Data to Support the Need for Email Security

dataMaking decisions driven by data and statistics makes perfect sense. If you have evidence to support your decision, or help steer you in the right direction, then the likelihood of making a bad decision lessens. For many of us responsible for email security and administration, the data suggests that we had better make sure we have adequate controls in place to prevent against malicious emails. If you haven’t seen the numbers regarding the email threat landscape, then some of these might shock you.


To begin with, let’s take a look at security in general; take email entirely out of the equation. The reason is, the threats to data, resources and intellectual property are what concerns those writing the checks for our security budget. Once we understand what is at stake, we will have plenty of time to tie in the role email plays in the bigger picture.

Attacks are on the rise

In the fourth quarter of 2012, malicious hacking attempts passed the 1 billion mark and the number of Advanced Persistent Threat attacks doubled from 2010 to 2011. These attacks have shown no signs of slowing down. Of course not all of these attacks were successful, but those who did breach security controls cost organizations $136 for each record compromised. So if 10,000 credit card numbers or customer records were accessed by an attacker the sum total would be $1,360,000. Not many large corporations would want to have to fork over that kind of capital and small to medium sized businesses would be devastated by losing that kind of money. But 10,000 is a low end estimate; in 2010 research from the Ponemon Institute showed that the average cost for a data breach was $7.2 million.

Targeted industries

One might expect that most attacks are launched against high profile industries like tech or finance. While they are high on the list, they were not the most targeted. In fact, more attacks were launched against the aerospace and defense industry and the energy industry than any others…

  • Aerospace and defense – 17%
  • Energy – 14%
  • Finance – 11%
  • Computer hardware/software – 8%
  • Legal and consulting – 7%
  • Media and entertainment – 7%
  • Telecommunications – 6%
  • Pharmaceuticals – 4%
  • All others – 25%

What’s interesting is that the media and entertainment industry saw a jump from 2 percent to 7 percent. As evidenced by recent attacks against the Wall Street Journal, New York Times and Washington Post, advanced persistent threat attacks are sometimes looking into what is being said or investigated about their sponsors – money isn’t always the end result.

Tying email into the equation

We have shown time and time again that 91 percent of all advanced persistent threats are able to breach their target through the use of a spear-phishing email. 94 percent of these rogue emails utilize common file attachments to mask the malware that they are actually delivering to their victims. By making their file attachments look like innocuous PDFs, Word documents or Excel spreadsheets, the bad guys are able to slip past anti-spam filters set up to stop malicious emails based on file extensions alone. If the technical controls were able to scour the file for anomalies, many of these emails would be stopped.

Like any threat, malicious emails aren’t reserved for those on the Fortune 500 alone. While 56 percent of organizations with over 1000 email users believe that they have been targeted by malicious emails, 42 percent of organizations with less than 1000 email users feel the same way. Worst of all, these numbers represent those willing to admit that they believe they have been targeted. More than likely, the numbers for both are much higher.

It would be nice right about now to list some numbers that show how easy it is for an organization to recover from a successful email borne attack. Even some quotes from real life victims would be encouraging. The sad fact is, these feel good stories don’t exist. The results of a data breach can be devastating. The can cost millions, but more importantly they can cost a business their reputation; and paying off fines won’ t make customers feel any better.

Feel free to take hold of these numbers and make them part of your next presentation or proposal, but don’t stop there. Dig around through some of the other posts here on The Email Admin and you will find all the evidence you need to help support your organization’s need for the best email security solution you can afford.

Data and statistics for this post come from an infographic produced by Firmex.

Written by Jeff


  1. David Black · June 28, 2013

    I was surprised to read the list of the most targeted sectors. I also thought tech would be higher on the list. What surprises me more, though is that governmental institutions are not included in it. I think they are also common targets and there is lots of data of interest in them as well.

  2. Steve · June 29, 2013

    How about BYOD? More people are now opting for it without really considering the security risks, especially since they are bringing their mobile devices just about anywhere. It’s not just about the malware. It’s about exposing your phone to thieves or losing it while in transit. These things can already increase security threats to several fold.

  3. Angela Maire · June 30, 2013

    Like David, I was surprised to find out which sectors were the most targeted. Honestly, I did not expect to see the aerospace/defense sector in number one. I guess this is proof that spammers are really evolving and have become more unpredictable. And like what you said, the attacks are not merely for money. Reputation is at stake in most cases nowadays (especially for the media). What does this mean for us? The same thing, actually: danger. A heightened one, though. Now more than ever, companies and organizations should beef up their email security by coming up with solid countermeasures.

  4. Duncan · June 30, 2013

    Though it’s true that a lot of the IT threats these days can be tied up to e-mails, let’s also not forget that they can come in other ways. A perfect example is apps. According to recent studies, plenty of apps, especially the free ones, carry malware that can infect not only your desktop PC or laptop but even your mobile phone and tablet, and the risks don’t decrease regardless of what type of device you use.

  5. Kendra · March 3, 2014

    @Angela Marie: Like you, I was surprised to find some sectors included in this list. I always thought that if you move or work in an area that works closely with security, you’ll be extra careful. I know now that this is not the case for the aerospace/defense sector!…All these data, in my opinion, can be useless, though, if people are not well-informed about the threats to email security that are present. Those who belong to the upper strata of society may know a lot, as well as those who live and breathe IT and those who work for big companies. The “small people and communities”, however, have yet to be completely educated on spamming and phishing.

Leave A Reply