Companies utilizing Google Workspace are solely half as prone to undergo a reportable cyberattack in comparison with corporations utilizing Microsoft 365, in accordance with claims information collected by cyber insurance coverage corporations.
In its 2023 Cyber Claims Report, insurance coverage agency Coalition discovered that corporations utilizing Microsoft Workplace 365 had been greater than twice as seemingly (a 133% improve) to make a declare in opposition to insurance coverage, in comparison with corporations utilizing Google Workspace. One other evaluation of claims information by insurer At-Bay discovered that Microsoft 365 had a relative e-mail claims frequency of 0.14%, precisely double that of the 0.07% for companies utilizing Google Workspace.
The insurance coverage information means that Google Workspace is much less dangerous than Microsoft 365, and as such, premiums for Microsoft 365 customers are greater, says Adam Tyra, basic supervisor of safety companies for At-Bay.
“Primarily based on the findings of our e-mail safety analysis, Google Workspace customers will see considerably decrease premiums in comparison with Microsoft 365 customers,” he says. “But it surely’s necessary to notice that we’re pricing based mostly on precise outcomes that our insureds are experiencing with varied options, reasonably than our notion of how these options carry out based mostly on testing in a lab.”
Each Microsoft’s and Google’s platforms are common targets for attackers. In 2022, e-mail campaigns focused Microsoft 365 accounts to steal credentials and staff’ data, whereas researchers found a option to bypass logging on Google Workspace to obtain information from Google Drive and not using a hint.
But the relative threat of the 2 platforms has hardly ever been measured. Whereas a number of different insurance coverage corporations declined to disclose their information, and the Nationwide Affiliation of Insurance coverage Commissioners (NAIC) didn’t reply to a request for remark, the information from Coalition and At-Bay means that Microsoft 365 customers are at higher threat than their Google Workspace counterparts.
Microsoft didn’t straight handle the insurers’ information nor the conclusions, however did define its efforts to stymy attackers.
“Microsoft’s technique to fight e-mail borne assaults is anchored on three ideas: research-informed product innovation, taking the combat to the attackers by taking down assault networks, and specializing in serving to organizations enhance their posture and person resilience,” a spokesperson informed Darkish Studying.
Electronic mail Stays a Main Vector
Each Coalition and At-Bay pressured that e-mail continues to be a well-liked vector for attackers. Enterprise e-mail compromise, or BEC, accounted for a few quarter (26%) of the cyber claims reported by Coalition’s policyholders, whereas ransomware accounted for 19%, in accordance with the agency’s 2023 Cyber Claims Report. In the meantime, e-mail contributed to 41% of all claims by At-Bay’s prospects within the first half of 2023, and insecure e-mail continues to be a major threat issue, Tyra says.
Coalition theorized that the distinction in claims frequency for corporations utilizing Microsoft 365 and Google Workspace might be because of the default protections supplied by the platforms. The bottom Microsoft licenses doesn’t embody Defender for Workplace 365, which provides extra e-mail security measures that Google has in its base providing, Coalition identified in its report.
Google touted its cloud-native companies and their safe design for its benefit in opposition to attackers. Gmail and Google Workspace have integrated machine studying since 2004, have a big person inhabitants of some 3 billion accounts to attract on for menace intelligence, and incorporate new protections usually, says Neil Kumaran, group product supervisor for Google’s Gmail Safety and Belief group.
“We make investments extensively — and proceed to speculate — in making use of new layers of safety on a regular basis, and I feel that is a concrete foundational distinction between us and a few of the different platforms,” he says, including that the large person base “offers us loads of menace alerts that we are able to use to successfully shield all of our prospects.”
Cloud-Primarily based Electronic mail Is Extra Safe
Whether or not Google Workspace must be the go-to e-mail answer for corporations is unclear, At-Bay said in its report.
“[W]e aren’t clear if this disparity is an easy case of Google providing higher security measures than Microsoft,” the insurance coverage agency said. “It is in our opinion that each distributors seem to supply a reputable and extremely sturdy portfolio of safety management choices to accompany their e-mail choices. As a substitute, it is doable that the outcomes depicted by our information could also be extra intently associated to circumstances surrounding the organizations working these respective options than in regards to the effectiveness of the options themselves.”
Nevertheless, each corporations pressured that utilizing any cloud-based e-mail platform is best than an on-premises system, as a result of the cloud variations incorporate extra subtle options corresponding to machine studying, collect menace intelligence in actual time, and are extra conscious of ongoing threats.
“The perfect factor you are able to do is to make use of a cloud-based e-mail supplier,” At-Bay’s Tyra stated. “If you cannot transfer to the cloud, the following smartest thing to do is to deploy a number one e-mail safety answer.”
Firms must also implement multifactor authentication on all accounts, beginning with essentially the most privileged, together with executives and system directors, says Chris Hendricks, head of incident response at Coalition. To move off e-mail threats, corporations ought to use e-mail safety applied sciences, corresponding to Sender Coverage Framework (SPF), DomainKeys Recognized Mail (DKIM), and Area-based Message Authentication, Reporting & Conformance (DMARC).
“As well as, organizations may also improve their e-mail safety by frequently coaching their groups on what phishing assaults are, how they will proliferate into full-scale cyber assaults, and what to search for,” Hendricks says. “Whereas they’re at it, they will additionally train staff the significance of fine password practices and how one can keep away from taking finance and IT actions based mostly on suspicious emails.”
