Email is a prime method of communication for organisations and is therefore a key area of focus for cybersecurity teams. Erik Hart, Chief Information Security Officer at Cushman & Wakefield, explains how the company relies on Mimecast’s solution to protect its email systems and for information security innovation.
Cushman & Wakefield, a global commercial real estate services firm with approximately 50,000 employees in over 400 offices and 60 countries, required a solution that would prevent malicious emails from being delivered, remain scalable and fit the company’s ‘cloud-first’ vision.
“We don’t want the burden of managing servers,” said Erik Hart, Chief Information Security Officer at Cushman & Wakefield. “If you grow or shrink – you’re stuck with that same infrastructure, which may not always be what you need.”
With email being the global commercial real estate company’s primary form of communication, it must be protected at all costs. “Email presents the largest risk for threats like phishing, and with more people working remotely than ever before, it’s even more critical to protect our email communications,” said Hart. “That’s why we turned to Mimecast.”
Hart’s information security team required a solution that would go a step further than just monitoring email. “We needed a way to make sure good emails get delivered and bad emails don’t hit an employee’s inbox,” said Chan Amarasingha, Cushman & Wakefield’s Platform Architect for Messaging.
On-demand support is critical. “Our global platform is often changing through mergers and acquisitions. We need partners that can scale with us and stay flexible – that are just a phone call away whenever we have to add users to the system,” said Hart.
Once Cushman & Wakefield’s information security team members looked into Mimecast, they knew they had a match for their cloud-first vision. “Mimecast just fits right in. You really manage it more towards IT applications and service offerings, not the hardware behind it,” said Hart.
The Cushman & Wakefield team uses a combination of Mimecast products to meet its information security needs, including an application programming interface (API) to assist in onboarding and offboarding employees, and Internal Email Protect (IEP). “Mimecast IEP provides a quick way to identify a suspicious email and delete it,” said Amarasingha. “And if an email turns out to be a false positive, we can quickly restore the deleted message.”
Years into their partnership, Cushman & Wakefield continues to rely on Mimecast for information security innovation. “We’re now using DMARC Analyzer to see who is receiving emails from our brand and can use that information to identify partners or threats,” said Amarasingha. “DMARC recently helped us diagnose a marketing tool issue with email delivery problems that could have prevented converting prospects into clients.”
We spoke to Erik Hart to gain further insight into how the end-user utilised Mimecast’s solution to enhance business operations.
Can you tell us more about your role at Cushman & Wakefield and about your responsibilities as CISO?
I am Global CISO for Cushman and Wakefield. So, all of our cybersecurity as well as our IT controls initiatives are my responsibility.
What trends have you seen in the email security space over the last year or so and how has this impacted your operations?
There are a couple of trends we’re seeing in the email security space: number one is an increase in various phishing techniques – one aspect is trying to get people to either download or click on something, get access to their computer and thus move throughout the organisation. I think the bigger trend we’re seeing is a lot of these email fraud problems that are going on where it’s a domain that may look similar and not necessarily trying to get somebody to download or install something but take operational action to do something. We’ve seen this with a number of clients where their email systems have been compromised and different payment information on invoicing has changed. And they are the two trends we’re seeing there: how do you protect against those impersonation-type attacks, and then how do you protect from those ‘bad clicks’ at the end of the day.
And the other trend we’re also starting to see is how do you integrate your email system so it can start talking to more of your other security systems.
As a leading global commercial real estate company, how do you manage your operations to ensure you offer your worldwide customers a secure service?
There are certain services within our organisation that are very much global standard and email is one of those where everybody goes through the same systems no matter what business line they’re in. As we’ve done mergers and acquisitions, one of the first things we do is restart rerouting their email through our system through Mimecast to look at trends and what’s going on. And that’s really been how we’ve secured our email is by having that one corporate standard for all those emails reaching our employees. I think that’s important because this is one of those things that really does require a global standard considering the tens of thousands of people using email every day.
Why did you decide to work with Mimecast on this occasion?
Mimecast was actually chosen before I started here, but one of the reasons for it being chosen was down to the Software-as-a-Service cloud support that it has. Cushman & Wakefield came together from a conglomeration of a couple of other commercial real estate firms so it needed a platform that could grow as the business grew with the various mergers and acquisitions and not have to have lots of system changes etc.
I think another reason when considering some of the benefits we’ve received from Mimecast is also in how its customer support has worked and truly been an extension of our staff in supporting coming up with different solutions when needed. Really working with us to come up with solutions and help configure the Mimecast system to support our business needs has been a massive benefit. I see this as a huge differentiating factor in comparison to some of the other players in the space where their customer service can be quite lacking.
What specific benefits have you seen since working with Mimecast and how far would you recommend its solution(s)?
Some of the specific benefits we’ve seen include the fact that the customer support model is so capable in helping us. We’ve not had to add additional staff and other factors in some of our messaging platform areas because of the support Mimecast offers.
I think another great benefit is, again, just being able to scale as we scale and not even having to think about it. We don’t even need to question whether we have enough capacity when carrying out mergers and acquisitions.
What advice would you offer to other CISOs looking to protect their email systems?
Firstly, I think it’s important that they think about what interactions they want their employees to have. For some organisations, they want things to be happening in the background that they don’t really have to think about. For other organisations, they want it to be a much more integrated interaction. I would ask a CISO about their organisation’s culture of how email is used and how much they want to have their employees interacting with it.
I think it’s important to consider how much visibility you want to allow your employees and users to have and how much they will use it – if you do a bunch of things and they don’t use it, it’s really not adding value to the organisation.
What’s on the horizon for Cushman & Wakefield over the next 12 months and how has Mimecast accelerated your business capabilities?
As we’ve continued to grow, Mimecast has been able to grow with us without missing a step. For us, the focus will be on seeing how Mimecast is going to build in some other areas. I think that’s important because we see, again, the trend of how people are using email starting to change; from it being just an email that comes in to getting one for the first time from a new contact.
I think another big thing on the horizon with Mimecast is not only what it can do, but also what other solutions or services it may continue to partner with in the security ecosystem and what other things it can integrate with in order to have an organisation that has a more holistic ecosystem where various security platforms are sharing information.