66% are the problem
Email security company Mimecast released their annual “State of Email Security” report for 2021. The report is based on a survey of 1,225 information technology and security professionals from businesses around the globe. The survey participants were from businesses that spanned the industrial sectors including technology and telecommunications, financial services, manufacturing, and health care.
The report is well done and easy to digest. It is not easy to accept though. It's not that the data appears illegitimate or deceitful, but is a stark reminder of the uphill battle security practitioners face in trying to protect their organizations.
Some of the statistics are expected such as six out of ten organizations sustained a ransomware attack in the past twelve months. Threats delivered by email rose by 64% in 2020. 70% of respondents expect that their business will be harmed by an email-bourne attack in 2021 and of those 26% claim that such an event is inevitable. Of course, it makes you wonder about the 30% that don't believe they will not be afflicted by a damaging email attack this year. There is a fine line between confidence and lunacy.
But then you find the truly frightening data. The facts that make you consider where we have gone wrong as security practitioners and law enforcement partners. The dangers of having a business connected to the Internet are not the tales of academics working in the purely theoretical. The empirical evidence, on display every day, confirms the enterprise is under constant attack. It truly is not a matter of if, but of when. Your business will be the target of criminals and threat actors determined to damage your business, either financially or in reputation.
The most shocking statistic reported is only one out of five companies offer their employees continuous cybersecurity awareness training. 70% of the survey respondents expect their business will be harmed by an attack delivered by email but only 20% of the respondent's organizations offer regular training to mitigate that attack. The lack of congruence is obvious. The security professionals expect to be attacked, but are not making any effort to prevent it?
Or are they? Maybe they have spoken out until they are the proverbial “blue in the face” and no one is listening.
I am reminded of this study from Keeper Security that found 66% of small and medium business decision-makers believe a “cyber-attack” on their business is unlikely. (It seems that 66% of small to medium business decision-makers should be fired.)
So, is the problem security practitioners failing to deliver the message or business leaders failing to hear it?
Probably a little of both, but most of security folks I know have a permanent blue tint to their skin.