Why 74% of IT leaders aren't satisfied with their email security platform
Gugu Ntsele June 23, 2025
Email remains the backbone of business communication, handling billions of messages daily across organizations worldwide. Despite this, 74 percent of IT leaders report they are not fully satisfied with the security features of their current email platforms, according to Paubox's 2025 Healthcare Email Security Report.
The implications of this dissatisfaction extend beyond simple frustration with software features. When three-quarters of IT decision-makers express concerns about their email security infrastructure, it signals a problem that demands attention.
The evolution of email threats
As noted in The Cyber Corner's analysis of phishing evolution, "Phishing emails have evolved dramatically over the past few decades. What started as rudimentary and obvious scams has transformed into a complex, multi-faceted threat that challenges even the most tech-savvy individuals and organizations." The modern threat bears little resemblance to the relatively simple spam filters and virus scanners of the early 2000s. Today's cybercriminals employ sophisticated techniques that exploit not just technical vulnerabilities, but human psychology and organizational processes.
Business email compromise
Business Email Compromise (BEC) attacks represent a dangerous evolution in email-based threats. These attacks don't rely on malware or obvious suspicious links. Instead, they leverage social engineering and impersonation to trick employees into transferring funds or sharing sensitive information. According to a 2022 article published by The Record titled "FBI: business email compromise attacks led to more than $43 billion in losses since 2016," more than $43 billion has been lost through business email compromise (BEC) and email account compromise scams since 2016. When domestic and international exposed dollar losses are combined from June 2016 through December 2021, the FBI found that $43.31 billion was taken across 241,206 incidents.
The impact continues to accelerate, with the FBI reporting that BEC crimes led to 19,954 complaints with an adjusted loss of nearly $2.4 billion in 2021 alone. Even more concerning, Andy Gill, senior security consultant at LARES Consulting, noted that "the numbers in the report are likely the low end of the actual figures given that a large number of incidents go unreported."
Advanced persistent threats
Advanced Persistent Threat (APT) groups have also shifted their focus to email as a primary attack vector. These organizations use email to establish initial footholds in target networks, often going undetected for months or even years.
In 2021, a Chinese APT group, believed to be APT27 (also known as Iron Tiger, Emissary Panda, TG-3390, and LuckyMouse), conducted an extensive espionage campaign targeting critical infrastructure sectors. The campaign compromised at least 9 organizations across healthcare, energy, defense, technology, and education by exploiting a critical vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus, Zoho's enterprise password management platform.
This attack shows the multi-stage approach characteristic of APT operations. After the U.S. Cybersecurity and Infrastructure Security Agency issued a security advisory on September 17, 2021, warning that exploits were in the public domain, the attackers conducted extensive scans for vulnerable servers using leased U.S. infrastructure. Beginning September 22, 2021, they systematically attacked unpatched systems throughout October, deploying the Godzilla web shell and installing a new backdoor called NGlite on select victims.
The inadequacy of traditional email security approaches
Traditional email security solutions were designed for a simpler threat environment. They rely on signature-based detection, reputation systems, and rule-based filtering. While these approaches can handle known threats effectively, they struggle against the evolving nature of modern cyberattacks.
The Cyber Corner's research highlights this challenge: "A major turning point in phishing evolution came with the advent of spear phishing. Unlike traditional phishing, which casts a wide net, spear phishing targets specific individuals or organizations by using personal details to make the email seem more legitimate." This shift toward personalized attacks has undermined the effectiveness of traditional security approaches.
The limitations of legacy systems
The financial burden of maintaining legacy email security systems has become a concern for organizations. According to Forbes Technology Council's analysis, "up to 80 percent of companies' IT budgets is spent keeping old IT systems afloat," while "40% of IT leaders regret their legacy technology purchases." This represents a significant drain on resources that could otherwise be invested in more effective security solutions. As RT Insights observes, "the cost of maintaining outdated technology often outweighs the investment required to modernize."
The operational impact of these legacy systems extends beyond financial considerations. Matt Murren, CEO of True North ITG, notes: "I've seen firsthand how legacy email platforms can quietly—but critically—undermine operational stability and efficiency across healthcare organizations." This quiet undermining effect makes legacy systems particularly insidious, as their negative impact may not be immediately apparent but accumulates over time.
Signature-based detection systems work by comparing incoming emails against databases of known malicious patterns. However, this approach is inherently reactive—it can only detect threats that have been previously identified and catalogued. Cybercriminals have adapted by constantly modifying their attack techniques, creating new variants that can evade signature-based detection.
Why current solutions fall short
The 74 percent dissatisfaction rate among IT leaders stems from a mismatch between the sophistication of modern threats and the capabilities of existing security solutions. As The Cyber Corner observes, "In the present day, phishing emails have become highly sophisticated, often using advanced tactics like spoofing to make them appear as though they are coming from trusted sources. Attackers often impersonate colleagues, bosses, or official entities, making it extremely difficult for recipients to differentiate between legitimate emails and malicious ones." This gap manifests in several areas that expose organizations to risk.
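As an added illustration (not code from Paubox or from the reports cited in this article), the following Python example contrasts the signature-style check described above with header checks that can flag an impersonation message containing no malware or links. The domains, staff directory, hash database and both sample messages are constructed for the example.

```python
import hashlib
from email import message_from_string
from email.utils import parseaddr

# Constructed data: staff directory and a "known bad body" signature database.
DIRECTORY = {"dana whitfield": "dana.whitfield@clinic.example"}
KNOWN_BAD_SHA256 = {hashlib.sha256(b"Open the attached invoice now.").hexdigest()}

# Constructed BEC-style message: no attachment, no link, nothing to fingerprint.
RAW_BEC = """\
From: "Dana Whitfield" <dana.whitfield@clinic-billing.example>
Reply-To: accounts@payments.example
To: ap@clinic.example
Subject: Urgent wire today

Please process the vendor payment before 3pm. I am in meetings all day.
"""

# Constructed legitimate message from the real directory address.
RAW_LEGIT = """\
From: "Dana Whitfield" <dana.whitfield@clinic.example>
To: ap@clinic.example
Subject: Budget review

Agenda for Thursday is in the shared folder.
"""


def signature_match(msg):
    """Signature-style check: exact hash of the body against known-bad hashes."""
    body = msg.get_payload().strip().encode()
    return hashlib.sha256(body).hexdigest() in KNOWN_BAD_SHA256


def impersonation_findings(msg):
    """Header checks that need no prior sighting of the message."""
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    # Normalise case and whitespace before looking the display name up.
    expected = DIRECTORY.get(" ".join(name.lower().split()))
    if expected and addr.lower() != expected:
        findings.append("staff display name on a non-directory address")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("Reply-To differs from From")
    return findings


def triage(raw):
    """Return (signature hit, list of impersonation findings) for a raw message."""
    msg = message_from_string(raw)
    return signature_match(msg), impersonation_findings(msg)
```

The constructed BEC message produces no signature hit yet yields two header findings, while the legitimate message yields none.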
Zero-day threats and novel attack techniques
Zero-day threats represent a challenging aspect of modern email security. These attacks exploit previously unknown vulnerabilities or use novel techniques that have never been encountered before. Traditional security solutions, which rely on known indicators of compromise, are unable to detect these threats until after they have been identified and analyzed.
The impact of zero-day exploits became evident in May 2023 when the CL0P ransomware group (also known as TA505) began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer platform. According to a joint cybersecurity advisory from CISA and the FBI, the group was able to install a web shell named LEMURLOOT on internet-facing MOVEit Transfer applications, enabling them to steal data from underlying databases.
The CL0P group's systematic approach to zero-day exploitation illustrates why traditional security measures struggle against these threats. The group has a documented history of targeting file transfer solutions with zero-day exploits, having previously conducted similar campaigns against Accellion File Transfer Appliance devices in 2020-2021 and Fortra/Linoma GoAnywhere MFT servers in early 2023. In the GoAnywhere campaign alone, the group claimed to have exfiltrated data impacting approximately 130 victims over just 10 days, demonstrating the scale at which zero-day attacks can spread.
The increasing use of legitimate services for malicious purposes creates another challenge. Attackers now commonly use trusted cloud services, legitimate file-sharing platforms, and reputable URL shorteners to deliver malicious content. This technique, known as "living off the land," makes it extremely difficult for security solutions to distinguish between legitimate business communications and malicious attacks.
The user experience problem
The technical sophistication of email security solutions means little if they create barriers to normal business operations. As Dawn Kendall, Vice President of Programs and Services for Easterseals Louisiana, shares bluntly: "We got a lot of pushback from email recipients using our previous encryption solution. Funders were asking us to resend things constantly because they weren't able to open it."
This quote shows a problem with many email security implementations: they prioritize security at the expense of usability. When security measures become so technical that they interfere with basic business communications, organizations face an impossible choice between security and operational efficiency.
The COVID-19 impact
According to the Record article, the FBI noted a 65 percent increase in identified global exposed losses between July 2019 and December 2021, attributing the increase to the COVID-19 pandemic. Remote work environments have changed how organizations operate and communicate, creating new vulnerabilities that email security solutions struggle to address.
Delinea advisory CISO Joseph Carson highlighted a challenge facing modern organizations: "it is harder than ever to verify with a colleague whether the request is legitimate." This difficulty in verification creates ideal conditions for BEC attacks, where attackers exploit the lack of in-person verification processes that were common in traditional office environments.
The evolution of social engineering
The challenge is increased by the evolution of threat detection. As The Cyber Corner points out, "While early phishing scams were easy to spot, modern attacks require greater vigilance and stronger cybersecurity practices." This evolution has outpaced the development of security solutions designed to help users navigate these more sophisticated threats.
Credential harvesting attacks exemplify this challenge. These attacks often use legitimate-looking login pages hosted on compromised or newly registered domains. The technical indicators may be subtle or absent entirely, relying instead on convincing users to voluntarily enter their credentials. Traditional security solutions may not flag these attacks as malicious, leaving users vulnerable to deception.
The concept of "security fatigue" also plays a role in the effectiveness of email security measures. Users who are constantly bombarded with security warnings and alerts may become desensitized to legitimate threats. This phenomenon can lead to decreased vigilance and increased susceptibility to attacks, undermining even the most sophisticated technical controls.
The true cost of inadequate email security
The financial impact of inadequate email security extends beyond the direct costs of security breaches:
Direct financial losses
The FBI's latest data reveals the true scale of financial losses from email-based attacks. The $43.31 billion lost across 241,206 incidents between June 2016 and December 2021 represents an unprecedented level of financial damage. With 116,401 BEC scams targeting US citizens alone resulting in an exposed dollar loss of $14.76 billion, and an additional 5,260 complaints from non-US victims resulting in $1.27 billion in losses, the global impact is staggering.
The geographic spread of these attacks is equally concerning. The FBI noted that "the BEC scam has been reported in all 50 states and 177 countries, with over 140 countries receiving fraudulent transfers." Based on 2021 financial data, banks located in Thailand and Hong Kong were the primary international destinations of fraudulent funds, with China ranking third, followed by Mexico and Singapore.
Beyond direct losses
Regulatory compliance costs represent another financial consideration. Many industries are subject to strict data protection regulations that require organizations to implement appropriate security measures. Inadequate email security can lead to regulatory violations, resulting in substantial fines and ongoing compliance costs.
The operational impact of security incidents can be equally costly. Ransomware attacks can shut down entire organizations for days or weeks, resulting in lost productivity, missed business opportunities, and customer dissatisfaction. Even when organizations refuse to pay ransom demands, the cost of recovery can be substantial.
Reputational damage from security breaches can have long-lasting financial implications. Customers may lose trust in organizations that fail to protect their data, leading to customer churn and difficulty acquiring new business. Partners and suppliers may also reconsider their relationships with organizations that demonstrate poor security practices.
The complexity of modern cybercrime
Understanding the sophistication of modern email threats requires recognizing the infrastructure that supports these attacks. According to a 2022 article published by The Record, JupiterOne's Sounil Yu noted that BEC actors have an entire support structure enabling the scams. One element of this support structure is the function of money mules, individuals who move the stolen funds and enable BEC actors to access them.
This organized approach to cybercrime shows why traditional email security solutions struggle to address the threat. The attacks involve not just technical exploitation, but entire networks of criminals working together to maximize the success and profitability of their operations.
The challenge of evidence
One of the factors contributing to the underreporting of BEC attacks is the difficulty organizations face in proving that their systems were actually compromised. Delinea advisory CISO Joseph Carson explained: "The major challenge with BEC security incidents is that you have to provide evidence that your account was indeed compromised and the incident was not just human error. With cybercriminals being really good at hiding their tracks, such evidence can sometimes be very difficult to gather. Victims sometimes prefer not to report incidents if the amount is quite small."
This challenge in evidence collection and incident reporting creates a feedback loop that undermines the effectiveness of email security improvements. When organizations cannot adequately document and report attacks, the security industry lacks the threat intelligence needed to develop effective countermeasures.
The urgent need for change
The dissatisfaction among IT leaders with current email security platforms shows a disconnect between evolving threats and existing defensive capabilities. With 74 percent of IT decision-makers expressing concerns about their email security infrastructure, the industry faces a need for innovative solutions that can address both technical and human factors in email security.
When IT teams are spending portions of their time on reactive security maintenance—as the Paubox report shows, with many organizations dedicating 11-20 hours weekly to secure email ticket resolution—there's less capacity for strategic security planning and user education initiatives.
Despite these challenges, there is reason for optimism. The same Paubox report indicates that securing email communication has improved operational efficiency by over 20 percent for half of healthcare organizations when implemented effectively. This statistic demonstrates that the problem isn't necessarily with email security itself, but with the current generation of solutions that prioritize technical features over practical usability.
The path forward requires a shift in how organizations approach email security, moving beyond traditional reactive measures to embrace next-generation solutions that can adapt to the evolving threat landscape while maintaining operational efficiency and user satisfaction.
FAQs
How does Paubox address the problem of human error in email encryption?
Paubox removes the human element by automatically encrypting every outbound email with zero user interaction required.
Can Paubox protect against zero-day threats and novel attacks mentioned in the article?
Yes—Paubox uses real-time threat detection and filters that analyze behavior, helping identify and stop zero-day malware before it reaches inboxes.
What makes Paubox more effective against “living off the land” attacks that use trusted services?
Paubox’s advanced filtering detects suspicious use of reputable platforms like OneDrive or Dropbox, and stops spoofing attempts using domain age and display name verification.
How does Paubox improve upon traditional, outdated security platforms?
Unlike legacy systems that rely on portals and manual configurations, Paubox works natively with Gmail, Outlook, and mobile devices—without extra logins or plugins.
Does Paubox provide visibility and reporting to support compliance and investigations?
Yes—Paubox offers detailed message logs, audit trails, and secure archiving to support HIPAA compliance and forensic investigations.
