In late August we published a white paper called The Role of AI in Email Security. You should totally get a copy if you don’t already have one.
One of the more perplexing data points from the survey underlying the white paper is this one, on the threats that the respondents were looking to AI to address in their email security posture (see Figure 6 on page 11):

What’s perplexing is why the importance of using AI to protect against threats in inbound email (26.6% extremely important) is rated so much lower than protecting against threats or risks in outbound email (46.9%) and internal email (46.5%). I wrote this in the white paper (emphasis in the original):
Protecting against threats in inbound email was rated in third place, behind the two types of threats above. This is a strange prioritization because organizations cannot ignore the threat conveyed by inbound email, as this is where many multi-stage attacks begin—and where employees are most likely to succumb. Early detection of inbound threats cancels the whole chain of subsequent malicious activity that would happen otherwise, including threats in internal email.
Osterman Research, The Role of AI in Email Security (2023)
After writing about the human element as explored in Verizon’s DBIR earlier this week, I started mulling over whether my calculation of the differential breach rate helps to explain it. Here are the numbers again:
- When external actors (cybercriminals) seek to compromise internal actors (employees), the breach rate for 2023 was 54.5% – meaning that 45.5% of breach attempts did not become incidents. This threat case from the VDBIR essentially maps to the “threats in inbound email” threat type above.
- When internal actors (employees) make a mistake and send email to the wrong person, or otherwise accidentally expose data, the breach rate is 85.0% – meaning that only 15% of mistakes were caught and did not become incidents. This threat case is the top one in the figure above – threats in outbound email.
And hence the differential prioritization in the figure above – current controls for the outbound threat type are significantly weaker than for the inbound threat type, and organizations are looking to AI to make a much more significant and immediate impact on reducing the breach rate for the outbound type.
In all fairness, neither breach rate / non-breach rate is wonderful. But the outbound one is much worse than the inbound one.