The researchers discovered that, on average, a malicious email spends 83 hours in users’ inboxes before it is detected by the security team or reported by end users and eventually processed.
According to Barracuda researchers, it takes more than three days to discover a potentially threatening email. For the study, the researchers analyzed threat patterns and response practices across 3,500 corporate organizations. They found that an average organization with 1,100 users would experience about 15 email security incidents per month. Each phishing attack that succeeds in reaching the organization affects an average of 10 employees.
The study also found that 3% of employees tend to click on a link in a malicious email, exposing the entire organization to attackers. The majority of incidents were discovered through internal threat research investigations launched by the IT team.
According to the report, these investigations were initiated through common practices such as searching through message logs and running keyword or sender searches on mail that had already been delivered. Some incidents, meanwhile, originated from user-reported emails. The rest were discovered using threat intelligence from community sources, or through other sources such as automated or pre-remediated incidents.
No security solution can prevent 100% of attacks. Likewise, end users do not always report suspicious emails, whether from lack of training or negligence, and when they do, the accuracy of the reported messages is low, wasting IT resources.
“Without an effective incident response strategy, threats often go undetected until it is too late,” said Murali Urs, India Regional Director, Barracuda Networks. “One good way to increase the accuracy of user reports is to provide consistent security awareness training. Barracuda researchers found that organizations that train their users will see a 73% improvement in user-reported email accuracy after just two training campaigns.”