Today, we launched our new Mimecast Business Email Threat Report 2016. The survey of 600 IT security professionals shows that while 64 percent see email as a major cyber-security threat to their business, 65 percent also feel ill-equipped or too out-of-date to reasonably defend against email-based attacks.
Email continues to be a critical technology in business and the threat of email hacks and data breaches loom large over IT security managers. Consequently, confidence and experience with previous data breaches and email hacks play key parts in determining an organization’s perceived level of preparedness against these threats. Alarmingly, one-third of survey respondents believe email is more vulnerable today than it was five years ago.
We depend on technology, and email in particular, in all aspects of our work and personal lives. So, it’s very disconcerting to see that while we might appreciate the danger, many companies are still taking too few measures to defend against email-based threats. Budget and C-suite involvement were the biggest gaps found between the most and least prepared respondents. Among the IT security managers who feel most prepared, it’s not a surprise to me that their C-suite is most engaged with email security. But the results show that the reality for a large number of them is that their C-suite is only somewhat engaged, not very engaged, or not engaged at all.
As the cyber threat becomes more potent, email attacks will become more common and more damaging. It’s essential that executives, the C-suite in particular, realize they may not be as safe as they think and take action. They need to get engaged with email security planning and preparation, and allocate time, focus and budget.
Those who feel better prepared to handle email-based threats also allocate higher percentages of their IT budgets to email security. We estimate from our research that security confidence is achieved when you assign over 10% of your IT budget to email security.
Finally, our research report also identifies five distinct security ‘personas’, inspired by the data, that we can all learn from. We call them Vigilant, Equipped Veteran, Apprehensive, Nervous and Battle-Scarred. For more information on the differences between these personas – including budget allocations, levels of C-suite involvement and the top attack vectors they worry about – download our E-book summary of the research here.
When Microsoft Office 365 went down again last month, a painful truth emerged as the outage rolled on for several days – a big deal for your company is not always a big deal for Microsoft.
But what’s different about this one is how slow Microsoft was to respond – maybe because it just affected customers that use IMAP. Microsoft promised to fix the problem by January 23 – five days after the outage.
Certainly Office 365 is not the only service to suffer like this – outages happen, but the reason why Office 365 outages grab widespread attention is because of its increasing popularity and the business critical nature of the email management services it provides.
But there is something significant about this one: what appears to be a failed service update could create an outage lasting more than a week. This highlights that your problem and Microsoft’s problem aren’t always aligned. With the number of companies adopting Microsoft Office 365 increasing quickly (as many as 50,000 a month), this problem only gets worse over time. Far fewer customers will be using IMAP, so there is a perceived risk that their problems will be treated as a lower-priority fix. This underscores a risk to any organization’s business continuity and data security. No business should rely on a single provider for a critical service such as email. Additional third-party cloud services are the only way to manage these risks.
For many businesses, email is their most critical IT workload. Email continuity is also highly valued by employees. Tolerance for email downtime is almost zero as it costs money, damages reputations and cripples business operations. In short, we all need it to work and to work all the time.
For years, IT teams have built disaster recovery plans and systems predicated on the belief that IT fails and you always need a plan B. Nothing changes in a cloud-first world. Cloud services clearly fail, and if you don’t have an independent email continuity service, your email will be down until Office 365 gets it back up again. And you can’t control when that will happen. One hour. Five hours. In the case of the IMAP failure, 7 days.
So take a page out of the on-premises risk management handbook. Make Office 365 safer with the addition of an independent third-party email continuity service and by keeping an Office 365 disaster recovery solution in place.
For all its strengths, if you rely 100% on Office 365 for your email you are asking for trouble. It’s just a matter of time.
Find out more about how Mimecast can help keep your business running during an Office 365 outage here.
Organizations of all sizes, across all industries, rely on archiving solutions to preserve critical data for compliance and e-discovery, and email is a primary contributor to these systems.
For archiving, we’ve historically relied on tapes, discs and third-party storage services, but now, it’s the cloud. That most recent change has driven the biggest shift as companies look to take advantage of cloud-based technology that reduces costs, improves scalability and provides anywhere, anytime access.
Consider the following:
- Over 112 billion business emails are sent each day. The number of emails continues to increase, straining archives not designed to scale efficiently. A related problem is that many email archiving solutions do not provide an easy way to search and find important messages. This dramatically limits the value to end users.
- The number of cloud services actually being used by organizations is about 15 times larger than IT departments assumed. The problem of Shadow IT and monitoring the information flow for adherence to compliance and regulations is getting larger.
- How employees access information has changed dramatically in the last five years. In 2011, only 8 percent of email was opened on a mobile device. Fast forward to 2015 and nearly 50 percent of email is opened on either a smartphone or a tablet. This growth of over 500 percent demonstrates the need for employees to have instant access to archived information.
- A leading analyst firm recommends deploying enterprise information archiving as software-as-a-service (SaaS). They estimate per-seat costs of SaaS solutions are approximately four to six times less expensive.
Arguably the legal industry has the most stringent requirements for archiving based on the need to rapidly search and find critical communication. With nine offices in the US and Europe and over 230 lawyers, the law firm Brown Rudnick certainly has a unique perspective on the archiving needs of any organization. In fact, the firm receives in excess of 300,000 emails each week!
Join Brown Rudnick CIO Jim Darsigny and David Hood from Mimecast as we look at 'Archives at Risk – The Fundamental Flaws of On-premises Storage'. Reserve your spot today for this informative webinar.
If last year’s leaks, hacks and breaches have taught us anything, be they from Fortune 500 companies or our own personal accounts – it is that cyber security, especially concerning email management, is now a top priority.
Before we get further into what promises to be the biggest year ever for matters of mail security, it’s worth reflecting on one of the most useful pieces of research published last year: PwC’s The Global State of Information Security Survey 2016. The research found that in 2015, 38% more security incidents were detected than in 2014 (the total number of global security incidents was revealed in the last PwC survey of the same name to be equivalent to 117,339 per day).
It’s therefore of great relief to note that this year’s report confirms that the majority (54%) of organizations have a CISO (i.e. Chief Information Security Officer) in charge of the security program. In recent years there has been a sharp rise in the number of CISOs being created and a few companies, recognizing the critical task of defending the company, its assets and its employees, have smartly made their CISO a member of the C-suite.
Hiring a CISO is the first step, but once in place, they’ll have their work cut out for them assuring the CIO, CEO and the wider company that the focus of cyber security should always be heavily weighted towards prevention (e.g. email data loss prevention), rather than wholly on incident response (e.g. to a spear phishing attack).
That being the case however, what can make the difference between having a problem and suffering a disaster is advance planning and preparation. In addition, more often than not, what can really save a company is how its CISO responds.
A toolkit for industry-standard security should include plans for email continuity and outages (in terms of system, network, facilities and staff) and one over-riding ‘Highlander’ (there can be only one!) Emergency Action Plan that acts as a master checklist and parent to all other emergency and continuity plans. Once those plans have been developed, they should be practiced frequently, on paper, as tabletop exercises and in real life, until all those with a part to play are comfortable that they’d be able to act swiftly and decisively should the worst happen.
Technology is another key factor. However, while it may be wise to invest in the best products and services available at the time of purchase, it’s also necessary to use it to constantly assess and reassess elements of the company’s infrastructure, whether it be its email infrastructure, local network architecture, etc. Any weaknesses found will undoubtedly be exploited, so if a CISO is lucky enough to come across them before any cybercriminals, they should be protected and patched immediately. The fit-and-forget mentality is no longer acceptable, as technology and protection date very quickly.
And finally, it also comes down to the employees. Provide them with the best tools you can, and educate them about the dangers of spear phishing, weak passwords and public Wi-Fi hotspots – if you show them how to protect themselves, they will be protecting the company at the same time. By using the best protection, technology, education and training possible, you’re closing as many of the exploitable holes as you can, be they in the network, software, people or process.