Researchers have found that any malicious email, on an average, spends 83 hours in users’ inboxes before they are discovered by a security team or reported by end users and finally remediated.
According to Barracuda researchers, it takes over three days for a potential threatening email to be discovered.
For this study, the researchers analysed threat patterns and response practices across 3,500 organisations in the companies. In their results, they found that an average organisation with 1,100 users will experience around 15 email security incidents per month, and on average 10 employees will be impacted by each phishing attack that manages to get through.
It was also discovered that 3% of employees will have the tendency to click on a link in a malicious email, exposing the entire organisation to attackers.
Researchers found that the majority of incidents were discovered through internal threat hunting investigations launched by the IT Team.
The investigations were initiated through common practices like searching through message logs or running keyword or sender searches of already delivered mail, according to the report.
Meanwhile, some of the incidents were created from user-reported emails, while the rest were discovered using community-sourced threat intelligence, or through other sources such as automated or previously remediated incidents, the report added.
“There is no security solution that can prevent 100% of attacks. Likewise, end-users don’t always report suspicious emails due to lack of training or negligence, and when they do, the accuracy of reported messages is low, leading to wasted IT resources. Without an efficient incident response strategy, threats can often go undetected until it’s too late,” said Murali Urs, Country Manager-India, Barracuda Networks.
“A good way to increase the accuracy of user reports is to provide consistent security awareness training. Barracuda researchers found that organizations that train their users will see a 73% improvement in the accuracy of user-reported email after only two training campaigns,” added the report.