Orlando Scott-Cowley

Four Things Security Professionals May Be Thankful for This Thanksgiving

Delivering secure IT systems to users and the enterprise doesn’t often get the thanks and praise it deserves. I know from first-hand experience that in the world of IT admins there’s often a lot of complaining when a system doesn’t work, but rarely any thanks when it does.

So in conjunction with Thanksgiving in the US, here are a few things we as security professionals might be thankful for.

Happy Thanksgiving from Mimecast!

Happy Thanksgiving from Mimecast!

No Data BreachBeing thankful for not being breached this last year is the big one. You will be very thankful if you haven’t had to appear before your board or on Fox, MSNBC, CNN or even worse C-SPAN, to explain where your customer/credit card/intellectual property/data has gone. I’ve spoken to many of my peers who are extremely thankful as more time has passed and they haven’t had to deal with a major and public incident. The old adage, that the better an IT administrator does their job, the less they will have to do, doesn’t ring true here. The red queen effect of those who seek to exploit our systems is still a strong force as the Sony Pictures team would no doubt testify yesterday.

Security MindfulnessBe thankful for the growing focus on IT security. IT security is getting a much higher profile and this is increasing public concern, and this drives more buy-in from senior management which means more security budget should follow. There is also a trickle-down effect from the volume of stories that hit the mainstream media as they impact our non-technology colleagues too. Telling them that their logins, systems, data, accounts, on-star systems, garage door openers are all at risk from hackers/Anonymous/Unit 61398/Axiom/SEA/etc. The concern this has whipped up means a renewed interest in security measures that makes the task of getting business and wider employee buy-in much easier.

A New CISOBe thankful for the new CISO. We’re told more CISOs are being recruited than ever as the C-Suite accepts the need to have a single senior executive responsible for the management of their security strategy. We’re already seeing the appointment of the CISO can have a measurable effect on reducing the cost of a security breach, and the cost of protecting data, so the ROI on a CISO becomes easily provable.

Savvy UsersBe thankful for employees who are getting more security savvy might sound like a surprise to some. As consumer computing becomes more accessible and easier to adopt, think tablets rather than *nix desktops in terms of complexity, employees are much more technically savvy than ever before. And, as digital natives start to enter the workplace, being new to technology is no longer a problem. Being more technically savvy means educating users to risks has become much easier, and we ought to be thankful for that. However this is a double-edged sword, one I like to call the Dropbox effect; savvy users mean the fast proliferation of unsanctioned consumer grade IT in the enterprise, and that is a Shadow IT threat we’re not thankful for.

So as you sit enjoying your turkey, and you are hoping that a Black Friday spam deal doesn’t lure your employees to a malware laden website, remember there is a lot to be thankful for and people who realize how much of that is down to your hard work!


Let the Cloud Relieve Your Legacy Archive Headache

On-premises email and data archives are a growing challenge to organizations looking to reduce costs and management complexity.

Cloud archiving alternatives offer a compelling opportunity to remove the management headaches and deliver a secure, resilient and highly scalable archive service to meet requirements now and in the future. But concerns remain about the ideal migration strategy that balances effective risk management with new business requirements.

That’s why in this new webinar, I’ve teamed up with Gartner research director Alan Dayley to break down the benefits of the cloud over on-premises email archiving. Together, we also explore the key considerations for migrating to the cloud, and look to the future of email archiving in the cloud.

Hybrid or 100% cloud? Should you migrate everything from legacy systems? How do I know if I even need archiving? We explore the key considerations and review what you need to think about regarding data sovereignty.

For customers thinking about moving to Office 365, but concerned about their readiness, we’ll discuss migration strategies. Meanwhile, for those who have already made the move, we’ll discuss how a third party backup archive can make your data in Office 365 fully resilient

There has never been a better time to move archives to the cloud.

Take a look at video here.


Old World Risk Practice Stays True for Cloud

Using the cloud to improve business agility is de rigueur but how can IT become more agile without sacrificing the information assurance holy trinity of confidentiality, integrity and availability?

My answer to this perceived quandary is based on the oldest risk management principle of all – one of ‘don’t keep all your eggs in one basket’, or more accurately, having two cloud vendors is better than having just one.

It’s a truism to say all clouds have outages, we must accept that fact, this strategy offers recovery options and alternative ways to continue communicating if the primary cloud provider is not available.

It’s a truism to say all clouds have outages, we must accept that fact, this strategy offers recovery options and alternative ways to continue communicating if the primary cloud provider is not available.

This question seems to have been at the root of a recent V3 Agile Business Roundtable.

Moving large workloads and services to the cloud is a major part of most agile business strategies but participants across a wide range of industries shared concerns about the security, reliability and adoption path to cloud computing. BSkyB enterprise architect Trevor Hackett also made the point that “When using a cloud service provider you have a vested interest in the company as if they go bust you face disaster.”

Before trusting sensitive assets to a cloud service provider, decision makers within an organization need a sound basis on which to evaluate the merits of a service offering. This should include an assessment of each Cloud Service Provider’s (CSP’s) service level agreement (SLA) terms, operational framework, architectural model, organizational history, stature within the industry, and the assurances granted to customers.

We have said many times before; reputable cloud service providers will be only too happy to help you understand how they serve and protect you and your data, and the importance of your own due diligence prior to purchase.

Office 365 adoption is a great example of the opportunity to improve agility and reduced cost of ownership with cloud services. But often CIOs don’t want to run the risk of critical business systems like core email services being outside of their immediate control. Email users have zero tolerance for downtime, and demand their connectivity be restored as quickly and painlessly as possible.

With on-premises Exchange, IT managers have choices about how they deal with planned or unplanned outages, and often put in place full disaster recovery and high availability solutions on-site. But with Office 365 that option no longer exists, and for many organizations, the fact that Office 365 is a single point of failure for such a mission critical service is a major concern, and a common roadblock for cloud migration.

But moving to the cloud doesn’t mean you should do away with a multi-vendor, multi-layered security strategy. A blended-cloud approach allows businesses to distribute important data between multiple vendors. It’s a truism to say all clouds have outages, we must accept that fact, this strategy offers recovery options and alternative ways to continue communicating if the primary cloud provider isn’t available. This exercise in risk management also supports smarter procurement by reducing the possibility of vendor lock-in. In short, you would be replicating the multi-point business continuity strategy you’ve built on the LAN, but in the cloud—a concept often overlooked during a cloud migration.

So in the end, a pragmatic approach to risk management on-premises and in the cloud will allow businesses to avoid the greatest risk of all – inaction and stagnation in increasingly agile business practices.


Protect Against Targeted Attacks Webinar – The Highlights

First of all, I’d like to say a big ‘thank you’ to everyone who attended Tuesday’s Mimecast webinar featuring Forrester on ‘Protecting Against Targeted Attacks’.

The interest has been huge, and we’ve made the recording of the session available here. We’ll also be focusing on key themes raised during the session over the coming weeks on this blog.

To start, we thought it would be useful to pull out and reflect on some key quotes from the session.

Recording of Mimecast webinar featuring Forrester on ‘Protecting Against Targeted Attacks’ from September 30th 2014, when practical steps to protect your business were outlined by Rick Holland.

Recording of Mimecast webinar featuring Forrester on ‘Protecting Against Targeted Attacks’ from September 30th 2014, when practical steps to protect your business were outlined by Rick Holland.

Rick Holland, Principal Analyst, Forrester Research:

- ’67% of the espionage cases in organizations involved phishing’ discussing the Verizon ‘2014 Data Breach Investigations Report‘.

- ‘There are two types of phishing vectors – one the malicious attachment…and two, URLs to malicious sites’.

- ‘The average cost of a data breach is $3.5m up 15% from 2013’ discussing the Ponemon Institute ‘2014 Cost of a Data Breach Study: Global Analysis’ sponsored by IBM. Interestingly, class action law suits of effected customers are part of the calculation and might be a rising trend for organizations to address.

- ‘As it becomes more common for remote workers to operate outside of VPNs (BYOD and BYOC), enterprises must protect the user when they actually click’. ‘Even if users could put something on their mobile device to protect them, they are hesitant from a user experience perspective.’ – this was one of the key points in the session, as traditional approaches to security only protect users on the network and corporate managed devices. It’s important to think beyond this given BYOD and remote working. Protection must be available no matter the device used to access corporate email systems, without increasing the IT overhead or adversely affecting the users’ experience. As Rick suggested, organizations must ‘protect the click’.

- ‘Sometimes the URL isn’t bad at the time of delivery’ the attacker may turn the server over from benign to malicious after the email is sent.’

- ‘URL rewriting is emerging to protect the user…I recommended it as an RFP requirement.’

- ‘Whatever the culture of the organization, use that to (tailor) security training…increasing awareness and propensity to report incidents.’

- ‘(Phishing) is only going to get more and more sophisticated.’- which is why the protection organizations put in place now must be able to stay ahead of the attackers.

Steve Malone, Security Product Manager, Mimecast:

- ‘Phishing is viewed as a technology problem…the usual approach is to add more technology. But the issue is that adding more technology is actually increasing complexity.’ Steve further explained that the most successful approach is two-fold: choosing the right technology coupled with user education.

- ‘As we’ve got better at protecting against these attacks, the attackers have moved the goal posts. We now have to assume all the links in emails are bad.’

- ‘Clean up (post-attack) is generally very difficult and time consuming and the root cause is not addressed.’

- ‘Mimecast’s Targeted Threat Protection addresses advanced attacks in email by rewriting the URLs. It means protection regardless of the device used.’

- ‘We’re building into the service a real-time education component for users.’

It’s clear from the interest and the great questions we received at the end of the presentations that this is a hot topic. The evolution of threats is forcing IT teams to rethink the planning, purchasing and management of their business security systems. In addition, it’s being recognized that in order to stay ahead of the attackers, technology alone is not the answer – the complete solution needs to account for this and train users in a new way.

Please leave a comment or @reply me at @orlando_sc if you’ve any particular areas you want us to cover in our follow up posts.