e-mailing and secure the network. You won’t make a lot of employees happy, but it protects your business and important assets.

  5. Cons · March 3, 2014

    @Nerissa: I love your idea of a visual presentation. I think it is an effective (and attractive) way of showing the real story of spam. One can even use real photos for the presentation. Or, if you want to go a step further, go for a simple dramatization. This will definitely open the eyes – and minds – of the big bosses! Then go on and suggest an awareness campaign or a seminar to help educate employees. Creating email policies should then be the final step. All these should be done in the presence of the big bosses so they will know what the real picture really is.
