An organization’s approach to maintaining and protecting its IT real estate from outside threats is a top priority in today’s business environment. To combat socially engineered attacks, organizations should consider a layered approach to security. This strategy will optimize IT’s time in new ways.
In an ideal world, a full-time IT professional or team would have the job of managing an organization’s security and protecting its data. Yet, most organizations don’t have the resources to employ full-time IT security professionals when security is just one of several core IT operations.
That’s not to say security should be someone’s part-time job, though, either. Expecting the IT department to effectively remain ahead of all emerging threats, while still balancing day-to-day tasks and mission-critical operations, is simply unrealistic. Not to mention, it’s quite a bit of pressure – just one malware-ridden email that makes it past an organization’s email filter can easily wreak havoc on an entire IT estate.
A layered approach to security includes IT partnering with and educating its employees to help fend off attacks; it also includes leveraging public cloud providers as outsourcing partners to assist in the war against today’s threats. Securing the network against constant threats is a work in progress. It will never be completed, and it should not fall to the IT team alone to fend off or resolve every cyberattack.
Leveraging external expertise
The technical expertise and competency of a third-party cloud provider can strengthen a layered approach to security and ensure an organization’s system is continuously maintained and does not become a target.
Think about the way a cloud provider serves its customer base. It is a cloud provider’s job to match new spamming methods and security threats as quickly as attackers come up with them in order to keep their customers’ data safe and constantly available in the cloud. In fact, the very success and reputation of the provider depends on its ability to keep new threats at bay.
Keeping customers’ critical data out of hackers’ reach requires a certain level of technical expertise and tools; it’s hard to imagine that an internal IT team with limited resources is equipped to ensure this level of protection on its own. This is especially the case since spammers and hackers show absolutely no signs of slowing down, with 94 percent of companies reporting a cybersecurity issue in the last year. A dedicated group of third-party experts, therefore, goes a long way in getting ahead of the latest threats – the likes of which could compromise data ranging from customers’ personal information to executives’ confidential email conversations.
Educating employees
All this said, leveraging external expertise does not mean that an organization can push security to the back of its mind. A cloud-based email management provider may be better at blocking spam, for example, but the organization it serves still knows its own users the best.
With many critical security tasks in the hands of a dedicated cloud provider, organizations can repurpose some of their resources to cultivate a more security-conscious workplace, and train staff to act as the first line of defense against malicious attacks.
All this can be done by sending employees regular threat advisory messages that give clear information and examples of what not to do and what to look out for.
This method of training employees is especially effective in combating spear phishing attacks, an increasingly common threat whereby the attacker disguises a malicious link as one that is from a trusted sender, therefore capitalizing on human error. According to an HP TippingPoint Survey, 70 percent of IT professionals deal with phishing attacks at least once a week; but if an organization were to create a culture of caution, this number would likely decrease.
Unfortunately, this is easier said than done. Educating users on the difference between a safe and malicious link within an inbound email, for example, is an ongoing, strategic process that requires constant refining.
Reminding users on a weekly basis how to identify dangerous emails may be an obvious tactic; but is it the right one? An organization could instead send out a broader “security tips” email on a monthly basis. This way, it is much less likely that an employee’s eyes will glaze over after receiving “yet another annoying email from the IT department.” People are more likely to read newsletters if they’re not too frequent; and it’s even more likely if the organization regularly conveys the message in an amusing way. The right tactic here ultimately depends on the personality of an organization and its users; there is no one-size-fits-all approach to any kind of education.
Two heads are better than one
Smarter employees act as an initial buffer against new threats. But even the savviest users make mistakes, which is why organizations must take a multi-layered approach to security. When cautious employees are leveraged in parallel with third-party expertise and advanced security tools, like advanced filtering and identity authentication, the risk of an organization making headlines as the latest victim of a highly damaging data breach becomes smaller and smaller.
Whether it be a startup or an enterprise, when it comes to being the target of an attempted attack on the network, the question is a matter of when, not if. Therefore, without a plan of attack to take on today’s security threats, an organization has essentially written its own suicide note.
Yet, there is no silver bullet that will address all of today’s most urgent threats. For now, a two-pronged approach that consists of IT staff focused inward on employee education and the protection of a cloud provider with an external focus is about as foolproof as an organization will get. Where one falls short, the other is likely to pick up the slack. With two layers of security, an organization can safeguard critical data housed on the network while its employees’ inboxes remain devoid of business-crippling malware.
Peter Bauer is CEO of Mimecast and founded the company in 2003 with CTO, Neil Murray. Peter’s career began in South Africa, where he founded a successful distribution company, trained as a Microsoft systems engineer and worked on corporate messaging systems. He founded FAB Technology in the mid-nineties. After selling it, he moved to the UK and founded Mimecast. In 2008 he moved to the U.S. to lead Mimecast’s growth here. Connect with Peter on LinkedIn.
Newsletter blurb/title:
Cloud Email Management
and Layered Security
An organization’s approach to maintaining and protecting IT real estate from outside threats is a top priority today. This article discusses cloud-based email management and why organizations should consider a layered approach to combat socially engineered attacks and to optimize IT’s endeavors.
Optimize IT Endeavors with Layered Approach to Security
By Peter Bauer, CEO, Mimecast
An organization’s approach to maintaining and protecting its IT real estate from outside threats is a top priority in today’s business environment. To combat socially engineered attacks, organizations should consider a layered approach to security. This strategy will optimize IT’s time in new ways.
In an ideal world, a full-time IT professional or team would have the job of managing an organization’s security and protecting its data. Yet, most organizations don’t have the resources to employ full-time IT security professionals when security is just one of several core IT operations.
That’s not to say security should be someone’s part-time job, though, either. Expecting the IT department to effectively remain ahead of all emerging threats, while still balancing day-to-day tasks and mission-critical operations, is simply unrealistic. Not to mention, it’s quite a bit of pressure – just one malware-ridden email that makes it past an organization’s email filter can easily wreak havoc on an entire IT estate.
A layered approach to security includes IT partnering with and educating its employees to help fend off attacks; it also includes leveraging public cloud providers as outsourcing partners to assist in the war against today’s threats. Securing the network against constant threats is a work in progress. It will never be completed, and it should not fall to the IT team alone to fend off or resolve every cyberattack.
Leveraging external expertise
The technical expertise and competency of a third-party cloud provider can strengthen a layered approach to security and ensure an organization’s system is continuously maintained and does not become a target.
Think about the way a cloud provider serves its customer base. It is a cloud provider’s job to match new spamming methods and security threats as quickly as attackers come up with them in order to keep their customers’ data safe and constantly available in the cloud. In fact, the very success and reputation of the provider depends on its ability to keep new threats at bay.
Keeping customers’ critical data out of hackers’ reach requires a certain level of technical expertise and tools; it’s hard to imagine that an internal IT team with limited resources is equipped to ensure this level of protection on its own. This is especially the case since spammers and hackers show absolutely no signs of slowing down, with 94 percent of companies reporting a cybersecurity issue in the last year. A dedicated group of third-party experts, therefore, goes a long way in getting ahead of the latest threats – the likes of which could compromise data ranging from customers’ personal information to executives’ confidential email conversations.
Educating employees
All this said, leveraging external expertise does not mean that an organization can push security to the back of its mind. A cloud-based email management provider may be better at blocking spam, for example, but the organization it serves still knows its own users the best.
With many critical security tasks in the hands of a dedicated cloud provider, organizations can repurpose some of their resources to cultivate a more security-conscious workplace, and train staff to act as the first line of defense against malicious attacks.
All this can be done by sending employees regular threat advisory messages that give clear information and examples of what not to do and what to look out for.
This method of training employees is especially effective in combating spear phishing attacks, an increasingly common threat whereby the attacker disguises a malicious link as one that is from a trusted sender, therefore capitalizing on human error. According to an HP TippingPoint Survey, 70 percent of IT professionals deal with phishing attacks at least once a week; but if an organization were to create a culture of caution, this number would likely decrease.
Unfortunately, this is easier said than done. Educating users on the difference between a safe and malicious link within an inbound email, for example, is an ongoing, strategic process that requires constant refining.
Reminding users on a weekly basis how to identify dangerous emails may be an obvious tactic; but is it the right one? An organization could instead send out a broader “security tips” email on a monthly basis. This way, it is much less likely that an employee’s eyes will glaze over after receiving “yet another annoying email from the IT department.” People are more likely to read newsletters if they’re not too frequent; and it’s even more likely if the organization regularly conveys the message in an amusing way. The right tactic here ultimately depends on the personality of an organization and its users; there is no one-size-fits-all approach to any kind of education.
Two heads are better than one
Smarter employees act as an initial buffer against new threats. But even the savviest users make mistakes, which is why organizations must take a multi-layered approach to security. When cautious employees are leveraged in parallel with third-party expertise and advanced security tools, like advanced filtering and identity authentication, the risk of an organization making headlines as the latest victim of a highly damaging data breach becomes smaller and smaller.
Whether it be a startup or an enterprise, when it comes to being the target of an attempted attack on the network, the question is a matter of when, not if. Therefore, without a plan of attack to take on today’s security threats, an organization has essentially written its own suicide note.
Yet, there is no silver bullet that will address all of today’s most urgent threats. For now, a two-pronged approach that consists of IT staff focused inward on employee education and the protection of a cloud provider with an external focus is about as foolproof as an organization will get. Where one falls short, the other is likely to pick up the slack. With two layers of security, an organization can safeguard critical data housed on the network while its employees’ inboxes remain devoid of business-crippling malware.
Peter Bauer is CEO of Mimecast and founded the company in 2003 with CTO, Neil Murray. Peter’s career began in South Africa, where he founded a successful distribution company, trained as a Microsoft systems engineer and worked on corporate messaging systems. He founded FAB Technology in the mid-nineties. After selling it, he moved to the UK and founded Mimecast. In 2008 he moved to the U.S. to lead Mimecast’s growth here. Connect with Peter on LinkedIn.