Is your archiving solution out of date?
Can we be honest? Most email archiving platforms in use today are obsolete. The way we use email today has completely changed, and these platforms no longer do what you need them to do.
Archiving solutions need to preserve data and simplify search and e-discovery. Most archiving platforms use the familiar on-premises architecture based on software, server and storage. Like most on-premises architectures, there’s a disaster recovery layer, usually a backup-and-recovery platform.
This architecture was designed in the early 1990s. At the time, the World Wide Web was in its infancy. Payphones were everywhere. And email was a text-based store-and-forward messaging medium.
Today’s email is everything and everywhere
Fast-forward to 2017: what does the world look like now? First, email has far surpassed phone as the primary business communication medium. The average user sends and receives over 122 emails each day. Second: mobility. BYOD is our new normal. And third: 86% of workers recently surveyed say they use email to share files.
Email is a collaboration tool, a workflow tool, and a file management system.
You can probably see where I’m going with this, right? So many of us are vainly trying to force 2017 email into a 1990s archiving architecture. This makes archiving costly and labor-intensive. It requires constant software upgrades, hardware refreshes, and storage expansions.
What about search and e-discovery? These take forever, bogged down by the deluge of messages and attachments that this architecture never set out to address.
Mobility? Nope. Not in the original scope.
The remedy: true cloud archiving
Here’s what you need to archive effectively in today’s email-dominated business world: an independent, immutable cloud archive layer. One that leverages true cloud scale and cloud economy. With dedicated resources for threat scanning, applying retention policies, running search and e-discovery, and all the other specialized archiving functions.
Now what do you get? Excellent cost profile. Excellent search – average completion times under 2 seconds and a 7-second SLA. And mobility by design, with native apps for Android, iPhone, Blackberry, and Windows Phone.
A secure, cloud-based archive that’s separate and independent from production email.
What’s the bottom line? One of our customers, a large retailer, tells us they save $70K annually in TCO compared to their previous archiving platform, and 15% in the time they need for email maintenance. And – something you likely won’t hear about from other archiving solutions – a law firm reports a 66% improvement in end-user productivity. This firm requires all of its attorneys and support staff to run Mimecast on their desktops and their smartphones.
These are the reasons you need Mimecast archiving to properly manage email, the single most essential resource you rely upon.
The question remains: where are you in your archiving journey? Download your complimentary copy of the 2016 Gartner Magic Quadrant for Enterprise Information Archiving report.
Recently, the State of New York has taken steps towards passing the nation’s first cybersecurity regulation which explicitly tells financial organizations in New York what they must do in their security program. You can read an overview of this in the article, “Full Employment for CISOs in New York.”
The main question I have is, does it make sense to legislate the details of a security program versus allowing organizations to build programs that meet the business needs and risk tolerance of their organizations?
Before I answer that question, let me first state that overall, I believe the directives in the regulation generally make sense. In fact, they are practices that most security professionals would have as part of their standard operating procedures. It is a little odd, though, that they explicitly call out two technology areas – multi-factor authentication and encryption – for inclusion, while staying very high-level on the other security control areas. Again, not that multi-factor authentication and encryption are bad areas to focus on, but why are those included while other important security controls, such as email security, Web security, anti-virus, identity management, and many other security categories, are not?
Now back to the main question of this blog: is legally requiring specific security practices a good thing? My take is no. However, should regulators consider cybersecurity as part of their supervisory responsibilities? Yes, as part of their view of the organization’s risk management program. Ultimately, organizations are responsible for their own risk management programs, for how much risk they can tolerate, and for how best to mitigate that risk.
Just as regulators don’t direct in detail other aspects of the organization’s business practices, neither should they do so for its cyber risk management practices. There are just too many opportunities for unintended consequences to arise. For example, in my experience, the more detailed the regulation, the more overwhelming it becomes for the CISO looking to implement it, and the greater the chance that the security program turns into a checklist program rather than a risk management focused one.
I realize it is a bit cheeky for me to make security resolutions for your security program, but I believe you will find these recommendations to be straightforward and highly actionable. In no particular order:
- If you can’t do it, outsource it. Don’t skip a control because you don’t have the expertise or the capital budget to buy or manage the particular security control in question. Now more than ever, many security controls can be consumed as services as opposed to being purchased in the form of software or hardware appliances. Increasingly, security professionals, just like their cousins in the IT department, can leverage the cloud to get the services they need and save money and time to boot. Security professionals should use 2017 to accelerate their transformation from owning every aspect of the implementation and maintenance of the control to being the strategists and architects of their security controls.
- Plan for incident response now, well before you need to use it. In this era of near certainty of business-impacting security incidents, it’s key to plan now for the variety of incidents that will likely hit your business. You know what they are likely to be: ransomware, DDoS attacks, email-borne impersonation attacks, botnet infections, insider threats – malicious, accidental, policy-violating – and a handful of others. Work with the relevant functions around your organization, write your incident response plan down, and run a table-top exercise or two in 2017. It is much better to do it in theory once or twice before you have to do it for real.
- Make employee security awareness training an everyday affair and not a once-a-year, video-watching boredom fest. While no security program should wholly rely on employees to save it from security incidents, having well-informed and engaged employees greatly helps reduce the risk and mitigate the damage of the inevitable breach. Pushing out a 30-minute video once a year does not. Attacks are dynamic and unpredictable, and so should user training be. Build informative user messages and tests into the daily operation of your security program. When employees do the right thing, let them know. When they don’t, help them understand why what they did was risky. For example, make it easy for them to report likely spam and other suspicious emails. If you must block something they did, like visiting a sketchy Web site, make sure you tell them why they were blocked and what their options are.
- Evaluate your critical business processes and make sure that they are not completely vulnerable to hacked IT systems or the impersonation of executives or critical partners. Given how easy it is to spoof or hack an organization’s email, it is amazing to see how many business processes are 100% dependent on trusting the content in emails. One needs only to consider the number of fraudulent wire transfers that are generated from simple email requests apparently from executives or business partners to understand the absurdity of fully trusting an email. Please make sure every important business process of yours has automated fraud inspection and out-of-band checks-and-balances built into the process. Don’t expect your users to be the first and last line of defense.
- I realize this resolution is like requesting three more wishes as your third wish from the Genie (Genies don’t go for that by the way), but I strongly recommend leveraging the SANS 20 Critical Security Controls as a key security framework to benchmark your organization for 2017 and beyond. While there is a lot of depth behind these 20 controls, overall I find this SANS list to be both simple and comprehensive. A great framework to use to frame your security resolutions for 2017 and beyond.
For a quick resource, here’s an eBook from Mimecast outlining five tips to combat email-based attacks.
We recently announced some changes to our MSP program that will be effective from 1 April 2017. We understand that these are disruptive to some of our MSP partners, and we’ve received robust feedback since the announcement. So first I apologize for any distress caused by how we handled these changes and secondly I wanted to explain a bit more about our thinking behind the changes to our MSP program. I also wanted to make myself available to talk with any partners that might still be concerned and want us to work with them on this transition.
In aggregate, we do think these changes are better for customers, better for our partners and better enable us to deliver our services to you and to customers on a sustainable long-term basis.
So a quick summary of the key changes:
- Starting from 1 April 2017, we will only be offering new Mimecast accounts through MSPs for end users that are contributing a minimum of $100 a month (net to Mimecast).
- We are eliminating entry-level email security (basic anti-spam and anti-virus) SKUs for very small customers.
Here’s the thinking that got us to design the change:
- The economics of delivering entry-level email anti-spam and anti-virus to very small businesses are generally unattractive to SaaS providers. McAfee perhaps most recently illustrated this with their MXLogic product. After years of building a user base that contained much marginal business from thousands of tiny customers, they found it difficult to invest meaningfully in their platform. Ultimately, as we all know, they decided to pull the plug on the entire offering. We don’t believe it serves anyone within the Mimecast eco-system to venture down this path, so our decisions have been aimed at steering far away from this fate. Our $100 minimum per customer per month is designed to help us do this and will benefit our partners in a more profitable way.
- We do have conviction that customers should purchase more comprehensive protection to deal with growing email security threats. We feel that, especially for small customers who often don’t have any additional layers of protection, entry-level email security is not a good solution on its own. So we want to encourage our partners to ensure their customers include more protection, deliver the coverage that they require, and do so in a way that is cost effective. So our new entry-level SKU now includes our integrated Targeted Threat Protection services. This means that while some very small customers will be paying us more, they will also be getting advanced security protection against phishing, malware, ransomware, and impersonation attacks.
We do understand that this is disruptive to some of our MSP partners. We are sorry about that. We are here to work with you to minimize that disruption, within the constraints that we have.
You may know that I am brand new in my role here at Mimecast and frankly am extremely excited about what we can do to help our channel partners innovate and grow. Making a change like this to our MSP program was not an easy decision for the managers that have worked on this before my arrival, but you can be assured of our commitment to being a great partner to you going forward.
Please reach out if I can be helpful to your business as we navigate this change.