At first look, a failure rate of 10.5 percent doesn’t sound like a lot, at least until you realize that it is the percentage of emails that online security systems apparently miss when they’re looking for spam, malware and phishing. When you consider that most organizations of any size receive thousands of emails per day, the numbers add up.
Within that 10.5 percent average false negative rate, researchers at Cyren, Ltd., a Software as a Service internet security provider, found that 0.33 percent contained malware and phishing emails. The remainder was spam.
Of the 11.7 million emails that Cyren tested recently, approximately 34,000 contained phishing scams and 5,000 contained malware after they had passed through an email security appliance or other security software.
The numbers were derived from Cyren’s Email Security Gap Analysis project, which examined emails forwarded from the email security systems of companies that wanted to test them. The test took place in September and October 2017. The numbers are averages since the names of the actual companies aren’t being revealed.
Much of the problem has developed because email security had become a commodity, according to John Callon, senior director of product marketing at Cyren. As a result, there wasn’t a lot of new research and development going on, he said.
“But there’s a lot going on in threats over time,” Callon said, which caused the people at Cyren to wonder, “Has email security been keeping up with the threats?”
Callon said that the problem of phishing and malware has grown to the point that it’s become an industry in itself. “A whole service economy has developed around delivering and developing threats,” Callon said. “Now there’s malware as a service.”
Callon said that the barriers to entry used to be higher because would-be hackers had to develop their own malware and delivery mechanisms. That’s changed, he said. “I can rent services that will give me exploit kits that will deliver botnets.”
The problem is getting worse and there’s less time than ever to respond to a threat before it does damage.
Georgia Weidman says that while general security awareness has gotten better, preventing an attack has become more difficult. “If you want to get to a specific person, it’s not very difficult.” Weidman, who is CTO and founder of Shevirah, a security firm in Ashburn, Va., said that spending some time doing research will generally enable a hacker to create a convincing phishing email that most people, not to mention automated systems, will miss.
Weidman’s company specializes in penetration testing. She noted that while it’s still possible to spot fake emails and the imposters that create them, it pays to have training.
“A lot of companies aren’t doing that,” Weidman said. “They aren’t taking that threat seriously.”