
Our latest report on email security is now available. It was commissioned by TitanHQ and is called The State of Email Security in 2025. It’s the first of what could become an annual series by TitanHQ, although as with all annual reports we undertake, the focus in future years is responsive to the issues and trends of each year. An annual report offers a framework for what’s important aligned with an overarching theme, not a tomb for what isn’t relevant anymore.
For the 2025 annual report, we analyze email security realities at organizations with up to 1,000 employees in the United States, Canada, United Kingdom, and the European Union. If this describes your organization, please get a copy hot off the press from the TitanHQ web site.
Worse outlook for their own organization versus everyone else
When you get a copy of the report, have a look at Figure 2 (on page 4). It presents the comparison of answers to two questions – how threats will intensify against all organizations in general, and how threats will intensify against the respondent’s organization specifically. Asking the question pair is a test of how the respondents view the likelihood that their organization is under attack versus everyone else. For every threat type we asked about (e.g., phishing, zero-day exploits, ransomware, and 9 others), respondents saw their organization as being more directly in the line of fire than everyone else. It’s more normal for a sense of bravado to reign in such answers, with other organizations in general being more at risk. But for the respondents to this survey, that didn’t happen. Respondents acknowledge full ownership of the fact that they are under attack and expect to be under increasing levels of attack over the next 12 months. We use this acknowledgment to lay out a decision matrix for email security readiness (see Figure 3 in the report) for organizations.
The top investment priorities are the newest threats
We use a three-question series in our Cybersecurity Investment Priorities programs (see 2023 and 2025) to assess the correlation across concern about current posture for a given area, the investment required to bring a given area up to the organization’s desired standard, and the spending priority for that area over the next 12 months. We used the same approach for TitanHQ’s annual report to assess the priorities for 10 areas related to email security. We’re pretty happy with the shape of the dominant patterns that our research found, with protecting against AI-enhanced attacks at the top of the list, followed by protecting against attacks that use deepfake audio or video in second place. These are both new and emerging types of threats that many organizations are less prepared to mitigate, and seeing them at the top of the list is right where we’d hope they’d be. Coming back to the idea above about taking ownership, indeed, there is work to be done on these by most.
These two emerging attack types are followed closely by continued investment in various enduring threat types that we talk about throughout the research, such as phishing. Phishing attacks were the most common incident type for the organizations in this research, and yes, given how threat actors are always exploring new approaches to make phishing attacks more nefarious, more effective anti-phishing protections are essential.
Other topics
There are multiple other topics explored in this year’s annual report, including deep dives on BEC attacks, QR code phishing, and generative AI. There’s also a major section on email security strategies, covering human risk management, priorities for 2025, and buying criteria for email security products / services. As above, please get a copy hot off the press from the TitanHQ web site for more.