Email Security’s Hidden Complexity: Are Termites Eating Your House?

Tom Mairs, May 21, 2018

My wife and I have moved more than 20 times during our marriage. Some of those were to rental units and some of them involved ownership. In all cases, the common theme was that transition is hard. It is doable, but it is hard. What we have found is that transition always comes with lessons and if you are willing to learn from them, then any transition can be good. The accumulated knowledge from those events has helped us understand how to predict market changes, evaluate new properties for unseen defects, and most importantly, weigh the pros and cons of leaping into a move.

We are now on renovation project number nine and have become proficient in many things, and we also know when to ask a professional for help. We have replaced carpet with hardwood, stripped and replaced tile, installed cabinets and replaced plumbing. Not many things scare us off, with the exception of dry rot, termites, and asbestos. I hate that stuff. Nothing is worse than pulling off the 1970s-era wallboard with a plan to quickly put up new sheetrock, only to find the wood frame of a supporting wall eaten through by dry rot or termites. That means a whole new ballgame: a larger and more expensive project and a great deal of unplanned expense.

Making the Connection

I see daily parallels working with companies that integrate email into their mission-critical processes. A large part of my job is running discovery calls with companies to find out how their systems are working, what processes they use, and how we may be able to help improve their situation. Sometimes they are in great shape and have thought of all the issues and fixed them. We have many conversations that end with “great job, let us know if we can help in the future”. It is the real estate equivalent of looking for a reno project and finding out someone has done all the work already. Nice house, but there is nothing for us to do here.

More often than not, though, we tap on the walls, pull back some tiles and find ugliness that just can’t be ignored. There may be a fresh coat of paint on your application, but are there security holes in the underlying code? You’ve used all the latest API connection tools so your business looks modern, but is the data passing over unencrypted channels? Have you replaced all the windows in your house with an inferior product that looks better but lets in the cold?

Metaphors aside, any company working with customer data or providing any service online needs to pay close attention to security and get their “house” in order. If you contract your email delivery or web hosting to a third party, did you verify that they are SOC2 compliant in ALL business areas? It is not enough to claim SAS70/SOC2/ISO-27001/<insert-security-standard> compliance for only the cloud services or production part of the business when much of the personal data actually lives in the corporate environment. It is also not enough to “hand-wave” over that argument, claiming that your data is “safe” because your hosting company has been in business a long time. New threats appear daily and the threat landscape is constantly changing. If your hosting provider or ESP does not have a dedicated security team, you need to start asking some critical questions.

The definition of “personal data” can differ depending on where you are on the planet, but regardless of your location, your customers’ data security is _your_ responsibility, not that of your hosting provider or ESP. If you have not asked these questions of your hosting provider or ESP, you should plan to do that as soon as possible. Our team would be happy to help you on that path.

  • Are you SOC2 and/or ISO-27001 compliant in ALL business areas?
  • Have you done a recent penetration test?
  • Did you allow the penetration test to be run INSIDE the network as well?
  • Do you recommend or insist on HTTPS/TLS communications for all data in transit?
  • Do you encrypt all data at rest?
  • Do you have a dedicated security team who report directly to the CISO?
  • Is the production environment segregated from the corporate environment with a VPN and MFA?
  • Will you subject your company to an InfoSec review?

This is the technology equivalent of testing for dry rot or listening for termites. If the answer to ANY of the above is “no”, then you need to worry about what else they have not planned for. While things may look great on the surface, pulling up the floorboards may reveal hidden issues. Are there cracks in the foundation? Are termites eating your house?

When you do find out that your house is structurally compromised, you need to decide if you can fix it or if it is cheaper and safer to just move. In the case of an ESP or web host, you may not have access to fix their issues, or have the time to wait for them to do it. Transition is hard, but sometimes it is the necessary thing to do. SparkPost is a shiny new bungalow with a solid foundation and no termites; let us show you around.

—Tom
