Mimecast: Tackling Cybersecurity in a connected economy
Mimecast, founded in 2003, is an international cyber resilience company, with offices in the UK, US, South Africa, Australia, Europe and the Middle East. Mimecast uses dispersed data centers, intelligent mail routing and robust cloud security to provide a security network capable of managing over 35,000 customers and 296 billion email accounts, with a 100% uptime service.
Mark O’Hare, Chief Information Security Officer at Mimecast was one of the first 25 employees to join the company when he came on board in 2008. This has given Mark a comprehensive understanding of the Mimecast’s inner workings and its position within a rapidly evolving industry. Speaking of the changes in the cyber security industry Mark says: “Organisations can no longer afford to be reactive when it comes to their cybersecurity posture. They need to become more proactive to survive the evolving threats they face. To do that you need that credible and actionable threat intelligence along with a detailed understanding of your vulnerabilities.”
The company has won a plethora of awards for its workplace environment, through an ethos of collaborative development and job satisfaction. This methodology extends out to Mimecast’s clients, where transparency, tailored experiences and a focus on the customer reinforces a trusting relationship. As Mark explains: “We have customer success managers and customer experience managers making sure our customers understand that we’re passionate about their security and their well-being, and ensuring they get the most out of our product. After all, we’re building a product for them and not for us.”
Mimecast has shifted from an email security-focused platform in its infancy, into a more robust cyber resilience platform. Today Mimecast’s platform takes on a much broader remit, supporting a wider range of customer security needs, such as Awareness Training, Web Security and Threat Intelligence through a single, trusted platform. Organizations that deploy multiple point solutions can often end up with over complicated and over engineered security environments. This leads to poorly implemented and managed services as they attempt to protect multiple facets of a company’s network through several disparate solutions. Complexity is the enemy of security. For Mimecast to achieve its goal of an accessible and reliable cyber resiliency focused product for its clients, it has had to keep simplicity in mind without compromising the platform’s ability to manage the diversifying needs of web-reliant businesses.
According to Mark, cybersecurity can appear to be a “piecemeal, fragmented, complex and confusing industry for many.” For that reason, he said, Mimecast understood the need for “a longer-term focus on customer efficiency, making our products easy to deploy and manage, while still allowing for those organizations who require more complex controls to customize our product to suit their own unique requirements.” Mark admits that no business is exactly the same, meaning each has a unique risk acceptance profile. For that reason, he says, “coming in with a cookie cutter approach for certain environments such as banking, manufacturing, health care, land insurance, to mention a few, simply won’t work. Each industry and even each organization in each industry have different requirements and we need to cater for all of them.”
This approach could not be delivered by sheer manpower alone and so new technologies have had to be implemented to cope with the growing scale of demand. Machine learning and AI analytics have had a hand in this, where a platform can monitor user behavior, learning trends in a way any one user approaches their work. When there is a major deviation from these operational behaviors, the machine learning system can flag this up as a warning event, which can then be investigated more thoroughly. As the machine learning system gathers more information on the habits of its users it is able to make more accurate insights into what may, or may not, be a threat or a security incident, increasing efficiency exponentially and allowing organizations to scale their security defenses without having to scale the number of employees investigating incidents.
“Technology has to evolve to keep up with far more complex and often automated threats that we face these days. Traditional methods aren't enough anymore, we have to embrace things like machine learning and AI to keep up – essentially fighting threat automation with security automation,” Mark explains.
Mimecast also offers end user cybersecurity training and awareness helping organizations to reduce or eliminate human error. As human error is the leading cause of security breaches, having highly cybersecurity conscious staff can drastically reduce risk to a business. Mimecast has a Cybersecurity Awareness Training solution that educates employees on the everyday cybersecurity risks employees will face and then importance of being cyber-diligent through highlighting the impact these risks expose organizations to. Mimecast’s Awareness Training modules are tailored toward making cybersecurity awareness digestible and humorous so the target audience is engaged. The Mimecast platform also allows organizations to test their user’s resilience to phishing attacks through simulated phishing testing campaigns. The platform takes several user behavior metrics into consideration and computes an overall organization risk score. Mark says, “it is great to see your organization’s risk score decreasing over time as your users become better at detecting and reporting phishing scams. This kind of information is also just what Executives and Boards want to see.”
“There's a real challenge around educating new staff as they join the business, especially those that have not worked in an environment where cybersecurity training and awareness has been a focus”. An important part of the onboarding program is to let employees know what is expected of them,” says Mark. “The new user onboarding program should cover off the organization’s Acceptable Use Policy and include security awareness training and testing. Employees are often the last line of defense in your security chain, so it’s essential to focus on educating them and making sure they understand what's at stake when things go wrong.”
The company’s focus on people does not stop there. As rising demand for cybersecurity continues, so does the challenge of recruiting good cybersecurity talent. Mimecast is dedicated to finding the best talent the industry has to offer and fostering a long-term relationship through competitive pay and job satisfaction. For Mark, it’s all about “making sure your team feels challenged and that they really enjoy coming to work. We spend a significant amount of time at work so in order to retain top talent you need to keep them happy, enjoying their work and making them feel that they are part of a meaningful team executing meaning projects.”
Also, by enabling its workforce to do their job through a thorough a portfolio of approved business tools, a business can ensure its employees are using regulated and approved methods, rather than bringing in external and unapproved services to process and store sensitive data. Mark explains, “One of the most important things, as your company and workforce grows, is giving your users the appropriate tools to get their job done. With so many SaaS based tools available, it is now easy for users to leverage unsanctioned applications and infrastructure. Shadow IT becomes a major problem because these application have generally not been security approved and the organization ends up losing control of your data and how it’s protected” says Mark.
Mimecast’s holistic approach to cybersecurity, using technology, threat intelligence and user education has led to the creation of a robust platform able to deal with each customer’s individual requirements.