300 Billion Emails, Infinite Risk: Email Security Evolution
Email security faces critical challenges in 2024. Phishing, BEC, and malware exploit vulnerabilities despite efforts from tech giants.

TL;DR
Here’s the TL;DR (too long, didn’t read):
Email is critical to business operations but remains one of the biggest cybersecurity vulnerabilities.
Phishing, business email compromise (BEC), and malware continue to exploit email as both an attack vector and target.
Despite efforts from major players like Google and Microsoft, email security alone is insufficient to combat evolving threats.
The broader collaboration workspace must also be secured, including attachments and cloud-based file shares.
The email security market is fragmented, reactive, and reliant on outdated tools like endpoint detection and response (EDR), which aren’t fully effective for email-based threats.
To address these challenges, we need proactive security measures that treat email as both an identity provider and an unstructured data store, focusing on structural changes to protect the entire digital workspace.
Email as the Language of Business
Email is the cornerstone of business operations, yet it remains one of the weakest links in our cybersecurity defenses.
Email is more than just a communication tool—it's the backbone of modern business. From single-person startups to Fortune 500 companies, email is the primary medium for exchanging contracts, negotiating deals, coordinating teams, and communicating with customers. It’s how businesses stay connected internally and externally, manage day-to-day operations, communicate strategy, and share updates.
The Importance of Email in Business Operations
Beyond simple communication, email now serves as a key element in identity management. It's often the gateway to an individual’s digital identity, used to verify access across countless services. Whether logging into cloud-based platforms or resetting passwords, the email inbox has become the hub for managing access to essential business applications.
In many ways, email has become the digital equivalent of a physical office—it’s where sensitive information resides, trust is built, and relationships are maintained.

With over 300 billion emails sent and received daily, the sheer volume alone presents an overwhelming challenge to security teams. Email is the primary vector for phishing attacks, malware distribution, and business email compromise (BEC), making it one of cybercriminals' most exploited entry points. And as businesses continue to rely on email for critical functions, the stakes have never been higher.
This is why the email security market has been booming for the past several years.
It’s Always Been About More Than Email
The challenge is that email security alone isn’t enough anymore. The entire workspace must be secured, including attachments, cloud-based file shares, and shared drives. This shift mirrors the evolution of the SaaS Governance or SaaS Security Posture Management (SSPM) space, where the industry realized that far more nuance is required for managing and securing SaaS services.
One way of framing how to solve this problem better is to look at email as more than “just email.” Email is a unique platform in that it is a combination of an organization's Identity Provider (IdP) and an unstructured data store.
Email is not just the attack method but also an attack target and attack vector.
Email is an identity source in that it can be used as an initial access method to access many other applications, accounts, and services once it is compromised. One way to do that is to create password resets for other accounts once the email is compromised. Think of it as any platform, be it Slack, GitHub, or other SaaS application, that a compromised email account has access to, which is just one password reset away from being taken over.
Email is also an unstructured data store that provides historical data and context from every email sent or received by the account and any attachments therein. Unstructured data is a cornerstone of modern business operations, just like email, and forms the backbone of organizational communication and decision-making. Email is both a communication channel and an access point to sensitive data and services.
So now that we are all on the same page about how critical email is and what’s at stake, how is it that in 2024, securing email and eliminating phishing are not solved problems?
For that, we’ll have to dig into how the email threat landscape has evolved so far.
The Email Threat Landscape
As I’ve written about before, phishing has arguably been the single most devastating cybersecurity threat to the world since email came into the public purview in the late 1980s to early 1990s.

The Microsoft Mail Client for Windows NT - The Good Ole Days of Email 🥹
Even today, in 2024, email is still the primary method for delivering malware.
Why? Simply because it still works (60% of the time, it works every time). A compromised email account can have more value than other sources, as seen in this diagram from Brian Krebs:

Although this post is over ten years old, The Value of a Hacked Email Account is just as relevant today as it was then. Using email to defraud, steal login credentials and confidential data, and send malicious payloads to compromise companies is good business for cybercriminals because it continues to work. If it ain’t broke, don’t fix it.
The World Economic Forum (WEF) now even ranks cybercrime eighth among the world’s top 10 global risks, just after climate change and ahead of large-scale human migration.

Humans are at the center of all of it. According to the 2024 Verizon Data Breach Investigation Report (DBIR), 68% of breaches they identified involved a human component.

While there has been a positive increase in the number of phishing emails reported (people and technology are better at spotting phishing emails), there has been a corresponding increase in the number of “successful” phishing emails. One stat from the Verizon DBIR shows that the median time for users to fall victim to phishing emails is less than 60 seconds.

Material’s data echoes the prevalence of the human element. Of the malicious emails detected so far in 2024, nearly 30% involve some form of social engineering, and nearly 18% are fraud or BEC that also plays on the human element.

Cybercriminals also have a huge financial upside, making it far too appealing to stop. According to the 2023 FBI Internet Crime Report, Business email compromise (BEC) is one of enterprise organizations' most significant cybersecurity threats.

The report cited that $2.9 billion was lost in 2023 alone to Business Email Compromise (BEC). Email is both a means of attack through phishing and initial access malware and a high-value target for company intelligence and financial fraud.
Despite the efforts of the biggest players, phishing, business email compromise, and account takeovers are still happening and on the rise. And despite these staggering numbers and reality, businesses are still underinvesting in or underthinking how to solve the email security problem.
So what gives? What has the cybersecurity market been doing to solve these evolving problems over the years?
Let’s first break down what the email security market looks like.
Breaking Down the Email Security Market
The email security landscape has slowly evolved into fragmented, overlapping subcategories, each addressing a piece of the puzzle, but no solution dominates.
It is not uncommon for companies that start off in email security focused on spam and phishing defense to move into email data loss prevention (DLP), insider threat detection, security awareness training, and encryption. The inverse has held true as well for the companies in those adjacent spaces that are moving into email security.
Nearly $3 billion has been invested in the broader email security market over the past 20 years. It’s staggering to take a step back and look at it. This figure includes both companies that started and have stayed mainly as “email security” companies and companies that started out solving a different kind of problem and then later moved into the email security space as a product offering.
Breaking down these numbers further, we can see that 82% of the $3 billion, or $2.4 billion, has gone to 10 companies:
It’s worth noting from this chart that some companies have expanded beyond being “pure play” email security companies.
So, let’s take a closer look at how the email security market has segmented itself from a capability standpoint.
Double-Clicking into Email Security Capabilities
To better understand how this market is divided up, I’ll use a diagram I made showing where the majority of email security tools focus on today for inbound email vs. where the industry is heading:
The industry has been relying on endpoint detection and response (EDR) tools to do the heavy lifting as the final frontier of email, and it hasn’t really been working. While EDR has brought the industry forward a very long way, it is still inherently reactive and is more about incident response and containment.
Email-based threats, on the other hand, are a different beast. Phishing and BEC often rely on social engineering and trick people into taking bad actions before the EDR systems detect a threat. When the EDR triggers a response, sensitive data may have already been compromised, or a person may have been phished.
As email threats have grown in complexity and creativity, the market for email security solutions has also grown and can be broken down into several sub-categories:
Secure Email Gateways (cloud-based or otherwise) - Established
These platforms serve as the frontline defense against incoming threats, filtering out malicious emails before they reach the inbox. They focus on detecting and blocking spam, phishing attempts, and malware-laden messages “in front” of the email service providers and attempt to prevent bad emails from reaching inboxes in the first place.
Email Service Providers - Established
These are the largest tech companies in the world that provide email platforms. Google’s Gmail and Microsoft’s O365 (or whatever it’s named today) have long been trying to solve email security problems at the macro level. Google and Microsoft are some of the few companies uniquely positioned to create big changes across the Internet and the industry to make us all safer.
Google claims they protected Gmail users “from nearly 15 billion unwanted messages a day, blocking more than 99.9% of spam, phishing and malware” in 2022. Both the numerator and the denominator behind those figures will only have increased in the two years since.
In February 2024, Google took another step towards industry security by enforcing email authentication for any “bulk email sender,” those who send more than 5,000 messages to Gmail addresses in one day. This means that companies or individuals who sent emails to anyone with a Gmail address had to enable DKIM to prove to Google that the sender was who they said they were.
Microsoft has taken a different approach to lifting the industry up: it has added security measures to its existing Microsoft O365 suite. Microsoft's security business has grown significantly in recent years, becoming a key part of its overall strategy. As of 2023, Microsoft’s security division was reported to generate over $20 billion in annual revenue, marking a 33% year-over-year growth.
Email Incident Response and Collaboration Workspace Security - Growing
Email incident response platforms are designed to support the triage and containment of email-related security issues, identifying and neutralizing malicious emails. These tools provide organizations with post-email delivery defense by applying a herd-like immunity across all email accounts. Once a threat is detected, these platforms can:
Remove malicious attachments post-delivery,
Re-write phishing URLs to ensure they are safe, and
Combat fake QR code phishing emails that have bypassed Secure Email Gateways and native email provider protections.
However, the scope of email security has expanded beyond the inbox. Modern email incident response platforms like Material are evolving into a broader Collaboration Workspace Security space, where posture management checks cover email and the entire collaboration ecosystem. This includes securing email, collaboration file shares (e.g., Google Drive, Microsoft OneDrive), and unstructured documents (e.g., Word documents, spreadsheets) across various cloud-based tools. These platforms address a range of security concerns by incorporating:
Sensitive data discovery to protect critical information,
Email data governance to ensure proper handling of data,
Step-up authentication for accessing email attachments, and
Tracking and managing documents with excessive sharing permissions both within and outside the organization.
By merging incident response with collaboration security, these platforms provide a comprehensive approach to safeguarding not just email, but the broader digital workspace organizations now depend on.
The email security industry needs a CSPM for the productivity suite.
What’s Not Covered
This piece intentionally won’t include security capabilities like:
Email encryption
Outbound email inspection
Email data loss prevention (DLP)
Security awareness tools that support good email security etiquette and hygiene
However, it is also worth noting that many of the players in the space cover many of the above capabilities; I just won’t be covering those topics here.
This post will also not cover the host of email platforms that focus on email-sending hygiene, which is not specific to security but has the added benefit of improving the security and trustworthiness of emails and the companies that send them.
Many of the platforms focus on the health of email deliverability over security, and for a technical terminology level-set, I’ll define a few key terms in this space:
Mail Exchange (MX) Record - a DNS record that directs how an email should be relayed from the sending domain to the recipient via Simple Mail Transfer Protocol (SMTP).
Sender Policy Framework (SPF) - helps prevent unauthorized mail servers from impersonating your domain and reduces the risk of phishing attacks.
DomainKeys Identified Mail (DKIM) - helps verify that emails are genuinely from the domain they claim to be from and ensure the message contents are not accessed or changed in transit.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) - adds an authentication protocol to prevent email domains from being spoofed. DMARC works in conjunction with SPF and DKIM to ensure that the email's “From” address is not forged.
I like to call SPF, DKIM, and DMARC the Email Deliverability Holy Trinity™. These checks are essential to an overall email strategy and should not be ignored.
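The SPF and DMARC checks defined above, as an added example that is not part of the original post: a Python audit that parses the two TXT records and flags settings that leave a domain open to spoofing. The domains and records are constructed samples and the function names are hypothetical; DKIM is left out because its key record lives under a per-sender selector.

```python
# Added example: offline audit of SPF and DMARC TXT records.
# The records in SAMPLES are constructed, not real DNS data.

def audit_spf(record):
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["spf: record missing or not v=spf1"]
    findings = []
    names = [t.lstrip("+-~?").split(":")[0].split("/")[0] for t in terms[1:]]
    # These terms each cost a DNS lookup; more than 10 yields permerror.
    costly = [n for n in names if n in ("include", "a", "mx", "ptr", "exists")
              or n.startswith("redirect=")]
    if len(costly) > 10:
        findings.append("spf: more than 10 DNS-lookup terms (permerror)")
    # Only the first 'all' matters; anything after it is ignored.
    first_all = next((t for t in terms[1:] if t.lstrip("+-~?") == "all"), None)
    if first_all in ("all", "+all"):
        findings.append("spf: +all authorizes every server to send as the domain")
    elif first_all == "?all" or (first_all is None and not any(
            n.startswith("redirect=") for n in names)):
        findings.append("spf: unlisted servers get a neutral result, not a fail")
    return findings

def audit_dmarc(record):
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("v") != "DMARC1":
        return ["dmarc: record missing or not v=DMARC1"]
    findings = []
    policy, pct = tags.get("p", "").lower(), tags.get("pct", "100")
    if policy not in ("quarantine", "reject"):
        findings.append("dmarc: p=none or missing, failing mail is only monitored")
    elif tags.get("sp", policy).lower() == "none":
        findings.append("dmarc: sp=none leaves subdomains unenforced")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"dmarc: pct={pct} enforces on only part of failing mail")
    if "rua" not in tags:
        findings.append("dmarc: no rua address, no aggregate reports are sent")
    return findings

SAMPLES = {  # constructed records: domain -> (SPF, DMARC)
    "weak.example.com": ("v=spf1 include:_spf.example.com +all", "v=DMARC1; p=none"),
    "strict.example.com": ("v=spf1 include:_spf.example.com -all",
                           "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
}

def audit_all(samples=SAMPLES):
    return {d: audit_spf(s) + audit_dmarc(m) for d, (s, m) in samples.items()}

if __name__ == "__main__":
    print(audit_all())
```

In practice the record strings would come from TXT lookups on the domain itself (SPF) and on `_dmarc.<domain>` (DMARC).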
With those caveats and terminology out of the way, it’s time for the email security market to evolve its approach to securing email and stemming the tide of phishing attacks.
The Future of Email and Collaboration Security
Probably the most significant shift and advancement in the email space has been the move towards cloud-based email platforms. Cloud constructs rely on every action in the cloud being an API call under the hood, and now email can follow suit.
Now, security vendors can scan all of the emails in all of the inboxes of all of the tenants for a given company and give you a posture state on what is good, bad, and ugly. This can be done as often as API rate limiting allows and can give you a more proactive view of the health and security of one of your company's most important business applications.
Does this sound familiar? It should because it’s exactly how the cloud security posture management (CSPM) market evolved and why that capability is now commonplace in all cloud security vendors. Cloud security posture needs constant re-assessment, and so does your email and collaboration suite.
The email security market needs to move beyond the reactive, detection-first approach and focus on structural changes that address email's full scope as an identity source and data store.