Microsoft Office 365™ is fast becoming the standard platform for organizations across the globe, with 135 million business users worldwide as of Microsoft’s April 2018 earnings announcement. With a move to Office 365, there’s a lot for organizations to consider, including the impact it will have on email security.
Mimecast’s J. Peter Bruzzese, an Office 365 MVP, recently sat down with TechTarget’s Mike Perkowski to discuss migrating email to the cloud and all the steps organizations need to take to make the move the right way. Below is a transcript of part of their discussion.
Mike Perkowski: Is moving your email boxes to the cloud a good time to rethink your strategy and your philosophy about email security?
J. Peter Bruzzese: Well, rethink? I guess it depends on what your strategy currently is. I’m a huge believer in defence in depth. I believe we have multiple layers we need to look at and consider our budget and say “OK, where can we put all of our security points here?”
A lot of folks focus on the endpoint. They make sure their systems—whether it’s laptops, desktops, mobile devices—that those are secure, and that’s great. But did you know most attacks these days, whether it’s ransomware or it’s a spear-phishing attack, they’re coming through email. Granted, the end user is the one who eventually clicks the link, but they’re coming through email.
MP: That’s the transport mechanism for them.
JPB: So, what do you do? If you move to Office 365, Microsoft provides a free Exchange Online Protection (EOP) solution. Free is great, but is it good for your security? Well, that might be nice as a backup parachute, but what do you have for your primary chute?
Typically, what we see are third-party solutions that sit on the front-end…I believe having a solution like that out in the gateway will help your end users because the fact of the matter is, when an email comes in with a link, they click it…
MP: And that’s all it takes.
JPB: Right. So, we need technology on the front-end to protect them. It’s a defence in depth approach. Everyone says it’s the human [that’s the weakest area]. No, because that email still has to get through to the human first. So, focus on your gateway. Microsoft provides EOP and then you can pay for Advanced Threat Protection from Microsoft, which is an extra upcharge.
Once you start paying an upcharge for security from Microsoft, you have to ask yourself, “Am I paying for something that is going to be comparable to what a third-party can give me? Is Microsoft’s ATP comparable to third-party solutions?” And at this point, I would say no. You have to look at what third-party solutions can do above and beyond ATP.
Because if you’re paying for it, you have to make sure you’re paying for the best solution out there. Don’t go with mediocre security, because ultimately you’re going to pay for it eventually when you get hit with that Bitcoin request in a ransomware attack.
So, I don’t know that you’d rethink your security structure, but you should think about changing it.