Size determines type & frequency of email threats to businesses
New research from Barracuda indicates that the size of a company significantly influences the type and frequency of email threats it faces. The study, which analysed targeted email attacks from early June 2023 to the end of May 2024, highlights varying vulnerabilities between larger organisations and smaller companies.
The study reveals that larger organisations, defined as those with several thousand employees or more, are predominantly affected by lateral phishing. This form of cyber attack involves sending emails from an already compromised internal account to various mailboxes within the organisation. According to Barracuda's Threat Spotlight, lateral phishing constitutes 42% of targeted email threats for companies with 2,000 or more employees, compared to just 2% for companies with up to 100 employees.
In contrast, smaller companies with fewer than 100 employees are more frequently targeted by external phishing attacks, which account for 71% of the threats they face. For larger companies, external phishing represents 41% of their email threats.
Additionally, smaller companies experience a higher rate of extortion attacks. The study found that 7% of targeted email threats to small businesses involve extortion, in contrast to 2% for larger organisations with over 2,000 employees.
The occurrence of business email compromise (BEC) and conversation hijacking remains relatively consistent, irrespective of the size of the business.
Olesia Klevchuk, Director of Product Marketing at Barracuda, commented on the findings: "All companies, regardless of their size, are vulnerable to email threats, but they are vulnerable in different ways. Larger companies, with many mailboxes and employees, offer attackers more potential entry points, multiple communication channels to disseminate malicious messages across the business, and employees who are likely to trust email messages that appear to come from within the organisation, even if the sender is unfamiliar to them."
Klevchuk further explained the challenges faced by smaller companies: "Smaller companies, on the other hand, are less likely to have layered security in place and more likely to have misconfigured email filters due to a lack of in-house skills and resources."
To mitigate these threats, Barracuda advises organisations to implement regular security awareness training, with a focus on lateral phishing, to help employees identify and avoid suspicious emails. The company also recommends deploying multi-layered, AI-powered defences to detect and respond to advanced attacks promptly.
Barracuda suggests that smaller companies, in particular, might benefit from engaging managed service providers to bolster their security capabilities and protect against a wide range of email threats.