The Dangers of Convenience

We live in an always-on, digital world. Information is at our fingertips. Mobile devices are pervasive.

Interactive websites, allowing users to comment on posts, and social networking are de rigueur. All these things encourage us to consume—and share—information continuously and often without regard for the consequences. Criminals are increasingly using this information, often detailed about personal lives, to their advantage in social engineering exploits that specifically target individuals and that attempt to exploit the trust that they have in the technology, applications and websites that they use.

Ransomware was distributed through Dropbox, with attackers demanding users pay a ransom to have their files, which have been encrypted and are hence unusable, returned to them.

Ransomware was distributed through Dropbox, with attackers demanding users pay a ransom to have their files, which have been encrypted and are hence unusable, returned to them.

In recent years, consumers have flocked to file sharing sites that allow them to upload and share very large files such as photos and videos with friends and family. Seeing just how convenient such sites are, many users are increasingly adopting their use for business purposes as well, using them to upload information so that it’s available to them from any device that they wish to use, wherever they are. It has been recognized for some time that this creates security risks for organizations regarding sensitive data being placed on file sharing sites that are outside of the control of the IT department—often without their knowledge. Bloor Research has recently published research that discusses the problems surrounding unsanctioned use of file sharing sites in organizations and that provides pointers as to what organizations can do to provide employees with the convenience and flexibility they demand, but in a way that safeguards sensitive information and shields them from the perils of data loss.

But a relatively new problem with the use of file sharing sites is currently in the news. Criminals are turning to the use of such sites for hosting and spreading malware and viruses. In one such campaign, the Dropbox file sharing service has been targeted, with an estimated 500,000 users affected. In this case, ransomware was distributed, with attackers demanding users pay a ransom to have their files, which have been encrypted and are hence unusable, returned to them. It’s believed the attackers have so far netted $62,000 from this campaign alone.

Such attacks have been known about for some five years or so, but appear to be increasingly common. Just this month, an emerging practice came to light in terms of using file sharing sites for high-value, low-volume attacks against high-profile, lucrative industries that include banking, oil, television and jewelry businesses. Discovered by Cisco, these attacks are attributed to a group calling itself the “String of Paerls” group, which has been flying under the radar or security researchers since 2007, constantly changing their tactics to avoid detection.

These attacks highlight the problems many organizations are facing with the use of consumer-oriented services. Many organizations are still grappling with the issue of controlling the deluge of personally owned devices that are connecting to their networks—often outside of the purview of the IT department—as well as the use of cloud-based services by individuals or particular business units, many of which are not officially sanctioned by the organization. Now there is further evidence that they must add control of consumer-oriented file sharing services into the mix—not just to guard against the loss of sensitive information, but to prevent them being used as another vector for attacking the organization.

There are options available to IT that allow them to offer the same levels of convenience to users, but in a way that can bring back control over who is sharing what and with whom. Some of these options are discussed in the research published by Bloor Research referenced above. Centralized control and high levels of security are paramount. They must also be as easy to use as the consumer-oriented services employees are already used to if they are to gain widespread acceptance.

Today’s generation of consumers and employees demand convenience and the freedom to work as they wish. But that convenience brings many dangers to organizations if they cannot control where sensitive information is being posted or transferred, and who is accessing it, or guard against the dangers employees might be exposing the organization to through the use of unsanctioned services. There is a fine line to be tread between ensuring employees are satisfied and productive, and guarding the organisation from malicious exploits and data loss that could dent their revenues, brand and reputation.


Graymail – Mail That You Want, but Just Not in Your Inbox Right Now

The mail you want, but just not right now. Seems like an odd way to talk about email, either you want it or you don’t. For years we’ve been talking about the unwanted types of email, like spam, that have grown to be a pest, but which have largely been dealt with by effective anti-spam services; but now there’s a less distinct line between good and bad as far as our users are concerned. The email that sits in this middle ground has become known as graymail.

Mimecast’s new Graymail Control automatically categorizes graymail and moves it to a separate folder – allowing end users to review the messages at their leisure and keeping the inbox optimized.

Mimecast’s new Graymail Control automatically categorizes graymail and moves it to a separate folder – allowing end users to review the messages at their leisure and keeping the inbox optimized.

More specifically, graymail is email like newsletters, notifications and marketing email. The types of email marketing you are bombarded with receive when you buy something online or use your email address to sign up for something. Normally you are opted-in to these marketing emails unless you manage to spot the often well-hidden opt-out tick box. These emails are initially interesting, but grow tiresome quickly.

You’re unlikely to want them all in your inbox right now, but somewhere else that makes them easier to read later. Many consumer grade email providers offer a way of categorizing graymail, such as Gmail’s Primary Inbox and Promotions tabs.

Graymail isn’t new. The idea was first suggested by Microsoft researchers in 2007, at the now defunct CEAS conference. Graymail, or Gray Mail as it was called then, was defined as messages that could be considered either spam or good. It’s fair to say many end users consider newsletters that they opted-in to, mostly unknowingly, as spam even though they could easily unsubscribe from the sender’s distribution lists.

Graymail is also described by the phrase “Bacn”, (as in bacon). The first use of the term Bacn is thought to have been coined at PodCamp Pittsburgh 2, as a way to differentiate between spam, ham and bacn in your inbox.

The unwillingness of end users to unsubscribe, or understand the problem as being somewhat self-inflicted, has led many enterprise IT teams to look for a solution. As a provider of email security services, Mimecast’s Threat Operations and Spam teams know first-hand how users are inclined to report bacn or graymail as spam email. A large percentage of the email submitted to Mimecast for analysis as spam is in fact legitimate marketing email with valid unsubscribe links.

It has become increasingly obvious that end users will continue to be frustrated by this graymail problem. The most straightforward solution is stemming the flow in such a way that keeps an enterprise inbox free of bacn so legitimate business-related emails take priority. Mimecast’s new Graymail Control provides this capability, by automatically categorizing graymail and moving it off to a separate folder – allowing your end users to review the messages at their leisure and keeping the inbox optimized.

If you’d like to find out more technical detail about how to configure Mimecast’s Graymail Control please visit our Knowledge Base article here.


Don’t Risk Corporate Data: Three Steps to Take Back Control of File Sharing

Bring your own device (BYOD) has redefined the way we work. It allows us to work from any device and access corporate files and networks from anywhere.

Now we also have bring your own cloud (BYOC). Workers are using the device and cloud service provider of their choice for a range of things they would traditionally have used corporate systems for, including file sharing. Without the proper policies in place, this can cause a major headache for IT.

Email remains the most prolific platform for communication and messaging in the workplace. However, certain limitations within email can lead to data security issues. Users simply want to remain productive, send and receive files of any size, and ultimately, work free of restrictions – and they want to do so in a familiar environment. Unfortunately, file size and storage limitations within commonly-used email platforms impose restrictions that force users to find workaround solutions. In most cases, the workaround solution is an unsanctioned, consumer-grade file sharing service.

With the right policies, personal devices at work don't have to be a data security threat.

With the right policies, personal devices at work don’t have to be a data security threat.

Ask yourself: Do you have policies in place to control the use of file sharing services – and ultimately protect corporate data – across your organization? Are you among the 37 percent of organizations that have no policy in place? Or, are you among the 46 percent of organizations that “restrict and say no” to file sharing services altogether, according to research from the recent report from Bloor?

We get it. You are overwhelmed, under-resourced and focused on issues flagged as “top priority.” But if the protection of your corporate data is not a priority, it will eventually catch up to you – most likely in the form of information leaking out of the organization. Whether or not you choose to acknowledge the issue, employees at your organization are finding ways to send, receive and share files of all sizes. According to Workshare, 69 percent of employees are using free file sharing applications – but only 28 percent have authorization from the organization to do so. Consequently, data from Symantec shows through the use of rogue cloud-based file sharing services, 83 percent of large enterprises and 70 percent of SMBs have had sensitive information placed in the cloud without organizational oversight.

The repercussions of consumer-grade file sharing services in the workplace can include loss of IP; sensitive data leakage; loss of visibility and control over where data resides; and compliance, regulatory and eDiscovery breaches. Many of these will not only cause you inconvenience, a significant breach could cost you business, irreparably damage your reputation and result in significant fines from regulatory bodies.

How to Take Control of File Sharing at Work
The bottom line is this: users want your support. If you give them guidance, education and a viable, frictionless solution, they are a lot more likely to comply with your policy. Here are three easy steps to keep corporate information protected by putting in place a secure, controlled file sharing service:

1. Don’t ignore the problem. There is a lot of file sharing happening at work, and file sizes will only continue to rise. Instead of ignoring data protection, make it a priority by finding a service that allows users to work within email to send and receive files – regardless of size – instead of finding workaround solutions.

2. Select an enterprise-grade platform. Consumer-grade services leave your organization susceptible to data leaks and other security threats. They also make it hard for you when it comes to eDiscovery or statements of compliance. Find an enterprise-grade service that gives you visibility and control, while allowing users to work seamlessly within a familiar environment. Use a platform that is built with access controls; content control and data leak prevention; archiving, compliance and eDiscovery; expiring access; and centralized policy management, reporting and logging.

3. Train and educate users. Programs should be in place to help your users understand the sensitivities of different classes of information and the risks associated with mishandling sensitive data. Users should have a clear understanding of what cannot be shared outside the organization and secure ways of sharing appropriate information with external parties.

By following these three steps – and finding the right solution – you can take back control of file sharing in your organization. Interested in learning more? Download this report by Bloor Research: “Take Control of File Sharing Services … Best Practices for the Safe and Secure Use of File Sharing for Organizations.”






Information Governance Best Practice in Legal – How Do We Get Lawyers to Change?

Here at the Legal Week Strategic Technology Forum this week I’ve been listening to, and participating in, various panel discussions around what constitutes good information governance in the legal industry.

This does seem to be a particular challenge to law firms because there are some very entrenched and outdated ways of working that are very hard to shift, both on the lawyer and client side. The CIOs and Information Architects at this event are clearly trying to make sense of this, and deliver value to the business, but it’s often a slow and painful process.

Matthew Ravden, Chief Strategy Officer, Mimecast chaired a panel discussion at Legal Week Strategic Technology Forum 2014 on ‘Best Practice Information Governance’

Matthew Ravden, Chief Strategy Officer, Mimecast chaired a panel discussion at Legal Week Strategic Technology Forum 2014 on ‘Best Practice Information Governance’

One of yesterday’s panel sessions was all about the use of so-called ‘consumer-grade’ services such as Gmail and Dropbox. As is so often the case, Dropbox was called out as the poster child for dangerous, non-compliant tools that end users inside law firms use to collaborate and send large files. There was a quite clear sense from the CIOs in the room that the use of Dropbox is not ideal, but equally, a somewhat disappointing tone of resignation that it’s too difficult to police. So although the room was split in half with those ‘for’ and those ‘against’, very few were advocating any kind of ban on its use. In fact, it seemed to be considered relatively low risk (in the grand scheme of things) provided the right Ts and Cs were in place to ensure ‘proper’ use, and an acceptance of where accountability might lie in case of something going amiss.

I’ll confess to finding this a bit mystifying. I wouldn’t say that outlawing the use of certain tools is necessarily the way to go – all it’ll do is cause resentment, and force bad practice underground – but surely IT should be guiding users towards tools that fit squarely within the approved corporate framework, and keep sensitive material protected and discoverable. There’s clearly a belief that no matter what’s mandated, it’s very hard to enforce, particularly if the end users are head-strong lawyers. But if the tool that’s been suggested as an alternative offers an entirely frictionless, simple user experience, then it should be quite a simple task to affect a change. Shouldn’t it?

Mimecast’s Large File Send product, from an IT point of view, ticks all the boxes for security and compliance. But from the end user’s perspective, it can be pretty much invisible. You just send the large file in the same way you’d send any file. There’s a .lfs suffix if you care to look closely, and you get a pop-up window that gives you some options over how long you leave the file accessible for, if you want a notification that it’s been accessed, and so on.  But other than that, the message to the end user is, ‘you don’t even have to leave Outlook.’ Surely, for this particular use case of Dropbox, or Hightail, or WeTransfer, it’s a no-brainer?  Want to send large files? Go back to email!

All of this is easy to say, of course, but it doesn’t mean that lawyers will necessarily down tools and adopt a different service straight away. If they’ve got used to something, they won’t want to change.

The solution may well be to personalize the problem – or rather, personalize the upside of using a tool like Large File Send.  For example, lawyers like to know when a client has accessed a file, or indeed sent them a file, and Large File Send will alert them as soon as this happens.  With something like Dropbox, it’s likely that the client will put the file on the service and then have to call or email the lawyer to tell them it’s there. Two steps rather than one.

As well as unruly lawyers, the CIOs in the debate pointed to clients’ own practices having a significant influence on the tools that are used to exchange information. But once again, I was left thinking that surely it’s in both sides’ interests to use secure, enterprise-grade technology rather than tools that put data at risk? The same rule applies, though. The experience has to be easy, or the client will stick to what they know best. Again, Large File Send can help here. If you want to receive a large file from a client, simply ‘request a large file’ using Large File Send and the client can upload the document securely and send it to you. They don’t even have to be a Mimecast client.

I resisted the temptation to launch into a sales pitch – in fact I was under strict instructions not to. But for goodness sakes – if you want to send large files, and send them securely – just go back to email!!