by Fran Howarth
We live in an always-on, digital world. Information is at our fingertips. Mobile devices are pervasive.
Interactive websites, allowing users to comment on posts, and social networking are de rigueur. All these things encourage us to consume—and share—information continuously and often without regard for the consequences. Criminals are increasingly using this information, often detailed about personal lives, to their advantage in social engineering exploits that specifically target individuals and that attempt to exploit the trust that they have in the technology, applications and websites that they use.
Ransomware was distributed through Dropbox, with attackers demanding users pay a ransom to have their files, which have been encrypted and are hence unusable, returned to them.
In recent years, consumers have flocked to file sharing sites that allow them to upload and share very large files such as photos and videos with friends and family. Seeing just how convenient such sites are, many users are increasingly adopting their use for business purposes as well, using them to upload information so that it’s available to them from any device that they wish to use, wherever they are. It has been recognized for some time that this creates security risks for organizations regarding sensitive data being placed on file sharing sites that are outside of the control of the IT department—often without their knowledge. Bloor Research has recently published research that discusses the problems surrounding unsanctioned use of file sharing sites in organizations and that provides pointers as to what organizations can do to provide employees with the convenience and flexibility they demand, but in a way that safeguards sensitive information and shields them from the perils of data loss.
But a relatively new problem with the use of file sharing sites is currently in the news. Criminals are turning to the use of such sites for hosting and spreading malware and viruses. In one such campaign, the Dropbox file sharing service has been targeted, with an estimated 500,000 users affected. In this case, ransomware was distributed, with attackers demanding users pay a ransom to have their files, which have been encrypted and are hence unusable, returned to them. It’s believed the attackers have so far netted $62,000 from this campaign alone.
Such attacks have been known about for some five years or so, but appear to be increasingly common. Just this month, an emerging practice came to light in terms of using file sharing sites for high-value, low-volume attacks against high-profile, lucrative industries that include banking, oil, television and jewelry businesses. Discovered by Cisco, these attacks are attributed to a group calling itself the “String of Paerls” group, which has been flying under the radar or security researchers since 2007, constantly changing their tactics to avoid detection.
These attacks highlight the problems many organizations are facing with the use of consumer-oriented services. Many organizations are still grappling with the issue of controlling the deluge of personally owned devices that are connecting to their networks—often outside of the purview of the IT department—as well as the use of cloud-based services by individuals or particular business units, many of which are not officially sanctioned by the organization. Now there is further evidence that they must add control of consumer-oriented file sharing services into the mix—not just to guard against the loss of sensitive information, but to prevent them being used as another vector for attacking the organization.
There are options available to IT that allow them to offer the same levels of convenience to users, but in a way that can bring back control over who is sharing what and with whom. Some of these options are discussed in the research published by Bloor Research referenced above. Centralized control and high levels of security are paramount. They must also be as easy to use as the consumer-oriented services employees are already used to if they are to gain widespread acceptance.
Today’s generation of consumers and employees demand convenience and the freedom to work as they wish. But that convenience brings many dangers to organizations if they cannot control where sensitive information is being posted or transferred, and who is accessing it, or guard against the dangers employees might be exposing the organization to through the use of unsanctioned services. There is a fine line to be tread between ensuring employees are satisfied and productive, and guarding the organisation from malicious exploits and data loss that could dent their revenues, brand and reputation.
by Alan Kenny
Thursday mornings don’t get more exciting than this. Yesterday I was asked to represent Mimecast at a briefing hosted at Number 10 Downing Street by the UK Prime Minister, David Cameron.
We were one of only ten UK technology companies invited to speak to an audience of leaders of some of the world biggest companies and other members of the Government – the event was called ‘Pitch 10’. The goal was to showcase the strength and talent of the UK tech scene. It was great for Mimecast to be recognized again for our work in this way and to join other inspiring companies carving their own paths as innovators and businesses.
Mimecast at a briefing hosted at Number 10 Downing Street by the UK Prime Minister, David Cameron. We were one of only ten UK technology companies invited to speak to an audience of leaders of some of the world biggest companies and other members of the Government – the event was called ‘Pitch 10’.
My brief was pretty simple. Come and tell us about the company and what you have achieved.
Firstly I’d say that this event, and others, show that the UK tech scene is something to be admired. It’s a vibrant and diverse community of innovators and business people right across the country and from around the world. London’s Tech City gets a great deal of the press and plaudits of course but it was good to see firms from other parts of the UK represented.
As those who follow us closely will know we’re a cloud email, security and archiving business. So job number one was to explain our view about the criticality and primacy of email in business.
When you take a moment to think about it you realize quickly that we all rely on email. Email is the communications and data backbone of all organizations large and small, private or public sector. It underpins our communication, collaboration and decision making. It carries our ideas, insights and knowledge. It stores and exchanges contracts, orders and business commitments.
Because of this, managing, storing and protecting email (and the valuable data it contains) is a critical consideration for IT teams. This is where we come in. We help customers move to the cloud and solve three critical challenges beyond the mailbox.
We help them:
- Protect their organization by improving email and data security from the growing volume and sophistication of security threats they face every day.
- Ensure their business carries on when the primary email service is out of action with our continuity services.
- Archive the rapidly growing volumes of email communication and associated data safely in the cloud, and off their own on-premise infrastructure.
Now traditionally organizations have put several independent systems on their IT infrastructure to address these email needs, adding considerable cost and complexity. Mimecast’s secure cloud platform enables organizations to protect their corporate email and data; move these security, continuity and archiving services off their own IT infrastructure safely to the cloud, and decommission these additional systems, freeing budget and resources for other priorities.
I’m pleased to say that the reception to our story was very warm and supportive. We’re proud of what we’ve achieved for our customers. We also see a great deal more opportunity and chance for innovation still to be grasped.
So as probably the world’s most famous front door shut behind me, it was straight back to our offices in The City in London and back down to the day job.
by Dan Sloshberg
Bring your own device (BYOD) has redefined the way we work. It allows us to work from any device and access corporate files and networks from anywhere.
Now we also have bring your own cloud (BYOC). Workers are using the device and cloud service provider of their choice for a range of things they would traditionally have used corporate systems for, including file sharing. Without the proper policies in place, this can cause a major headache for IT.
Email remains the most prolific platform for communication and messaging in the workplace. However, certain limitations within email can lead to data security issues. Users simply want to remain productive, send and receive files of any size, and ultimately, work free of restrictions – and they want to do so in a familiar environment. Unfortunately, file size and storage limitations within commonly-used email platforms impose restrictions that force users to find workaround solutions. In most cases, the workaround solution is an unsanctioned, consumer-grade file sharing service.
With the right policies, personal devices at work don’t have to be a data security threat.
Ask yourself: Do you have policies in place to control the use of file sharing services – and ultimately protect corporate data – across your organization? Are you among the 37 percent of organizations that have no policy in place? Or, are you among the 46 percent of organizations that “restrict and say no” to file sharing services altogether, according to research from the recent report from Bloor?
We get it. You are overwhelmed, under-resourced and focused on issues flagged as “top priority.” But if the protection of your corporate data is not a priority, it will eventually catch up to you – most likely in the form of information leaking out of the organization. Whether or not you choose to acknowledge the issue, employees at your organization are finding ways to send, receive and share files of all sizes. According to Workshare, 69 percent of employees are using free file sharing applications – but only 28 percent have authorization from the organization to do so. Consequently, data from Symantec shows through the use of rogue cloud-based file sharing services, 83 percent of large enterprises and 70 percent of SMBs have had sensitive information placed in the cloud without organizational oversight.
The repercussions of consumer-grade file sharing services in the workplace can include loss of IP; sensitive data leakage; loss of visibility and control over where data resides; and compliance, regulatory and eDiscovery breaches. Many of these will not only cause you inconvenience, a significant breach could cost you business, irreparably damage your reputation and result in significant fines from regulatory bodies.
How to Take Control of File Sharing at Work
The bottom line is this: users want your support. If you give them guidance, education and a viable, frictionless solution, they are a lot more likely to comply with your policy. Here are three easy steps to keep corporate information protected by putting in place a secure, controlled file sharing service:
1. Don’t ignore the problem. There is a lot of file sharing happening at work, and file sizes will only continue to rise. Instead of ignoring data protection, make it a priority by finding a service that allows users to work within email to send and receive files – regardless of size – instead of finding workaround solutions.
2. Select an enterprise-grade platform. Consumer-grade services leave your organization susceptible to data leaks and other security threats. They also make it hard for you when it comes to eDiscovery or statements of compliance. Find an enterprise-grade service that gives you visibility and control, while allowing users to work seamlessly within a familiar environment. Use a platform that is built with access controls; content control and data leak prevention; archiving, compliance and eDiscovery; expiring access; and centralized policy management, reporting and logging.
3. Train and educate users. Programs should be in place to help your users understand the sensitivities of different classes of information and the risks associated with mishandling sensitive data. Users should have a clear understanding of what cannot be shared outside the organization and secure ways of sharing appropriate information with external parties.
By following these three steps – and finding the right solution – you can take back control of file sharing in your organization. Interested in learning more? Download this report by Bloor Research: “Take Control of File Sharing Services … Best Practices for the Safe and Secure Use of File Sharing for Organizations.”
by Nathaniel Borenstein
A bit less than four years ago, Facebook decided to get into the email business. I wrote a blog entry at the time, warning it a bit about what it was getting into.
Facebook announced the closure of its email service earlier this year. Facebook emails will automatically be forwarded to whatever email address Facebook users have listed as their primary one.
I warned it about the technical complexities of email, and the pitfalls that required email veterans on the team to avoid repeating. I really thought the biggest problem it faced might be technical. I figured that with its brand, it certainly had ‘market permission’ to enter the email space.
But we never got a chance, really, to find out how good Facebook mail was, because almost nobody used it. I didn’t see that coming, because I thought that there was potential value in integrating Facebook messaging with email. I should have known better, though, because I made a similar mistake back around 1982.
In 1982, I was developing and maintaining email clients for a couple of timesharing systems of the day, when I discovered that two future friends were developing a bulletin board system and a calendaring system for the same environment. We decided that what was really needed was to integrate all three into a single user interface that streamlined everyone’s communication.
We called the system BAGS, after our last names – the Borenstein Anderson Garlan System. It was modestly successful, and was maintained for many years after I moved on. But people didn’t use it as a single user interface. Some used it for both email and bulletin boards, but separately, as if the fact that they were all one program was something they needed to work around. Like Facebook, we found that users just weren’t drawn to the kind of ‘universal interface’ that draws computer scientists like moths to a flame.
It turns out there are good reasons why people have always had multiple communication mechanisms. The characteristics of a communication technology, coupled with the community rules, standards, and customs that develop around that technology, inevitably result in a mechanism that’s better for some things than others.
If you need to send me a message, what’s the difference between email and instant messaging? It’s not just a matter of whether you’re using a laptop or a phone, because either can be used either way. But when you’re using a laptop, you’re likely to be in a more relaxed or serious environment, so it’s natural to compose an email, which is likely to be longer, more nuanced, funnier, or otherwise more complicated than seems right for an instant message. On the other hand, if you’re running across an airport, dashing off an instant message will be rather more appealing. And if you’re like me, you’ll sometimes dash off an instant message to yourself, reminding you about a more complex email you need to send.
Facebook was one of the pioneers of social networking, which as a communication medium is radically different than email. People use it to communicate with whole groups of friends or relatives at once, and they think of themselves, generally, as operating in a semi-public forum. Email feels (rightly or wrongly) more closely controlled and limited in distribution. Combining two media that differ in important aspects is a recipe for confusion, and users intuitively resist it.
The email world and the Facebook world often leak into each other, but that doesn’t mean users want them to merge. The best email programs have user interfaces that are highly evolved to what users expect from an email medium – features that make it well suited to complex threads of discussion, but less well suited to ad hoc group discussions with your friends’ friends. Merging the two doesn’t necessarily make things simpler – the features of one can actually get in the way of the other.
The bottom line is simple: email is very, very important to a lot of people, and they are wary of anything that might weaken its usefulness. If Facebook had set up its email service to be entirely independent of the social networking system, it might have been able to attract users, and then gradually introduce carefully selected features that connect the two in useful ways. Perhaps that’s how it’s planning to approach its acquisition of WhatsApp; if it’s sufficiently cautious in how it integrates the two services, it might well succeed.
So, while we are saying goodbye to Facebook mail, perhaps it’s not forever. There’s still plenty of room for innovation in email, in social networking and in the spaces in between. But it’ll take a more open, incremental and modest design to succeed.