At Archive360, we know a lot about de-commissioning legacy email archives. Every day we speak with potential customers about moving legacy email archive data to Microsoft Office 365 or a new email archive. The underlying question on each customer’s mind is, “should I migrate the archive data now or can I want until some future time?” At the end of the day it is the responsibility of each customer to make this decision. In this blog I will address the potential security risk of maintaining a legacy email archive.
This week I spoke with my good friend Martin Tuip, who happens to be an expert in all matters related to email and archiving (ex-Microsoft MVP) about the issue of email security with respect to legacy email archives. Here is what Martin had to say:
“Consider for moment the amount of sensitive company information that is contained in an email archive. The archive contains email and attachments for all employees, usually spanning a time period of ten years (or more). Email containing sensitive sales information, finance information, and all forms of intellectual property are contained in the archive. Next consider that the archive has been in operation for many years, has managed access for thousands of employees, many of whom have departed, and is coded with ten-year-old technology that is vulnerable to today’s security attacks. Now you get a picture of the risk to your company should the email archive be hacked.”
Fact or Fiction?
Before jumping to an obvious (I think) conclusion, I did some quick research about email security and the risk created by legacy applications like email archiving. Hackers, I learned, have favored email for the ease at which they can gain access to someone’s account as well as the rich (and valuable) content it holds. The most popular method is “phishing”. With phishing, the hacker sends a fake email to an unsuspecting person asking for their account credentials. As simple as it sounds, phishing is successful 22% of the time.
Earlier this year Yahoo announced that the account information of at least 500 million users was stolen by hackers two years ago in the biggest known intrusion of one company’s computer network security. Yahoo Mail is one of the oldest free email services, and many users have built their digital identities around it from their bank accounts to photo albums and even medical information.
In reality, legacy email archives create a risk due to the old technology they were built on. Many of the leading email archives were designed over fifteen years ago. Generally speaking, archiving technology based from the late 1990’s is woefully lacking in the security present in today’s technology. In fairness, applications are regularly upgraded and improved; but this assumes the customer has been diligent with vendor offered upgrades and patches.
Here in lies the risk. Hackers understand that aging applications running old code are more vulnerable to attacks as compared to current applications. The HP 2015 Cyber Risk Report states that 44 percent of known breaches in 2014 came from technology vulnerabilities that were between two and four years old. Attackers continue to leverage well known techniques to successfully compromise systems and networks. Many vulnerabilities exploited in 2014 took advantage of code written many years ago, some systems still in use decades old. Hackers continue to leverage these classic avenues for attack. Exploitation of widely deployed client-side and server-side applications are still commonplace.
Time to Migrate
If you are still running a legacy email archive, you should carefully consider the security risks and consider replacing that legacy email archive or move the archive contents to another archiving platform such as Microsoft Office 365. There are many factors to consider when such a move is contemplated, such as budget and staffing, regulatory requirements, and legal risk but taking all factors into account, we recommend that you make the move “sooner rather than later”.
When you are ready to de-commission your legacy email archive, Archive360 is ready to assist. Since 2012, we have successfully migrated over 600 customers out of aging legacy email archives. It is no coincidence that we are referred to as the “archive migration experts”. A title we carry with pride.
 HP Security Research | Cyber Risk Report 2015