What happens after a malicious email bypasses an organisation’s security measures and lands in a user’s inbox can be just as important as what happens to block threats in the first place, according to Barracuda, a provider of cloud-enabled security solutions.
Analysing data from 3,500 organisations to better understand threat patterns and response practices, Barracuda researchers found that on average, it takes organisations a lengthy three and a half days (over 83 hours), from when an attack lands in users’ inboxes, to when it is discovered and can finally be remediated.
They also found that an average organisation with 1,100 users will experience around 15 email security incidents per month, with around 10 employees being impacted by each phishing attack that manages to get through.
According to the report, 3% of employees will click on a link in a malicious email, exposing the entire organisation to attackers. Employees will also forward or reply to malicious messages, spreading attacks further within their companies or even externally.
Though these numbers may appear small, the report reveals that it only takes 16 minutes for users to click on a malicious link, and hackers need only one click or reply for an attack to be successful, underlining the need for fast investigation and remediation in order to keep organisations safe.
“There is no security solution that can prevent 100% of attacks, and end-users don’t always report suspicious emails due to lack of training or negligence, and when they do, the accuracy of reported messages is low, leading to wasted IT resources. Without an efficient incident response strategy, threats can often go undetected until it’s too late,” said Mark Lukie, Systems Engineer Manager, Barracuda, Asia-Pacific.
The research also revealed that most organisations are still reliant on internal threat hunting investigations launched by IT teams to identify email threats for post-delivery remediation (67.6%), with only 24% being discovered via user-reported emails. 8.1% were discovered using community-sourced threat intelligence, and the remaining 0.4% through other sources such as automated or previously remediated incidents.
And while 29% of organisations will regularly update their block lists to block messages from specific senders or geographies, only 5% will update their web security to block access to malicious sites for entire organisations, usually due to the lack of integration between incident response and web security.
Interestingly, Barracuda researchers found that organisations that train their users saw a huge 73% improvement in the accuracy of user-reported emails after only two training campaigns. Focused security training also proved to dramatically shorten the time to remediation, while deploying automated remediation tools also considerably increased an organisation’s ability to automatically identify and remediate attacks in a timely manner.
“People will always be your first line of defense, so continuous security awareness training is key, while deploying a post-delivery threat hunting tool or automated remediation, with integrated email and web security, can significantly reduce the time it takes to identify suspicious emails, remove them from all affected users’ inboxes, and automate processes that bolster defenses against future threats. In addition to sharing threat data from your organisation and tapping into data shared by others, this is going to be your best line of defense against post-delivery email threats,” he added.