SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
The costs of email breaches that hit over 70% of Australian companies
Wed, 15th Mar 2023

Email remains the most widely used business communication channel. It is also an attractive target for cybercriminals. For attackers, email is an accessible and low-cost attack tool that can be used as the starting point for cyberattacks that include ransomware, information stealers, spyware, crypto mining, other malware, and more. We have identified 13 types of email threats and expect email-based attacks to become increasingly complex, leveraging AI and advanced social engineering to evade security measures and steal sensitive data or money. 

Many organisations fall victim to email-borne threats. According to a new international study, just under three-quarters (74%) of the Australian organisations surveyed report falling victim to at least one successful email attack in 2022, with those affected facing average costs of more than USD 1 million (about AUD 1.4 million) to recover from their most expensive attack.

Business disruption, loss of productivity and reputation damage 

The fallout from a successful email security attack can be significant and damaging. According to the study, the most widely reported effects in Australia were downtime and business disruption (which affected 42% of the organisations surveyed), loss of employee productivity (41%), and brand and company reputation damage (37%).

At a global level, the study found that different industries were affected in different ways. Financial services organisations lost valuable data and money to criminals, while for healthcare, the costs of quickly restoring systems were significant. Manufacturing was particularly affected by the disruption of business operations.

And across all respondents, smaller companies were more likely to be affected by the loss of sensitive or critical data, followed by brand reputation damage. However, for the mid-size and larger organisations surveyed, the most common impacts were downtime/business disruption and loss of employee productivity. This could suggest that larger organisations have more established brands and reputations that can withstand an attack, but they are hit harder in terms of business continuity.

The risks of remote work

Regardless of company size or industry, however, organisations with more than half their employees working remotely faced higher levels of risk and recovery costs. More than a third (39%) of Australian organisations fall into this category.

Our earlier research into cyber resilience in Australia supports these findings, revealing that over a quarter (27%) of the Australian organisations surveyed faced cybersecurity challenges while working from home, including issues with VPN and remote access (14%), phishing emails and malware (14%) and general cyberattack concerns (14%).

It’s often hard for organisations to enforce security policies consistently on remote workers to ensure maximum protection. They also need to enable remote access to business applications and critical data for employees to carry out their day-to-day jobs. This not only increases the attack surface available to cyber criminals, but it can also significantly delay detection, response, and recovery from cyberattacks.

Australian organisations feel under-prepared for many email-borne threats

The latest study also shows that many organisations in Australia lack confidence in their ability to fully defend themselves against even the most basic email-borne cyberthreats. For example, 34% feel they are under-prepared to deal with data loss and 33% with viruses/malware, while as many as 29% also feel this way about tackling spam.

It’s not all bad news. An encouraging 91% of Australian organisations feel that their systems and data are more secure than they were in 2021. Moreover, investment in email security measures is holding steady year-on-year for the vast majority (83%) of those surveyed. 

To keep organisations and employees safe, Australian organisations need to review and, where needed, adapt their security strategies and leverage AI-powered email protection to defend against the growing number and range of email-borne threats.