Email security alternatives amid Microsoft 365 cloud pandenomics

3 min read Cybersecurity
Richard Botley, cyber resilience strategist at Mimecast, explores the evolving cloud productivity and email security channel landscape.

It was the best of times… cast your mind back to November 2019 BC (Before Covid), when tech giant Broadcom closed its acquisition of Symantec’s enterprise security business for $10.7 billion. They laid out plans to focus on endpoint security, web security and data loss prevention, areas the company cited as its “highest revenue opportunities” for the “Global 2000” largest organisations.

However, it made no mention of email security. Despite the rise of new collaboration tools, email shows consistent dominance and no sign of wavering in its use. Customers tell us employees are now opening and responding to emails faster than ever before, using it as far more synchronistic tool than it was designed to be. Email-based cyberattacks continue to be a growing risk factor for organisations, and thus email security continues to be a priority area of defence.

This is the major opportunity for the channel. Many organisations are reviewing alternative cybersecurity strategies and are looking to strategic partners to help build resilience against attacks, human error and technical failure.

Cloud pandenomics  

The wider background here is that organisations are now moving to Microsoft 365 en masse to help simplify their IT estate, reduce costs and boost productivity. As part of this, Exchange Online has fast become the de facto standard for cloud business email. Google Workspace (formerly G Suite), is growing too but less often used for email by the larger enterprise organisations.

Covid-19 ‘pandenomics’ has rapidly accelerated digital transformation as every organisation radically rethinks how they collaborate. This is giving today’s cloud’s late majority a shove, reminiscent of the early adopter onramp in the 2008-2009 downturn, as IT leaders sought the financial op-ex incentives of moving to software-as-a-service vendors.

Today, many of the traditional more popular cloud services are particularly well-suited to pandemic business challenges. These include communication and productivity tools, CRM, video conferencing, email and team collaboration. This presents massive opportunities in the Microsoft channel ecosystem including around the Azure cloud platform and the cloud-based Microsoft 365 productivity offering. Early metrics of this trend are already there. Microsoft’s reported results in September, showed ‘Office 365’ commercial revenue growth of 21% year-on-year.

Some resellers were historically concerned about the impact the cloud would have on their businesses, but the reality is that most organisations need a great deal of advice and support to adopt these new platforms. Selling complementary hybrid cloud products, training or building additional managed services, particularly around security, are the common ways to build revenue around these deals.

Security gaps

Microsoft provides some native email security features but simply can't deal with this level of malicious attention on their own. In a recent sample, Mimecast examined 100+ million emails that cleared Microsoft 365 and found that 28% contained undetected spam and phishing threats. It’s vital that the channel tests these weaknesses to protect their customers from attack.

Although Symantec continues to offer email security, a new report by independent market research firm Osterman Research highlights concerns on how Broadcom would remain committed to email security.

Osterman points out how Broadcom has begun to deprioritize its smaller customers and changed certain policies for its mid-sized and larger customers. Meanwhile, media, analyst, and even social media reports, tells stories of fewer products, less innovation, and decreased support.

Defence in depth

A single cloud service like Microsoft 365 can represent a greater risk exposure if you flatten all of your protections, services and applications into one dependent system. So far, the security efficacy has proved sub-optimal against advanced phishing attacks and even the most basic anti-spam management. Defence-in-depth security best practice prescribes using multiple layers of security and architecturally these also need to be in the cloud to effectively work alongside your Exchange Online tenant.

Earlier this year, Mimecast’s State of Email Security research found that 33% of UK organisations had already added another layer of email security on top of Microsoft 365. Another 41% had existing plans to add this missing layer. We’ve spoken to many organizations around the world who have moved to Microsoft 365 in the current climate and quickly realized they needed to bolster their advanced phishing defences.

Cloud resilience

Another area of concern for the channel is uptime and reliability, critical to maintaining productivity and customer satisfaction during the era of virtual working.

Unfortunately, a number of significant Microsoft outages in 2020 have affected Exchange Online, Teams, and often multiple other services when there have been issues with the underlying Azure platform. Mimecast’s research found that 60% of global organizations using Microsoft 365 had experienced an outage in the 12 months prior.

We’ve found that many of our partners’ customers have a clear timeline to deploy Microsoft 365 but have concerns over the migration too. This is where engaging a secondary high-availability cloud email service can help ensure a faster, smoother process and the always-on availability of email and archives.

Symantec long ago sold off their Enterprise Vault product line and thus can’t provide email backup and recovery and continuity services, except by reselling the services from a now separate company and without a joined-up development roadmap.

Channel opportunity

As security email threats continue to evolve, the channel must remain the prime risk management partner for its customers. New upsell and recurring revenues from new Microsoft 365 managed services need to be explored and filling the gaps in Microsoft Exchange Online Protection security offer a major opportunity.

Email security controls should operate at, inside and beyond the perimeter of an organization and this requires a more layered strategy to remove customer uncertainty.