Making decisions driven by data and statistics makes perfect sense. If you have evidence to support your decision, or help steer you in the right direction, then the likelihood of making a bad decision lessens. For many of us responsible for email security and administration, the data suggests that we had better make sure we have adequate controls in place to protect against malicious emails. If you haven’t seen the numbers regarding the email threat landscape, then some of these might shock you.
To begin with, let’s take a look at security in general; take email entirely out of the equation. The reason is that the threats to data, resources and intellectual property are what concern those writing the checks for our security budget. Once we understand what is at stake, we will have plenty of time to tie in the role email plays in the bigger picture.
Attacks are on the rise
In the fourth quarter of 2012, malicious hacking attempts passed the 1 billion mark and the number of Advanced Persistent Threat attacks doubled from 2010 to 2011. These attacks have shown no signs of slowing down. Of course not all of these attacks were successful, but those that did breach security controls cost organizations $136 for each record compromised. So if 10,000 credit card numbers or customer records were accessed by an attacker, the sum total would be $1,360,000. Not many large corporations would want to have to fork over that kind of capital, and small to medium-sized businesses would be devastated by losing that kind of money. But 10,000 is a low-end estimate; in 2010 research from the Ponemon Institute showed that the average cost for a data breach was $7.2 million.
One might expect that most attacks are launched against high profile industries like tech or finance. While they are high on the list, they were not the most targeted. In fact, more attacks were launched against the aerospace and defense industry and the energy industry than any others…
- Aerospace and defense – 17%
- Energy – 14%
- Finance – 11%
- Computer hardware/software – 8%
- Legal and consulting – 7%
- Media and entertainment – 7%
- Telecommunications – 6%
- Pharmaceuticals – 4%
- All others – 25%
What’s interesting is that the media and entertainment industry saw a jump from 2 percent to 7 percent. As evidenced by recent attacks against the Wall Street Journal, New York Times and Washington Post, those behind advanced persistent threat attacks are sometimes looking into what is being said or investigated about their sponsors – money isn’t always the end result.
Tying email into the equation
We have shown time and time again that 91 percent of all advanced persistent threats are able to breach their target through the use of a spear-phishing email. 94 percent of these rogue emails utilize common file attachments to mask the malware that they are actually delivering to their victims. By making their file attachments look like innocuous PDFs, Word documents or Excel spreadsheets, the bad guys are able to slip past anti-spam filters set up to stop malicious emails based on file extensions alone. If the technical controls were able to scour the file for anomalies, many of these emails would be stopped.
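To make the difference between filtering on file extension and looking inside the file concrete, here is an added example (not from the original post or the Firmex infographic) that compares each attachment's leading bytes with what its extension claims. The function names, the signature table and the sample message are constructed for illustration.

```python
from email.message import EmailMessage
from pathlib import PurePosixPath

# Leading bytes of the file types named in the post, plus the Windows PE header.
MAGIC = {"pdf": b"%PDF-", "zip": b"PK\x03\x04",
         "ole2": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "pe": b"MZ"}
# What each extension should contain (.docx/.xlsx are ZIP containers).
EXPECTED = {".pdf": "pdf", ".doc": "ole2", ".xls": "ole2",
            ".docx": "zip", ".xlsx": "zip"}

def sniff(data: bytes) -> str:
    """Classify content by its first bytes, ignoring the file name."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def audit_attachments(msg: EmailMessage) -> list:
    """Return (filename, detected_type, verdict) for every attachment."""
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = PurePosixPath(name.lower()).suffix
        kind = sniff(part.get_payload(decode=True) or b"")
        if ext not in EXPECTED:
            verdict = "unlisted-extension"   # outside this table: handle by policy
        elif kind == EXPECTED[ext]:
            verdict = "ok"                   # header agrees with the name
        else:
            verdict = "mismatch"             # name says document, bytes say otherwise
        results.append((name, kind, verdict))
    return results

def build_sample() -> EmailMessage:
    """Constructed message: two honest attachments and one mislabelled one."""
    msg = EmailMessage()
    msg["Subject"] = "Q4 invoice"
    msg.set_content("See attached.")
    samples = [("report.pdf", b"%PDF-1.4\n% constructed\n"),
               ("invoice.pdf", b"MZ\x90\x00 constructed, not a real binary"),
               ("budget.xlsx", b"PK\x03\x04 constructed")]
    for name, data in samples:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

if __name__ == "__main__":
    for row in audit_attachments(build_sample()):
        print(row)
```

A matching header only shows that the name and the content type agree; documents that pass this check still need content scanning for embedded malware.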
Like any threat, malicious emails aren’t reserved for those on the Fortune 500 alone. While 56 percent of organizations with over 1000 email users believe that they have been targeted by malicious emails, 42 percent of organizations with fewer than 1000 email users feel the same way. Worst of all, these numbers represent those willing to admit that they believe they have been targeted. More than likely, the numbers for both are much higher.
It would be nice right about now to list some numbers that show how easy it is for an organization to recover from a successful email-borne attack. Even some quotes from real-life victims would be encouraging. The sad fact is, these feel-good stories don’t exist. The results of a data breach can be devastating. They can cost millions, but more importantly they can cost a business its reputation; and paying off fines won’t make customers feel any better.
Feel free to take hold of these numbers and make them part of your next presentation or proposal, but don’t stop there. Dig around through some of the other posts here on The Email Admin and you will find all the evidence you need to help support your organization’s need for the best email security solution you can afford.
Data and statistics for this post come from an infographic produced by Firmex.