Surely everyone changed their LinkedIn credentials in 2012, when the LinkedIn hack was made public, right?
Furthermore, most users would have doubled down on their credential security - changing their passwords to something complex and perhaps using a secure service like LastPass to manage those credentials securely, right?
So when LinkedIn confirmed last week that more than 100 million members' email and password combinations stemming from a 2012 data breach have been posted online, the natural question is 'why bother'?
As I pointed out to CNET this week, it's no longer the credentials themselves which have value (although there might be a few laggards who still haven't changed their passwords). It's the fact that cybercriminals now home in on a target by building very accurate pictures of companies and employees ripe for targeting. Also, as I discussed with Computing in March, LinkedIn is now the principal supermarket for enterprise hacking intelligence - a front door for hackers.
Once the overall picture of an organization is complete, the email account of the target, be it personal or professional, becomes the Holy Grail for the attackers. Suddenly the penny drops… Peace, who according to a story from Vice's Motherboard is trying to sell the credentials for about $2,200 in bitcoin, is actually selling the email addresses.
And I'm sure he or she will sell the information in no time at all - because who thought it was important to change their password and email address in 2012? Not many.
Aside from the immediate damage of social engineering-based attacks, the damage will really be felt by organizations who've been hacked over the last few years and are high-value targets in general. What this action has done is highlight the long-tail value of hacking - inspiring cybercriminals to re-harvest old hack data and inspire more audacious attacks in future as the financial incentive has been boosted further still.
Today, we launched our new Mimecast Business Email Threat Report 2016. The survey of 600 IT security professionals shows that while 64 percent see email as a major cyber-security threat to their business, 65 percent also feel ill-equipped or too out-of-date to reasonably defend against email-based attacks.
Email continues to be a critical technology in business and the threat of email hacks and data breaches looms large over IT security managers. Consequently, confidence and experience with previous data breaches and email hacks play key parts in determining an organization’s perceived level of preparedness against these threats. Alarmingly, one-third of survey respondents believe email is more vulnerable today than it was five years ago.
We depend on technology, and email in particular, in all aspects of our work and personal lives. So, it’s very disconcerting to see that while we might appreciate the danger, many companies are still taking too few measures to defend against email-based threats. Budget and C-suite involvement were the biggest gaps found between the most and least prepared respondents. Among the IT security managers who feel most prepared, it’s not a surprise to me that their C-suite is most engaged with email security. But the results show that the reality for a large number of them is that their C-suite is only somewhat engaged, not very engaged, or not engaged at all.
As the cyber threat becomes more potent, email attacks will become more common and more damaging. It’s essential that executives, the C-suite in particular, realize they may not be as safe as they think and take action. They need to get engaged with email security planning and preparation, and allocate time, focus and budget.
Those who feel better prepared to handle email-based threats also allocate higher percentages of their IT budgets to email security. We estimate from our research that security confidence is achieved when you assign over 10% of your IT budget to email security.
Finally, our research report also identifies five distinct security ‘personas’, inspired by the data, that we can all learn from. We call them Vigilant, Equipped Veteran, Apprehensive, Nervous and Battle-Scarred. For more information on the differences between these personas – including budget allocations, levels of C-suite involvement and the top attack vectors they worry about – download our E-book summary of the research here.
When Microsoft Office 365 went down again last month, a painful truth emerged as the outage rolled on for several days – a big deal for your company is not always a big deal for Microsoft.
But what’s different about this one is how slow Microsoft was to respond – maybe because it just affected customers that use IMAP. Microsoft promised to fix the problem by January 23 – five days after the outage.
Certainly Office 365 is not the only service to suffer like this – outages happen – but Office 365 outages grab widespread attention because of its increasing popularity and the business-critical nature of the email management services it provides.
But there is something significant about this one: what appears to be a failed service update could create an outage lasting more than a week. This highlights that your problem and Microsoft’s problem aren’t always aligned. With the number of companies adopting Microsoft Office 365 increasing quickly (as many as 50,000 a month) this problem only gets worse over time. Far fewer customers will be using IMAP, so there is a perceived risk that problems will be treated as a lower-priority fix. This underscores a risk to any organization’s business continuity and data security. No business should rely on a single provider for a critical service such as email. Additional third-party cloud services are the only way to manage these risks.
For many businesses, email is their most critical IT workload. Email continuity is also highly valued by employees. Tolerance for email downtime is almost zero as it costs money, damages reputations and cripples business operations. In short, we all need it to work and to work all the time.
For years IT teams have built disaster recovery plans and systems predicated on the belief that IT fails and you always need a plan B. Nothing changes in a cloud-first world. Cloud services clearly fail and if you don’t have an independent email continuity service, your email will be down until Office 365 gets it back up again. And you can’t control when that will happen. One hour. Five hours. In the case of the IMAP failure, 7 days.
So take a page out of the on-premises risk management handbook. Make Office 365 safer with the addition of an independent third-party email continuity service and by keeping an Office 365 disaster recovery solution in place.
For all its strengths, if you rely 100% on Office 365 for your email you are asking for trouble. It’s just a matter of time.
Find out more about how Mimecast can help keep your business running during an Office 365 outage here.
Organizations of all sizes, across all industries, rely on archiving solutions to preserve critical data for compliance and e-discovery, and email is a primary contributor to these systems.
For archiving, we’ve historically relied on tapes, discs and third-party storage services, but now, it’s the cloud. That most recent change has driven the biggest shift as companies look to take advantage of cloud-based technology that reduces costs, improves scalability and provides anywhere, anytime access.
Consider the following:
- Over 112 billion business emails are sent each day. The number of emails continues to increase, straining archives not designed to scale efficiently. A related problem is that many email archiving solutions do not provide an easy way to search and find important messages. This dramatically limits the value to end users.
- The number of cloud services actually being used by organizations is about 15 times larger than IT departments assumed. The problem of Shadow IT and monitoring the information flow for adherence to compliance and regulations is getting larger.
- How employees access information has changed dramatically in the last five years. In 2011, only 8 percent of email was opened on a mobile device. Fast forward to 2015 and nearly 50 percent of email is opened on either a smartphone or a tablet. This growth of over 500 percent demonstrates the need for employees to have instant access to archived information.
- A leading analyst firm recommends deploying enterprise information archiving as software-as-a-service (SaaS). They estimate per-seat costs of SaaS solutions are approximately four to six times less expensive.
Arguably the legal industry has the most stringent requirements for archiving based on the need to rapidly search and find critical communication. With nine offices in the US and Europe and over 230 lawyers, the law firm Brown Rudnick certainly has a unique perspective on the archiving needs of any organization. In fact, the firm receives in excess of 300,000 emails each week!
Join Brown Rudnick CIO Jim Darsigny and David Hood from Mimecast as we look at 'Archives at Risk – The Fundamental Flaws of On-premises Storage'. Reserve your spot today for this informative webinar.