Email Security Trends 2025

The Widening Disconnect Between Email Security and Risk Management 

We interviewed over 400 IT leaders and 2,000 employees across the UK, USA and Europe to uncover the latest insights, priorities and opinions on the state of email security.

Foreword

Email remains a cornerstone of organizational communication. However, we have observed a critical disconnect between the rapidly growing compliance requirements related to email and the development and adoption of the necessary robust security measures.  

The insights in this report emphasize the importance of shifting perspectives: rather than trying to educate employees and expecting them to do the right thing at the right time, organizations can adopt tools and processes that reinforce good security practices and simplify compliance to meet evolving regulations like NIS2, DORA, GDPR and HIPAA.  

This report invites businesses to reimagine their approach to email security. By fostering a culture of accountability and support, balancing user empowerment with robust safeguards, organizations can align their email practices with the demands of a fast-changing digital landscape. We hope these insights inspire actionable steps to create a safer, more efficient environment for your teams as you prepare for the challenges of 2025 and beyond. 

Executive Summary

As we approach 2025, email remains the number one channel for communication and the exchange of sensitive information - but could it also be its biggest vulnerability? 

There is a troubling gap emerging between the perceived risk of using email, and the reality of day-to-day security and risk management. IT leaders primarily focus on inbound threats such as phishing attacks, which 47% rank as their top concern. Yet two-thirds admit that outbound security breaches, often caused by innocent human mistakes, result in far more data loss than malicious social engineering attacks - a clear sign that email is a silent threat vector that demands closer monitoring, training, and compliance oversight.  

This widening security gap also poses problems from a compliance perspective. From NIS2 and GDPR in the EU to CCPA in the US, as well as industry-specific regulations like HIPAA in healthcare and global standards such as ISO/IEC 27001, which require email security to be considered as part of a broader risk management strategy, organizations have a lot to consider. These compliance objectives rightly take the form of internal company security policies, yet while 73% of employees are aware of the security policies pertaining to email, only 52% adhere to them.  

The message is clear: businesses need to start introducing operational guardrails and intelligent security controls to secure email as a channel and empower employees to use it safely and confidently. IT leaders are hearing this message loud and clear. Over the next two to three years, their focus will shift toward automation and the use of AI-based tools to not only counter increasingly sophisticated inbound threats but give employees the support they need to mitigate the risks inherent to outbound email. 

This report, based on a study conducted in October 2024 with 400 IT decision-makers and 2,000 employees across the US, UK, Netherlands, France, Germany, and Belgium, offers an evidence-based exploration of these vital issues. By analyzing insights from organizations with 250+ employees across various sectors, it will provide actionable recommendations to help businesses to comply with regulatory requirements, reduce data leaks and improve security outcomes. Through smarter investments, empowered employees, and the seamless integration of smart technologies, businesses can maintain email’s role as a vital – but safer – tool for communication. 

Chapter 1: Email security: Threats, trends and solutions

Email is indispensable to modern business, but it also stands directly at the intersection of escalating cyber threats and tightening regulatory demands. Originally developed in the early 1970s for ARPANET, before the modern internet, email was designed as a basic messaging tool, not a secure communication platform. Sender authentication protocols such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and, later, DMARC have been retrofitted over the years, but each is optional and unevenly adopted, so the result is a patchwork of controls that still leaves email exposed. Malicious attacks, low adoption of these standards and authentication methods, and data loss through human error all compound email's inherent weaknesses.  

Malicious attacks, or “inbound” threats, are considered the biggest threat vector to email amongst IT leaders, with 47% stating that currently inbound threats are a bigger concern to them than outbound email security. Understandably, malicious threats dominate the security agenda; Advanced Threat Protection and malware detection (50%), employee training and awareness programs (48%), and phishing prevention (43%) are the three main priorities for email security investment according to IT leaders, over and above encryption and human error prevention. 

While the focus on malicious attacks has spurred advances in detection and prevention technologies, IT leaders still feel preventative measures are lacking: 67% of IT leaders say that security vendors are not innovating quickly enough to keep pace with evolving AI risks. Furthermore, 59% of employees say they are worried that AI will make it harder for them to tell whether an incoming email or link is legitimate.   

It is clear: while threat prevention is the focus for IT leaders, current tools and defenses are falling short. Beyond the inbound struggle, our research highlights an overlooked threat vector in email security that requires equal, if not greater, attention from IT leaders this year. 

 

The outbound threat blind spot 

Data protection authorities, such as the Dutch privacy authority and the UK’s ICO, consistently report that human error remains the leading cause of data loss. Yet inbound threats, due to their malicious nature, tend to receive the most attention. It is only recently, as the amount of sensitive data businesses gather and the compliance mandates around it have increased, that this "attention gap” has become glaringly apparent.  

Our research shows that outbound email mistakes are alarmingly common. Employees frequently send the wrong attachment (33%), misaddress emails to unintended recipients (32%), or misuse CC and BCC fields (20%). These mistakes are more likely to happen when employees are tight on time (54%), when they are stressed (40%), or when they feel overwhelmed by too many messages (40%).   

Misaligned email security priorities 

While 47% of IT decision-makers identify phishing and malware as top threats to their data, only 20% prioritize outbound risks and just 39% of IT leaders point to data loss prevention/human error as an investment priority for email security. Yet, despite the low level of attention paid to outbound risks, two-thirds (66%) of IT leaders admit that employee mistakes in outbound emails result in more significant data loss than malicious inbound attacks.

Maintaining inbound security is, of course, essential, but not at the cost of outbound security. This misalignment extends beyond perception to investment: only 25% of IT leaders believe their security spending is “very well aligned” with actual risks. Adding to the complexity, 38% rank "employee misunderstanding of security policies" among their top vulnerabilities, while 60% of employees report using workarounds to bypass policy measures, highlighting a potential gap between IT leaders’ assumptions and the reality on the ground. 

✅ Email security checklist 

Outdated protocols, human error and the escalating threat of phishing make email security a critical issue that must be addressed holistically. Rather than making email security burdensome for employees, organizations should consider tools and processes that help employees make better security choices. This includes: 

Invest in advanced email security solutions: 

  • Adopt AI-powered security platforms: Implement intelligent email security systems that utilize artificial intelligence and machine learning to detect and block sophisticated phishing attacks, spear-phishing, and zero-day threats.
  • Implement real-time error prevention tools: Equip employees with tools that provide real-time alerts for potential mistakes, such as misaddressed emails or incorrect attachments, helping to prevent data leaks before they occur. These tools must prioritize simplicity and user experience, such as providing one-click encryption or intuitive phishing alerts, to ensure employees can adhere to security policies without difficulty.

Implement robust encryption and authentication protocols:

  • Adopt modern authentication and transport standards: Build on SPF and DKIM by publishing a DMARC policy, moving from p=none to p=quarantine and then p=reject once aggregate reports show that legitimate mail is aligned, and deploy DANE for SMTP so that receiving servers are authenticated and mail in transit is encrypted. Note that DANE relies on DNSSEC-signed TLSA records, so the domain's DNS must be signed before DANE gives any protection.
  • Implement zero-trust encryption: Use encryption tools simple enough that employees can apply them to sensitive emails without friction, protecting content from interception and unauthorized access; prefer designs in which the keys stay with the organization, so that not even the vendor can read the messages.

Establish comprehensive data leak prevention strategies:  

  • Establish data classification procedures and monitoring: Implement systems that automatically classify sensitive information and monitor outbound emails for potential data leaks, with the capability to quarantine or block risky communications.
  • Ensure policy enforcement: Clearly define and enforce email security policies, ensuring employees understand the importance of compliance and the procedures for handling sensitive information.
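To make the authentication and transport items above concrete (they build on the SPF and DKIM history described at the start of this chapter), the following Python is an added example, not code from this report or from Zivver. It grades a sending domain's SPF, DMARC and DANE posture from its DNS records. The record strings, the domain names and the 0-4 score are constructed for illustration; a real check would fetch the TXT records at the domain and at `_dmarc.<domain>` and the TLSA records at `_25._tcp.<mx host>` with a resolver, which this example deliberately does not do so that it runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class MailAuthReport:
    findings: List[str] = field(default_factory=list)
    score: int = 0  # crude 0-4 posture score, an assumption of this example


def parse_tags(record: str) -> dict:
    """Parse a 'tag=value; tag=value' record (DMARC style) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


# SPF mechanisms and modifiers that cost a DNS lookup (RFC 7208 limits them to 10)
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?:[:/]|$)|mx(?:[:/]|$)|ptr|exists:|redirect=)", re.I)


def assess_spf(spf: Optional[str], report: MailAuthReport) -> None:
    if not spf or not spf.lower().startswith("v=spf1"):
        report.findings.append("SPF: no v=spf1 record published")
        return
    terms = spf.split()[1:]
    qualifier = None  # the qualifier on 'all' decides the fate of unlisted senders
    for term in terms:
        if term.lower().lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
    if qualifier in ("-", "~"):
        report.score += 1
        if qualifier == "~":
            report.findings.append("SPF: ~all is a softfail; -all is the strict form")
    else:
        report.findings.append("SPF: no -all/~all, so unlisted senders pass")
    lookups = sum(1 for term in terms if LOOKUP_TERM.match(term))
    if lookups > 10:
        report.findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10 (permerror)")


def assess_dmarc(dmarc: Optional[str], report: MailAuthReport) -> None:
    if not dmarc or not dmarc.lower().startswith("v=dmarc1"):
        report.findings.append("DMARC: no record at _dmarc.<domain>")
        return
    tags = parse_tags(dmarc)
    policy = tags.get("p", "none").lower()
    if policy == "reject":
        report.score += 2
    elif policy == "quarantine":
        report.score += 1
        report.findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
    else:
        report.findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        report.findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the traffic")
    if "rua" not in tags:
        report.findings.append("DMARC: no rua= address, so no aggregate reports arrive")


def assess_dane(tlsa_records: List[str], report: MailAuthReport) -> None:
    """TLSA records for the MX host (RFC 7672); they only count under DNSSEC."""
    if not tlsa_records:
        report.findings.append("DANE: no TLSA record for the MX; transport relies on opportunistic STARTTLS")
        return
    report.score += 1
    for record in tlsa_records:
        usage = int(record.split()[0])
        if usage not in (2, 3):  # only DANE-TA(2) and DANE-EE(3) are usable for SMTP
            report.findings.append(f"DANE: TLSA usage {usage} is not usable for SMTP")


def assess_domain(spf: Optional[str], dmarc: Optional[str], tlsa_records: List[str]) -> MailAuthReport:
    report = MailAuthReport()
    assess_spf(spf, report)
    assess_dmarc(dmarc, report)
    assess_dane(tlsa_records, report)
    return report


# Constructed records for two hypothetical domains (not real DNS data)
WEAK = dict(spf="v=spf1 include:_spf.example.net ~all",
            dmarc="v=DMARC1; p=none; rua=mailto:dmarc@example.com",
            tlsa_records=[])
STRONG = dict(spf="v=spf1 ip4:192.0.2.0/24 -all",
              dmarc="v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
              tlsa_records=["3 1 1 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"])

if __name__ == "__main__":
    for name, records in ("weak", WEAK), ("strong", STRONG):
        result = assess_domain(**records)
        print(f"{name}: score {result.score}/4")
        for finding in result.findings:
            print("  -", finding)
```

The weak profile scores 1 with three findings (softfail SPF, monitor-only DMARC, no DANE); the strong profile scores 4 with none. The score is only a prompt for the conversation the checklist asks for: a domain at p=none has authentication in name only.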

 

Chapter 2: Regulatory storm on the horizon

Compliance is arguably the most pressing challenge for IT leaders in 2025. In Europe, landmark legislation is reshaping expectations: DORA (the Digital Operational Resilience Act) applies to financial institutions from January 2025, and NIS2 (the revised Network and Information Systems Directive), covering essential and important sectors including public administration and healthcare, passed its national transposition deadline in October 2024 with enforcement ramping up through 2025. The UK is introducing the Cyber Security and Resilience Bill in the same period. In the United States, federal laws such as HIPAA (Health Insurance Portability and Accountability Act) and GLBA (Gramm-Leach-Bliley Act) continue to be updated, and individual states are enacting their own stringent data protection laws. 

Each of these laws includes key requirements around risk management, information classification, secure information transfer, awareness training and data leakage prevention, putting email firmly under the regulatory spotlight.  

Key legislative requirements for secure information management:   

Several common requirements appear explicitly in most of the new regulations. Each touches email directly and must be met within the email environment to support compliance:   

  • Robust risk management practices: Organizations must adopt a proactive stance against phishing, integrating comprehensive risk management, incident response, and continuous monitoring into their cybersecurity strategies.
  • Information classification: Organizations must classify information based on sensitivity to determine appropriate security controls for email transmission, preventing unintended exposure.
  • Secure information transfer: Right-sized encryption and traceability are required to protect information during transmission from interception and unauthorized access.
  • Access control: Access to sensitive information must be restricted to authorized individuals, necessitating reliable authentication for both senders and recipients.
  • Awareness and training: Regular training and updates on information security policies are mandatory to maintain a security-conscious workforce.
  • Data leakage prevention: Organizations must implement measures to minimize data leak risks due to human error, including monitoring and blocking or quarantining emails containing sensitive information with insufficient protection or potential errors. 
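The data leakage prevention requirement above, together with the real-time error prevention and data classification items in the Chapter 1 checklist, amounts to a policy check run on each message before it leaves. The Python below is an added example of such a check; it is not Zivver's product logic or code from this report. The organization's domain, its trusted partner domain, the thresholds, the file-name classification label and the two sensitive-data patterns are all assumptions chosen for illustration, and the messages at the bottom are constructed.

```python
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Assumptions of this example (not from the report)
INTERNAL_DOMAIN = "example.com"                  # the sending organization
TRUSTED_DOMAINS = {INTERNAL_DOMAIN, "partner.example.org"}
LOOKALIKE_THRESHOLD = 0.8                        # similarity above which a domain is a likely typo
MAX_VISIBLE_EXTERNAL = 5                         # more outside addresses in To/CC than this suggests BCC was meant
CLASSIFICATION_PREFIX = "INTERNAL"               # assumed file-name label from a classification scheme
ATTACHMENT_WORDS = re.compile(r"\b(attached|attachment|enclosed)\b", re.I)
SENSITIVE_PATTERNS = {                           # constructed detectors; real DLP policies are far richer
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "US SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass
class OutboundMail:
    sender: str
    to: List[str]
    cc: List[str] = field(default_factory=list)
    bcc: List[str] = field(default_factory=list)
    subject: str = ""
    body: str = ""
    attachments: List[str] = field(default_factory=list)  # file names only
    encrypted: bool = False   # True if the message will go out with recipient-side encryption


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one most resembles, if it is a near miss."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and SequenceMatcher(None, domain, trusted).ratio() >= LOOKALIKE_THRESHOLD:
            return trusted
    return None


def check_outbound(mail: OutboundMail) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'allow', 'warn' or 'quarantine'."""
    reasons: List[str] = []
    decision = "allow"
    visible = mail.to + mail.cc
    external = [a for a in visible + mail.bcc if domain_of(a) != INTERNAL_DOMAIN]

    # 1. Misaddressed recipient: a domain a keystroke or two away from a trusted one
    for addr in external:
        near = lookalike_of(domain_of(addr))
        if near:
            reasons.append(f"{addr} looks like a typo of {near}")
            decision = "warn"

    # 2. CC where BCC was meant: many outside parties would see each other's addresses
    visible_external = [a for a in visible if domain_of(a) != INTERNAL_DOMAIN]
    if len(visible_external) > MAX_VISIBLE_EXTERNAL:
        reasons.append(f"{len(visible_external)} external recipients visible in To/CC; use BCC")
        decision = "warn"

    # 3. Missing attachment: the text promises one but none is present
    if ATTACHMENT_WORDS.search(mail.body) and not mail.attachments:
        reasons.append("body refers to an attachment but none is attached")
        decision = "warn"

    if external:
        # 4. Classified file leaving the organization (blocked even when encrypted)
        for name in mail.attachments:
            if name.upper().startswith(CLASSIFICATION_PREFIX):
                reasons.append(f"attachment {name} is labelled {CLASSIFICATION_PREFIX} but recipients are external")
                decision = "quarantine"
        # 5. Sensitive data to an outside recipient without encryption
        if not mail.encrypted:
            text = f"{mail.subject}\n{mail.body}"
            hits = [kind for kind, pattern in SENSITIVE_PATTERNS.items() if pattern.search(text)]
            if hits:
                reasons.append(f"unencrypted {', '.join(hits)} sent externally")
                decision = "quarantine"
    return decision, reasons


# Constructed messages exercising each rule
SAMPLES = {
    "clean": OutboundMail("alice@example.com", ["bob@example.com"], body="See you at 3"),
    "typo": OutboundMail("alice@example.com", ["j.doe@exarnple.com"], body="Please find the contract attached."),
    "blast": OutboundMail("alice@example.com", [f"user{i}@client{i}.example" for i in range(7)], body="Newsletter"),
    "leak": OutboundMail("alice@example.com", ["finance@client1.example"], body="Refund to IBAN NL91ABNA0417164300"),
    "classified": OutboundMail("alice@example.com", ["x@client1.example"], body="Roadmap attached",
                               attachments=["INTERNAL-roadmap-2025.pdf"], encrypted=True),
}

if __name__ == "__main__":
    for name, mail in SAMPLES.items():
        print(name, check_outbound(mail))
```

The decision tiers mirror the report's framing: errors an employee can fix with a prompt (typo, missing attachment, CC misuse) produce a warning before sending, while classified files and unprotected sensitive data to outsiders are quarantined. Setting `encrypted=True` on the "leak" sample turns it into an allow, which is the "right-sized encryption" point in the secure information transfer item.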

How to manage hidden threats  

While IT leaders estimate that only 34% of outbound email incidents are formally reported, many employees handle mistakes informally—50% say they would notify the unintended recipient directly, while just 9% would report the incident to IT. This behavior leaves IT teams in the dark about the true scope of email security incidents, undermining their ability to address systemic issues. 

Making compliance a cultural norm 

Employees using unauthorized platforms, a lack of security awareness among employees, and the increasing number of tools being used by staff are consistently ranked among the top three security vulnerabilities by IT leaders. 

Employees are the common thread running through these top-ranked vulnerabilities, but they are the symptom rather than the cause. Employees simply reflect the environment in which they operate, and if the tools, training, and processes aren’t in place to instill security as a cultural and operational goal, these vulnerabilities will persist.

When asked what their primary email security focus would be over the next two to three years, almost one-third of IT leaders (31%) said they would prioritize compliance with data protection regulations, and 28% said they would look for an "all-encompassing" solution covering both inbound and outbound security. The increased threat from AI, which attackers use to refine and sharpen phishing methods and tactics, was the most-cited driver of these changes, named by 45% of leaders. Almost 4 in 10 (38%) cited regulatory pressure and compliance concerns as their number one driver for change.  

✅ Email security checklist

Given the evolving threat landscape and looming regulatory demands, it is clear that incremental improvements and reliance on legacy systems are insufficient. Organizations must make serious investments in advanced tools designed to assist employees and proactively prevent errors. This includes:  

Align security practices with regulatory standards:

  • Proactive approach towards compliance: Stay ahead of upcoming regulations like NIS2, DORA, and state-specific data protection laws by aligning security measures with international standards such as ISO 27001.
  • Regular audits and updates: Conduct frequent security audits to identify vulnerabilities and ensure that policies, procedures, and technologies are up-to-date with the evolving regulatory landscape.  

These proactive measures will not only address compliance obligations such as DORA and NIS2 directly but also reduce reliance on manual processes and improve employee confidence in email security.  

Chapter 3: The power of integrated email security

Employees are calling out for more supportive measures to help them in meeting their organization’s compliance requirements. Without user-friendly, cohesive tools and clear policies, employees will continue to fight against security best-practice, resorting to more efficient workarounds. In fact, around 60% of employees say they frequently use IT policy workarounds to “get the job done” and save time or effort.  

Policy awareness gaps 

Many employees lack a clear understanding of their organization's email security policies, with 38% saying they don't fully understand them. Among those who frequently make email mistakes, this rises to 52%, a clear association between poor policy understanding and the likelihood of making errors.  

Re-thinking email security training delivery 

While nearly all organizations provide some form of training, its effectiveness remains limited. Organizations recognize the importance of email security training, with 95% of IT leaders confirming its availability within their companies. Yet only 26% believe it drives significant improvements in employee behavior to safeguard data, and nearly half (46%) acknowledge that there is room for improvement. This rift between the prevalence of training and its perceived effectiveness points to fundamental flaws in its design and delivery.  

Part of the reason training falls short is that it is often shaped around the organization rather than its employees. More than a third (36%) of employees across large organizations describe email security training as ineffective or a waste of time, and dissatisfaction increases to 54% among those who frequently make email mistakes. This group, which stands to benefit most from effective training, often feels that programs are overly generic and fail to address the specific challenges they encounter in their roles. 

Our research shows that employees overwhelmingly prefer interactive and scenario-based training formats that mimic real-world situations. Immediate prompts and contextual feedback, integrated into their daily workflows, are particularly effective for reinforcing secure behaviors. 

✅ Email security checklist

Training can be made more effective, but it’s still only one part of the equation. For lasting change, organizations must embed these practices within a broader cultural shift toward openness and accountability. This involves: 

Investment in advanced email security solutions:

  • Adopt AI powered security platforms: Implement intelligent email security systems that utilize artificial intelligence and machine learning to detect and block sophisticated phishing attacks, spear-phishing, and zero-day threats.
  • Employ real-time error prevention tools: Equip employees with tools that provide real-time alerts for potential mistakes, such as misaddressed emails or incorrect attachments, helping to prevent data leaks before they occur. These tools must prioritize simplicity and user experience, such as providing one-click encryption or intuitive phishing alerts, to ensure employees can adhere to security policies without difficulty.
  • Ensure clear policy enforcement: Clearly define and enforce email security policies, ensuring employees understand the importance of compliance and the procedures for handling sensitive information. 

Enhance employee training and awareness development:

  • Design interactive and engaging training: Develop training that is interactive, scenario-based, and tailored to various employee roles and age groups to increase engagement and retention.
  • Deliver continuous education: Implement ongoing training initiatives, integrated into daily workflows, rather than one-time sessions to keep employees educated and updated on the latest threats and best practices in email security. 

When combined with improved training methods, these cultural changes can drive a more engaged and security-conscious workforce, significantly reducing the risks associated with email communication. 

Conclusion

A call to action for leadership 

Improving email security must be an urgent priority for leadership. The risks of inaction are clear and costly: rising data breaches, substantial financial penalties, erosion of customer trust, and even personal liability for executives under new regulations. 

Leadership must ensure that security investments are strategically aligned with the most pressing threats facing their organization. Only 24% of IT leaders are highly confident that their current spending is aligned with the risks their organization faces, and this gap leaves critical vulnerabilities unaddressed. Outbound email security, often sidelined in favor of inbound threat mitigation, demands equal attention to protect against data leaks and human error. Redirecting investment toward comprehensive solutions that address these overlooked risks is essential to building a resilient and effective security framework: solutions that not only support compliance but demonstrate tangible business value, a key factor in securing leadership buy-in for future investments. 

Leaders must adopt a structured, proactive approach to secure email systems, focusing on five critical pillars: 

  1. Conduct a comprehensive email security audit 
  2. Invest in advanced email security solutions 
  3. Adopt robust encryption and authentication protocols 
  4. Enable staff through comprehensive data leak prevention strategies 
  5. Foster a culture of security 

By taking these steps, organizations can transform email security from a silent vulnerability into a powerful strategic asset. This shift not only ensures regulatory compliance but also strengthens competitive positioning, enhances operational resilience, and builds trust with customers and stakeholders. 

As 2025 approaches, improving email security is not just a strategic imperative; it is a compliance necessity. New legislation now holds board members personally liable for cybersecurity failures, making decisive action essential. Robust encryption and authentication are no longer optional but critical to securing communication channels against increasingly sophisticated cyberattacks.    

In a world where the margin for error is narrowing and the consequences of negligence are escalating, the time to act is now. By investing in robust security solutions, advancing employee education, and aligning practices with international standards, organizations can mitigate risks, protect their most critical communication channels, and ensure email remains a trusted cornerstone of business success. 

Methodology

The study was conducted in October 2024 and surveyed 400 IT decision-makers and 2,000 employees across multiple regions, including the US, UK, Netherlands, France, Germany, and Belgium. The IT participants were responsible for or heavily involved in their organization’s email security strategy and represented companies with 250 or more employees across various sectors. Employees who participated also worked in organizations with over 250 employees, providing insights into daily email security practices. The study balanced responses from both groups to capture contrasting perceptions on email security risks, training effectiveness, and evolving threats, focusing on top-level insights to ensure reliable, actionable findings across all sectors.

About Zivver

Zivver is the email security solution that prevents data loss and supports compliance in Microsoft 365, Outlook and Gmail.

Adaptable, user-friendly, and powered by contextual machine learning, Zivver integrates with email clients to stop the leading causes of data leaks. Our suite of email security tools empowers users to share sensitive data by email safely and with confidence, with encryption and human error prevention built in.

Secure email. Effortless compliance.