Email is the top communications tool used by modern organisations, with many now shifting from on-premise to cloud-based. And while this has numerous business benefits, it also means that security must be top of mind. Werno Gevers, Regional Manager – Mimecast Middle East, tells us why organisations should look to adopt a defence in depth strategy for long-term cyber-resilience.
How important is email as a tool for organisations and what kind of trends have you seen in terms of a shift from on premise to cloud-based?
We’ve seen a big shift. Email is the number one business communication tool used by most organisations. It’s usually one of the first platforms organisations move to the cloud. We’ve seen cloud email security services from Microsoft and Google dominate the global market and these are now accelerating in the GCC.
According to Gartner, 84% of IT decision makers indicated that they were currently using or planning to use Microsoft Office 365 in the next six months. We also see, according to some of Gartner’s other research, public cloud services revenue in the Middle East and North Africa is expected total nearly US$3 billion by 2020 – an increase of 21% year, over year.
How would you say that the COVID-19 pandemic has accelerated this shift?
It has been a remarkable catalyst for Microsoft adoption. Teams adoption increased by over 40% in a month and Office 365 is a collaboration platform, so businesses had to accelerate their cloud adoption strategy to cater for the remote workforce demand.
Also, another Gartner forecast report highlighted that Software-as-a-Service accounts for 53% of the total public cloud service revenue for the Middle East and North Africa, and this is set to total 1.6 billion in 2020.
Why is email such a target and how detrimental are attacks via this vector?
Email was never designed to be mission critical and to house up to 80% of an organisation’s intellectual property. But, seeing that email is the primary form of communication, it offers an open channel for attackers into any organisation. It is much easier for hackers to exploit human vulnerabilities through social engineering, while a lot of business processes are dependent on email as well.
But while most email system providers offer some level of security and resilience, they fall short of what many security and IT teams would consider adequate, in part because their widely used homogeneous security systems are typically easier for an attacker to bypass compared to a multi-layered defence.
So, third party email security and resilience solutions exist to fill this void. Email attacks are on the rise and they’re only getting more targeted, sophisticated and damaging.
We see numerous third-party research on the impact of a data breach and the average cost is estimated at around US$3.92 million. And of course, organisations can be exposed to regulatory fines like GDPR or reputational damage which is really hard to quantify.
We’ve also done some of our own research. According to our State of Email Security 2020 report, 60% of UAE organisations believe it’s inevitable or likely that they will suffer from an email-borne attack in the coming year. Seventy four percent of Saudi Arabian respondents said the same.
And of organisations who fell victim to email borne attacks, 54% of UAE and 42% of KSA experienced data loss and 40% of UAE and 22% of KSA experienced an impact on employee productivity. We also saw that 24% of UAE and 26% of KSA organisations saw business disruption or downtime which lasted up to three days.
What are the existing security measures in Microsoft Office 365 and what are the gaps?
There’s an enormous concentration of corporate email services created by Microsoft Office 365 and this represents an irresistible target to cyberattackers. There are more than 300 million business users on Office 365 today.
And according to Verizon’s 2019 Data Breach Investigation Report, 94% of malware is delivered by email and nearly half, about 45%, of malicious email attachments are Microsoft Office files.
Cybercriminals attack Microsoft Office 365 far more than any other software environment worldwide. The volume of users on these global cloud-based email services means there’s more malware designed to penetrate these environments.
Microsoft regularly tops the list of brands that hackers impersonate and has the most phishing attack attempts.
According to a study, ongoing research detected an average of more than 222 unique Microsoft phishing URLs per day. Organisations try to rely on the security and data protection of the cloud email providers alone, which has proved sub-optimal against advanced phishing attacks.
There are limitations to Microsoft email security tools for M365 that expose business email users to a number of different risks. Some of these gaps are things like limited app discovery and risk assessment, limited DLP capabilities, limited threat and anomaly detection, as well as limited backup and recovery.
How have criminals shifted their focus to cloud platforms like Microsoft Office 365 now that workers are remote?
Many organisations have moved to cloud platforms like M365 or Google to support the remote workforce, so the attack surface of organisations is increasingly expanding to the cloud.
Cloud email services are becoming a de-facto choice for organisations of all sizes. We see the global pandemic is accelerating this adoption as organisations are forced to make pragmatic decisions about business transformation costs and risks.
We also see many employees are now also working from home, often for the first time, and cloud tools are a ready-made option to keep organisations productive and look after their customers.
Cybercriminals are also refocusing their phishing impersonation and ransomware attacks from office networks to cloud services to target those remote employees working from home.
What is a defence in depth strategy made up of?
Defence in depth is really a layered approach when it comes to cybersecurity. And when used in conjunction with the native security features of Microsoft 365, a defence in depth strategy can support a company’s security posture and provide a much greater degree of cyber resilience.
It prescribes using multiple layers of security so, architecturally, these also need to be in the cloud to effectively work alongside Office 365 and Google. A layered security approach when used in conjunction with something like Office 365 which already has robust native security components can plug holes to compensate for end user negligence when conducting business via email.
Also, with a defence in depth strategy, if one security control proves ineffective, others are in place to fill the breach. Other important elements of that could be things like your network security controls, or the first line of defence when securing a network is analysing its traffic and firewall, block and intrusion protection systems, as well as anti-malware, which guards against viruses and other forms of malware.
It goes beyond signature based detections and includes heuristic features that can scan for suspicious patterns and activities.
Preventing or limiting the consequences of an attack calls for more than just enhanced email security. Any preventative measures need to be part of a larger strategy of cyber resilience that embraces backup and recovery, Business Continuity and compliance.
Why should CIOs consider investing in additional third-party tools to build out defence in depth strategies for their office suite?
By integrating different protective mechanisms from different vendors, the defence in depth model eliminates security gaps that threats can fall through.
Businesses should be aware of the gaps in the security coverage provided by Microsoft and compensate accordingly. A comprehensive way to do this is by adopting a defence in depth security strategy and employing a range of trusted third-party security solutions.
Of course, the advantage of a defence in depth strategy speaks to the fact that Microsoft cloud and application security affords a reasonable level of protection.
However, third-party solutions are designed to offer more advanced features than the native security tools on Microsoft 365.
It also allows an enterprise to sidestep the limitations of a security monoculture, incorporating third party solutions into your security environment forces a cyber thief to pick an additional set of locks.
Cybercriminals often subscribe to Microsoft 365 themselves and will conduct dry runs to test the viability of the attack strategies before setting them into motion.
Deploying third party defences deprives them of this sort of strategy, forcing them to operate on unfamiliar territory.
What best practice approach should CIOs and CSOs take to ensure a long-term robust email security strategy?
Organisations need to implement a cyber-resilience strategy that can address the diverse set of email threats and offer robust continuity options to remedy unplanned downtime.
They also need the ability to recover lost, deleted or corrupted data after an attack, and to evolve from a perimeter-based discipline to a more pervasive one. They need to adopt a strategy that helps address threats in three distinct zones – the email perimeter being first one, the inside organisation or network being the second one and then beyond the perimeter in the third one.
Ignoring the gaps that could come with relying on single vendors dramatically increases your risk profile and potential for negative business impact.
Downtime is also a consideration when using cloud platforms like Microsoft Office 365, how can organisations ensure resilience and business as usual?
Email access is critical to Business Continuity management. While services like M365 are generally reliable and don’t experience many long-term outages, localised outages are not uncommon.
Short outages can have serious consequences and users typically will turn to personal email accounts, bypassing corporate security and increasing the likelihood of a successful email attack or data leakage.
Another key challenge faced by businesses during an outage is access to information, as well as personal emails which are not captured by a company’s archiving and backups.
So best practice dictates that any backup be stored in a completely separate infrastructure from the primary data source. Email downtime results in a loss of revenue, negative impact on the customers and customer services and a drop in user productivity. Downtime is a reality which organisations must face.
Whether email is on premise or in cloud services like M365 it’s important to have continuity solution that lets you keep email flowing, whether impacted by severe disruption or natural disaster or unplanned maintenance or migration.
In order to achieve true cyber resilience, businesses need to work with a limited number of highly trusted vendors who are proficient in integrating their solutions into an Office 365 environment.