It’s no secret that cloud-based email is becoming attractive to many organizations for a variety of reasons. It comes with significantly lower costs than on-premises email, and end-users tend to love it.
But, protecting cloud-based email from cybercriminals has its own unique set of challenges. While the style of cyberattack is largely the same—primarily phishing and business email compromise (BEC) campaigns that are designed to deliver ransomware, cryptomining and other types of malware—migrating to popular platforms such as Microsoft Office 365 and Gmail can have major security ramifications.
It’s extremely important for organizations to understand the cybersecurity-related pros and cons of both cloud-based and on-premises email before making the transition.
The Pros: Overall, on-premises email is easier to protect inside the firewall through established email gateway security vendors and solutions. On-premise security platforms can keep their data isolated to an internal network and firewalls can be used to control access to the data, which thereby reduces the chances of a malicious attack. Meanwhile, on-premises malware detection programs can be used to regularly scan the network to determine whether there may be any obvious intrusion attempts or suspicious traffic.
The Risks: On-premises systems use anti-spam and advanced threat detection solutions like a sandbox to analyze email content and attachments. However, cybercriminals are continually improving their software’s ability to avoid detection by these conventional methods.
Unfortunately, we’re no longer living in the days of recognizing a phishing email by its bad grammar or telltale poor design. Criminals are very good at spoofing legitimate companies’ appearance, content and domains, so it’s nearly impossible to detect phishing emails by simply looking at them. Criminals also have developed social engineering techniques that increase the likelihood of a user opening an email and clicking a link.
The Pros: Cloud based email comes with a number of major benefits. It is inherently easier and less expensive to deploy because there is no hardware and software to maintain. It’s accessible to employees from virtually anywhere in the world, adding a great deal of flexibility to a workforce. Plus, the platform vendor typically provides all necessary support and maintenance, decreasing the demand on your in-house IT department. With all of this in mind, it’s no surprise that cloud business email accounts are expected to account for 87 percent of all business email accounts by the end of 2022.
The Risks: At the end of the day, protecting cloud email is more challenging than on-premises email for a variety of reasons. For one, criminals only need to figure out one platform vulnerability and they can launch the same attack against every organization and employee that uses it. Plus, once attackers are able to compromise an email system, they can simply impersonate a legitimate user and send an email that appears to be internal.
Included anti-spam and anti-malware solutions do a good job of providing a first layer of protection, but they are really only focused on detecting the known bad stuff. Microsoft offers Advanced Threat Protection as an incremental fee-based service, but advanced and targeted attacks can still get through, necessitating an additional layer of protection. Unfortunately, platform providers such as Microsoft and Google are just not security companies.
What to know before deciding
When determining if this is the right time to make the move to the cloud, it’s important to know that it doesn’t take any additional security skills or expertise within an IT department compared to on-premises systems.
However, if an organization decides that the added flexibility and lower costs brought about by cloud-based email are worth the risk, there should be increased user training and organizational awareness, which can help mitigate the threats brought about by end users.
Above all else, an organization must be prepared to invest in new layers of security without relying on email platform providers or on outdated or ineffective tools. The native security controls provided by cloud email platforms will act as a solid first layer of defense, but an additional layer of protection against advanced malware, phishing, social engineering and BEC attacks could save an organization from potential reputational and financial disaster.