Every month, we highlight a specific product or solution that we know our customers use and trust. We take an independent look at this offering, engaging with an industry-leading insider and getting their expert opinion on a solution they know inside and out. This month, we recruited Dan Davies, Babble’s Head of IT Security and Compliance, to give his thoughts on Mimecast User Awareness Training & Phishing Protection.
Dan Davies – IT Security and Compliance Manager, Babble
Dan’s career in cyber security began in 2011, at Cobweb Solutions, when he made the move from service desk support to Network Operations Centre (NOC) administration. While working at Cobweb, Dan was involved in building the first Vblock system in Europe. Dan went on to work for Ultracomms, where he was instrumental in helping the organisation achieve their PCI DSS level one certification, the highest standard for payment security in the world – the company retained this standard in 2016, and kept it until it was acquired by Babble.
Since 2021, Dan has been an integral part of Babble’s cyber security and compliance operations. He led the team that saw Babble achieve its ISO 27001 accreditation, a project that was completed in just 6 weeks.
Dan’s personal pet peeves when it comes to security and compliance include poor password management and reuse, and creating hard copies of company information. “I had a bit of a beef with Ultracomms’ financial director, who loved to keep hard copies,” Dan told us. “Nowadays, a hard copy is a bad copy!”
Outside of work, Dan likes to stay active and enjoy the outdoors – he is an avid Airsofter, a wild camper, and restores classic Land Rovers for fun (he is currently working on a 1990 110 Defender). Dan is an ongoing supporter of Naomi House and Jacksplace, a charity that provides palliative and end-of-life care for seriously ill children and young adults. He has held three 24-hour game streams on Twitch since 2020, which collectively raised £5095 for the charity – Dan has another stream planned for 2024.
Q: What is your role in relation to Mimecast? How long have you been using it? Why did we choose it? Were there any other providers we looked at?
A: As IT Security & Compliance Manager at Babble, my role is to review Babble’s user training procedures, and manage email security. This means I use Mimecast’s email security products a lot in my day-to-day work. As Babble is a Mimecast partner, and Mimecast’s experience in the email security sector is so extensive, choosing it as our email security solution was a no-brainer – our hands-on experience with the platform means we can help our customers get the most out of it themselves.
Q: Tell us about the Mimecast User Awareness Training and Phishing Protection platform.
A: The User Awareness Training platform is used to train our staff in all areas of cyber security that will impact them in their work and in day-to-day life. It helps ensure our staff understand their role in keeping the organisation safe and secure.
Q: Why is email security and user awareness important?
A: Cyber security touches everything in modern life. You don’t even have to be the target to be impacted by the fallout or directly impacted as collateral damage – for example, supply chain compromises can result in an attack on one company spreading to other companies by accident just because they are linked via the supply chain. The majority of breaches still originate from Business Email Compromise (BEC) attacks, so having that protection in place helps mitigate a lot of the threats.
Q: Is Mimecast easy to use?
A: The portal for the awareness training is very easy to use and the reports are good. You can click through the dashboards to drill down to the information you want with a lot of detail.
The email protection portal is highly detailed, and Mimecast have produced an excellent collection of well-written guides. The guides enable you to get a deep understanding of the platform very quickly.
Q: What do you like about the user interface? What do you enjoy most about using the interface? Are there any drawbacks?
A: The dashboards and User Interface for the User Awareness Training portal are easy to use. The information is clear, and the drill down feature is very handy for monitoring user training progress.
Q: How does Mimecast protect against phishing attacks?
A: The email security has standard checking against sender markers such as Domain-based Message Authentication, Reporting & Conformance (DMARC), DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF).
Emails are also scanned for dangerous links and attachments before they hit the mailbox. The UAT portal means we can train our staff on how to spot and mitigate phishing attacks among other things – this adds additional layers of protection against phishing.
Q: What layers of protection does Mimecast offer?
A: Mimecast has several different products that offer email protection in different ways – there’s Advanced Email Security, Data retention & Compliance, Awareness Training, DMARC Analyzer, and Collaboration Security (this is designed for collaboration solutions like Microsoft Teams). If all of these offerings are implemented together, organisations would have very well-rounded, layered protection.
Q: Can you share any examples of phishing attacks that Mimecast has thwarted?
A: Like all businesses nowadays, we’re getting hundreds of phishing emails on a daily basis – Mimecast does an excellent job of filtering these out.
Training and Education
Q: What training and educational resources does Mimecast offer?
A: Mimecast has an excellent array of educational resources that focus on User Security Awareness. The modules cover all the fundamentals – such as password and credentials harvesting, financial fraud, ransomware, multi-factor authentication, and many other topics. The Awareness Training portal also has targeted modules for various industry compliance frameworks – including NIST, PCI DSS, GDPR, HIPAA, and ISO.
Q: Are these resources effective in improving user awareness?
A: They are, and they allow us to track users’ engagement and progress through modules as well as see where they’re doing well and where they may need further support.
Q: Can you share any positive feedback from users? What are your thoughts on the effectiveness of these resources?
A: Users agree that it successfully conveys a lot of important information, and the light-hearted format makes the prospect of security training less daunting. I think that the storytelling aspect makes it a lot more engaging than if they were dry informational videos.
Reporting and Analytics
Q: What reporting and analytics features does Mimecast offer?
A: There is the Mimecast reporting module – which gives you a bird’s eye view of the email environment. From this dashboard, you can produce reports on the performance of your email security. The Mimecast Compliance and Supervision function also provides analytics and reporting which are useful for compliance audits.
Q: What data can you gather from the platform?
A: From a training perspective, you can see engagement and missed modules and where staff are doing well and not so well. This means we can help staff fill the gaps in their security knowledge. For email security, you can see how many messages are being received and how many are being blocked.
Q: How can I use this data to improve my security posture? How is this data useful?
A: The data is important in helping us drive user engagement. We can target users that need additional training, and we know exactly which users are not engaging with the training altogether – and therefore we know who to nudge. The data we get from the email security reporting helps us with future security planning.
Integration and Compatibility
Q: Is Mimecast compatible with other security solutions, including Microsoft? Which is your favourite to use and why?
A: The spam filter is compatible with most scenarios, meaning it works well with Microsoft, and complements Microsoft’s integrated email security in Outlook and Exchange. The Mimecast solution for Collaboration Protection also works very well with Microsoft Teams. The training platform is stand-alone, but the modules cover a lot of important knowledge that users can apply to their work in Microsoft.
Q: Does Mimecast integrate with popular email platforms and applications?
A: So far, we have never found an email platform that Mimecast has not worked with. The Collaboration Protection product also seems to work well with a lot of the popular collaboration platforms.
Q: How does this flexibility enhance Mimecast’s effectiveness?
A: Its compatibility with all these platforms means that most – if not all – organisations will be able to integrate Mimecast into their infrastructure. While a lot of organisations nowadays opt for ecosystems like Microsoft, companies who have picked and mixed their infrastructure out of different systems and platforms will still find that Mimecast fits into their stack well.
Q: Does Mimecast comply with UK security frameworks?
A: ISO 27001, and the training module’s dashboard is a useful way to demonstrate our training to an auditor. Mimecast also complies with major frameworks like NIST and HIPAA, which is useful for UK organisations who do business in the U.S.
Q: How does Mimecast help organisations comply with ISO 27001, CE, and CE+?
A: Mimecast is very effective for demonstrating our company’s security awareness for ISO 27001 and CE+ accreditation. Employee training is an important phase in getting ISO 27001 accredited, and Mimecast fulfils that aspect well.
Q: What tools and features does Mimecast offer to help organisations demonstrate compliance?
A: The dashboards are useful to demonstrate to an auditor; they show the level of training that our staff have attained and give auditors a good understanding of their level of security awareness.
Q: How cost-effective is Mimecast compared to other solutions?
A: Compared with similar products on the market, we have found that Mimecast is priced similarly. Considering the ease of deployment and the level of protection it offers, I would say Mimecast is very cost-effective.
Q: What is your overall assessment of Mimecast’s value for money?
A: Factoring in ease of deployment, compatibility with popular business platforms, and the features and capabilities of the platform, I would consider Mimecast to be good value for money for both SMBs and enterprises.
Q: What is the support like?
A: In all the time we have been using the system, I have only had to talk to support twice. In both instances the support team got back to me and resolved the issue within an hour.
Pros and Cons
Q: What are the pros and cons of using Mimecast for email security and user awareness training?
A: The pros are the training system is good and gives you great visibility of how users are doing. The email system is compatible with all the popular email and collaboration platforms and has some great information resources. One area for improvement I would like to see would be a refresh of the UI for the email security portal.
Q: What are some of the things you really don’t like about Mimecast?
A: I remember an instance of one of the training modules giving what I would consider to be outdated advice – the advice was to print copies of emails for secure sharing. Nowadays, it is far easier to track information digitally whilst keeping it protected. With how quickly security technology evolves, best practices change over time – it is important that the user training solution we use adapts to those changes.
Q: What types of organisations would you recommend Mimecast to?
A: Organisations that need an easy-to-use UAT system and a robust email scanning and monitoring system; organisations that use Microsoft 365; organisations that use a popular email or collaboration platform, like Gmail or Slack respectively.
Q: Who would you recommend Mimecast to?
A: Most businesses. Mimecast can be easily scaled for use in SMBs and large enterprises.
Q: Who is it NOT for?
A: Micro-businesses. The user awareness training is useful to all, but very small businesses may find that the built-in security features of products like Outlook and Teams may suit them until their operations scale out.
Q: Could we function as a business without Mimecast?
A: We would function for as long as it takes for a major cyber security breach to hit us – in this day and age that is a question of when, not if!
Q: Do you have any final words of wisdom, as a business admin user?
A: It’s a great system which is why it has been regarded as an industry leader for such a long time. It does have a few rough edges – i.e. the user interface and certain pieces of advice – but its developments in AI-powered security and cloud gateways show that it is still an important security leader.
Q: Out of 5, can you give it a star rating?
A: 4 out of 5