ESG Survey Explores Gaps in Business Email Compromise (BEC) Controls in Cloud Email Platforms

February 27, 2020

Abnormal Security

To track the history of email security, there’s no better gauge than the FBI Internet Crime Complaint Center (IC3)’s annual Internet Crime Report. Prior to 2015, phishing and spoofing were included among several other online crimes reported to the bureau, noted as part of Nigerian prince email scams and in footnotes. 

It wasn’t until 2015 that business email compromise (BEC) became a “hot topic” when the IC3 received 7,838 BEC complaints with losses of over $263 million. In its 2019 annual report released on February 11, 2020, BEC once again topped the list with adjusted losses of over $1.7 billion. 

Despite the prevalence of secure email gateways, which do a really good job identifying malicious attachments and high-volume email attacks, BEC is still growing. Why is this the case?

Lower Volumes, Higher Quality

BEC attacks are extremely difficult to detect because they come in low volumes. Simultaneously, the quality of the attacks has increased significantly. Attackers research specific targets and then craft customized, personalized messages for those users. The messages come across as legitimate business requests, often with a malicious pretext and a malicious request behind them.

They’re very difficult to detect because they lack any of the traditional threat indicators that email security tends to use. This challenge is exacerbated by the move to cloud email platforms like Office 365. When it comes to managing email security as part of the O365 investment, organizations are still feeling the pain of business email compromise (BEC).

The Desire for Third-Party BEC Controls

This was one of the central issues that ESG explored in partnership with Abnormal Security in a survey of 403 IT and security professionals responsible for evaluating, purchasing, and managing email security technology products and services. 

Among the research highlights, the survey found that email is a top-5 security concern for more than half of organizations. A majority run cloud-delivered email, but report gaps in native email security controls. Furthermore, most plan to use third-party controls to fill these gaps – with specific BEC controls desired by most.

The survey found that most organizations believe email security is going through a significant transformation and will reevaluate all security controls currently available natively in cloud mail platforms and via third-party solutions. Notably, the survey found that 53% say that controls are missing from native solutions and 87% use or intend to use third-party security controls.

When it comes to BEC, 59% of survey respondents experienced it in the past 12 months, with email account compromise and account takeover as the biggest target. Of those who have experienced BEC attacks in the past 12 months, 42% want separate third-party controls.

What’s at issue?

Exchange Online Protection (EOP) covers most of the email security capabilities that secure email gateway (SEG) solutions provide, which compelled many companies to drop their SEG solution. However, many are now feeling less protected against BEC attacks.

O365 Advanced Threat Protection (ATP) expands on the email security capabilities provided in EOP to support additional protection capabilities, plus automated response, and attack simulations to build user awareness. Microsoft describes ATP as a solution that protects organizations against sophisticated threats, such as phishing and zero-day malware, and enables companies to automatically investigate and remediate attacks. But the ESG survey found that 42% of organizations are not leveraging ATP.

As companies look for a sure-fire approach to reduce their BEC security risk with O365, it’s important to start by identifying the email security capabilities the company already has in place, based on their O365 investment. The best BEC protection solution should supplement the existing investments, and not duplicate them or render them ineffective. Simply adopting another SEG solution means companies are “double paying” for the same capabilities and are not achieving security budget efficiencies.

And companies should consider an architectural approach for BEC protection that best complements the cloud-native O365 model. The ideal architecture will take a cloud API approach that preserves the benefits the company has gained by adopting cloud-based hosted email.

For more detail on what to look for in an ideal architecture, please read our whitepaper, “Closing the BEC Gap in Your Modern O365 Email Infrastructure.” And stay tuned to this blog for more detail on the ESG survey.
