Layered Security: A Must-Have, Especially for Microsoft 365

Among the many important revelations in Mimecast’s State of Email Security 2021 (SOES) report there was this: Nearly nine out of 10 (88%) of Microsoft 365 users think their companies need additional layers of email security over and above the protections that Microsoft provides.

This begs several important questions beginning with: Why? But also, “What exactly is layered security?” and “How best to achieve it?”

Seeking Additional Safeguards

A large majority (81%) of the 1,175 MS 365 IT security decision makers who took part in the 2021 SOES study hold the safeguards included by Microsoft in its office suite in high regard. Yet nearly three out of four (72%) also agree that there is room for improvement. That may be in part because two-thirds of these respondents (67%) said their organization had experienced an MS 365 email outage during the past 12 months, and nearly half (49%) characterized the impact as moderate to severe.

But it may also be because of the growing recognition that email-related security risks are greater than they’ve ever been. Travel restrictions, work-from-home and other responses to COVID-19 have made businesses increasingly dependent on email. And, per the SOES survey, email usage rose at more than eight out of 10 companies in 2020. At the same time, the study also found that email-borne threats have soared 64% as cybercriminals have tried to take advantage of the confusion and anxiety surrounding the pandemic.

In response, 55% of technology and security executives plan to increase their cybersecurity budgets and add to their full-time cyber staffs this year, according to a recent PwC survey.[1] The aim is to increase their companies’ cyber resilience, so that they can respond more quickly to an attack or prevent one altogether. This is in line with the SOES study, which found that companies with a cyber resilience strategy are much more confident in their ability to withstand an email-borne attack than those without one. Which brings us back to the notion of layered security, also known as defense-in-depth.

What Is Defense-in-Depth?

Defense-in-depth is a layered approach to cyber resilience that, when used in conjunction with MS 365’s already robust native security components, can plug holes and help compensate for end-user negligence when conducting business via email.

Providing a backstop for users is especially critical in the current environment. With phishing attacks up by 63% since the start of the pandemic and employees more distracted by their work-from-home environments, nearly half (46%) of the SOES survey respondents reported greater fallout due to some type of employee misstep. In a related finding, the Mimecast Threat Center found that employees worldwide are clicking on malicious URLs embedded in emails three times as often as they had before the pandemic began.

These developments underline the importance of a defense-in-depth (DiD) strategy, where if one line of defense falls short, a second or third can save the day. By integrating different types of defenses from different vendors, the DiD model closes security cracks through which a threat could attack.

Some of the more important layers of a DiD strategy include:

• Network security controls based on traffic analysis. Rules derived from this analysis can help firewalls and intrusion protection systems identify potential threats and determine when to block access.
• Anti-malware programs that go beyond signature-based detection with heuristic features that scan for suspicious patterns and activity.
• Data integrity analysis software that uses a file’s checksum to verify its source and frequency of use. Incoming files with discrepancies can be flagged as suspicious and their source IP address can be checked to ensure that it is known and trusted.
• Behavioral analysis software is the belt to the DiD suspenders. When a firewall or intrusion protection program has failed, behavioral analysis picks up the slack by identifying behavior that doesn’t correspond to the norm. If it does, the application can then either issue an alert or execute automatic controls to halt a breach in progress.

Another advantage of a DiD strategy is how it undermines a malefactor’s ability to target the shortcomings in Microsoft’s security arsenal. To learn what they’re up against, cybercriminals will often subscribe to MS 365 themselves and conduct dry runs to test the viability of their attacks. Deploying a variety of third-party defenses deprives them of this stratagem, forcing them to operate on unfamiliar territory.

The Bottom Line

Many businesses rely on the safeguards provided by Microsoft 365 to keep their email secure. But the SOES survey found that nearly nine out of 10 companies believe they need additional layers of protection. As the SOES report makes clear, a cyber resilience strategy that helps a business adapt and respond to new threats pays substantial dividends. Companies making use of a layered approach, such as defense-in-depth, are more confident in their ability to prevent an email-borne attack and are less likely to be severely impacted should one take place.

[1] “2021 Global Digital Trust Insights,” PwC