April 25, 2017
What does cyber resilience mean to you? The answer will surely vary across industries. And, to some, the term might not mean anything at all. In fact, according to new research from Vanson Bourne, not enough organizations are making cyber resilience planning a priority.
Only 30 percent have already adopted a cyber resilience strategy, with about one-third still in the early stages of development or planning. Too many organizations are leaving themselves unprepared for the unknown, and it doesn’t have to be this way.
Organizations of all sizes need a cyber resilience strategy; no exceptions. Yes, security is critical, but not the only piece of the cyber resilience equation. Multi-purpose data archiving, business continuity and the ability to empower the end-user should also have equal consideration. This holistic approach to IT management is what we call cyber resilience, and this is core to our business and how we interact with our customers.
Cyber resilience resonates throughout everything we do at Mimecast – it’s ingrained in our internal and external philosophy. But we wanted to find out how other industry thought leaders are thinking about cyber resilience, and how they are applying it to their own business models. So we took the opportunity to tap into the mindshare at RSA Conference 2017 by hosting the first-ever ‘Cyber Resilience Think Tank’ at the San Francisco NASDAQ Center. Insights from the event were captured in a Cyber Resilience Report released today from Cybersecurity Ventures.
I had the pleasure of leading this think tank discussion, which was made up of almost two dozen leaders in the cybersecurity industry, and moderated by Ari Schwartz, Venable CEO and former member of the White House National Security Council. The impressive caliber of Think Tank participants – which ranged from Malcolm Harkins, chief security and trust officer of Cylance Inc., to Helen Rabe, head of information security for UK-based Costa Coffee – validates that cyber resilience is a hot-button issue that organizations of all sizes and across all industries should care about – and plan for.
The Think Tank attendees validated our approach to cyber resilience planning. It starts with the understanding that security alone simply isn’t enough. And it ends with a comprehensive plan to manage IT, and hopefully, a philosophy that helps drive your business and customer relationships.
Now, more than ever, organizations need a broad approach to cyber resilience planning, and they can’t expect to do it alone. Industry leaders need to continue to push cyber resilience and provide actionable insights and prescriptive advice to drive towards a more cyber resilient future.
Think Tank contributors included:
- Matt Crouse, Director, Information Security & Compliance, Lucky Brand, LLC
- Joe Gajdosik, Director of IT Security, Curtiss-Wright Corporation
- Jason Gunnoe, Chief Information Security Officer, Bridgestone Tires
- Cathy Hammond, Chief Security Architect, Teleflex
- Jim Hansen, COO, PhishMe
- Gary Hayslip, Chief Information Security Officer, City of San Diego
- Ed Jennings, COO, Mimecast
- Joel Lowe, Head of Information Security, Sonic Automotive
- Neil Murray, Chief Technology Officer, Mimecast
- Phil Owen, Global Head of Information Security, IHS Markit
- Helen Rabe, Head of Information Security, Costa Coffee
- Brian Reed, Chief Product Officer, ZeroFox
- John Sapp Jr., Director, IT Security & Controls, Information Security Officer, Orthofix, Inc.
- Ari Schwartz, Managing Director of Cybersecurity Services, Think Tank Moderator, Venable, LLC
- Maurice Stebila, IT Security, Compliance & Privacy Office, Harman International Industries
- Chris Wysopal, CTO & Co-Founder, Veracode
April 19, 2017
What’s Your Contingency Plan for an Exchange Online Outage?
This winter I was sitting in a hotel room in Boston watching a blizzard fall outside my window. Not the worst situation I could be in (as I sipped my cup of coffee). At some point the news flashed a number at the bottom of my screen for folks to call if the power went out. If the power goes out? Now that would have changed my comfy scenario pretty quick, and I jotted that number down just in case I needed a contingency plan. Does the hotel have a generator? Where are the emergency exits (elevators would be out)? A moment ago I was enjoying the snowfall, but now I’m thinking ahead because…well…things happen.
Things happen. And it’s smart to have a contingency plan in play to ensure you aren’t just a standby victim waiting for the lights to come back on (or in the case of Exchange Online, for your email to come back up). In the years that Office 365’s Exchange Online has been available there have been major and minor outages of the service each year, often at inopportune times (as if there is an opportune time to lose email). I think of the Microsoft Worldwide Partner Conference (WPC) in Orlando in 2015 where the email service was down for several hours. Or the December 2015 event that hit Europe due to a misconfiguration error of a Microsoft engineer with Azure (which affected the Office 365 customers that rely on Azure for identity management and such). Or the June 30th, 2016 outage that affected some North American customers for up to 9 hours! Last day of the sales quarter!
Some say, “well, that’s the risk of going to the cloud and when things go down, they go down… and you wait!” That may be true of some things. But what if I told you there was an alternative when it comes to Exchange Online. What if I told you that when it goes down (and it DOES go down) your users could continue to work and not even know there was an outage. A pretty nifty trick, especially if you’re the one who proposed the move to Exchange Online and don’t want to have to explain the outage (or lack of ability to do anything other than fold your arms and wait for Microsoft to fix it).
The solution? Mimecast’s Continuity for Exchange/Exchange Online
The way this works is straightforward. When you bolt Mimecast on to the front end of your Exchange or Exchange Online, you point the domain’s MX records at Mimecast and then set up send/receive (aka outgoing/incoming) connectors so mail flows between the two. That allows Mimecast to perform enterprise-grade security scrubbing, along with an optional archive storing emails coming and going. In addition, Mimecast has its own MTA, so in the event a problem occurs on the email server itself (Exchange or Exchange Online) the admin simply kicks off a continuity event in the Mimecast administration portal and mail flow is then handled entirely on the Mimecast side (with a 100% SLA). End users can continue to send and receive email in one of three ways: through Outlook if they have the Mimecast plugin for Outlook, through the Mimecast mobile app, and/or through the Mimecast web portal.
One of the biggest challenges facing IT admins these days with regard to availability of the Office 365 suite of services is transparency. It’s often the case that end users start to complain about a loss of service but the IT admin doesn’t see an alert within the Office 365 admin center. Everything is showing green, but the end users’ faces are all red. The IT admin turns to Twitter, Reddit or other social media outlets to try to determine whether the problem is on the company side or Microsoft’s side. In Microsoft’s defense, there is quite a bit happening on their end, and while one customer or a group of customers might be down, depending on the extent and type of outage it may not be time to throw out a red flag just yet. But the customers who are down need more transparency. Monitoring this type of outage is becoming increasingly difficult as Microsoft splits users into separate pods, which obscures the true extent of an outage.
To address the need for better transparency, Mimecast is upping its game in the continuity space by adding Continuity Event Management, or CEM. One of the key elements of CEM is the ability to continuously monitor your connection to Exchange Online, looking for possible problems. It does this using an ‘organic’ inbound check (is my SMTP server receiving mail?) and a ‘synthetic’ outbound check (can my SMTP server send mail?). In the event of a problem, an alert is sent through SMS or to an alternate email address (logically, because your primary is down) and you’re given a panic button to manage the alert. Push the button, invoke Mimecast continuity mode for your people, and go back to whatever you were doing before the alert, knowing that your people are fine.
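The monitoring logic described above, as an added example that is not Mimecast’s CEM implementation: an organic inbound check (has real mail arrived recently?) and a synthetic outbound probe (does the mail server still answer EHLO?) are combined, and an alert is raised only after several consecutive failing cycles so that a single hiccup does not page anyone. The silence limit, the failure threshold and the `monitor.example.invalid` HELO name are assumed placeholders; the simulation data is constructed.

```python
import smtplib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

INBOUND_SILENCE_LIMIT = timedelta(minutes=30)  # assumed: longest normal gap between inbound messages
FAILURES_BEFORE_ALERT = 3                      # assumed: consecutive failing cycles before anyone is paged

def synthetic_outbound_probe(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Synthetic check: open an SMTP session to the mail server and confirm EHLO answers 2xx.
    Needs network access, so the offline simulation below supplies its result instead."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, _ = smtp.ehlo("monitor.example.invalid")  # placeholder HELO name
            return 200 <= code < 300
    except (OSError, smtplib.SMTPException):
        return False

@dataclass
class ContinuityMonitor:
    consecutive_failures: int = 0
    alerts: list = field(default_factory=list)  # what you would push over SMS / an alternate mailbox

    def evaluate(self, now: datetime, last_inbound_at: datetime, outbound_ok: bool) -> str:
        """Organic inbound check (has real mail arrived within the limit?) combined with the
        synthetic outbound result; one bad cycle is 'degraded', repeated ones raise an alert."""
        inbound_ok = now - last_inbound_at <= INBOUND_SILENCE_LIMIT
        if inbound_ok and outbound_ok:
            self.consecutive_failures = 0
            return "healthy"
        self.consecutive_failures += 1
        if self.consecutive_failures < FAILURES_BEFORE_ALERT:
            return "degraded"
        failed = [n for n, ok in (("inbound", inbound_ok), ("outbound", outbound_ok)) if not ok]
        self.alerts.append(f"{now.isoformat()} {'+'.join(failed)} check failing; consider invoking continuity")
        return "alert"

def run_simulation():
    """Constructed check results: mail flowing, the server stops answering, then inbound goes quiet."""
    t0 = datetime(2017, 4, 19, 9, 0)
    monitor = ContinuityMonitor()
    cycles = [(0, 5, True), (5, 2, True), (10, 7, False), (15, 12, False),  # (minutes since t0,
              (20, 17, False), (25, 35, True), (30, 1, True)]               #  minutes since last inbound, probe ok)
    states = [monitor.evaluate(t0 + timedelta(minutes=m), t0 + timedelta(minutes=m - gap), ok)
              for m, gap, ok in cycles]
    return states, monitor.alerts

if __name__ == "__main__":
    print(run_simulation())
```

The organic inbound check only means something while mail normally arrives, so a fixed silence limit will false-alarm overnight unless the limit follows business hours or a synthetic inbound probe (a message sent to a monitored mailbox from outside) fills the quiet periods.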
Truth be told, things happen. You know it. Cloud infrastructure breaks down sometimes. If you’ve been impacted by a cloud disruption, you’re not alone. And if you haven’t (yet), you’re not immune. So what’s your contingency plan? What do you do when Exchange Online goes out in whole or in part? If your answer is ‘fold your arms and wait for Microsoft to fix it’, that’s a choice you’re making. It’s not the only choice you have. You could choose to have a plan B: an email continuity solution that keeps your people sending and receiving email despite the outage.
You have a choice.
See how Mimecast can make email safer for your business. Schedule a demo today!
April 14, 2017
There’s an affliction infecting corporate counsels, compliance officers, and IT teams. It’s called Archivalgia or, more colloquially, “Pain in the Archive.” Left unchecked, Archivalgia can do a world of damage. As with most diseases, recognizing the symptoms is crucial to treating the problem. Unfortunately, these symptoms are often mistaken for signs of other ailments. Here’s what to watch for:
ROI Vertigo – the dizziness that occurs when costs overtake benefits – is both the hardest symptom to detect and the most damaging. Look for recurring costs that come with running archaic on-premises archiving platforms: frequent software upgrades, disruptive hardware refreshes, and painful storage expansions. Watch out for labor-intensive administration too. When the time spent maintaining your archiving solution eats into time you should be spending innovating or building competitive differentiation, seek professional help.
Mobility problems – usually caused by aging legacy platforms, but increasingly caused by poorly-designed cloud offerings – constrain workflows or reduce productivity. In today’s iPhone and Android-enabled business world, a mobile workforce is a healthy, productive workforce. Email is your organization’s lifeblood, the essence of insight, collaboration, and process efficiency. Anytime, anywhere access to email archives facilitates a healthy circulation of ideas and fewer tickets for your busy IT admins.
Where productivity is concerned, search speed goes hand-in-hand with mobility. If your search administrators or your end users experience search times of hours or even days, more serious problems could soon follow. These include weak responses to legal challenges, compliance audit fatigue, and a rash of trouble tickets.
Speaking of poor responses, it’s time we all got past the stigma of e-discovery dysfunction. While E-Discovery Dysfunction (EDD) is nobody’s idea of a good time, neither is it a personal failing or evidence of a mid-career crisis. Aging archiving platforms often cause e-discovery searches to peter out under legal or compliance pressures. Thankfully, modern science can help. The right archiving platform – developed and optimized for the cloud – can restore youthful e-discovery vigor, and satisfy business partners both upstream and down.
Also known as IAS, Irritable Admin Syndrome is the number one complaint among organizations suffering from Archivalgia. The trouble is that IAS can be caused by several different underlying ailments (including Persistent Irascible Temperament Ailment, or PITA). Given the rampant spread of Archivalgia, however, business health experts recommend that all organizations experiencing IAS review their archiving operations as soon as possible, to avoid permanent damage.
Obsolete architectures, resource silos, and development dead-ends are all leading causes of pain in the archive. Don’t hesitate to seek true cloud archiving relief should any of these symptoms arise.
Download The Changing Shape of Enterprise Information Archiving video, featuring Alan Dayley, a Research Director covering information governance, archiving, and storage management software at Gartner, as well as yours truly. The video looks at Enterprise Information Archiving, its past, and the factors shaping its future.
April 11, 2017
Imagine for a moment that you are the “rockstar” IT director of a Top 100 firm. You’ve just presented your 2017 plan to the board for major IT initiatives, which include a plan to support General Data Protection Regulation (GDPR) compliance. The presentation goes well, and you’re invited to stay and chat during the break.
Just as you’re about to walk to the coffee machine, a new board member comes up to you, thoughtfully sipping tea, and says: “Good presentation!” Before you can say thanks, she adds: “You know, there are some things around GDPR which really worry me. What business value does GDPR offer us? With data in so many places, can we possibly get a quick win on GDPR risk mitigation? Is there a way to reduce the risk of data breaches for which we could be fined millions?”
As you listen attentively to the questions, your mind races as you think about the noise, alarm and scare-mongering of how organizations will be impacted by the GDPR. Phrases such as “fines of 20 million euro or 4% of global turnover”, and gloomy headlines like “Could new data protection rules mean the end of SMEs” have driven much of the concern and anxiety about the damage to a business’s reputation, impact on its share price or costs associated with GDPR. From her questions, it was clear that this new board member took these scare tactics to heart.
Being the “rockstar” IT Director you respond enthusiastically saying the senior executives and the board have been proactive in supporting the preparation and response to the GDPR. You talk unreservedly about how the GDPR can help the company become more efficient in the way they manage, process and protect personal data. It could also help them use data more profitably for their own ends, allowing them to become more competitive. Especially, if the business is intent on ‘transforming’ for a digital data-driven age, GDPR can form the foundation of that effort.
Time is of the essence
You agree with the board member that the business does need a quick win for implementing appropriate security and data protection measures for personal and sensitive data, as 25th May 2018 is not too far off. However, you explain that the process can be complex and challenging given the huge amounts of personal data such as email addresses, names, phone numbers, credit card details, and other sensitive information that may be stored across multiple data repositories, either onsite or in the cloud.
As the conversation progresses, more board members join the impromptu discussion around the coffee machine. You mention that you already have a plan for a “quick win” which will help in mitigating GDPR risk. You explain that almost every day we hear or read about losses of personal data, whether it’s a malicious attack or an accidental loss, or emails being compromised. You state a well-known fact that 91% of cyberattacks start with a phishing email – something which the board members find unpalatable. This is when you mention that it’s no wonder one of the GDPR measures gaining traction with IT managers is implementing appropriate advanced email security protection.
Now all eyes are focussed on you, and being the IT rockstar that you are, you stress that the business should use GDPR as an opportunity to get a firmer grip on continually evolving email threats. You describe how easily it can be done by putting into place measures which include multi-layered threat protection to defend against spear-phishing, ransomware, impersonation and other targeted email attacks.
You enlighten the board further on the new rights for individuals, which limit the personal data organizations are able to collect and store under the GDPR. You clarify how the business can use powerful cloud based archives to provide rapid search capabilities to find, remove or transfer personal or sensitive data. You also make it clear that these solutions ensure uninterrupted access to live and historic email data in the event of a sudden email outage or planned downtime.
Like any “IT rockstar”, you end on a positive note, commending the board on their awareness of GDPR and growing cyber security risks. The new board member should feel confident knowing that, at the very least, her concerns around a cyber resilient GDPR strategy are being addressed.
Find out how Mimecast helps to simplify GDPR compliance by visiting the Mimecast GDPR for email resources page.