Richmondshire District Council is a local government body in North Yorkshire, England. It covers a large northern area of the Yorkshire Dales and must consistently deliver a wide range of public services – from revenues and benefits and homelessness services to environmental health, planning, waste and recycling, and more. The scale of the council’s operations, which are headquartered in Richmond with 14 smaller sites, means email is a primary communicationtool both within the council and to interact with the public.
For ICT & Business Change Manager, Graeme Thistlethwaite, that means keeping email on is a major priority: “It is our main communication tool. If it wasn’t available, a lot of people would not be able to do their jobs and services would suffer.”
Equally, Graeme and his team of three technical analysts have a major focus on data security: “A lot of potentially sensitive information gets shared via email, whether that is personal financial data or information about vulnerable people; keeping that safe and secure is vital.”
However, there is a tension between that focus on data security and Graeme’s business change role, which is about opening government up to local residents: “The business change element of my role is about how we use technology to deliver more efficient, accessible services. Clearly, we are also very focused on GDPR compliance and use of data, so we essentially need to be more open and more secure at the same time. It’s about striking a balance.”
By 2016, that delicate balance between service innovation and data security was at risk. Managing and maintaining the council’s on-premise Exchange 2016 environment was taking up more and more time. Email security and a lack of content control to prevent data leaks were all causing major headaches for Graeme and his team.
"We handle all the emails ourselves, from Exchange at the backend right across the board for around 220 users,” he explained. “At that time, we had a real issue with sophisticated attacks using malicious URLs and attachments, C-level impersonation and huge amounts of spam. Our email filters were simply not up to the job of detecting those advanced attacks, so a lot of malicious emails were getting through.
“The result was we spent a lot of time firefighting. What’s more we didn’t have great visibility of the kinds of data being shared via email, nor the ability to detect and prevent users sending out sensitive content.”
Meanwhile, because the council had no dedicated email archive, managing a huge volume of historical email was very time consuming.
“We had no archiving solution to speak of, so we had huge mailboxes on the network. We were constantly asking people to reduce them, we had limits on mailbox size and so on. All the same local storage just grew and grew, which was another data security risk, while managing all that local storage was a big job and very time consuming."
“Things like legal hold and eDiscovery were issues too. Without a central record, it was a very labour-intensive manual process.”
Together, managing email security and local storage was diverting the team away from development work, leaving Graeme reliant on expensive external resource to meet business change targets.
“We were spending around two days every week just managing email,” he pointed out. “That took us away from development work, from that change work designed to deliver better, more efficient services and a more open local government.”
Graeme was keen to find a single solution able to address all these issues. “Something had to change. The environment was becoming unmanageable while the risk from sophisticated attacks and data leaks was a constant worry.”
After a market review supported by the council’s ICT partner, Razorblue, the council identified Mimecast as offering the ideal solution. “The priorities were to deal with our storage issues, update our security capability and, to prevent data leaks as part of GDPR compliance. Mimecast was one product able to deal with all these issues, and with the efficiency that comes with managing it all from a really easy to use console, rather than managing a range of potentially conflicting point solutions.
“Mimecast was clearly the market leader in terms of features and cost effectiveness and a demo proved just how good it was. It was clearly the ideal solution."
Graeme Thistlethwaite, ICT & Business Change Manager
With a decision made, deployment was a straight forward process, Graeme confirmed: “We worked out what package we needed, and actually rolling it out was pretty painless. We had lots of support so it was a seamless transition and everything was in place within a couple of weeks.”
The Mimecast Cloud Archive has transformed the council’s ability to organise, securely store and find historical emails, significantly cutting back on the ICT team’s workload in the process. On a monthly basis, the archive enables around 900 rapid archive searches, with results delivered inside 60 seconds.
“Now we do not rely on local storage, which has massively reduced the support overhead,” Graeme said. “Instead, we have an independent, secure cloud archive that is easy to use. It is pretty much automatic.
“After 18 months emails get archived in their original file structures, so people can self serve in terms of finding old emails while email accounts are no longer being used as file stores. Email is now what it should be, a communications tool, not a file store.”
“Of course, it’s also great to know that, if something goes wrong, we can easily recover and restore from a safe backup.”
Crucially, Mimecast has enabled the council to secure its email against advanced email borne threats. For instance, Mimecast Targeted Threat Protection scans every inbound email in the Mimecast Cloud, to block those containing malicious URLs, sandbox attachments, and detect C-level impersonation attempts.
Every month, the Mimecast solution scans up to 75,000 inbound emails, rejecting around 68%. It sandboxes 5,000 attachments, protects around 1,000 in email URLs clicks, 1 in 19 of which would otherwise be unsafe, and detects up to 24 impersonation attempts. Meanwhile, it helps to protect the council’s reputation by scanning around 15,000 outbound messages, 3% of which are rejected as unsafe, or representing a data leak risk.
“It’s a fantastic solution,” Graeme confirmed.“It’s stopped malware, spam and advanced attacks, including C-level impersonation, in their tracks. Only this week I had a call from a company warning me not to click on an email. It was very well disguised but even so, Mimecast had already stopped it in the cloud. It never even made it into our environment.”
Mimecast Content Control and Data Leak Prevention (DLP), meanwhile, make it easier for Graeme and his team to monitor and deal with emails containing sensitive data.The solution rejects around 3% of outbound messages per month, either as unsafe or representing a data leak risk.
“The Data Leak Prevention features make it easy for us to keep an eye on what is beingshared via email; NI numbers, personal info, databases and so on."
“We are now looking at pairing it with Mimecast Secure Messaging, which will allowus to mandate that any emails legitimately containing sensitive data are delivered in the most secure way possible, while holding any that might represent accidental data leaks."
“Combined with Mimecast email security, those controls will strengthen our GDPR compliance by helping us to ensure we are doing all we can to protect the information we hold.”
Crucially, Mimecast has also enabled Graeme to significantly cut the time spent managing email: “We’re saving hours and hours,” he said. “These days we spend maybe an houra week managing our email environment, compared with two or more days per week before.”
As a result, the team is able to dedicate more time to innovation, without having to bring in additional help.
“Without Mimecast, our roles would be very different,” he confirmed. “We’d be under pressure trying to hit our targets in terms of change and development. For instance, since deploying Mimecast we have run a big project to upgrade our Windows environment. That would not have happened on time if we were still chasing our tails managing email as we were before, or it would be very expensive because we’d have to bring in additional resource.”
Graeme has also been impressed with the ongoing support the council can rely on, and which has helped it to maximise its return on investment.
“The account management side has been fantastic,” he said.
“When we have account management meetings, Mimecast always comes armed with feedback, new ideas and new features that could benefit us in terms of getting the most from the product."
“Mimecast is one of the few companies I have come across that is so proactive in helping us to follow best practice or make best use of product features. I’d say we’re already at about 90% in terms of our ability to use our Mimecast solutions to the maximum.”
Overall, Graeme is very happy with the Mimecast solutions Richmondshire District Council now has in place: “I’m delighted,” he concluded. “It has totally transformed everything aboutthe environment, does what it says on the tin, and it is easy to manage."
“Already I’d say I am 90% more confident in our email environment. With Mimecast in place it is efficient, effective and constantly developing to respond to new threats.”
“These days we spend maybe an hour a week managing our email environment, compared with two or more days per week before."
Graeme Thistlethwaite, ICT & Business Change Manager