In depth: Mimecast talks email security, insider threats and human firewalls
Mimecast knows email security and the nasty things that lurk beneath the surface better than most. With more than 24,900 customers, the company concentrates on providing cloud security, archiving and continuity services.
SecurityBrief talked to Dave Hood, Mimecast’s director of product marketing. His mission is to help organisations become more cyber resilient, particularly across Office 365, Continuity and the Mimecast API.
The company recently conducted a study called the Email Security Risk Assessment (ESRA), which showed that everything from spam and dangerous file types to malware and impersonation attacks is making it through organisations’ own security and email providers.
“Some take a set and forget approach to email and only make changes when changes need to be made, such as a migration, or there is a catalyst event like a security breach or service disruption. Our research shows that if organisations aren’t using next generation email security solutions and reviewing their defences then they are vulnerable,” he says.
Why are email security breaches still happening?
“First, it’s important to recognise that email is the number one way that organisations are being attacked. 9 in 10 hacks begin with email, because it’s a communication channel that employees use all the time and trust. Hackers exploit that trust with sophisticated attacks,” Hood says.
Echoing the calls of many security experts, he says that legacy technologies like antivirus and antispam no longer work because the threats are evolving – and fast.
“Organisations need to deploy protection against payload-based attacks such as malicious links and attachments, and impersonation attacks that do not have a malicious payload but are instead trying to create an action such as a fraudulent wire transfer,” he says.
Attacks don't just come from the outside
It’s not just attacks from outside the organisation that are worrying, as Hood says that internal threats can come from compromised or malicious insiders.
Hood says that email from internal users can show lateral threat movement, whether it be malware, URLs or impersonation emails, throughout the organisation.
He says there are three main insider types that could create security problems:
- Compromised insiders – these ‘trusted sources’ are often used as stepping stones to broaden an attack. “Once attackers infect one target they want to spread their reach within an organisation, escalating their access privileges. Now armed with insider data, they can phish other employees more easily.”
- Careless insiders – these unknowingly spread attacks or put sensitive data at risk. “Simple protections can limit the ability for sensitive data to be accidentally emailed outside of an organisation.”
- Deliberately malicious insiders – although not common, these can cause major damage. “A trusted third-party email archive can also make it impossible for one rogue employee to destroy critical data archives.”
“The bottom line is, internally generated email, whether staying inside or going out, needs to be part of every organisation’s threat detection and cyber resilience strategy,” he says.
Why - and where - are IT professionals lacking?
But one single ESRA study is not enough. To take testing even further, Mimecast teamed with Vanson Bourne and found that while IT departments are wary of malicious URLs or emails, they are still left vulnerable.
The studies showed that IT professionals were surprised at how poor their email security is, and Hood says that it’s not only a case of the ‘she’ll be right’ ignorance, it’s also about insufficient training that doesn’t occur often enough.
“Traditional annual training may give a false sense of security that employees will be able to spot attacks, but the truth is that these attacks are well crafted to get past even the most vigilant employee,” he says.
Hood says that modern email security technologies need to be able to rewrite links before the email even lands in an employee’s inbox. This provides protection across all devices and all locations.
“Secondly, at the time of click, whether that is one minute after the email is received, an hour after the email is received or five years later when the email has been archived, the link must be checked in real-time. Checking a block list is not enough as many targeted attacks use malicious websites that were previously unknown,” he says.
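The rewrite-at-delivery and check-at-click flow described above, as an added Python example (not Mimecast's code or API). The gateway URL, the HMAC-signed token format and the `is_malicious` callback are assumptions made for illustration; the callback stands in for whatever real-time analysis the gateway runs.

```python
import base64, hashlib, hmac, html, re
from typing import Callable, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

GATEWAY = "https://gateway.example/c"  # hypothetical click-check endpoint
HREF = re.compile(r'href="(https?://[^"]+)"')
# Constructed sample message body.
SAMPLE = '<a href="http://invoice-portal.example/pay?id=7&amp;ref=a">Invoice</a>'

def _sign(key: bytes, url: str) -> str:
    return hmac.new(key, url.encode(), hashlib.sha256).hexdigest()

def rewrite_links(body: str, key: bytes) -> str:
    """Delivery time: point every http(s) href at the gateway."""
    def repl(m: "re.Match") -> str:
        url = html.unescape(m.group(1))
        token = base64.urlsafe_b64encode(url.encode()).decode()
        query = urlencode({"u": token, "s": _sign(key, url)})
        return 'href="%s"' % html.escape(GATEWAY + "?" + query)
    return HREF.sub(repl, body)

def extract_links(body: str) -> List[str]:
    """Return href targets as the mail client would follow them."""
    return [html.unescape(u) for u in HREF.findall(body)]

def resolve_click(link: str, key: bytes,
                  is_malicious: Callable[[str], bool]) -> Optional[str]:
    """Click time: authenticate the token, then get a fresh verdict.
    Returns the destination to redirect to, or None to block."""
    query = parse_qs(urlparse(link).query)
    try:
        url = base64.urlsafe_b64decode(query["u"][0]).decode()
        sig = query["s"][0]
    except (KeyError, ValueError):
        return None  # malformed or truncated token
    if not hmac.compare_digest(sig.encode(), _sign(key, url).encode()):
        return None  # not issued by this gateway; refuse to redirect
    return None if is_malicious(url) else url

if __name__ == "__main__":
    key = b"constructed-demo-key"
    link = extract_links(rewrite_links(SAMPLE, key))[0]
    flagged = set()  # stand-in for real-time analysis results
    print(resolve_click(link, key, flagged.__contains__))  # allowed
    flagged.add("http://invoice-portal.example/pay?id=7&ref=a")
    print(resolve_click(link, key, flagged.__contains__))  # blocked
```

Signing the token keeps the gateway from acting as an open redirector for links it never issued, and because the verdict is requested on every click, the same archived link can be allowed one day and blocked the next.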
The final piece in the puzzle is what Hood calls the ‘human firewall’ at the organisation. Whether administrators use tools to identify those who need more training, or employees take it on themselves, it is all about identifying risky emails and links.
The company built its own Internal Email Protect service to help deal with email threats, and unlike other vendors, Mimecast brings together security, continuity and data replication capabilities.
Internal Email Protect can prevent email-borne attacks, make sure that employees have access to email during attacks, and store data in third-party archives to make sure that it’s not lost after an attack.
“Together, these services allow organisations to adopt a posture of cyber resilience, ready to manage any attack without damage to their operations or brand,” Hood says.
Mimecast's plans for the year ahead
So beyond all the statistics and services, what lies ahead for Mimecast in 2017? Hood says the company is growing rapidly, with 3Q results showing 30% YOY growth.
Closer to home, he says that Australia is an important factor in its APAC operations, with its Melbourne head office acting as APAC headquarters.
“Ongoing investment in Australian cybersecurity expertise, local partnerships and regional technology infrastructure has been instrumental in our growth. We’ve migrated hundreds of customers to our Australian data centres to serve their local data sovereignty requirements,” he says.
“A key differentiator in the market for Mimecast has always been our commitment to customer success and we’re proud of the program we’ve built. Our growth plans into new markets reflect this commitment,” Hood concludes.