Going by one survey, the average time was 3.5 days—sufficient time for attackers to wreak heavy damage.

What happens after a malicious email bypasses an organization’s security measures and lands in a user’s inbox? Can the outcome be just as important as what happens to block threats in the first place?

One cybersecurity firm analyzed data from 3,500 organizations to gather some understanding of threat patterns and response practices, finding that, on average, it took those organizations three-and-a-half days (over 83 hours) to discover and take action from the time a malicious email landed in users’ inboxes.

Barracuda researchers also found that an organization with 1,100 users could experience around 15 email security incidents per month, with around 10 employees being impacted by each phishing attack that managed to get through.

Summary of findings 

According to the report, 3% of employees clicked on a link in a malicious email, exposing the entire organization to attackers. Employees in the study also forwarded or replied to malicious messages, spreading attacks further within their companies or even externally. Also:

  • In the organizations studied, it took 16 minutes for users to click on a malicious link, and hackers needed only one click or reply for an attack to be successful.
  • 67.6% of the organizations surveyed were still reliant on internal threat hunting investigations launched by IT teams to identify email threats for post-delivery remediation. Only 24% of malicious emails were discovered via user-reported emails: another 8.1% were discovered using community-sourced threat intelligence, and the remaining 0.4% through other sources such as automated or previously remediated incidents.
  • 29% of surveyed organizations regularly updated their block lists to block messages from specific senders or geographies. Only 5% updated their web security to block access to malicious sites for entire organizations.
  • Organizations that trained their users saw a 73% improvement in the accuracy of user-reported emails after only two training campaigns. Focused security training also proved to dramatically shorten the time to remediation, while deploying automated remediation tools also considerably increased an organization’s ability to automatically identify and remediate attacks in a timely manner.

Said Mark Lukie, Systems Engineer Manager, Barracuda Asia-Pacific: “Without an efficient incident response strategy, threats can often go undetected until it’s too late. People will always be your first line of defense, so continuous security awareness training is key, while deploying a post-delivery threat hunting tool or automated remediation, with integrated email and web security, can significantly reduce the time it takes to identify suspicious emails, remove them from all affected users’ inboxes, and automate processes that bolster defenses against future threats. In addition to sharing threat data from your organization and tapping into data shared by others, this is going to be your best line of defense against post-delivery email threats.”