Inefficient incident response to email attacks is costing businesses billions in losses every year, says a Barracuda study. For many organizations, finding, identifying and removing email threats is a slow and manual process that takes too long and uses too many resources. As a result, attacks often have time to spread and cause more damage.
Barracuda researchers found that, on average, a business takes three and a half hours (212 minutes) to remediate an attack. In fact, 11% of organizations spend more than six hours on investigation and remediation.
Here’s a closer look at why manual incident response is inefficient, along with some solutions to help every business identify and remediate attacks more quickly.
Inefficient incident response
Suspicious emails need to be identified and remediated quickly, before they spread across the organization and cause further damage. After all, in most phishing campaigns, it takes 16 minutes for someone to click on a malicious link. With manual incident response, however, it takes about three and a half hours for organizations to respond. In many cases, by that time, the attack has spread further, requiring additional investigation and remediation.
Fast and automated incident response is more important than ever, considering spear-phishing attacks designed to evade email security are on the rise. For example, business email compromise attacks, which include no malicious links or attachments, have been shockingly effective; in the last three years, these attacks have resulted in losses of $26 billion.
Barracuda researchers looked at the results of email threat scans of 383,790 mailboxes across 654 organizations over a 30-day period. They used the Barracuda Email Threat Scanner, a free tool that organizations can use to analyze their Office 365 environment and detect threats that got past their email gateway.
The scans conducted in this 30-day period identified nearly 500,000 malicious messages in these inboxes. On average, each organization had more than 700 malicious emails that users could access anytime.
How long would it take to identify, investigate, and remediate all these malicious messages? At 3.5 hours of cleanup per campaign, it would take days, if not weeks, to make sure that many malicious messages were removed.
In addition to these attacks that are already in their mailboxes, users report suspicious messages to IT every day. Based on data from Barracuda customers, a typical organization responds to around five email-related security incidents each day. With an average of 3.5 hours to respond to each incident, it takes more than 17 hours, or the equivalent of two full-time employees, to respond to what’s being reported each day. That’s time that could be spent on more proactive security measures, such as training employees, managing security patches, or investigating delivered mail for malicious content, which will help them stay ahead of attackers.
How can one improve incident response times?
Organizations rarely have this kind of time and resources, so not all incidents are handled according to best practices. Often, IT departments need to prioritize which malicious messages need to be addressed first, leaving organizations, users, and data exposed.
This is where automated incident response can help. Barracuda research shows that, with automated incident response, organizations can reduce their response time by 95% on average. For example, for 78% of Barracuda customers, incident response now takes less than 10 minutes. That means the five incidents reported by users each day would take less than an hour to remediate.
Automated incident response solutions let one easily identify all internal users who have received a malicious email and remove all instances of it. One can also automatically deliver alerts to affected users to warn them about the threat or provide other instructions.
Improving incident response time makes organizations more secure, helps limit damage, and saves valuable time and resources for IT teams.
Here are three steps that can be taken to improve incident response:
- Assess email vulnerabilities — Scan the organization’s inboxes to find malicious email and social engineering attacks that the email gateway missed. This will help the organization understand the vulnerabilities that exist in its email system and the scope of what needs to be investigated and remediated.
- Add spear-phishing protection — Introducing AI-based protection against phishing and account takeover will help block these types of threats more effectively and stay ahead of attackers by using artificial intelligence to look for anomalies in real time.
- Automate incident response — An automated incident response solution will help quickly clean up any threats found in users’ inboxes during the email scan and make remediation more efficient for all messages going forward.