Osterman Research came out with their Office 365 Email Security 2019 Benchmarking Survey and the results are scary for organizations using Office 365 for email. The results are based on 318 in-depth surveys with IT and security managers of enterprises using Office 365 in the United States and the United Kingdom. According to Osterman, the purpose of the survey was to gain a better understanding of the security management issues faced by organizations using Office 365.
The first thing that stands out is the prevalence of successful phishing attacks. According to the report, “Seventy-eight percent of enterprises suffered at least one email-related security breach during the previous 12 months, whether phishing, ransomware, or some other malware, and the average for all enterprises during that period was 11.3 such successful attacks—almost one a month.”
“Enterprises on average suffered 4.2 phishing related breaches, and 40 percent report that Office 365 login credentials were compromised; this happened on average 3.7 times per organization.”
The other thing that really stands out is not the direct cost of a successful phishing attack (i.e., what was lost or compromised), but the indirect cost. The indirect cost includes all the effort to restore service and get things back up and running.
According to the report, “Security staff is easily overwhelmed by the frequency and severity of breaches – following a successful attack, companies estimated that their security staff on average expended 133 person-hours addressing the problem.” That’s one person working almost a month to fix the problem.
“To address email-related attacks that bypass current defenses and arrive at user inboxes, including removing malicious content from inboxes, US-based enterprises spend about $104 per user per year.” Contrast that with the cost of an email security service that keeps phishing emails out of inboxes: less than $4 per user per year. It’s 29 times cheaper to keep phishing emails out of inboxes.
The one bright spot in the report is that IT and security folks seem to understand the limitations of Office 365 security and are doing something about it. “Eighty percent of enterprises use additional security capabilities beyond what is provided natively in Office 365.”
“If presented with the option of deploying additional layers of security to address the specific problems around phishing, ransomware, and other malware, 43 percent of enterprise decision makers said they definitely or would be extremely likely to do so.”
The bottom line is that if you use Office 365 for your email, its native security is insufficient. You need something more, and almost any amount you spend is worth it if it keeps phishing emails out of inboxes.
If you are using Office 365 for your email and you’d like to add phishing protection to keep phishing emails out of your inboxes, check out Phish Protection with Advanced Threat Defense. It seamlessly integrates with Office 365. You’ll be up and running in 10 minutes.