When It Comes to Email Security, the Cloud You Pick Matters

Businesses using Google Workspace are half as likely to suffer a reportable cyberattack compared with companies using Microsoft 365, according to claims data collected by cyber insurance firms.

In its midyear "2023 Cyber Claims Report," insurance firm Coalition found that companies using Microsoft Office 365 were more than twice as likely (a 133% increase) to make a claim against insurance, compared with companies using Google Workspace. Another analysis of claims data by insurer At-Bay found that Microsoft 365 had a relative email claims frequency of 0.14%, exactly double that of the 0.07% for businesses using Google Workspace.

The insurance data suggests that Google Workspace is less risky than Microsoft 365, and, as such, premiums for Microsoft 365 users are higher, says Adam Tyra, general manager of security services at At-Bay.

"Based on the findings of our email security research, Google Workspace users will see significantly lower premiums compared to Microsoft 365 users," he says. "But it's important to note that we're pricing based on actual outcomes that our insureds are experiencing with various solutions, rather than our perception of how those solutions perform based on testing in a lab."

Microsoft's and Google's platforms are both popular targets for attackers. In 2022, email campaigns targeted Microsoft 365 accounts to steal credentials and employees' information, while researchers discovered a way to bypass logging on Google Workspace to download data from Google Drive without a trace.

Microsoft Office 365 is nearly 2.5 times as risky as Google Workspace. Source: Coalition

Yet the relative risk of the two platforms has rarely been measured. While several other insurance companies declined to reveal their data, and the National Association of Insurance Commissioners (NAIC) did not respond to a request for comment, the data from Coalition and At-Bay suggests that Microsoft 365 users are at greater risk than their Google Workspace counterparts.

Microsoft did not directly address the insurers' data or the conclusions, but it did outline its efforts to stymy attackers.

"Microsoft's strategy to combat email-borne attacks is anchored on three principles: research-informed product innovation, taking the fight to the attackers by taking down attack networks, and focusing on helping organizations improve their posture and user resilience," a spokesperson told Dark Reading.

Email Remains a Major Vector

Coalition and At-Bay both stressed that email continues to be a popular vector for attackers. Business email compromise (BEC) accounted for about a quarter (26%) of the cyber claims reported by Coalition's policyholders, while ransomware accounted for 19%, according to the firm's report on cyber claims. Meanwhile, email contributed to 41% of all claims by At-Bay's customers in the first half of 2023, and insecure email continues to be a significant risk factor, Tyra says.

Coalition theorized that the difference in claims frequency for companies using Microsoft 365 and Google Workspace could be due to the default protections offered by the platforms. The base Microsoft license does not include Defender for Office 365, which offers additional email security features that Google has in its base offering, Coalition pointed out in its report.

Google touted its cloud-native services and their secure design for its advantage against attackers. Gmail and Google Workspace have incorporated machine learning since 2004, have a large user population of some 3 billion accounts to draw on for threat intelligence, and incorporate new protections often, says Neil Kumaran, group product manager for Google's Gmail Security and Trust group.

"We invest extensively — and continue to invest — in applying new layers of protection all the time, and I think that's a concrete foundational difference between us and some of the other platforms," he says, adding that the massive user base "gives us a lot of threat signals that we can use to effectively protect all of our customers."

Cloud-Based Email Is More Secure

Whether Google Workspace should be the go-to email solution for companies is unclear, At-Bay stated in its report.

"[W]e aren't clear if this disparity is a simple case of Google offering better security features than Microsoft," the insurance firm stated. "It's in our opinion that both vendors appear to offer a credible and highly robust portfolio of security control options to accompany their email offerings. Instead, it's possible that the outcomes depicted by our data may be more closely related to circumstances surrounding the organizations operating these respective solutions than about the effectiveness of the solutions themselves."

However, both companies stressed that using any cloud-based email platform is better than an on-premises system because the cloud versions incorporate more sophisticated features, such as machine learning, gather threat intelligence in real time, and are more responsive to ongoing threats.

"The best thing you can do is to use a cloud-based email provider," At-Bay's Tyra says. "If you can't move to the cloud, the next best thing to do is to deploy a leading email security solution."

Companies should also implement multifactor authentication on all accounts, starting with the most privileged, including executives and system administrators, says Chris Hendricks, head of incident response at Coalition. To head off email threats, companies should use email security technologies, such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC).

"In addition, organizations can also increase their email security by regularly training their teams on what phishing attacks are, how they can proliferate into full-scale cyberattacks, and what to look for," Hendricks says. "While they're at it, they can also teach employees the importance of good password practices and how to avoid taking finance and IT actions based on suspicious emails."