Business email compromise attacks, which include no malicious links or attachments, have been shockingly effective; in the last three years, these attacks have resulted in losses of $26 billion.
Barracuda researchers looked at the results of email threat scans of 383,790 mailboxes across 654 organizations over a 30-day period. They used the Barracuda Email Threat Scanner, a free tool that organizations can use to analyze their Office 365 environment and detect threats that got past their email gateway.
The scans conducted in this 30-day period identified nearly 500,000 malicious messages sitting in these inboxes. On average, each organization had more than 700 malicious emails that users could still open at any time.
They also found that, on average, a business takes three and a half hours (212 minutes) to remediate an attack. In fact, 11% of organizations spend more than six hours on investigation and remediation.
Response times add up quickly, and automation is needed to speed remediation, especially in a ransomware attack, where files are being encrypted rapidly while the investigation is still under way.
This is why Barracuda suggests these steps:
- Assess email vulnerabilities — Scan your organization’s inboxes to find malicious email and social engineering attacks that your email gateway missed. This will help you understand the vulnerabilities that exist in your email system and the scope of what needs to be investigated and remediated.
- Add spear-phishing protection — Introducing AI-based protection against phishing and account takeover will help you block these types of threats more effectively and stay ahead of attackers by looking for anomalies in real time.
- Automate incident response — An automated incident response solution will help you quickly clean up any threats you found in users’ inboxes during the email scan and make remediation more efficient for all messages going forward.
We suggest all organizations do the following to stay secure:
- Read cybersecurity essentials – a simple list that will help most organizations become far more secure.
- Go to a phishing simulation vendor and sign up for one of their offerings. Phishing Box, KnowBe4 and Phish360 are all great. These services train workers by testing them without their knowledge: real-looking phishing emails are sent to their inboxes, and anyone who clicks is immediately shown what not to do.
- We also recommend that you get a free evaluation of your cybersecurity risk from an MSP/MSSP immediately – they can also help you build in the compliance controls needed to reduce the risk of being fined.