Survey Reveals Insufficient Anti-Phishing Controls in Place in U.S. Businesses

Phishing is currently the top cyber threat encountered by companies. However, despite the high probability of phishing attacks, companies are failing to implement sufficient security measures to reduce the risk of cybercriminals gaining access to email accounts.

A recent survey has shown that many U.S. businesses have not implemented sufficient anti-phishing defenses to prevent attacks. The Ponemon Institute survey was conducted on 650 IT and IT security professionals from companies with an average of 1,000 employees.

The Valimail-sponsored survey showed just how often these attacks are occurring. 79% of respondents confirmed they had experienced a data breach that definitely or probably involved email in the past 12 months. 80% of respondents said they were concerned about their company’s ability to avoid or minimize email cyberattacks, and 53% of survey respondents said protecting against phishing attacks was very hard.

Only 29% of survey respondents said their company has already taken significant steps to reduce the risk of successful phishing and email impersonation attacks. 21% of respondents said their company had not taken any steps to minimize the risk of a phishing attack resulting in a data breach.

When questioned about the anti-phishing solutions that had been put in place, 69% of respondents stated they had anti-spam or anti-phishing controls in place and 56% utilized secure email gateway technology. 34% of respondents said they have developed anti-phishing training programs for employees. Just 29% use Domain-based Message Authentication, Reporting and Conformance (DMARC) and only 27% use Sender Policy Framework (SPF) to identify and stop email impersonation attacks.

The large number of phishing attacks and security breaches seems to have prompted a lot of organizations to improve email security. In the coming year, 65% of survey respondents said their organization will be committing more money to anti-spam filters, 47% will purchase SIEM technology, 63% will spend more on secure email gateway technology, and 57% will implement an anti-phishing training program. 35% of the companies surveyed said they will be using DMARC and 23% claimed they are planning to use SPF.

The main reason why email security cannot be improved is a lack of funding. 39% of survey respondents said there is not enough money available to make significant improvements to anti-phishing defenses. 56% of survey respondents said it will probably take a severe hacking incident to convince the board to make more money available for email security, although 65% said that if it were possible to convince the board that clients would be lost as a result of a security breach, more investment may be made in email security solutions.