Industry Trends

Protecting Email is Essential to Your Security Strategy

By Bill McGee | May 02, 2016

FortiMail Awarded VBSpam+ Certification. Again.

Email is still the primary form of critical, formal business communication. It also continues to be the primary conduit for malware, phishing attacks, and data loss.

Here’s why: no matter how much they are trained, people make mistakes- especially when social engineering hits the mark.

Any effective email security strategy has to assume that folks will open email attachments, click on infected website links and ultimately have their system compromised.  It takes just one person, one time, in an unthinking moment for the damage to be done  According to Verizon’s most recent Data Breach Investigations Report “the median time to the first click on the attachment [of a phishin campaign] was 3 minutes, 45 seconds.”  A compromise happens in minutes.

But there are so many email security devices and solutions available, it’s hard to know what to choose. Here are five questions you should ask before choosing a new solution or renewing your service contract with your existing vendor.

1. Is it regularly tested and certified?

There are a number of independent third-party analysis and certification labs out there that provide annual, quarterly, or even monthly updates for security solutions like email gateways. Get them and read them.  Avoid commissioned tests paid for by a specific vendor based on their own methodlogy.

Fortinet’s Email Security Gateway, for example, was just awarded Virus Bulletin’s VBSpam+ certification, again.

But what does that mean? Here are a few things to consider when looking at reviews:

  • Look at test results over time.

One test may not mean much. Tests simply report a moment in time for any product. So it’s hard to know if you caught a product in the middle of a development cycle, or if they have a history of reliability and efficacy.

  • Fortinet’s Email Security Gateway has now been certified by the Virus Bulletin spam test 41 TIMES IN A ROW. That’s the definition of reliability
  • Ask why your vendor isn’t participating.

There are lots of answers, and none of them are comforting. Common vendor excuses include:

  • It’s too expensive. Really? If your vendor can’t afford to have their product independently tested and validated, what else can’t they afford? Can you really trust your business’ security to a company operating on a shoestring?
  • It requires taking engineers away from development. Same answer. Testing and validation needs to be part of any engineering strategy. This isn’t a reason. It’s an excuse.
  • We only do the big tests. Who gets to decide which tests are important? (Answer: you do.) If you are looking at reviews and you regularly notice that your vendor isn’t participating, you need to ask why. (Hint: it’s probably related to the first two excuses above.

Fortinet is committed to open testing, validation, and certification. And if you want results based on your organization’s unique requirements, just ask. We are always happy to participate in a head-to-head bake-off with any set of competitive solutions.

2. What is your email security solution’s catch rate, for standard and targeted attacks?

It really doesn’t matter what cool features an email security solution provides if its ability to detect spam and email is too low, if it allows sensitive data to be attached to communications, if malware slips past its sensors, or if it regularly labels good email as bad email.

In this most recent VBSpam test, Fortinet scored a 99.99% spam catch rate with 0.0% false positives, earning their highest certification. And this marks FortiMail’s FIFTH consecutive 99.9%+ final score.

As importantly, look at availability and effectiveness of integrated sandboxes. This is an important new technology that explores the attachments and URLs of even brand new emails to see what they do, just as if clicked on by the end user.  Even though it can take some time- minutes in some cases- it’s an important protection and a delay that most end users won’t even notice. 

3. Can it be integrated into your larger security strategy?

If you are looking at what tools you will need to secure your network over the next three to five years or more, this may be the most important question you can ask.

More users using more devices than ever are going to need to communicate with each other efficiently and securely regardless of where they are located or which email tools or services they want to use. And email is only one piece of your security challenge. Sophisticated threats use multiple attack vectors and coordinated strategies to penetrate and compromise organizations.

But it is not uncommon for organizations to have deployed security solutions from dozens of different vendors inside their distributed infrastructure. These siloed security devices use different management tools, different sources for threat intelligence, and have no ability to share critical information. This creates gaps in your security defenses.

Security Designed for the Evolving Digital Business

The FortiMail Secure Email gateway is designed to not only be highly effective on its own, but to also work as part of the highly integrated Fortinet Security Fabric. This architecture approach allows devices to share threat intelligence, management, and orchestration, and to intelligently collaborate to respond to threats located anywhere across the distributed network. And it is based on open standards for enhanced interoperability with existing and future security investments.

The best answer to complexity is simplicity. Which is exactly what the new Fortinet Security Fabric, including the FortiMail Secure Email Gateway, is designed to deliver.

Click here for more information on the FortiMail Secure Email Gateway solution. And to learn more about the new Fortinet Security Fabric, you can download Fortinet’s new white paper here.