Fifty, one-hundred, one-hundred and fifty? How many emails have you received today? Despite a rise in the popularity of instant messaging tools, if you take a look at your inbox it quickly becomes obvious that business still fundamentally runs on email.
Millions of people across the world now use cloud-based email systems with the most predominant being Microsoft Office 365. This has meant that the number of emails in the cloud has inflated and adoption of cloud email services is only set to continue. By 2021, Gartner expects 70% of public and private companies to be using cloud email services. But what happens when the service that supports so many mission critical functions in the business is disrupted?
No cloud vendor is perfect and the number of cloud email outages over the past few years has served as a reminder of this fact. No organisation should trust a single cloud supplier without an independent cyber resilience and continuity plan to stay connected and productive during unplanned and planned service disruptions.
Every minute of an email outage costs businesses hundreds and thousands of pounds. It carries a variety of consequences that range from frustrating to financially devastating. The question is if your work email and productivity are dependent on cloud email, what would a potential disruption cost you?
The risky business of downtime
Email reliability – whether managed through on-premises infrastructure or as a cloud service – is dependent on a variety of factors, only some of which are under the control of in-house IT.
Disaster recovery plans and systems that predict potential IT fails and offer a plan B have been best practice for years. This shouldn’t be any different in a cloud first world. If you don’t have a backup plan in place for when a major cloud service does go down, your email systems will be down until the provider gets it back up again. And you can’t control when that will happen. One hour? Five hours? Days?
This can be caused by anything from the reliability of the servers on which email software runs, the operating system, human error, Internet connections, the power grid, weather and much more. If any link in this chain breaks, email systems can suffer downtime. Large cloud-based collaboration suites like Microsoft Office 365 and GSuite are as susceptible to outages as any other provider, ranging anywhere from a few minutes to several hours at a time. A lifetime for any business, and a blow to the bottom-line.
It’s important to remember too that it’s not just downtime caused by cloud provider interruptions that businesses need to consider. The risk of ransomware is still growing. Recent research shows that 53% of organisations experienced a ransomware attack that impacted business operation, a 26% jump over the previous year. Data loss, financial loss and customer loss were the top three business impacts. Primary email systems may need to be shut down during and immediately after a ransomware attack to help stop the spread of infection. In this scenario, a backup plan to keep email safely flowing and be able to recover data to a known good state is key.
Planning for high availability and recovery
The issue is that all too often disaster recovery plans are insufficient when it comes to the critical and timely recovery of email communications. This ultimately contributes to the excessive outage times that occur when things go wrong.
When developing a business contingency plan, decision makers must determine the acceptable risk associated with email downtime and data recovery in line with the needs of individual users and the organisation overall. This means focusing on Service Level Agreements (SLAs), Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). This will allow businesses to reduce the risk of potential data loss and speed up the restoration of an email service. It involves looking at employee productivity and legal requirements, processes that rely on email, including customer communication, and other regulatory obligations.
Organisations should then implement an email continuity solution that will enable users to continue working with always-on access to live and archived email. Otherwise businesses risk employees using personal email accounts to keep work flow moving and this has serious implications on security and compliance in the workplace. Businesses should also implement a data recovery protocol as for many employees, email archives have now become the primary repository to save and access important information. It’s fundamental that employees are able to continue with their work as normal with as little disruption as possible, meaning data recovery should be a high priority to help aid continuity efforts. This is critical too for recovery efforts following a security breach.
When it comes to planning, businesses also need a clear chain of command, should disaster strike. If any critical systems go down, businesses need to know what action to take and understand who is responsible. A regular continuity and data recovery performance test is key here – a one-off simulation is simply not enough. Depending on the size of the business, performance testing must occur regularly, and solutions must be frequently checked to ensure the business is prepared to continue as normal even in the most critical situations. When all eggs are placed in a single digital basket, it is essential to ensure that your business has the capability to recover from a situation that cuts off access, locks down, deletes or corrupts data.
Building a cyber resiliency strategy
There are also security risks that must be considered when implementing a critical business system availability plan. Importantly, this should feed into wider cyber resilience strategy, which focuses on defence, but also restoration of operations if things were to go wrong.
The first stage of this is for organisations to implement layered security. Email security solutions that might have been adequate several years ago often lack capabilities to protect against today’s modern attacks. This layered security should include cloud technologies that help ensure security solutions are always up to date and ready to protect against the latest and fast-moving threats – something that’s much harder to achieve with legacy on-premises solutions. It helps ensure threats are either captured before they have reached the network or defended against and removed if activated within the business.
Combating cyber risk in the long-term also requires organisations to look beyond technology and ensure a greater and ongoing focus on awareness training. Over 90% of breaches are caused by human error, targeting individuals with cleverly crafted phishing emails. Moreover, our research found that 71% of attacks over the last year saw malicious activity being spread from one infected employee to another. It only takes one untrained eye to open a malicious attachment and render an entire system as useless or for ransom. Educating employees on what to look out for and what to do if they see something suspicious is vital. Being able to identify a phishing attack or an impersonated email is paramount for protecting data, privacy and the business continuity of front-line services.
What’s more, with the General Data Protection Regulation now in full swing, organisations must have a clear plan in place on how they manage and protect critical data stored in email. Failing to adhere to regulations could result in massive financial penalties and poses serious risks for the business’s existence. Worryingly, research from our State of Email Security Report found that data leaks are on the rise, with 41% of respondents noting an increase. This is why it is fundamentally important that in order to minimise the impact of a potential breach, businesses must ensure email systems and data are effectively protected, backed up and recoverable.
The bottom line is that organisations that are highly dependent on email communications and use email as a key repository of business records must focus seriously on the continuity of email. This must span beyond cyber awareness and include remediation and recovery to ensure they can get quickly back on their feet. Building this into a wider cyber resiliency strategy is key to ensuring email is available anytime and anywhere, even when the worst happens.