If last year’s leaks, hacks and breaches, be they from Fortune 500 companies or our own personal accounts, have taught us anything, it is that cyber security, especially concerning email management, is now a top priority.
Before we get further into what promises to be the biggest year ever for matters of mail security and onward, it’s worth reflecting on one of the most useful pieces of research published last year - PwC’s The Global State of Information Security Survey 2016. The research found that in 2015, 38% more security incidents were detected than in 2014 (the total number of global security incidents was revealed in the last PwC survey of the same name to be equivalent to 117,339 per day).
It’s therefore of great relief to note that this year’s report confirms that the majority (54%) of organizations have a CISO (i.e. Chief Information Security Officer) in charge of the security program. In recent years there has been a sharp rise in the number of CISOs being created and a few companies, recognizing the critical task of defending the company, its assets and its employees, have smartly made their CISO a member of the C-suite.
Hiring a CISO is the first step, but once in place, they’ll have their work cut out for them assuring the CIO, CEO and the wider company that the focus of cyber security should always be heavily weighted towards prevention (e.g. email data loss prevention), rather than wholly on incident response (e.g. a spear phishing attack).
That being the case however, what can make the difference between having a problem and suffering a disaster is advance planning and preparation. In addition, more often than not, what can really save a company is how its CISO responds.
A toolkit for industry-standard security should include plans for email continuity and outages (in terms of system, network, facilities and staff) and one over-riding ‘Highlander’ (there can be only one!) Emergency Action Plan that acts as a master checklist and parent to all other emergency and continuity plans. Once those plans have been developed, they should be practiced frequently, on paper, on a desk and in real life, until all those with a part to play are comfortable that they’d be able to act swiftly and decisively should the worst happen.
Technology is another key factor. However, while it may be wise to invest in the best products and services available at the time of purchase, it’s also necessary to use them to constantly assess and reassess elements of the company’s infrastructure, whether it be its email infrastructure, local network architecture, etc. Any weaknesses found will undoubtedly be exploited, so if a CISO is lucky enough to come across them before any cybercriminals do, they should be protected and patched immediately. The fit-and-forget mentality is no longer acceptable, as technology and protection date very quickly.
And finally, it also comes down to the employees. Provide them with the best tools you can, and educate them about the dangers of spear phishing, weak passwords and public Wi-Fi hotspots – if you show them how to protect themselves, they will be protecting the company at the same time. By using the best protection, technology, education and training possible, you’re closing as many of the exploitable holes as possible, be they in the network, software, people or process.
This week, Mimecast has been exhibiting and presenting at Hewlett Packard Enterprise Discover 2015, at ExCeL London.
The now seminal IT conference has, among other themes, certainly examined the practical impact of Office 365 adoption. With 70% of Fortune 500 companies having purchased Office 365 in the last 12 months and email being the key driver for customers’ move to Office 365, the adoption patterns are now part of everyday debates, presentations and forums in the world of IT.
And migration is certainly not simple - it’s a well-recognized reality that many companies evaluate Office 365 but hesitate to deploy. IT teams realize that putting all critical services with one provider presents a unique set of risks which, however, can be mitigated with the right planning. Organizations need flexibility while transferring critical services to the cloud, not a heart-stopping level of risk whenever outage alerts around Office 365 are made public.
I spoke on the subject on the first day of the conference - my presentation was titled ‘Office 365; risk or reward? Or both?’ In it, I go a step further than highlighting the risks to the health of businesses.
I put forward a case that Office 365 adoption is so dominant a trend that I believe it should already be considered critical infrastructure, so that public services, and in particular defense, apply appropriate rigor when rolling out new IT infrastructure. If you couldn’t make the conference, you can see some more detail on my presentation here.
So whether you go fully cloud, hybrid or transition just some of your services, a commitment to cloud makes economic, management and strategic sense. However, moving to the cloud should never simply be a one-stop-shop solution – the risks are just too great.
So if you happen to be at Discover 2015, why not pop by our stand to find out more? You can find us at Booth #362.
Yet again, another vendor has given up on its commitment to its customers’ email security and archiving. Just as Webroot and Google had done previously, Intel Security recently announced the end of life of its McAfee SaaS Email Protection and Archiving service. Former MXLogic customers are left with the risk of losing their security protection if they don’t act quickly.
Meanwhile, at this week’s Symposium, Gartner's SVP & Global Head of Research Peter Sondergaard predicted that the typical technology organization will spend up to 30% of its budget on risk, security & compliance by 2017. With cyber risks on the rise, there’s never been a better time to review your long-term archiving and security strategy.
It’s fair to say that it is relatively easy to swap out a security gateway service, but archiving is definitely a long-term bet. Data volumes are skyrocketing and organizations should be concerned about the cost and pain of migrating terabytes of critical data out of a defunct system in future. Short-term cost saving and poor vendor selection today could mean you’re left high and dry in years to come.
At Mimecast we have a track record of helping customers migrate away from end-of-life email services, providing on-going support and a regular stream of new products and service updates.
The Google Postini EOL announcement brought many organizations to Mimecast, at first for security, but eventually customers ended up with so much more. One example is Au Bon Pain, who first came to Mimecast with a security requirement but then added archiving and our email continuity service. They were so pleased, they offered to do a case study on Mimecast about their experience.
Archiving in 2015 means going beyond just storing customer emails and attachments safely. We believe that providing employees with rapid access to this critical data, wherever they are, is equally important. Meanwhile, a host of new advanced and targeted email threats need to be kept at bay.
Securing email and archiving means making a long-term commitment. We take that very seriously indeed and it is our business – nothing distracts us from that. Whether your primary emails are on-premises or in the cloud, you need to carefully evaluate your options today and determine who’s best placed for the future.
Question: what’s happened between this year’s IP EXPO Europe and last year’s? Answer: the security arms race has gone into overdrive.
Twelve months seems a short time, but in that period attacking techniques have matured markedly – now hackers are regularly employing sophisticated social engineering techniques in email and instant messages to trick staff. Also, the payload is now becoming more varied with a renewed focus on weaponized attachments used to infiltrate organizations.
So, what’s the next step to protect your organization?
Neutralizing these relentless and sophisticated attacks demands a deep commitment to security. It means investing in the right technology of course but I believe that it's employees who could be the strongest allies of IT managers in fighting back against these threats.
We have seen this before. The security and intelligence services rely on sophisticated surveillance technology but the vigilance and support of the general public is a key line of defense in the battle against terrorists and criminals.
Comprehensive and regular employee awareness programs are an important line of defense in an organization. Building this human firewall will be one of the themes I’ll be addressing in my presentations at IP EXPO this year.
I’ll also be focusing on how migrating to Office 365 presents an opportunity but also significant risks that need to be considered.
Details of my two presentations are below:
- ‘Office 365: Risk or Reward? Or Both?’ at 1:00 pm on Wednesday the 7th of October in the Network & Cloud Infrastructure Theatre
- ‘What's Stopping You Being the next Big Data Breach?’ at 1:40 pm on Thursday the 8th of October in the Cyber Threat Protection Theatre
If you'd like to find out more, drop in to see us (Stand #CC19, in the Cyber Security Europe section) to talk about the risks surrounding on-premises and Office 365 email infrastructure. You can register here for free (a saving of £35) if you enter your details before 7.00 pm, UK time, on Tuesday the 6th of October.