IRONSCALES, the Israel-based email security firm, has announced the results of a new survey of cybersecurity professionals and business executives conducted in partnership with Osterman Research, a security market research firm.
The survey, “The Phishing Prevention Perception Gap: Robust Email Security Requires Alignment Between Security Practitioners and Decision Makers”, is based on a detailed, cross-industry poll of 252 security professionals from the US and UK. It found that a serious disconnect exists between how decision makers (CISOs, CIOs and CEOs) and security practitioners (IT managers and directors, security architects and security operations analysts) perceive the importance of phishing prevention.
Among its key findings, the survey revealed that decision makers are four times more likely than security practitioners to consider email security the highest priority, suggesting that security personnel believe that they have a sufficient handle on phishing prevention while the C-Suite anticipates substantial business risk.
“The disconnect between security practitioners and decision makers is extraordinarily problematic for phishing prevention and incident response,” said Eyal Benishti, IRONSCALES founder and CEO. “The cause for such a predicament – whether or not security professionals on the front lines don’t fully understand the long-term business impacts of a successful phishing attack or if the C-Suite is simply over-concerned – is irrelevant. What matters is that moving forward these two important constituencies get on the same page so that the proper time and attention can be allocated towards minimizing phishing risk.”
Conducted over four weeks between late December 2019 and early January 2020, the survey was designed to determine whether current email security and anti-phishing technologies, practices and processes are adequate for mid-sized businesses and enterprises to truly reduce email phishing risk. Overall, the survey revealed that there is a critical need for real-time threat intelligence to more thoroughly address phishing risk; that the security skills shortage is having a material impact on security teams’ ability to deal with phishing properly; and that most organizations are using several tools to combat phishing, with secure email gateways remaining the most common.
Other key findings from the survey include:
- 24% of a 40-hour work week is spent by security analysts investigating, detecting or remediating phishing emails
- 1 in 5 organizations continuously updates and tweaks its corporate email security policy in a typical month
- Nearly 3 in 5 organizations train their users on proper email security protocols no more than twice per year, while only a third of organizations do so more frequently (at least monthly or continuously)
- More than 70% of organizations use only manual processes for reviewing user-reported phishing emails, making it far too labor- and time-intensive to mitigate email threats at scale
The survey also found that phishing emails continue to take organizations a substantial amount of time to detect, investigate and remediate. In total:
- 70% of organizations take more than 5 minutes to remove a phishing attack from a corporate mailbox, even though the average time-to-click is 82 seconds
- 75% of organizations cannot act on phishing intelligence automatically in real time
- 90% of organizations cannot orchestrate phishing intelligence from multiple sources in real time in the context of their overall email security solution(s)
“The survey’s findings reinforce the significant challenges that email phishing attacks incur on organizations of all sizes,” said Michael Osterman, principal analyst at Osterman Research. “Most immediately, decision makers and cybersecurity practitioners must work to overcome the disconnect that exists so that time, budget and resources can be properly allocated to reduce email phishing risk.”
Osterman Research provides timely and accurate market research, cost data and benchmarking information to technology-based companies. The firm does this by continually gathering information from IT decision-makers and end-users of information technology. The company reports and analyzes information to help companies develop and improve the products and services they offer to different markets or to internal customers.