You can blame criminals for email ransomware attacks. But some of the fault belongs in-house — in the C suite, according to The State Of Email Security, a study from Mimecast based on research by Vanson Bourne.
Of the executives surveyed, 37% say their organization’s CEO is a weak link in their cybersecurity operation, compared to 27% who said this was the case in 2017. And 38% feel their CEO undervalues the role of email security — the same percentage as last year.
Executives may want to dump responsibility on IT — 78% say that's where it belongs, including the IT people surveyed.
Yet that lack of focus at the top may account for the substandard training. Only 11% of firms continuously train employees in cybersecurity. However, 24% mandate monthly training, and 52% mandate training quarterly or once a year.
This failing, in turn, may be caused by an overreliance on technology. A third of the respondents see tech investments as their best defense, and 29% believe in improved business processes.
There is no doubt that a cyber threat exists. A full 92% have seen ransomware delivered via email attachments in the past year, and 90% say that phishing attacks have increased or remained the same in that period.
In addition, 61% have suffered attacks in which an infected user spread malicious activity to other employees via email.
And this has harmed companies — 59% fear they will suffer a negative business impact from an email-borne attack this year.
One of the negative effects is financial loss — 20% of the victims report it. Then there is downtime. That lasted more than one day for 78% of the victims. But 46% say it amounted to two to three days, and 27% said it lasted for four to five days.
Mimecast and Vanson Bourne surveyed 800 IT decision makers and C-level executives across the globe.
C-level types are also the most likely to mistakenly pass on malware. Asked about the main types of in-house sharing, 31% say that a member of the C-suite sent sensitive data emails to the wrong address by accident. However, that percentage has fallen from 35% in 2016 and 2017.
And for 27%, it’s that an employee sent sensitive information to the wrong address by email — also down from 25% in the 2016/17 period.
In addition, only 20% said sensitive data was sent by an employee in response to a phishing email, down from 29%.
At the same time, 38% say that none of this has happened to them — up from 31%.
Mimecast concludes that firms need a cybersecurity strategy, and reports that 80% of firms that have them in place are ready to fight ransomware. It describes the four key capabilities as threat protection, adaptability, durability and recoverability.