Hey Amer, thanks a lot for joining us today. So, we’re going to talk about email security. Maybe before we start you can introduce yourself to our audience.
Sure. My name is Amer Mustafa, and I’m Senior Executive Vice President at Indusflow. I’m responsible for running the IT Services division, which includes all services related to caring for the IT infrastructure for our customers.
Great, so the topic for today is layered security. We’re educating our audience on what the various layers of cybersecurity tools are, and technologies and education that a company should have in place to properly manage their security. So, I’d like for you to talk a little bit about email security. What is email security?
Email security is all of the services and processes that you put into place that are designed to protect email. These can include everything from education for users on proper usage of email—you know, how to stay safe as it relates to email—but of course more importantly, various technology components that are put into place to protect the integrity of email.
As most people know, a lot of security threats are born from email. A lot of organizations that have experienced security threats have been exposed to them through a bad email that’s made it through their security net.
What are some specific types of security threats that you’ve seen out there?
Well, if you think about email, it’s a global communication system that we all rely on every day, but which actually has very little security built into it as a technology. What that means is that on the internet, anybody can send an email message to anybody else and generally speaking, there’s really no overarching security mechanism that allows a person to disallow them. So, by the very nature of email, it’s an inherently insecure platform. That means that organizations have to come up with or implement several components—technological components that are going to safeguard the integrity of the email that’s coming in.
So, as you know, a lot of people are talking these days about ransomware. Ransomware is just one category of virus or malware that’s in circulation throughout the world. The typical scenario is that a person receives an email, the email has an attachment, and that attachment contains the malware, the ransomware virus, or any other type of malware. By double-clicking on the attachment, they then activate that particular piece of malware, which then infects their computer, which results in effects to the wider network.
Got it. So, now we’re getting to the actual technologies that are typically deployed by an organization. I hear a lot about appliances like Barracuda. I hear a lot about cloud-based, advanced email security tools, so what are the kinds of tools out there that an organization should be implementing to better secure their email?
Sure. So yeah, that’s right.. So organizations may have their email hosted internally on a corporate email server, or they may have it hosted externally on any number of cloud-based email service providers, such as Office 365, or they may have a hybrid approach. The question is, when email comes into the organization, do you know at what point the email is being filtered? If you have an appliance-based approach, then typically you’re using corporate email servers as opposed to a hosted service, and the appliance would be hosted in front of your mail server so all inbound email would hit the appliance first. The appliance would take care of filtering those emails to make sure they’re good, and then forward only the clean stuff to your corporate email servers.
The other approach would be to use a cloud-based service that would essentially perform the same function—all inbound email would go to the service provider first. The service provider would filter those email messages and then forward the clean stuff, you know, to your corporate email server or to your cloud-based email service provider. So, both of these approaches involve email hitting a filtering service or filtering appliance first, prior to the email being forwarded to the actual email server.
The other thing I’ve heard is that many of these cloud-based email platforms, like Office 365 and G Suite, already have their email security software built into their product, so why would an organization that’s using cloud-based email need to (or maybe they may not need to) get involved with it with an additional layer of security through other cloud-based or appliance-based security software?
Right. So, as with the security field in general, you can always get more. The principle that is at play with security is that you could you could always pay more to get more. The question is, what is appropriate for your organization? So, the built-in protections that many of the big online, cloud-based email service providers have is generally at the level of spam protection. So Office 365 and G Suite, these have spam protection features that you get a basic feature of the basic product, and those are suitable for protecting you against a lot of spam email.
Spam email is generally junk email, so these might be advertisements, more of an annoyance than anything else. It sounds like it may not constitute a large volume of email. We do find that with some customers, 60 to 80 percent of inbound email is actually spam. So it could actually, for some organizations, constitute a majority of inbound emails. Certainly, having a basic level of spam protection is important more from a productivity standpoint than a security standpoint. The lines are often blurred, but spam and junk mail, strictly speaking, is more of an annoyance than a security threat. So, the question about what the basic level of protection can protect you from, is basically at the level of spam or junk email.
Now what we would want our customers to have, you know, what organizations would want, is a higher degree of protection than just from the junk. For example, you may be getting all kinds of junk email from lists or from newsletters. Maybe you subscribed to them, maybe you haven’t subscribed to them, they’re basically advertising products. But on the flip side, you may receive just one email with a virus attached to it. This email may not be sent in large quantities, it may not be sent to everybody in the organization, it may be targeted to be sent to a specific person within the organization, and so from the perspective of junk email it’s technically not junk email; it’s not spam. It’s not really advertising, but it is an email that contains a very dangerous attachment. So that’s where you would want to get a more advanced type of security protection for your email system. There are a number of providers out there— like Mail Assure and AppRiver—these are all popular providers for email security. What they do is add an extra layer of protection from malware and from viruses.
Now, if you think about an email that comes in, a classic example is an email comes in with an attachment, and in order for that type of email to really infect your computer you would have to jump through a few hoops. It might sound like people wouldn’t do this, but people do actually do this. The classic example is that an email comes in, it’s got an attachment, and that attachment is inherently dangerous. It might be a Word macro, for example. So when the user receives the attachment, if their “spider-sense” don’t start tingling, then they might say, “Oh, well this here is an email with an invoice attached to it.” So they double-click on the attachment, and the invoice is in a .zip format, but they don’t think anything of it. So they double-click on it and they open up the .zip file. Now so far, so good, but the .zip file contains a Word document, so they say, “Oh, this is the invoice. I should double-click on the Word document.” When they double-click on the Word document they get a warning that pops up on their computer that says this Word document contains macros and could harm your computer, but still they say, “No, it’s an invoice, so let me go ahead and accept that” and then once they jump through that hoop, then the virus activates and infects their computer.
With those types of attachment-based security threats, people are getting a lot more savvy to that. You really do have to jump through a few hoops in order to allow yourself to be infected by that type of malware.
It’s not always as simple as that. Some emails could contain links, web links that the user needs to click on, where they’re taken to a website and the website asks them to download something which they have to accept, and then they get the infection that way. So in a classic sort of email security system that only checks emails for virus attachments, that system wouldn’t catch the second type of security threat, which is an email that comes in which has links to websites that contain downloadables that are virus-laden. So it’s really the online security service providers, email security providers, that are kind of working day and night to make sure that their databases are updated. Not just databases of known viruses, where their security engines are scanning for viruses in emails, but also their databases that maintain lists of websites and URLs and IP addresses that are known sources of threats that people may click on and then download a virus that way.
So, because it’s a constantly shifting area—these websites could be popping up on a daily basis that are now hosting downloadable viruses—that’s really why, from our perspective, it’s important to have email security experts,the companies that are in the business of knowing that, and working day and night to provide the email security layer for our customers.
As a Managed Services Provider, Indusflow is managing email security for a number of our customers. Could you enlighten our audience on some of the tools that we are currently employing, or what is our strategy around email security for our current customers, and what is the approximate price point the customers should expect to pay to get advanced email security software?
Sure. So first of all, I’d say that our approach has changed over the years. In the past, like maybe seven years ago, even 10 years ago, when most of our customers had on-premises, corporate email servers our approach was more of a software-based approach. So a software security layer running on the corporate email server, in those days was adequate to provide a good layer of scanning before forwarding the email to the corporate email server. But now, that approach has really not kept up. So we are using a number of cloud-based email security providers—our go-to partner currently is AppRiver, and they have been doing a pretty good job. So with cloud-based email security providers, there are different vendors out there, but generally, the architecture works the same way. The company would—or we would do this on behalf of our customer—we would change the MX records for that particular domain to point to the email security provider. What that means is that once the MX records are changed and they’re pointed toward the email security provider, all inbound email would then hit the email security provider first. There, all of the emails would be filtered, and then the email security provider would forward on the emails to the actual email service, which could be cloud-based or on another corporate email server. The nice thing about that is it’s kind of a store-and-forward approach. Most of these cloud-based email security providers don’t store the email beyond the time that they absolutely need to store it, and as long as everything’s working, that should be milliseconds or maybe seconds, but in the event that your corporate mail server is down, or even if your cloud-based email service provider is down (it does happen, sometimes G Suite has issues, sometimes Office 365 has issues), so rather than the email delivery failing, the email is then stored on the email security provider’s servers until the corporate email servers are back up again. So that gives you an added layer of resiliency to your email solution. That way, emails don’t get bounced—they could be stored in this sort of limbo state for a day or a couple of days. Most of these providers will store it for anywhere from two weeks to a month, so that really gives you some added protection. And then, of course, once the email service is back up again, then the service provider forwards the emails to them. So that’s generally how they’re architected.
Most of these solutions are around $4 per mailbox, per month, or in that sort of price range, so it’s pretty affordable. Of course, when it comes to security versus affordability, companies have to have a serious approach to security,depending on the customer size. If we’re talking about SMBs (small and mid-sized businesses), they’re obviously not going to spend millions of dollars on a security solution. It’s got to be the right size,and the nice thing about hosted email security platforms is that they’re priced on a per-mailbox basis. So, if you’re a small organization and you’ve got 30 to 50 mailboxes, then it’s priced on a per-mailbox basis, and similarly, if you’ve got thousands of mailboxes, it’s going to be a higher price tag.
Great. Well, that was very informative. I really appreciate your time, and we’ll talk about it more at a later time.
All right, thank you.