The third annual Cyren-Osterman Research U.S. security survey shows a significant increase in phishing emails getting through to users and in the number of successful phishing attacks suffered by businesses during the past 12 months, among many topics covered in the 16-page report, "IT Security at SMBs: 2017 Benchmarking Survey," available for free download.
The survey, which was concluded in September, focuses on the current web and email security status and priorities of IT and security managers at organizations with 100 to 5,000 employees. The survey results allow security personnel to benchmark their own security posture and planning against their peers, including data on the priority placed on different email and web security features, what capabilities organizations have deployed, and how successfully—or unsuccessfully—their current security is performing across different threat types.
Phishing emails and successful attacks a rising tide
Nearly half of respondents to the survey said that more mass phishing and spear-phishing emails are getting through their security and reaching users' inboxes, with an estimated increase during the past 12 months of 23% for general phishing and 25% for spear-phishing. This increase in phishing emails reaching users appears to be having serious consequences—44% of organizations said that they suffered a successful phishing attack in the past year, up from 30% in the 2017 survey. And not just one attack—respondents said that they suffered an average of 11.7 successful phishing attacks during the period. Not surprisingly, phishing was ranked as the second-highest threat concern by the managers surveyed, with ransomware retaining its position from 2017 as the threat type of greatest concern.
Security spending up for half
Forty-nine percent of organizations reported that their IT security budgets grew a robust 18% over the prior year, essentially matching the 17% increase reported in 2017. No organization surveyed reported a decrease in their security budget. The combination of poorer security performance and increased spending appears to be feeding an interest in new solutions, with two-thirds of respondents indicating an extremely strong interest in deploying specialized new services capable of improving phishing and ransomware protection, as well as providing improved sandboxing protection from increasingly evasive threats.
Figure 1: "Other" malware infections were the top source of breaches, with phishing in second.
Preference for cloud-based SaaS surpassed on-premises in 2018
The preference in terms of deployment model for security solutions was nearly equally divided in 2017, but the momentum has clearly shifted towards cloud-based security, with 42% of respondents preferring SaaS security, up from 29% in 2017 and 21% in 2016. Twenty-eight percent said they preferred on-premises solutions this year.
Figure 2: Preference for cloud-delivered security has surpassed on-premises appliances.
Other conclusions from the survey data which are covered in the report include:
Nearly two-thirds have an email security layer in the cloud
Sixty-two percent of businesses rely on SaaS security for their email, up from 57% a year ago, considering together those who reported using a third-party SaaS secure email gateway (35 percent, compared to 28 percent in 2017) and those who have contracted an advanced security module from their hosted email service provider (27 percent).
Cloud-based web security is moving up the adoption curve
Thirty-seven percent reported that they subscribe to SaaS web security, up from 34 percent in 2017.
Security effectiveness and speed of defenses are most desired capabilities
The misgivings around security performance were also apparent in the rankings of desired capabilities in new security solutions. “Security effectiveness” (82% indicating highest importance) and “speed of defenses applied to new threats” (72%) were given significantly more weight by managers than cost and other considerations like visibility and reporting features.
The report is available for free download.