Mimecast is a cloud-native cyber resilience platform, formed around 18 years ago and now an established brand. We have over 38,000 customers and operate in 100 countries. We started protecting customers in the antivirus playground, evolved, and try to stay ahead of the cybercriminals. We keep advancing how we look at email and internet access and try to protect our end-users in the best possible way. We also made some acquisitions in the past couple of years to stay ahead of the cybercriminals.
Protecting email is a very important element. A lot of threats start here. We also connect to all kinds of vendors with our API technology to make sure that we can coordinate threats into one platform.
We look at our landscape in three zones: we try to protect our customers and their end-users at their perimeter, delivering the cleanest emails; we control and detect threats in the internal email environment; and we help end-users to understand what cybersecurity is.
We have just started to see traction in helping organisations to protect their brand. A big spam outbreak in the Netherlands asked end-users to go to a website and reset their details: a very fake email, but a known brand used to trick customers.
How do you make sure email is always up and running and that you can send large files? How do you protect end-users when they browse different websites, and make sure those websites are legitimate? For today, we are going to talk about those end-users. How can we make sure we secure them and help them to do their work remotely?
Working from home: how employees can work with minimum security risks
Are you providing a physically secure network connection to your employees?
95% of users are not running an open firewall. Are you tunnelling all traffic, or do you allow breakout to the internet from the home office? In what ways can employees of the company work with the minimum risk, or at least with the risk made visible?
Not all company employees have a company-owned phone. Going into the home office for six or seven months, you must maintain business continuity. At the same time, how do you manage firewalls when people are not behind them? That’s not true; we have local Windows-managed firewalls. We have to change the mindset and centralise the management of those local firewalls. We need visibility.
Internet service provider as an integrator: it’s very important to make the first distinction: how are organisations dealing with homeworkers from a client perspective? Companies are still allowing personal devices to be connected to company premises, which is a big problem; they are not managed correctly by the IT department.
Secondly, how do you connect those endpoints: through the internet or to your company premises? Are you doing that with naked internet connections, behind a router but not behind a firewall? Are you providing split tunnelling in your VPN solution? Is that home user breaking out to the internet at home, or are they connecting to an enterprise VPN concentrator? In the second situation, you are still behind a company firewall. Also, from the email-scanning perspective, it’s very important to have that layered security approach: be protected on the endpoint with the company’s endpoint protection solution. That doesn’t give you 100% security, but it lowers your risks.
Split tunnelling: it’s interesting. In Belgium, some companies have the luxury of a decent amount of bandwidth, so they can take the surfing traffic from the end-users up to their company premises and let them break out there. That’s not a luxury every enterprise has, although from a security perspective it’s more or less a requirement unless you provide your home worker with a decent firewall, or with a decent security appliance and security solution. Start from the attack vector, which is the endpoint. It’s not your network that is attacked; it’s your endpoint. Is it controlled by you or not? How are you providing internet connectivity and connectivity to your systems? A lot of companies are not dealing with this in the right way.
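The points raised in the last few paragraphs (local Windows firewalls that need central visibility, and whether a home worker’s VPN is split-tunnelled or full-tunnelled) can be audited on the endpoint itself. The script below is an added example written for this page, not tooling from Mimecast or from the panel; it uses only the built-in NetSecurity and VpnClient cmdlets (Get-NetFirewallProfile, Get-VpnConnection) that ship with Windows 8 / Server 2012 and later. Treating split tunnelling as a finding reflects the position taken above (full tunnel unless the home worker has a decent firewall in front of them); adjust that rule to your own policy.

```powershell
# Added example: home-office endpoint audit for the points raised in the discussion.
# Not part of the original notes. Save as a .ps1, run it in an elevated
# PowerShell 5.1+ session on the endpoint (or via Invoke-Command against a fleet)
# and collect the output centrally for the visibility the discussion asks for.

function Get-HomeOfficeFirewallStatus {
    # One result per Windows firewall profile (Domain, Private, Public).
    # A disabled profile, or a default inbound action of Allow, is a finding:
    # on a home network the endpoint has no perimeter firewall in front of it.
    Get-NetFirewallProfile | ForEach-Object {
        $ok = ($_.Enabled -eq 'True') -and ($_.DefaultInboundAction -ne 'Allow')
        [pscustomobject]@{
            Check  = "Firewall profile '$($_.Name)'"
            Status = if ($ok) { 'OK' } else { 'FINDING' }
            Detail = "Enabled=$($_.Enabled); DefaultInboundAction=$($_.DefaultInboundAction)"
        }
    }
}

function Get-HomeOfficeVpnStatus {
    # Get-VpnConnection lists the per-user VPN profiles; -AllUserConnection lists
    # the machine-wide ones. SplitTunneling is $true when only corporate routes go
    # through the tunnel and everything else leaves directly from the home ISP line.
    $connections = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
                   @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)

    if ($connections.Count -eq 0) {
        [pscustomobject]@{
            Check  = 'VPN profile'
            Status = 'FINDING'
            Detail = 'No VPN connection configured; all traffic breaks out from the home network'
        }
        return
    }

    foreach ($c in $connections) {
        [pscustomobject]@{
            Check  = "VPN '$($c.Name)' to $($c.ServerAddress)"
            Status = if ($c.SplitTunneling) { 'FINDING' } else { 'OK' }
            Detail = if ($c.SplitTunneling) {
                         'Split tunnelling: internet traffic leaves from the home network'
                     } else {
                         'Full tunnel: traffic is routed through the company perimeter'
                     }
        }
    }
}

# Combine both checks into one report. A non-zero exit code makes the result
# easy to pick up from an endpoint management or monitoring tool.
$report = @(Get-HomeOfficeFirewallStatus) + @(Get-HomeOfficeVpnStatus)
$report | Format-Table -AutoSize
if ($report.Status -contains 'FINDING') { exit 1 }
```

The script only reads configuration; it changes nothing. If your policy does allow split tunnelling for some users, the VPN check is the place to add the exception, for instance by keying it on the VPN profile name.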
How do you deal with those users, train them, and connect them to your organisation so that you understand what they are doing? The problem of the end-users has now exploded because everyone is working from home. We had already noticed this in small proportions, with people working from coffee bars or airports. This is a new topic we have to look at – not the fact that people are working remotely, but how we control our IP. How do you control access to data: not only to the network, but to the data and the levels of data?
Generally speaking, it is a challenge. Traditionally, we have been talking about perimeter security. This is an extra layer for protecting your information, and what you would like to do is set it up so that not only do you provide the best security in software and hardware, you also have full control over who has access to what. That’s essential for making it more secure than you already have, especially with workforces working from home. Administrators should be able to do their jobs remotely, but you have to be careful when there’s even less control than in an office situation. There are plenty of risks in the office, but working from home is even worse: there’s less control possible.
How do you deal with admin permissions on remote devices?
We have extremely fast support desks. This is what companies are struggling with – blocking access to laptops, but then struggling with the time it takes.
If you need escalated privileges, you can request them. You have to explain why you need them, and be aware that a client is running on every endpoint system, looking over your shoulder at what you are doing. If you require root or admin access you may not get it, but for a specific app it may be allowed, depending on the level. It’s a bit of a man-in-the-middle situation. If there are alarms, you’ll get a phone call from a cybersecurity guy. For example, a CMD prompt permission would only be allowed within that application session.
From an identity governance perspective, there’s a different approach. Roles have entitlements behind them. They are provided automatically if you are entitled to them. By default, do not assign everyone an administrator role.
In these challenging times, we need a pop-up allowing us to do our work, so that people who can do that are already in a sort of role group.
By default, should the same access be provided to what people need?
It should be practice to allow as little access as necessary, but as much as possible. The fact that people are working from home is not by default a greater risk. If someone wants to leak data, a person with the right authority will be able to do so; it doesn’t matter where you are. Governance works wherever you are situated. You want to expose your people as little as possible, and your information needs to be protected as best you can. Just by introducing that way of working, you can protect your information as best you can.
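As an added example of the least-privilege point made here (not code from the panel or from Mimecast), the script below enumerates the local Administrators group on a Windows endpoint and reports any member that is not on an approved allow-list, which is how you turn “do not assign everyone an administrator role by default” into something you can check across a fleet. The allow-list entries are placeholders to replace with your own role groups. It relies on Get-LocalGroupMember and Get-LocalUser (Microsoft.PowerShell.LocalAccounts, Windows 10 / PowerShell 5.1 and later) and on the well-known RID 500 of the built-in Administrator account.

```powershell
# Added example: local administrator audit for a Windows endpoint. Not part of the
# original discussion notes. The allow-list below is an assumption: replace the
# 'EXAMPLE\...' entries with the role groups that are actually entitled to admin.

function Get-UnapprovedLocalAdmins {
    param(
        # Principals expected to hold local admin through their role.
        # Get-LocalGroupMember reports names as DOMAIN\name or COMPUTER\name.
        [string[]]$ApprovedMembers = @(
            "$env:COMPUTERNAME\Administrator",   # built-in account; expected disabled, see below
            'EXAMPLE\Domain Admins',             # placeholder role group
            'EXAMPLE\Workstation Admins'         # placeholder role group
        )
    )

    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $ApprovedMembers -notcontains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Member          = $_.Name
                ObjectClass     = $_.ObjectClass      # User or Group
                PrincipalSource = $_.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
                Finding         = 'Holds local admin outside an approved role'
            }
        }
}

function Get-BuiltInAdminStatus {
    # The built-in Administrator account is standing privilege with a well-known
    # RID (500). Expect it to be disabled; admin work should go through the
    # request flow described above instead of a permanently enabled account.
    $builtIn = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    [pscustomobject]@{
        Account = $builtIn.Name
        Enabled = $builtIn.Enabled
        Finding = if ($builtIn.Enabled) { 'Built-in Administrator is enabled' } else { 'OK' }
    }
}

function Test-CurrentSessionIsAdmin {
    # Is this session itself running with admin rights? Worth recording next to
    # the audit result, since it shows whether the user works elevated by default.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$unapproved = @(Get-UnapprovedLocalAdmins)
Get-BuiltInAdminStatus | Format-List
"Current session elevated: $(Test-CurrentSessionIsAdmin)"
if ($unapproved.Count -gt 0) {
    $unapproved | Format-Table -AutoSize
    exit 1
}
"No unapproved members in local Administrators."
```

Run it as a scheduled task or through your endpoint management tool and alert on a non-zero exit code; a standing local admin that is not backed by a role entitlement is exactly the case the identity governance approach above is meant to remove.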
Identity and access management is an important set of controls. Then there are DLP possibilities: data leakage prevention. It’s a big exercise, and at least in Belgium there are not a lot of organisations doing that. Within the private sector, not many organisations are doing their data classification. Where are the golden nuggets? What type of data do you have in terms of sensitivity? It could be anything: financial data, employee data, intellectual property. Define your classification system and put labels on your data. Work with layers around the data. It comes to the point where you say this is sensitive data and highly restricted information, and then at the endpoint as well as at the perimeter you’ve got tools that, depending on the label you put on that data, will define whether that data can flow through email or the internet or not. So that’s DLP: another set of controls over which data will leave your company and in which way. And it goes hand in hand with IAM.
Once classified, you know who will and will not be allowed access to the information, and that will determine whether or not you are going to get it.
Regarding information classification, the weak point is that the person themselves defines the level of confidentiality or protection, so it’s not 100% watertight. It depends on assessment or judgement how you control it and then switch to another level of protection. It helps in creating awareness: what is in that document? Can it be shared in public or not? It creates awareness; that is the main advantage. You cannot trust automatic labelling.
Awareness is key, it’s every layer of security you are thinking about.
Email data is more exposed than anything else – attachments, or whatever is shared through emails.
Data leakage and data control are a big concern. It’s always the end user who needs to classify a document, and end-users always find a way to get a document from A to B. Documents and data will flow wherever you want them to go. How, as an organisation, can you get control of data without stopping the end user from using the platform? Still, end-users are sending documents via email as a collaboration platform, and it’s hard to control where that data is going. Less than 5-6% of customers are building DLP policies.
When those emails stay in their sent items, it makes the risk even worse if somebody hacks into those accounts. Provide a decent archiving policy, and find other ways to make sure data does not reside in email.
If you are still in the situation where email is your primary collaboration tool, set your email policy to only allow attachments of 30K or whatever. Force your users into a situation where they have to use a collaboration tool that is more likely to be controlled professionally. You have to provide a safe and secure alternative. If email is your prime collaboration tool, you need to step away from that. You have to be in line with your management; it’s not something you decide on your own.
Management can be a problem. They are not very used to this. It’s up to you to convince them.
It’s about awareness, not only for the end-users but also for the IT people. The point is that awareness is not for specific groups of people; it’s for everyone. Run an awareness programme within organisations.
Phishing by email and telephone (WhatsApp) is the biggest threat. It can look completely different each time. You must follow the procedures. You even see documents signed by banks that look genuine. It’s not only IT security but also phone security. You cannot let everybody in.
There are several products out there, like the one from Mimecast. You see the number of positive clicks by your users decreasing as the awareness level rises. Depending on the phish the user fell for, they can get tailored training about the mistake they made and will be re-evaluated the next time a phishing campaign is run on your company. Those users are profiled and given specific training. We see the same thing. It’s not free, but it pays off.
You have to look at it from different angles. If you look at products to help you, it needs to be carried out from the top down; otherwise you will see that it doesn’t land inside your organisation at all.
Employees: How do you keep your teams motivated? How do you replace the informal conversations? Do you see the same enthusiasm in your teams?
This is a question that has a lot of different elements. When it comes to IT people, they know how to handle the PCs, but they need to know what is going wrong. When you’re talking in general, keeping people motivated means that working from home should be as easy and free of hiccups as possible. With IT, we had some performance problems in March, but we had to work around it, with office traffic not going over our VPN. That was a technical hiccup. Others have more to do with HR. The office environment is sitting at the kitchen table on kitchen chairs – that is not perfect at all. I see people around me getting back and neck problems. At the office, we have an ergonomist; with the home office situation, this is not the case. The people looking at workspaces now have to expand to the home office to keep people motivated. For the coffee chats, we have chat applications, but they will never replace them completely. In my preferred situation, I would work one or two days at the office. The small questions you ask in the office we don’t ask on Teams or chat. That’s what I miss most.
Throughout our organisation, a poll was sent out to all employees, and exactly those things came out. The vast majority of employees would like two or three days of homeworking and the rest of the week going to the office, to have some balance. They need it because we are humans; they need that physical contact. It’s still different in real life than looking at a screen; it’s not the same. From the ergonomic and physical point of view, people could take their screens and even chairs with them to the home office, so that was a funny sight: we saw an exodus of people carrying around chairs and big screens. It still doesn’t give people the same experience as at the office, although it is very much appreciated as it saves a lot of time. Work/life balance has improved. The efficiency improvement takes a toll: being in calls and checking the faces of 10 people at a time is very brain-intensive. The pros come with the cons.
Is productivity increasing, or are people better off working from home when they don’t have the travel hours and all the chit-chat that happens in the office? There are productive and unproductive days, because you are stuck in meetings. This is what we see at a productivity level.
If you are dealing with the vast majority of your staff from home, how worried should we be about network security?
In an ideal situation, a company should run a tunnel to provide the same thing from a network security point of view, instead of letting people create a VPN from their endpoint, because you are still drawing attention from that unsafe home IP address. The network connection that you have at home is not secure: there is nothing there; you are wide open to the internet. Even if you have endpoint security, you are still on an unsafe network. Even colleagues in IT don’t have that.
Security in general is perceived at CEO level as IT being a cost centre that doesn’t bring value. You have to distinguish between cost and value. Aside from that comes the privacy of the user: you are going to monitor all the traffic that goes through that connection.
If you are handling a company infrastructure, you know from a governance point of view that you have an IT and company policy which people normally sign when they start. Traffic is being inspected for security reasons. What is the difference between a protected network and a firewall?
Not all organisations have management that sees it as an issue for end-users to have their own machines connect to the company network. Revenue is not the issue; it’s more the type of activities.
The mentality of the CEO is ‘we didn’t have an incident’. It’s not a question of if, but when. Sooner or later there will be an issue.
Perimeter security: the endpoint is the place to focus on. This is still a possible way to introduce an important layer of security. If you are returning to the situation where an end user is working from home on an unprotected ISP line with just a router, imagine, at your company, do you have your endpoint security and your firewall products from the same vendor, using zero-day tactics? So, does the endpoint have the same intelligence as your firewall?
It’s not about changing providers because of X, Y, Z; they all have the same security base. If it’s in the budget, you find what fits into the budget. It’s a trade-off: how good are you, commercially, at selling that problem to your management?