Companies utilizing Google Workspace are solely half as prone to endure a reportable cyberattack in comparison with corporations utilizing Microsoft 365, in accordance with claims knowledge collected by cyber insurance coverage corporations.

In its 2023 Cyber Claims Report, insurance coverage agency Coalition discovered that corporations utilizing Microsoft Workplace 365 have been greater than twice as possible (a 133% enhance) to make a declare towards insurance coverage, in comparison with corporations utilizing Google Workspace. One other evaluation of claims knowledge by insurer At-Bay discovered that Microsoft 365 had a relative electronic mail claims frequency of 0.14%, precisely double that of the 0.07% for companies utilizing Google Workspace.

The insurance coverage knowledge means that Google Workspace is much less dangerous than Microsoft 365, and as such, premiums for Microsoft 365 customers are increased, says Adam Tyra, basic supervisor of safety companies for At-Bay.

“Based mostly on the findings of our electronic mail safety analysis, Google Workspace customers will see considerably decrease premiums in comparison with Microsoft 365 customers,” he says. “However it’s necessary to notice that we’re pricing based mostly on precise outcomes that our insureds are experiencing with varied options, somewhat than our notion of how these options carry out based mostly on testing in a lab.”

Each Microsoft’s and Google’s platforms are fashionable targets for attackers. In 2022, electronic mail campaigns focused Microsoft 365 accounts to steal credentials and staff’ info, whereas researchers found a technique to bypass logging on Google Workspace to obtain knowledge from Google Drive with out a hint.

But the relative threat of the 2 platforms has not often been measured. Whereas a number of different insurance coverage corporations declined to disclose their knowledge, and the Nationwide Affiliation of Insurance coverage Commissioners (NAIC) didn’t reply to a request for remark, the information from Coalition and At-Bay means that Microsoft 365 customers are at better threat than their Google Workspace counterparts.

Microsoft didn’t straight handle the insurers’ knowledge nor the conclusions, however did define its efforts to stymy attackers.

“Microsoft’s technique to fight electronic mail borne assaults is anchored on three ideas: research-informed product innovation, taking the struggle to the attackers by taking down assault networks, and specializing in serving to organizations enhance their posture and consumer resilience,” a spokesperson instructed Darkish Studying.

Electronic mail Stays a Main Vector

Each Coalition and At-Bay harassed that electronic mail continues to be a well-liked vector for attackers. Enterprise electronic mail compromise, or BEC, accounted for a couple of quarter (26%) of the cyber claims reported by Coalition’s policyholders, whereas ransomware accounted for 19%, in accordance with the agency’s 2023 Cyber Claims Report. In the meantime, electronic mail contributed to 41% of all claims by At-Bay’s prospects within the first half of 2023, and insecure electronic mail continues to be a big threat issue, Tyra says.

Coalition theorized that the distinction in claims frequency for corporations utilizing Microsoft 365 and Google Workspace might be because of the default protections supplied by the platforms. The bottom Microsoft licenses doesn’t embody Defender for Workplace 365, which gives further electronic mail security measures that Google has in its base providing, Coalition identified in its report.

Google touted its cloud-native companies and their safe design for its benefit towards attackers. Gmail and Google Workspace have integrated machine studying since 2004, have a big consumer inhabitants of some 3 billion accounts to attract on for risk intelligence, and incorporate new protections usually, says Neil Kumaran, group product supervisor for Google’s Gmail Safety and Belief group.

“We make investments extensively — and proceed to take a position — in making use of new layers of safety on a regular basis, and I feel that is a concrete foundational distinction between us and a number of the different platforms,” he says, including that the huge consumer base “offers us numerous risk alerts that we are able to use to successfully shield all of our prospects.”

Cloud-Based mostly Electronic mail Is Extra Safe

Whether or not Google Workspace ought to be the go-to electronic mail answer for corporations is unclear, At-Bay said in its report.

“[W]e aren’t clear if this disparity is a straightforward case of Google providing higher security measures than Microsoft,” the insurance coverage agency said. “It is in our opinion that each distributors seem to supply a reputable and extremely strong portfolio of safety management choices to accompany their electronic mail choices. As a substitute, it is doable that the outcomes depicted by our knowledge could also be extra intently associated to circumstances surrounding the organizations working these respective options than concerning the effectiveness of the options themselves.”

Nevertheless, each corporations harassed that utilizing any cloud-based electronic mail platform is best than an on-premises system, as a result of the cloud variations incorporate extra refined options similar to machine studying, collect risk intelligence in actual time, and are extra conscious of ongoing threats.

“The most effective factor you are able to do is to make use of a cloud-based electronic mail supplier,” At-Bay’s Tyra stated. “If you cannot transfer to the cloud, the following smartest thing to do is to deploy a number one electronic mail safety answer.”

Corporations must also implement multifactor authentication on all accounts, beginning with essentially the most privileged, together with executives and system directors, says Chris Hendricks, head of incident response at Coalition. To move off electronic mail threats, corporations ought to use electronic mail safety applied sciences, similar to Sender Coverage Framework (SPF), DomainKeys Recognized Mail (DKIM), and Area-based Message Authentication, Reporting & Conformance (DMARC).

“As well as, organizations may enhance their electronic mail safety by recurrently coaching their groups on what phishing assaults are, how they’ll proliferate into full-scale cyber assaults, and what to search for,” Hendricks says. “Whereas they’re at it, they’ll additionally educate staff the significance of fine password practices and the best way to keep away from taking finance and IT actions based mostly on suspicious emails.”