You think you’re prepared to deal with cybersecurity threats. But what if your organization became the target of a whaling attack, spear-phishing or a weaponized attachment? These are just a few of the methods hackers and cybercriminals use to steal confidential data, employee information and even cash. Are you confident that your corporate email can protect your organization from these insidious attacks?

To find out whether you really are prepared to cope with email-based attacks, you need to get in touch with your true IT security self. This can help you find out how much of an impact past experience with email attacks has on future preparedness, and whether or not your organization is dedicating enough of its IT budget to cybersecurity.

Don’t worry: we can help. Mimecast recently surveyed hundreds of IT security pros across the globe to get to the bottom of how they felt about email security preparedness. Those responses identified the gaps between how prepared they think their companies are against email threats, and how prepared they actually are. Based on this insight, we spotted five security “personas” of IT security pros, or ways of helping you self-identify with a group that shares your values:

  • The Vigilant: This is less than one-fifth of IT security professionals. They demonstrate a high confidence in their ability to handle or defend against cyber threats, despite no experience with email hacks or data breaches.
  • The Equipped Veterans: Approximately one-fifth of IT security professionals – they are confident in their cybersecurity and have dealt with attacks in the past.  
  • The Apprehensive: About one-third of IT security professionals – they have no experience with data breaches or hacks and do not feel confident in their level of preparedness.
  • The Nervous: Less than one-tenth of IT security professionals – they feel completely ill-equipped to cope with the cyber threat.
  • The Battle-Scarred: Just over one-quarter of IT security professionals – these have experienced a history of data breaches or email hacks, but still feel unprepared to defend themselves against attacks in the future.

Ready to find out your true IT security persona? Take our IT Security Persona Test now. Learn about your distinct personality type and tips to boost your confidence.


Mimecast Welcomes Email Privacy Act

by Peter Bauer - CEO and co-founder

Mimecast welcomes a new bill designed to protect emails and other electronic communications.   

Can you remember the world in 1986? Aliens, Top Gun and Labyrinth were on at the movies and brick phones weighed the same as a bag of sugar.

The Electronic Communications Privacy Act was also enacted by the United States Congress. This ancient legislation allows law enforcement to search through emails, instant messages and photos stored in the cloud once they are 180 days old.

Back then, emails stored on a third party server for six months were considered by the law to be abandoned. This allows law enforcement agencies to obtain the data with just a written statement certifying that the information is relevant to an investigation, without judicial review.

Thirty years later, business archiving requirements, cloud technology and public opinion have moved things on considerably.

Today, we are proud that approximately 16,200 organizations and millions of their employees from around the world have entrusted their email and data to Mimecast. We process more than 180 million emails per day and our customers look to us to protect them from cybercriminals, outage and unwarranted government snooping.

The new Email Privacy Act (H.R. 699), passed unanimously by the U.S. House of Representatives, will require the government to get a warrant from a judge before obtaining private communications and documents stored online.

Email has gone from being just a communication platform to probably the greatest single repository of corporate knowledge any organization holds. Almost all corporate activity, discussion or ideas touch email at some point.

Due process should apply in the digital world now more than ever before.

Our customers use Mimecast to improve the security, reliability and archiving capabilities of their own email servers or primary cloud email service. We take our responsibility to protect their email and the petabytes of business information this includes very seriously.

Public opinion is on the side of fair and reasonable control of law enforcement and government in this regard to protect the right of the individual to privacy.

This is a clarion call for governments around the world to continue to modernise law-making in the wake of the unstoppable rise of cloud computing services. Laws written in the analogue and desktop computing age need rethinking for the cloud era.

Email is the bedrock of modern day communication and deserves up-to-date protection enshrined in legislation. This bill is a step in the right direction to further protect citizens’ private historical data held in the cloud from unreasonable intrusion.


Trust Matters at Mimecast

by Elizabeth Ruhl - Director, Governance, Risk and Compliance at Mimecast

Mimecast recently announced it has completed two important security tests: the Health Insurance Portability and Accountability Act (HIPAA) Security Compliance Assessment and Service Organization Control 2 Type 1 (SOC 2 Type 1) Independent Service Audit. Both third-party reports affirm the security, availability and integrity of Mimecast’s operations and applications, and reflect Mimecast’s commitment to making email safer for business.

Trust is the foundation of our business, and security, privacy and data protection are built into everything we do. This is why we regularly update and maintain certifications and audit reports, which allow us to be transparent to our customers and partners.

Transparency in reporting.
The SOC Reporting Framework allows companies to communicate how their products and services achieve the ‘Trust Principles of Confidentiality, Availability, Integrity, Privacy or Security.’ This is a meaningful way for companies to describe their internal controls to their customers, potential customers and partners through an internationally accepted independent audit. Mimecast understands the importance of these trust principles to our customers, partners, shareholders and investors. These reports are intended to meet the needs of a broad range of users that must understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality and privacy. This expands our ability to demonstrate trust, transparency and meaningful controls beyond our Information Security Management System (ISMS), already certified through ISO 27001 (information security management system) and ISO 27018 (controls for the protection of personally identifiable information in the public cloud) to the service environment provided by Mimecast to our customers.

Protecting confidential customer healthcare data.
The HIPAA Privacy, Security and Breach Notification Rules, as updated by the HIPAA Final Omnibus Rule 2 in 2013, set forth how certain entities, including most healthcare providers, must protect and secure patient information. The Health Information Technology for Economic and Clinical Health (HITECH) Act directly regulates Business Associates (BAs) and imposes on them the same privacy and security obligations required of Covered Entities (CEs). Mimecast is a Business Associate for several customers, and we sign Business Associate Agreements (BAAs) with those customers. This means the company has legal, regulatory and contractual obligations to protect Mimecast customer information, including electronic Protected Health Information (ePHI). Mimecast’s HIPAA/HITECH Security Compliance Assessment Report is available on request to prospects that sign the appropriate NDA and to existing customers under service agreement confidentiality.

Interested in learning more? Contact us for additional information about our certifications and audit reports. 


Today, Technology Can Help Stop Whaling Email Attacks

by Steven Malone - Director of Security Product Management

Today we launched the world’s first service designed specifically to stop whaling (CEO fraud) attacks.

Since previewing it at the RSA Conference in March, we’ve had a lot of interest in Impersonation Protect. And, as part of our commitment to continuous email security updates, Mimecast would like to announce that all Targeted Threat Protection customers will get the new service for free.

Whaling attacks are designed to trick key users, often in the finance team, into making fraudulent wire transfers or other financial transactions to cybercriminals by pretending to be the CEO or CFO in a fake email conversation. Some also target those responsible for sensitive employee data, such as payroll information, which could be used for identity theft or to claim fraudulent tax refunds.

These malware-less attacks have been growing around the world as cybercriminals change their attacks to try and circumvent traditional email security techniques such as anti-virus, real-time URL checking and attachment sandboxing.

Growth in whaling (CEO fraud) attacks

  • According to the FBI, whaling email scams alone were up 270% from January to August 2015. The FBI also reported business losses due to whaling of more than $1.2 billion in little over two years, and a further $800 million in the six months since August 2015.
  • A recent report from the UK City of London Police’s National Fraud Intelligence Bureau (NFIB) shows that from July 2015 until January 2016 there was a marked increase in CEO-fraud with a total of 994 reports being made to Action Fraud.
  • According to Mimecast’s own research, since January 2016 67% of firms have seen an increase in attacks designed to extort fraudulent payments and 43% saw an increase in attacks specifically asking for confidential data like HR records or tax information.

Just in the last few months, a large number of organizations have confirmed that their employees have been the victims of these attacks, many of them losing millions of dollars or highly sensitive data to cybercriminals.

Even the smartest employee can fall victim to these malware-less attacks. Employee education and rigorous business processes do play an important role but at Mimecast we believe smarter technology can play a larger role in identifying social-engineering attacks.

Advanced pattern recognition

The content of these messages isn’t spammy. Whaling emails are carefully socially engineered, designed to read like a real email and highly targeted to each recipient. With no spammy content and no attachment or link to click, it’s highly likely that other security defenses will not flag these mails as dangerous.

Mimecast can already detect traditional spoofing using frameworks like Sender Policy Framework (SPF). Other custom Mimecast policies can check for both envelope and header spoofing. To add further dedicated protection from increasingly common “domain similarity” attacks, Impersonation Protect allows detection of similar domains to a customer’s genuine domains as one of its threat indicators.

How it works

Impersonation Protect identifies combinations of key indicators of attack (IOA) in an email to determine if the content is likely to be suspicious, even in the absence of a URL or attachment.

  • As email passes through the Mimecast Secure Email Gateway, Impersonation Protect examines several key components of the message.
  • Impersonation Protect examines typical IOAs in the email, such as the email’s display name, domain name, domain age and the body of the message to determine if the email could be a social engineering attack, like whaling or CEO-fraud.
  • If the email fails a combination of these tests, administrators can configure Impersonation Protect to bounce the message, quarantine it, or notify end users that the email is suspicious.
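The bullets above list the indicators of attack (display name, sender domain, domain age, message body) and the "domain similarity" and envelope/header spoofing checks mentioned under "Advanced pattern recognition" describe how several weak signals are combined into one verdict. The following is an added illustration of that combination logic, written for this page; it is not Mimecast's code and the weights, thresholds, homoglyph table, executive list, organisation domain and the offline domain-age table are all constructed assumptions standing in for a real directory, WHOIS lookup and tuned policy. It scores three constructed messages and maps the score to the bounce / quarantine / notify actions the list describes.

```python
"""Toy whaling (CEO-fraud) scorer combining several indicators of attack.

Assumptions (constructed for this example, not Mimecast configuration):
ORG_DOMAINS, EXECUTIVES, DOMAIN_AGE_DAYS, URGENCY_TERMS and the score weights.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr

ORG_DOMAINS = {"example.com"}                      # the customer's genuine domains
EXECUTIVES = {                                     # display name -> real address
    "jane doe": "jane.doe@example.com",
    "john roe": "john.roe@example.com",
}
# Stands in for a WHOIS lookup: days since the domain was registered.
DOMAIN_AGE_DAYS = {"example.com": 5000, "examp1e.com": 3, "mail-partner.net": 900}
URGENCY_TERMS = ("wire transfer", "urgent", "confidential", "w-2", "payroll")
# Characters attackers swap for look-alikes; folded before domains are compared.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def fold(domain: str) -> str:
    """Normalise common single- and double-character look-alikes."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str) -> bool:
    """True if the domain is not ours but folds or edits to within 1 of one of ours."""
    if domain in ORG_DOMAINS:
        return False
    return any(fold(domain) == fold(d) or edit_distance(domain, d) <= 1 for d in ORG_DOMAINS)


@dataclass
class Message:
    header_from: str    # RFC 5322 From: header, what the recipient sees
    envelope_from: str  # SMTP MAIL FROM address
    subject: str
    body: str


@dataclass
class Verdict:
    score: int = 0
    indicators: list = field(default_factory=list)
    action: str = "deliver"


def score_message(msg: Message) -> Verdict:
    v = Verdict()
    display, addr = parseaddr(msg.header_from)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    env_domain = msg.envelope_from.lower().rsplit("@", 1)[-1]

    # 1. Display-name impersonation: an executive's name on a different address.
    exec_addr = EXECUTIVES.get(display.strip().lower())
    if exec_addr and addr != exec_addr:
        v.score += 3
        v.indicators.append("executive display name on non-matching address")
    # 2. Domain similarity to one of the organisation's genuine domains.
    if lookalike_domain(domain):
        v.score += 3
        v.indicators.append(f"look-alike domain {domain}")
    # 3. Envelope sender and header From disagree (weak on its own: mailing lists do this).
    if env_domain != domain:
        v.score += 1
        v.indicators.append("envelope/header domain mismatch")
    # 4. Newly registered sending domain.
    age = DOMAIN_AGE_DAYS.get(domain)
    if age is not None and age < 30 and domain not in ORG_DOMAINS:
        v.score += 2
        v.indicators.append(f"domain registered {age} days ago")
    # 5. Body content typical of payment or HR-data requests.
    text = f"{msg.subject} {msg.body}".lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    v.score += len(hits)
    v.indicators.extend(f"body term '{t}'" for t in hits)

    # Combinations decide the action; one weak indicator alone still delivers.
    if v.score >= 6:
        v.action = "bounce"
    elif v.score >= 4:
        v.action = "quarantine"
    elif v.score >= 2:
        v.action = "notify"
    return v


# Constructed sample messages.
SAMPLES = {
    "whaling": Message('"Jane Doe" <jane.doe@examp1e.com>', "jane.doe@examp1e.com",
                       "Urgent: wire transfer needed today",
                       "Please arrange a confidential wire transfer to the new supplier before 3pm."),
    "internal": Message('"Jane Doe" <jane.doe@example.com>', "jane.doe@example.com",
                        "Q3 figures", "Attached are the Q3 figures we discussed."),
    "partner": Message('"Mail Partner News" <news@mail-partner.net>', "bounces@mail-partner.net",
                       "Your confidential report is ready", "Log in to read this month's report."),
}

if __name__ == "__main__":
    for name, m in SAMPLES.items():
        print(name, score_message(m))
```

Note how the legitimate executive mail scores zero because the display name resolves to the address the directory expects, and the partner newsletter's single "confidential" hit is not enough to act on; the whaling sample trips four separate indicators and is bounced.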

We recently explained in a little more detail how Impersonation Protect works by applying advanced pattern recognition to these malware-less emails. This new service can defend on-premises, hybrid and pure cloud email deployments including Microsoft® Exchange and Office 365™.

Previously there was little you could do to protect your organization from whaling attacks. It largely came down to education and hoping your colleagues wouldn’t be duped by a well-targeted, socially engineered attack. But with Impersonation Protect we have changed that – you now have technology to protect you alongside training.

We look forward to hearing feedback on Impersonation Protect as it continues to evolve.