During a recent trip to Australia, we were fortunate enough to catch up with Mimecast Co-founder and CEO Peter Bauer. In our sit-down, we discussed the concept of ‘Work Protected’ Together and where executives should be focusing the majority of their time and investment when it comes to cybersecurity.
A Q&A with Mimecast’s Peter Bauer
1. Peter, one of the key things you mentioned during Mimecast Connect was the concept of ‘Work Protected’ - at a high level, what does Work Protected mean to you?
Workers should be able to work protected in their digital work environment. Email and collaboration tools are where work happens, but they are also where risk is concentrated – technology is fallible and human error is inevitable, making organisations more vulnerable than ever.
As humans we trust the digital surface where we execute and perform our professional work. We want to address the risk at the intersection of people, data and communications. This started with email in the early 2000s and has now expanded to include collaboration platforms.
And while we’re known as an email security company, it’s not just about email, it’s actually about work and making sure you can have confidence in your digital work environment. The ability to work protected is to have confidence that the environment you’re working within is secure, safe and authentic. To address this, we partner with System Integrators like Brennan to deliver vital protection to companies of all sizes, by integrating with other security vendors who are focused on categories such as XDR, Firewall, SASE, CASB and SWG. We want to offer advanced security in a very important area, but fundamentally we also want to be an important building block in an organisation’s security architecture, so when building a system of systems, they have something that not only works really well but also has interoperability.
2. When it comes to cybersecurity, where do you think executives should be focusing most of their time and investment?
The sharp increase in data breaches and cyberattacks has translated to greater awareness amongst business leaders across the globe of the danger cyberattacks pose, and executives are demonstrating a greater willingness to confront the risk. This increased focus on cyber preparedness by the C-suite should give CISOs more empowerment to articulate their requirements and implement strategies and tactics that will make their organisation more secure. It’s now up to them to work with the board and executives to clarify what their priorities and obligations are to reduce business risk.
- Creating a cyber-aware culture: As the last line of defence, employees need to acknowledge the role they play in keeping an organisation secure. Cyber risk isn’t just an IT problem — it’s a critical vulnerability that directly equates to overall business risk and employees at all levels must recognise that cybersecurity affects them personally and is something for which they are directly responsible.
- Maximum return on investment: In our State of Email Security 2023 report, 64% of Australian organisations said their cybersecurity budget is less than it should be. Corporate boards may finally be paying attention to cybersecurity, but they still have many other priorities, such as managing through economic uncertainty and volatility. They will therefore want to ensure that they are getting the most out of their security solutions.
- An integrated framework: In response to growing cyber threats, as well as skills shortages, many organisations are investing in a plethora of new, best-in-class security products. This tool sprawl often creates additional complexity that hurts organisations more than it helps. Enterprises, on average, have 60 to 80 different security monitoring tools in their portfolio, many of which go unused, underutilised or forgotten. Organisations will want to look at adopting best-of-breed security tools and platforms that offer a deep library of API and third-party integrations. An integrated framework empowers organisations to effectively navigate their unique environments by consolidating tools and getting the most out of their security solutions.
3. What are the most common cybersecurity challenges that executives face and what’s your advice for helping them overcome these challenges?
The cybersecurity skills shortage is well-documented and remains one of the biggest challenges for organisations. Many global organisations find it difficult to recruit appropriately skilled cybersecurity professionals, leaving teams under pressure and under-resourced. But the cyber threat landscape continues to accelerate at a rapid pace, driving higher levels of burnout and human error across the sector.
Again, the skills gap cannot be plugged by simply investing in dozens of the latest niche security products. Forcing already stretched security teams to master a myriad of tools, consoles and workflows shifts priorities from managing risk to managing technology. The companies best positioned to offset cybersecurity’s labour challenges are those adopting security tools and platforms that offer integration into an organisation’s existing security ecosystem. This allows them to consolidate tools and reduce human error by: improving protection via security intelligence and threat sharing, improving efficiency via automation which offloads repetitive and mundane manual tasks to AI-enabled tools, and improving prevention via sharing and consolidating tool data.
4. It’s often said that employees are at the frontline of an organisation’s security, how do executives equip their employees to exercise a level of vigilance towards their organisation’s IT infrastructure?
At every company, regardless of size, a basic understanding of the risks and most common types of attacks needs to become common knowledge. In Mimecast’s State of Email Security 2023 report, 43% of Australian respondents said insufficient employee awareness of cyber threats would be their organisation’s biggest security challenge in 2023. To address this, organisations need to implement cyber awareness training that educates employees to the dangers and teaches them to recognise and safely manage the threats to which they are routinely exposed.
The most effective security awareness training is ongoing, short, and engaging, which creates a more cyber-aware culture across the whole organisation. Employees at all levels need to take ownership of the role they play in securing their workplace and view it as a collective effort to keep their work protected.
5. We know cyberattacks have risen in Australia by 13% alone over the past year – what do you think is the reason for the recent increase in cyberattacks?
Thanks to increased hybrid and remote work models in Australia, opportunities are ripe for cybercriminals to attack businesses with a reliance on email and collaboration tools to carry out their threats. An increased digital work surface means more online data and a larger attack surface, which greatly increases a criminal’s motivation and chances of success. Combine this with increased efficiency by attackers, more tools available in a criminal’s arsenal and greater returns on investment, and there’s a perfect storm. These days it’s no longer a matter of if an organisation will be attacked, it’s when – and the right protective measures need to be in place to defend and effectively manage an attack.
6. In Australia there has been a lot of recent press and discussions about the Australian government potentially stepping in and taking command of IT systems for any Australian company that falls victim to a major cyber incident – what are your thoughts on this?
It’s important that every government takes this issue seriously and takes the relevant steps to improve the security posture of their country. Fighting and preventing cybercrime needs to be a coordinated and centralised effort – so what the Australian government is doing is certainly a positive sign.
Government’s role is to provide regulation, threat intelligence and confidence to the economy – this is vital. But it’s also important that organisations don’t develop a false sense of security that government is going to solve cybersecurity risks for them. It is not the role of government to manage a corporate IT system. Cybersecurity is a team sport, and everyone needs to play their role, be diligent and take responsibility. We’ve got real work to do right now to be secure.