Orlando Scott-Cowley

If last year’s leaks, hacks and breaches have taught us anything, be they from Fortune 500 companies or our own personal accounts – it is that cyber security, especially concerning email management, is now a top priority.

Before we get further into what promises to be the biggest year ever for matters of mail security and onward, it’s worth reflecting on one of the most useful pieces of research published last year - PwC’s The Global State of Information Security Survey 2016. The research found that in 2015, 38% more security incidents were detected than in 2014 (the total number of global security incidents was revealed in the last PwC survey of the same name to be equivalent to 117,339 per day).

Once in place, the CISO will have their work cut out for them assuring the wider company that the focus of cyber security should be weighted towards prevention.
Once in place, the CISO will have their work cut out for them assuring the wider company that the focus of cyber security should be weighted towards prevention.

It’s therefore of great relief to note that this year’s report confirms that the majority (54%) of organizations have a CISO (i.e. Chief Information Security Officer) in charge of the security program. In recent years there has been a sharp rise in the number of CISOs being created and a few companies, recognizing the critical task of defending the company, its assets and its employees, have smartly made their CISO a member of the C-suite.

Hiring a CISO is the first step, but once in place, they’ll have their work cut out for them assuring the CIO, CEO and the wider company that the focus of cyber security should always be heavily weighted towards prevention e.g. email data loss prevention, rather than wholly on incident response  e.g. a spear phishing attack.

That being the case however, what can make the difference between having a problem and suffering a disaster is advance planning and preparation. In addition, more often than not, what can really save a company is how its CISO responds.

A toolkit for industry-standard security should include plans for email continuity and outages (in terms of system, network, facilities and staff) and one over-riding ‘Highlander’ (there can be only one!) Emergency Action Plan that acts as a master checklist and parent to all other emergency and continuity plans. Once those plans have been developed, they should be practiced, frequently, both on paper, on a desk and in real-life, until all those with a part to play are comfortable that they’d be able to act swiftly and decisively should the worst happen.

Technology is another key factor. However, while it may be wise to invest in the best products and services available at the time of purchase, it’s also necessary to use it to constantly assess and reassess elements of the company’s infrastructure, whether it be its email infrastructure, local network architecture, etc. Any weaknesses found will undoubtedly be exploited, so if a CISO is lucky enough to come across them before any cybercriminals, they should be protected and patched immediately. The fit-and-forget mentality is no longer acceptable, as technology and protection date very quickly.

And finally, it also comes down to the employees. Provide them with the best tools you can, educate them about the dangers of spear phishing, weak passwords and public Wi-Fi hotspots – if you show them how to protect themselves, they will be protecting the company at the same time. By using the best protection, technology, education and training possible, you’re closing as many of the exploitable holes—be they in the network, software, people or process.


Whaling Warning for 2016

by Orlando Scott-Cowley - Cyber Security Strategist

Mimecast today released results of a survey* of IT experts at organizations in the US, UK, South Africa and Australia. The results show the majority (55%) of respondents reporting an increase in the volume of whaling email attacks over the preceding three months.

Whaling attacks (also known as Business Email Compromise - BEC) use email sent from spoofed or similar sounding domain names, and appearing to be sent from the senior executives, to trick accounting or finance users into making illegitimate wire transfers to cybercriminals. The research reveals that most whaling attacks pretend to be the CEO (72%), while 36% had seen whaling emails attributed to the CFO. This type of targeted attack relies on a significant amount of prior research into a target organization to identify the victim and the organizational hierarchy around them.

Cyber attackers have gained sophistication, capability and bravado over the recent years, resulting in some complex and well executed attacks. Whaling emails can be more difficult to detect compared to phishing emails because they don’t contain a hyperlink or malicious attachment, and rely solely on social-engineering to trick their targets.

Social media provides attackers with much of the information they need to execute these attacks, especially when combined with wider insider research. Sites like Facebook, LinkedIn and Twitter provide key details that when pieced together, give a much clearer picture of senior execs in the target business.

To help protect against whaling attacks, we’ve collected this group of recommendations for IT teams to focus on in 2016:

  • Educate senior management, key staff and finance teams on this specific type of attack.
  • Carry out tests within your own business. Build your own whaling attack as an exercise to see how vulnerable your staff are.
  • Use technology where possible. Consider inbound email stationery that marks and alerts employees to emails that have originated outside of the corporate network.
  • Subscribe to domain name registration alerting services so you are alerted when domains are created that closely resemble your corporate domain.
  • Consider registering all available top-level domains (TLDs) for your domain, although with the emergence of generic TLDs (gTLD) this may not be scalable.
  • Review your finance team’s procedures and consider revising how payments to external third parties are authorized.

For a more detailed analysis, including a breakdown of how whaling attacks are conducted download Mimecast’s whaling security advisory here.

*N.B. Mimecast surveyed approximately 450 IT experts at organizations in the US, UK, South Africa and Australia conducted in December 2015.


This week, Mimecast has been exhibiting and presenting at Hewlett Packard Enterprise Discover 2015, at ExCeL London.

The now seminal IT conference has, among other themes, certainly examined the practical impact of Office 365 adoption. With 70% of Fortune 500 companies having purchased Office 365 in the last 12 months and email being the key driver for customers’ move to Office 365, the adoption patterns are now part of everyday debates, presentations and forums in the world of IT.

And migration is certainly not simple - it’s a well-recognized reality that many companies evaluate Office 365 but hesitate to deploy. IT teams realize that putting all critical services with one provider presents a unique set of risks which, however, can be mitigated with the right planning. Organizations need flexibility while transferring critical services to the cloud, not a heart-stopping level of risk whenever outage alerts around Office 365 are made public.

It’s a well-recognized reality that many companies evaluate Office 365 but hesitate to deploy
It’s a well-recognized reality that many companies evaluate Office 365 but hesitate to deploy

 I spoke on the subject on the first day of the conference - my presentation was titled ‘Office 365; risk or reward? Or both?’  In it, I go a step further than highlighting the risks to the health of businesses.

I put forward a case that, so dominant a trend is Office 365 adoption, that I believe it should already be considered critical infrastructure so that public services, and in particular defense, apply appropriate rigor when rolling out new IT infrastructure. If you couldn’t make the conference, you can see some more detail on my presentation here.

So whether you go fully cloud, hybrid or transition just some of your services, a commitment to cloud makes economic, management and strategic sense. However, moving to the cloud should never simply be a one stop shop solution – the risks are just too great.

So if you happen to be at Discover 2015, why not pop by our stand to find out more. You can find us at Booth #362.


As employees around the world look forward to Friday and the imminent weekend, so it seems do the scammers, hackers and cyber-gangs. 

Research out from Cyren shows Friday is the peak distribution day for spam and malware, with almost 4x more malware than Mondays. The theory is that when employees take their laptops home over the weekend, they no longer benefit from the security measures put in place by their employers. Protection that only functions when behind a firewall on the company network.

Friday is the peak day for spam and malware.
Friday is the peak day for spam and malware.

Black Friday – the now global fraud phenomenon following Thanksgiving in the US – is set to be worse still, as vast numbers of employees begin their online festive shopping.

As employees click links in email, open attachments and surf the web unprotected via public unsecured Wi-Fi or their home network, they allow malware onto their machines that can then make its way onto the wider corporate network when they logon on Monday.

By then it could even be too late. With the mean time-to-click on a phishing email being 1 minute 22 seconds according the latest Verizon Data Breach Investigations Report, an attack could have already been successfully executed before the weekend is even over. Employees may have already had their credentials harvested, or been duped into giving away other valuable IP or data for sale or extortion.

So how can cybersecurity pros overcome the challenge of Monday morning security alerts and attack containment? With the right security measures in place, organizations can ensure that laptops along with tablets, cell phones and other devices, are protected both on and off the network. With 95% of breaches starting with an email-based phishing attack, ensuring appropriate email security is in place is a logical place to start.

So what kind of protection is needed? Cloud-based email security provides the most up-to-date defense against constantly changing threats. It allows protection to follow the employee across all devices no matter where they connect or access work email.

Email-borne attacks typically use malicious URLs or weaponized attachments to deliver their malware payload, so protecting both these vectors is key. Link rewriting with real-time, on-click analysis is the best form of defense against links that point to malicious web content. A system should always rewrite all inbound links and check the destination site every time the link is clicked to protect against delayed exploits.

Weaponized attachment-based attacks are best halted by the latest cloud-based sandboxing technology that delivers deep inspection of files. The sandbox must also be able to detect the sophisticated evasion techniques increasingly used to try and bypass sandboxes.

There’s another option here too in the form of attachment transcription to a safe file format. For example, a Microsoft Word document with a malicious macro is converted to a safe PDF format, a process that removes the malicious code. This alternative to traditional sandboxing means emails and files are delivered to recipients without the typical delay of a sandbox, and is arguably a more thorough process that is not susceptible to evasion.

Email-based security protection should be paired with web security to extend reach beyond email too.

Cybercriminals that write and distribute malware work and operate like businesses too, ‘shipping’ their code before they pack up for the weekend and watch employees fall victim to their exploits. By taking precautions like those we’ve described, and continuing to make employees more vigilant and aware of what to look out for, your organization will be better protected against potential ‘weekend weaknesses’.

You can learn more about advanced email attacks in our recent whitepaper: Countdown to Compromise: The Timeline of a Spear-Phishing Attack.

Find out more about Mimecast Email Security with Targeted Threat Protection against both URL and attachment based attacks on our website.