Report by Zivver
The Widening Disconnect Between Email Security and Risk Management
Key Findings
81% of employees say security practices and technologies that are more user-friendly will result in better security outcomes
26% of IT leaders say keeping up with data security threats is among the biggest security vulnerabilities in organizations
34% of IT leaders say too many separate security solutions (lack of integration, security gaps, and/or duplication) is among the biggest security vulnerabilities in organizations
38% of IT leaders say lack of awareness and understanding of security by employees is among the biggest security vulnerabilities in organizations
93% of employees identify email as “important” or “very important” to their day-to-day work
23% of employees say classroom training is the most engaging/effective email security training format
50% of employees said they would inform the recipient if they made an email error, 44% would notify their IT team or line manager, 31% would tell a friend or colleague, and 9% admitted they wouldn't tell anyone.
42% of IT leaders prioritize email encryption for email security investment.
41% of employees in France say they frequently use IT policy workarounds to “get the job done” and save time or effort.
55% of employees in government say they frequently use IT policy workarounds to “get the job done” and save time or effort.
66% of IT leaders agree outbound email security doesn’t get as much attention beyond compliance, but it is the silent security killer
Employees frequently send the wrong attachment (33%), misaddress emails to unintended recipients (32%), or misuse CC and BCC fields (20%). These mistakes are more likely to happen when employees are tight on time (54%), when they are stressed (40%), or when they feel overwhelmed by too many messages (40%).
Only 34% of email incidents are formally reported.
70% of IT leaders in Netherlands agree that outbound email security doesn’t get as much attention beyond compliance, but it is the silent security killer
15% of IT leaders say lack of visibility or reporting of security incidents in your organization is among the biggest security vulnerabilities in organizations
78% of IT leaders in Germany admit that employee mistakes in outbound emails result in more significant data loss than malicious inbound attacks.
67% of IT leaders agree that outbound email security doesn’t get as much attention beyond compliance, but it is the silent security killer
38% of leaders cite increased focus on growth / innovation - need for employees to get on with their jobs as their motivation for change in their security focus
More than two thirds (67%) of IT leaders believe vendors are not innovating fast enough to keep up with emerging risks, leaving a critical gap in the market
66% of IT leaders in France admit that employee mistakes in outbound emails result in more significant data loss than malicious inbound attacks.
Only 26% of IT leaders believe it drives significant improvements in employee behavior to safeguard data, and nearly half (46%) acknowledge that there is room for improvement
47% of IT leaders say inbound email threats present a big risk in their organization in terms of potential data loss
63% of employees in the UK say they frequently use IT policy workarounds to “get the job done” and save time or effort.
53% of employees in legal services say they frequently use IT policy workarounds to “get the job done” and save time or effort.
39% of IT leaders prioritize human error prevention / DLP for email security investment.
Only 24% of IT leaders believe their security spending is "very well aligned" with actual risks, while 53% think it is "quite well aligned," 20% feel it is "not particularly aligned," and 3% say it is "not at all aligned."
When asked about their primary email security focus for the next two to three years, 13% will focus more on inbound security solutions
Organizations recognize the importance of email security training, with 95% of IT leaders confirming its availability within their companies
More than a third (36%) of employees across large organizations describe email security training as ineffective or a waste of time, and dissatisfaction increases to 54% among those who frequently make email mistakes
50% of IT leaders prioritize Advanced Threat Protection (ATP) and malware detection for email security investment.
24% of IT leaders prioritize post-delivery protection for email security investment.
When asked about their primary email security focus for the next two to three years, 31% prioritized compliance with data protection regulations
When asked about their primary email security focus for the next two to three years, 17% spoke about protecting data within other collaboration tools
61% of IT leaders in the US agree that outbound email security doesn’t get as much attention beyond compliance, but it is the silent security killer
IT leaders identify the biggest risks for potential data loss as inbound email threats (47%), outbound email threats (20%), and both presenting an equally significant risk (33%).
35% of IT leaders say increasing number of data sharing and collaboration tools being used by employees is among the biggest security vulnerabilities in organizations
21% of IT leaders say employees/human error is among the biggest security vulnerabilities in organizations
58% of employees say it’s too easy to make errors when using email
30% of leaders cite changing employee behaviours/working patterns as their motivation for change in their security focus
Almost 8 in 10 (78%) of IT leaders agree that it is vital to empower employees with tools and processes that allow them to share data securely and compliantly
70% of employees in the US say they frequently use IT policy workarounds to “get the job done” and save time or effort.
30% of employees said they would be able to focus more on the quality of their work, 28% stated they would be more productive, and another 28% mentioned they would feel trusted, if their employer invested in email security technology
Only 24% of IT leaders are highly confident in the current alignment of security investments with the most pressing threats facing their organization
33% of IT leaders say inbound and outbound email threats both present an equally big risk in their organization in terms of potential data loss
60% of employees in financial services say they frequently use IT policy workarounds to “get the job done” and save time or effort.
33% of employees say online training that uses real-life scenarios, prompts and notifications at the relevant time is the most engaging/effective email security training format
65% of IT leaders agree they lose more data every year through employee error than through any kind of malicious inbound threat
58% of IT leaders in Germany agree that outbound email security doesn’t get as much attention beyond compliance, but it is the silent security killer
Only 77% of IT leaders were aware of whether their emails were encrypted.
52% of employees say they are clear on their company's policy around email security, 45% say they are not clear, and 3% say they don't know
45% of leaders cite increasing threat levels with AI as their motivation for change in their security focus
59% of employees in healthcare say they frequently use IT policy workarounds to “get the job done” and save time or effort.
While 64% of employees report receiving training on email security, more than a third in large organizations find it ineffective or are dissatisfied with how training is delivered
58% of employees in Netherlands say they frequently use IT policy workarounds to “get the job done” and save time or effort.
67% of IT leaders in the UK admit that employee mistakes in outbound emails result in more significant data loss than malicious inbound attacks.
29% of IT leaders say expanding and more complex data security threats is among the biggest security vulnerabilities in organizations
49% of employees in Germany say they frequently use IT policy workarounds to “get the job done” and save time or effort.
6% of IT leaders have email security training on outbound threats only
5% of IT leaders don't have email security training
41% of IT leaders prioritize certified email authentication and access control for email security investment.
59% of employees say that they are worried that AI will make it harder for them to know if an incoming email or link is legitimate.
More than half of employees admit to making email mistakes at least once every few months, with 30% saying they make errors on an almost weekly basis
While IT leaders estimate that only 34% of outbound email incidents are formally reported, many employees handle mistakes informally—50% say they would notify the unintended recipient directly, while just 9% would report the incident to IT
38% of IT leaders say employees using unauthorised platforms is among the biggest security vulnerabilities in organizations
23% of IT leaders have email security training on inbound threats only
On average, an organization will experience 212 outbound email security incidents per month, yet only half (52%) of employees follow outbound email security policies to ensure compliance.
65% of IT leaders in the US admit that employee mistakes in outbound emails result in more significant data loss than malicious inbound attacks.
75% of IT leaders in the UK agree that outbound email security doesn’t get as much attention beyond compliance, but it is the silent security killer
66% of IT leaders in Belgium agree that outbound email security doesn’t get as much attention beyond compliance, but it is the silent security killer
IT leaders prioritize inbound threats like phishing, with 47% citing it as a top concern. However, two-thirds acknowledge that outbound breaches from human errors cause more data loss than social engineering attacks.
32% of leaders cite increased focus on risk mitigation as their motivation for change in their security focus
67% of IT leaders claim that email doesn’t get the security attention it deserves.
While 73% of employees are aware of the security policies pertaining to email, only 52% adhere to them
Advanced threat protection and malware detection (50%), employee training and awareness programs (48%), and phishing prevention (43%) are the top priorities for email security investment, according to IT leaders. These are followed by email encryption (42%), certified email authentication and access control (41%), human error prevention/data loss prevention (DLP) (39%), and post-delivery protection (24%).
While 47% of IT decision-makers identify phishing and malware as top threats to their data, only 20% prioritize outbound risks and just 39% of IT leaders point to data loss prevention/human error as an investment priority for email security
Among employees who frequently make email mistakes, 52% say they are not clear on their company's policy around email security
On average, 66% of IT leaders admit that employee mistakes in outbound emails result in more significant data loss than malicious inbound attacks.
54% of employees say that email accidents are most likely to happen when they are busy or tight on time, followed by feeling overwhelmed by too many messages or communication tools at 40%.
28% of employees say online training modules you complete at your own pace is the most engaging/effective email security training format
20% of IT leaders say outbound email threats present a big risk in their organization in terms of potential data loss
48% of IT leaders prioritize employee training and awareness programs for email security investment.
43% of IT leaders prioritize phishing prevention for email security investment.
54% of employees in Belgium say they frequently use IT policy workarounds to “get the job done” and save time or effort.
16% of employees say group training sessions over Zoom/Teams is the most engaging/effective email security training format
Malicious attacks, or “inbound” threats, are considered the biggest threat vector to email amongst IT leaders, with 47% stating that inbound threats are a bigger concern to them than outbound email security
Phishing continues to dominate as one of the most prevalent and sophisticated cyber threats, accounting for over 80% of reported security incidents in 2024
56% of IT leaders in Netherlands admit that employee mistakes in outbound emails result in more significant data loss than malicious inbound attacks.
62% of IT leaders in Belgium admit that employee mistakes in outbound emails result in more significant data loss than malicious inbound attacks.
68% of IT leaders in France agree that outbound email security doesn’t get as much attention beyond compliance, but it is the silent security killer
38% of IT leaders rank "employee misunderstanding of security policies" among their top vulnerabilities, while 60% of employees report using workarounds to bypass policy measures, highlighting a potential gap between IT leaders’ assumptions and the reality on the ground
33% of IT leaders say increase in data access points is among the biggest security vulnerabilities in organizations
25% of IT leaders say limited security resources / lack of security skills is among the biggest security vulnerabilities in organizations
When asked about their primary email security focus for the next two to three years, 28% aimed to find an "all-encompassing" solution for both inbound and outbound security.
When asked about their primary email security focus for the next two to three years, 11% will focus more on outbound security solutions
37% of leaders cite regulations and compliance as their motivation for change in their security focus
38% of leaders cite increased sharing of data and sensitive information over email as their motivation for change in their security focus
26% of leaders cite cost reduction pressures as their motivation for change in their security focus
More than a third (34%) of workers in large organizations with more than 1,000 employees agree, “I’m not clear on our company policy around email security,” increasing to 41% among smaller businesses with 250-999 employees.
85% of employees say they like email and want to feel safe using it
Around 60% of employees say they frequently use IT policy workarounds to “get the job done” and save time or effort.
66% of IT leaders have email security training on both inbound and outbound threats