SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Research finds malware will sit for around 83 hours in an employees inbox before being noticed
Thu, 3rd Jun 2021
FYI, this story is more than a year old

Research finds that malicious emails spend an average of 83 hours in employees inboxes before being noticed.

Barracuda researchers have found it takes, on average, three and half days (83 hours) from when a malicious email attack arrives in an employees inbox, to the point where it's discovered by a security team or reported by the end-user and removed

The researchers analysed threat patterns and response practices across 3,500 organisations in the companies most recent Threat Spotlight, this month the focus was on analysing what happens after a malicious email manages to bypass an organisation's security and land in a user's inbox.

They discovered that a medium-sized organisation of 1,100 users will experience around 15 email security incidents per month, and on average 10 employees will be impacted by each attack that finds its way through.

Barracuda says it finds it concerning that it observed 3% of employees will click on a link in a malicious email, exposing the entire organisation to attackers. And while this sound like a small number, Barracuda says businesses that average 1,100 users will result in around five users clicking on a link within a malicious email every month, it says it only takes one click or reply for an attack to be successful.

Two-thirds of malicious emails that arrived in an employee's primary inbox were discovered through internal threat hunting investigations launched by the IT team. These investigations can be initiated in a variety of ways. Common practices include searching through message logs or running keyword or sender searches of already delivered mail.

Another 24% of incidents were created from user-reported emails, 8% were discovered using community-sourced threat intelligence, and the remaining 0.4% through other sources such as automated or previously remediated incidents.

“There is no such thing as cybersecurity software which is 100% effective against inbound email attacks, and an organisation must prioritise security awareness training sessions for its employees,” says Barracuda VP of products, Michael Flouton.

“Our research even revealed organisations that train their users will see a 73% improvement in the accuracy of user-reported email after only two training campaigns.”

He adds that organisations should also consider automating incident response systems, adopt threat hunting tools, and share and receive threat intelligence from other companies, all for the purpose of significantly improving incident response times to post-delivery email threats, and catching these malicious attacks before they develop into something more severe.