To supplement the protection of the SEG, organizations have turned en masse to phishing simulation training. Currently around 98% of organizations enable employee-reported phishing and about 88% use phishing simulation to train employees.5 But the math is against them.
SOC teams already dealing with a widespread cyber skills shortage manage close to 33,000 reported phishing incidents on average each year. With a false positive rate of 68% globally and around 6.4 hours to investigate each one,5 they simply can’t keep up. Exploits can take months to detect, while exfiltration of sensitive data can happen in a matter of hours.
Phishing training can help, but organizations can still expect around a 3% failure rate where employees are unable to detect a phishing email.8 Unfortunately, it takes only one successful attack to do serious damage. It turns out that aside from the organizational drag that comes from mass distrust of the inbox, putting employees in the direct line of defense against email-based cyber attacks is a somewhat risky proposition, particularly given the existential threats a major breach can represent.
But as ineffective as the SEG tends to be against advanced email attacks, it also presents a significant obstacle to cloud-first strategies. Because the SEG sits “inline” as email passes through, it obfuscates the native security features of Exchange Online Protection and prevents Office 365 from functioning optimally. It changes the email header information viewable by Office 365, and the feedback loop from users goes directly to the SEG, leaving Office 365 none the wiser about user-reported phishing attempts.
All the while, the SEG requires maintenance, training, and support that consume valuable SOC team resources. Taken together, the cost and overhead of the SEG, the systemic risks to the business plan from attacks that evade it, and the negative impact it has on native security controls built into Microsoft Office 365 make the SEG a significant hindrance to organizations looking to drive higher labor productivity and worker output.
This, of course, is a big part of the reason organizations adopt Office 365 in the first place, typically as part of their digital transformation strategies. Simplifying IT infrastructure while providing workers new and improved ways to communicate, collaborate, and perform their job functions both safely and securely is a critical objective for organizations looking to attract and retain the best talent as the new generations—the digital natives—enter the workforce.
And while Office 365 provides a level of security closely resembling what organizations would find in a traditional SEG, including the ability to detonate and identify actively malicious payloads with Microsoft Advanced Threat Protection, additional protections against the most dangerous threats are needed to safeguard the organization from advanced threats such as business email compromise, executive spoofing, and account takeovers.
5. Agari Q4’19 Email Fraud and Identity Deception Trends report
8. Verizon 2019 Data Breach Investigations Report