Late in 2023 we started a conversation with OPSWAT, a cybersecurity vendor focused on the critical infrastructure sector, on undertaking a research project to assess the email security posture of critical infrastructure organizations. We have had the opportunity to do many research projects on email security in recent years, but while the others have included organizations in the critical infrastructure sector, this was the first project that focused exclusively on this cohort. Exciting times!
The research programme:
- Collected data from a global audience of critical infrastructure organizations, with representation across North America, EMEA, and APAC. The survey was balanced to get around 40% of responses from North America, 20% from EMEA, and 40% from APAC.
- Engaged with leaders within these organizations that have IT or security responsibility and knowledge of their email security posture.
- Drew on CISA’s list of critical infrastructure sectors, such as chemicals, commercial facilities, communications, critical manufacturing, dams, and more. CISA says there are 16 sectors classified as critical infrastructure. CISA defines these sectors on this basis: sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. While this definition is US-centric, the same principle applies in other places, too.
Once the research design was agreed, we worked on the survey questions, took this to field, and analyzed the data. You can get your copy of the results from the OPWAT website. But here’s a preview:
- Critical Infrastructure Remains a Target
80% of critical infrastructure entities fell prey to email-related security breaches within the past 12 months, highlighting their attractiveness to cyber threat actors. - Lingering Vulnerability
Despite advancements in cybersecurity, 48% of organizations lack confidence in their existing email security defenses, leaving them vulnerable to potentially devastating cyberattacks. - Noncompliance presents significant operational and business risks
Shockingly, 65% of organizations are not compliant with regulatory standards, exposing themselves to significant operational and business risks.
A major recommendation in the report is finding email security capabilities that “preclude and prevent threats” from finding their way into an organization’s email system. While this is critical for critical infrastructure organizations, it is no less so for those in other sectors.
Check out OPSWAT’s site for your copy.
Leave a Reply