Email is a key communication tool for businesses today. Despite its importance, many businesses that transition to the cloud are blindly relying on a single email vendor, such as Microsoft Office 365 or Google Cloud, without giving thought to a cloud redundancy plan.
This contrasts with only a few years ago, when businesses meticulously backed up email servers for fear of losing data, or being unable to access it, because of an IT incident.
However, a growing number of recent incidents should serve as a crucial reminder for organisations to develop their own redundancy plan, rather than rely on a single vendor.
Earlier this month, Microsoft reported that some users of its Office 365 and Azure clouds were unable to access services. As a result, some users were not receiving notification prompts via their applications.
The most recent incident occurred about three weeks later, with a similar login problem for Office 365 users. Users received repeated credential prompts and were unable to log in to the Outlook client. This happened only days after reports that users were unable to sign in to the Microsoft Teams Desktop client.
Just last month, users of Microsoft’s cloud services were unable to log in if they required Azure multi-factor authentication, impacting millions of users who were unable to access their accounts for over 14 hours.
This outage is just another in a slew of outages plaguing the platform this year. Similarly, in September, a Microsoft Azure outage that took down the Azure Active Directory service impacted IT services around the world, including Office 365. This outage was due to severe weather taking out cooling systems in one of its central data centres.
With huge operational dependency on the Microsoft environment, no organisation should trust a single cloud supplier without an independent cyber resilience and continuity plan to keep connected and prepared during unplanned, and planned, outages.
While these outages are disruptive, the consequences are worse when the downtime is caused by a cyberattack. Mimecast’s State of Email Security report indicated that nearly a third of Australian organisations have seen business operations affected by ransomware in the last 12 months. The same research revealed 83 per cent of organisations have been hit by an attack where malicious activity is due to infected email attachments or URLs.
Operational dependency on any one environment creates business risks that need to be addressed. It’s inevitable that services will fail from time to time, and IT leaders need to ensure they have not outsourced responsibility to a lone cloud service.
Using a single cloud email provider also increases the risk of a successful malicious attack, as native and advanced threat protections are not adequate for evolving and ever more sophisticated cybercriminal attacks.
Anyone outsourcing a critical service like email needs to consider who will suffer most from reputational damage, internal operational issues, and financial loss. All organisations, including Microsoft, need to consider what downstream effects there are from losing a critical service due to technical failure or human error.
Downtime is expensive. According to Gartner, the average cost of IT downtime is US$5600 per minute, which adds up to well over US$300,000 per hour. And if you consider that the average downtime Australian organisations experienced following a ransomware attack is three days, the financial damage can quickly add up.
While these figures are daunting enough, it’s about more than just dollars and cents. Businesses need to consider the detrimental long-term effects downtime can have on productivity levels and business reputation, and the damage it can cause to customer relationships.
There has never been a more important time for organisations to seriously consider implementing a business continuity and disaster recovery plan. Businesses should not wait for a vendor outage or ransomware attack.
Part of the strategy should involve having at least a secondary off-premises recovery data centre to ensure that if anything were to happen to the primary site, there will always be a second location to reduce the impact of an outage. Local hosting to reduce latency and ensure data sovereignty should be considered. It is also worth reviewing independent sources such as SE Labs, which assesses security products and services designed to detect attacks, protect against intrusions or both.
A disaster recovery plan alone is not enough. Resiliency in layers is key to business continuity. This means equipping employees with the knowledge to understand what to do if a potential threat lands in their inbox. This is particularly crucial given human error accounted for 37 per cent of all incidents reported, according to the latest Notifiable Data Breaches Quarterly Statistics Report.
Testing and planning regularly will ensure that when organisations are hit with an outage, the impact of downtime is minimal and they can be up and running as soon as possible.
Nick Lennon is country manager of Mimecast Australia.