There are so many complex aspects of cybersecurity. For many companies, the best starting point is addressing the most common vulnerable entry point first — email.
What is third-party email security & protection?
Third-party email security and protection (ESP for short) is a security solution developed by a security software company that inserts itself into your email provider’s email flow. Typical features include inbound & outbound filtering, encryption, archiving, and enhanced security.
You may ask why isn’t my email provider’s built-in security & protection enough? Why do we want another vendor involved in our email flow?
These are great questions that we will address in this blog by first addressing two key misconceptions.
Misconception #1
The built-in email security & protection functionality to Microsoft Office 365 or G Suite is sufficient.
- It isn’t. As a reminder, email providers like Microsoft aren’t even responsible for your data OR protecting access to your accounts (see Microsoft’s Shared Responsibility Model). Microsoft simply offers the infrastructure to store the “working copy” of your data, and you must bring third-party solutions to fill in the gaps (backup, security, etc.).
- Microsoft does include some fundamental anti-spam/anti-virus features out of the box — over 3 billion phishing emails are sent every day & they’re protecting their infrastructure from unnecessary overhead and providing the minimum protection to remain competitive.
- Microsoft actually sells an email security add-on called Microsoft Defender for Office 365, which is only compatible with their enterprise licenses (typically 300+ employee companies).
- The above information should tell you that Microsoft knows the built-in functionality isn’t sufficient security. They’ll happily sell you an add-on solution to fill feature gaps once you spend more on enterprise licenses.
- The good news is several third-party security companies offer “bolt-on” ESP platforms to Office 365/G Suite, AND they don’t require you to be a 300+ employee enterprise.
Misconception #2
I don’t want to miss an email from a client or prospect, so I’ll risk not using a third-party email security & protection solution.
- First, missing an important email due to filtering is a valid concern. However, this infrequent occurrence can be prevented by configuring the ESP correctly.
- Modern ESP platforms allow safelisting of domains & email addresses, editing sensitivity levels of the spam filter for certain people, and live access to the “quarantine” where suspect emails live. All of these are configurable if there’s a concern about missing an important email.
- Even if you safelist a domain, the features of an ESP platform do not typically turn off entirely. The solution we partnered with will still step in if there’s a near 100% match for a virus or phishing attempt. Also, our solution re-writes all the links in every email to go through a security scanning engine to catch attempts at stealing your credentials or known malware.
- Regarding “risking it,” straight from Deloitte: 91% of all cyberattacks begin with a phishing email to an unexpected victim.
- If 91% of all cyberattacks begin with a phishing email, consider reassessing your priorities and what an incident can do to your company and reputation.
- Finally, if you have cyber insurance or are subject to any regulation regarding protecting sensitive information, review what safeguards you are expected to have implemented. Chances are, an ESP solution will be required to satisfy those requirements. Example regulations that call for at least one or more features of an ESP: HIPAA, FINRA, PCI DSS, IRS Publication 4557, and more.
What does PK Tech recommend?
You should work with a competent IT company that performs a basic IT security risk assessment on you. Seeing no third-party email security and protection solution is a red flag for most IT companies specializing in regulated industries.
If you would like a recommendation on email security solutions for your organization, get in touch with our highly qualified IT pros team.