Companies using Google Workspace are only half as likely to suffer a reportable cyberattack compared with companies using Microsoft 365, according to claims data collected by cyber insurance firms.
In its 2023 Cyber Claims Report, insurance firm Coalition found that companies using Microsoft Office 365 were more than twice as likely (a 133% increase) to make a claim against insurance, compared to companies using Google Workspace. Another analysis of claims data by insurer At-Bay found that Microsoft 365 had a relative email claims frequency of 0.14%, exactly double that of the 0.07% for businesses using Google Workspace.
The insurance data suggests that Google Workspace is less risky than Microsoft 365, and as such, premiums for Microsoft 365 users are higher, says Adam Tyra, general manager of security services for At-Bay.
“Based on the findings of our email security research, Google Workspace users will see significantly lower premiums compared to Microsoft 365 users,” he says. “But it’s important to note that we’re pricing based on actual outcomes that our insureds are experiencing with various solutions, rather than our perception of how those solutions perform based on testing in a lab.”
Both Microsoft’s and Google’s platforms are popular targets for attackers. In 2022, email campaigns targeted Microsoft 365 accounts to steal credentials and employees’ information, while researchers discovered a way to bypass logging on Google Workspace to download data from Google Drive without a trace.
Yet the relative risk of the two platforms has rarely been measured. While several other insurance companies declined to reveal their data, and the National Association of Insurance Commissioners (NAIC) did not respond to a request for comment, the data from Coalition and At-Bay suggests that Microsoft 365 users are at greater risk than their Google Workspace counterparts.
Microsoft did not directly address the insurers’ data or the conclusions, but did outline its efforts to stymie attackers.
“Microsoft’s strategy to combat email-borne attacks is anchored on three principles: research-informed product innovation, taking the fight to the attackers by taking down attack networks, and focusing on helping organizations enhance their posture and user resilience,” a spokesperson told Dark Reading.
Email Remains a Main Vector
Both Coalition and At-Bay stressed that email remains a popular vector for attackers. Business email compromise, or BEC, accounted for about a quarter (26%) of the cyber claims reported by Coalition’s policyholders, while ransomware accounted for 19%, according to the firm’s 2023 Cyber Claims Report. Meanwhile, email contributed to 41% of all claims by At-Bay’s customers in the first half of 2023, and insecure email remains a major risk factor, Tyra says.
Coalition theorized that the difference in claims frequency for companies using Microsoft 365 and Google Workspace could be due to the default protections offered by the platforms. The base Microsoft license does not include Defender for Office 365, which provides additional email security features that Google has in its base offering, Coalition pointed out in its report.
Google touted its cloud-native services and their secure design for its advantage against attackers. Gmail and Google Workspace have included machine learning since 2004, have a large user population of some 3 billion accounts to draw on for threat intelligence, and incorporate new protections regularly, says Neil Kumaran, group product manager for Google’s Gmail Security and Trust group.
“We invest extensively — and continue to invest — in applying new layers of security all the time, and I think that is a concrete foundational difference between us and some of the other platforms,” he says, adding that the massive user base “gives us a lot of threat signals that we can use to effectively protect all of our customers.”
Cloud-Based Email Is More Secure
Whether Google Workspace should be the go-to email solution for companies is unclear, At-Bay stated in its report.
“[W]e aren’t clear if this disparity is a simple case of Google offering better security features than Microsoft,” the insurance firm stated. “It is in our opinion that both vendors appear to offer a credible and highly robust portfolio of security control options to accompany their email offerings. Instead, it is possible that the results depicted by our data may be more closely related to circumstances surrounding the organizations operating these respective solutions than about the effectiveness of the solutions themselves.”
However, both companies stressed that using any cloud-based email platform is better than an on-premises system, because the cloud versions incorporate more sophisticated features such as machine learning, gather threat intelligence in real time, and are more responsive to ongoing threats.
“The best thing you can do is to use a cloud-based email provider,” At-Bay’s Tyra said. “If you cannot move to the cloud, the next best thing to do is to deploy a leading email security solution.”
Companies should also implement multifactor authentication on all accounts, starting with the most privileged, including executives and system administrators, says Chris Hendricks, head of incident response at Coalition. To head off email threats, companies should use email security technologies, such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC).
“In addition, organizations can also improve their email security by regularly training their teams on what phishing attacks are, how they can proliferate into full-scale cyber attacks, and what to look for,” Hendricks says. “While they’re at it, they can also teach employees the importance of good password practices and how to avoid taking finance and IT actions based on suspicious emails.”