Cisco Systems, Inc. (CSCO) Earnings Call Transcript & Summary

Hello, everyone. Welcome to the E-mail Security in 2023 webinar. I'm Lisa Plant, your WebEx producer today. In a moment, I'll turn the session over to Corien Vermaak. But first, I have a few housekeeping notes to cover. Please note, you have been automatically muted. Feel free to ask your questions in the Q&A panel throughout the session. To enable close captions, please click on the Close Caption icon, next to the Meeting Assistant in the lower left corner of your WebEx screen. Click on the downward arrow and choose your language. At the end of this session, a survey will automatically pop up in your browser. Please click continue to complete the survey. We really appreciate your feedback. With that, let's get started. Corien, the floor is all yours.

Thank you very much, Lisa, and welcome, everybody. We have run -- and if this is not your first speaker series webinar that you're joining, we've run a series of these, and they are always quite robust conversations. Now with me on the virtual stage today, I have Adam Rice. Adam have been a CISO for a very long time in very large organizations and multinationals. And I'll allow Adam to introduce himself just now. But I also have with me today, 1 of our 2 specialists in e-mail security in Bradley Anstis. Now Bradley, Adam, welcome to this afternoon's webinar.

Good to be here.

I think it's a great opportunity to give you the stage and just ask you to introduce yourself because a lot of your background gives this afternoon some gravitas. So Adam, I'm going to start with you and ask that you introduce yourself, please.

Yes. My name is Adam Rice. I am a CISO Adviser here at Cisco. I've only been here for 7 months, retired. And before then, I was the Chief Information Security Officer at companies like Rio Tinto, Hilton Worldwide, Data Communications and a few others. About 30 years in IT technology and about 16 of those as a cybersecurity executive. And I'm glad to be here. It's a good topic, very relevant.

Thank you very much, Adam. Bradley, do you want to introduce yourself?

Sure. Thanks, Corien. So I'm a true product guy. Certainly, I'm a security specialist at Cisco looking after the e-mail security business across Asia Pacific. That's what I'm doing currently. Been at Cisco for about 4 years, but actually, the majority of my career has actually been in product management and engineering, running security research teams, et cetera, specializing in e-mail and web security. I've been lucky enough to work all over the world. I've certainly worked as a customer. I've worked as an e-mail administrator day to day. But certainly, a lot of my career has actually been in [ vendor land ]. So certainly, over 20 years working in -- with e-mail security with customers all over the world, last 8 years back in Asia Pacific, which I love, but looking forward to our chat today.

Thank you very much, Bradley, and Adam, and welcome to this afternoon's conversation. Now I think hand in hand with the password, e-mail security is probably one of the oldest controls that security executives have focused on. We realized very early that this new explosion of communication being e-mail is a tremendous threat vector for perpetrators. Now as we enter the last few weeks of 2023, I have read most of the industry reports that came to light over the last 12 months. And almost all of them still indicate that business e-mail compromise and e-mail threats are on the increase.

But I want to ask both Adam and Bradley to give me a bit of a view of what are the challenges within e-mail security, speaking in this current day and age. As the technology develops and we rely on e-mail more and more, what are the current challenges that you are seeing in 2023 when it comes to e-mail, e-mail defense and threat defense?

Well, I can start. I remember back in the day when everybody hosted Exchange on their network, and then -- which had very little built-in security, so spam and spear phishing and BEC and malware drive-by links would come pouring into the organization. And these were dark days because everybody was scratching their head and trying to figure out how to stop it. And then you moved on to buying e-mail hygiene appliances that you would rack up on your networks, like the FireEye products, and there were others like Proofpoint and so on. And they would delay your mail. They were heavy-compute given what was going on back then. And the results, I always thought, were kind of mixed. And then I think when Microsoft and others have just moved all the mail into the cloud, most organizations just [ rubbed ] their hands and handed the security problem to the vendor, primarily Microsoft with the E5 license, where you just buy e-mail hygiene. But recent events have shown that Microsoft is less than transparent and there have been some big problems have come out of their e-mail security solutions, where they're losing digital certificates and losing entire enterprise mail tenants like the U.S. Department of Defense. So I think that CISOs need to understand that the battle is not won. E-mail and -- is a vector and a major source of cyber risk for all organizations, if it's not handled aggressively. I would rest your laurels on any better product necessarily. I think that it's something that is going to continue to be a big deal and certainly remains a primary source of malware delivery [indiscernible] to someone's network, in my mind.

Thank you, Adam. I think it goes without saying that we can't really single out a single vendor in this new modern age. A lot of our organizations are adopting some form of cloud-delivered e-mail. We have seen, over a number of months, large organization adopting Gmail as a business platform. So the big movement in the industry is really the migration for mail -- from mail as an on-prem solution to a cloud solution. And what I hear you saying is there's a plethora of challenges that comes with that. Bradley, this is ever evolving. What is your view as you deal with customers in the thick of things, trying to defend against all of these e-mail threats?

Yes. So for me, really the biggest issue, I think, at the moment is the evolving threat landscape and customers' confusion about how to stay ahead of that. Certainly, we've seen some -- as Adam was referring to, we've seen some pretty interesting sorts of occurrences happening in those cloud productivity suites. And certainly, we have seen the Verizon Gmail quite significantly recently, which is pretty interesting, certainly starting to tap on Microsoft's door. But the dominance of those -- the adoption of those platforms, that drove a change in architecture, right? So people moving from on-premise e-mail security, as Adam was talking about, into the cloud but then also moving towards newer architectures for e-mail security as well. So potentially things like integrated cloud e-mail security or ICS, as Gartner calls it, as opposed to the kind of older SMTP gateway-based solutions. But whatever architecture you choose that is best for you, it's the evolving threat landscape that's really the biggest issue here. And that's where e-mail and the threats we're dealing with are being sent in lower numbers, but a lot more targeted towards organization. And this is very different towards what we've been dealing with in the past. So we used to have volumetric attacks like spam and campaigns and all that sort of stuff. And the engines we built to protect customers against that very much relied on how many examples of this e-mail have we seen globally in our customer base. And that's how we can work out if it's a volumetric type of attack or not. Those sorts of technologies and controls have to evolve with business e-mail compromise. Business e-mail compromise, commercially the most damaging issue we're dealing with at the moment. It's been around for a while. They sent very low numbers, no attachment -- typically, no attachment, no embedded URL, very difficult to detect, especially with today's generative AI capabilities that I'm sure Adam will love to get into. They're better formatted, using better language than ever before. But certainly, that's causing us to evolve as well. But that would be one side. Technically, the most concerning thing we're dealing with is account takeover. This is where -- caused by like a credential phishing campaign where the attacker is now getting control of your users' cloud [ product to the ] account. So they've got access to your users' inboxes. And that's where they're now starting to send their malicious campaigns or malware attacks or whatever it might be is now an internal e-mail. And of course, historically, your e-mail security gateway being SMTP gateways run as an Internet gateway. It's getting incoming and outgoing e-mails. They're not scanning internal mailbox -- the mailbox e-mail. And even Gmail and even Microsoft have very little controls, scanning internal e-mail, a lot less than what they do on inbound email, for example. So that's causing organizations to sort of start rethinking what they're doing around e-mail security and the types of controls, et cetera, they're trying to bring to this very important function. And then finally, the other piece that I would see that customers are struggling with is integrating e-mail security into the wider security infrastructure. And I'm sure this is something -- another thing that Adam can really add a lot more flavor to than I can. But certainly, the inclusion of e-mail security into your wider incident detection type platforms, whether it's XDR types of technologies or whatever you might be using, is really becoming critically important. E-mail can no longer run as its own separate island. We have to integrate in with the rest of your security infrastructure. And it's great to see vendors evolving and innovating in this area.

Bradley, it's quite clear that we've moved a long way when we understand some of these challenges. But do you mind spending a bit of time on how do you see organizations respond to these challenges? How are people doing things differently today and in 2023 than what they have been doing in e-mail threat defense and e-mail security over the last few years?

So I think previously, in the last 2 years, I think from my viewpoint, e-mails kind of got cool again, which is obviously a negative because customers are starting to pay attention to it a lot more. So previously to that, they were off worrying about web security and securing Internet gateways and multifactor authentication and a plethora of other security projects that they were grappling with. But certainly, the threat landscape is driving that focus back not only for e-mail. But certainly a lot of customers have been blindly just renewing what they've done for the previous 5 or 6 or 8 years or whatever. And they just kept on doing it. Now they're starting to say, hang on a second, this is not working. Maybe they've migrated into Microsoft 365, as Adam was talking about, maybe trying to use the built-in controls. Maybe now they're starting to discover that they're not quite as -- providing as good a coverage as required. And unfortunately, the places where they are a little bit deficient where the more dangerous e-mail attacks are actually coming from. So organizations are rethinking architecture. They're rethinking what they're doing in terms of e-mail security. And I think it's a great opportunity to be thinking about what you need to be doing in the future, not just what you're doing today. So for example, account takeover. One, obviously, solution for account takeover is rolling out Duo multifactor authentication, which is great. You're not solving the original problem, but -- and you don't have a human behind every single mailbox. So it's not a complete solution. But organizations need to start thinking about how important is it for us to be scanning internal mailbox and mailbox e-mail. If it's important, then when should we be sort of bringing that on? Because that absolutely will drive a change of architecture for you or additional architectures depending on exactly what you need going forward. So it's really the visiting of what they're doing around e-mail security. It's taking the time to think about what's important to them and then what sort of solutions they're going to be able to use to do that.

That's very insightful. Now I want to pivot to Adam a little bit and leverage some of your industry experience. Adam, as an ex-CISO for a large multinational hospitality company like Hilton, why is e-mail security specifically so important to organizations? And what is your belief when it comes to overall incident detection and response in relation to e-mail?

So that's a good question because, obviously, everybody knows that if you don't really pay attention to e-mail hygiene, the malicious messaging is going to drop the malware, it's going to start a cascade of problems that are going to create some real problems for you. But also, what we like to do is also use e-mail and e-mail campaigns against us as a super important source of threat intelligence against the organization, right? Even when we worked -- when I worked in the U.S. defense industrial base, we leveraged e-mail campaigns, spear phishing campaigns or attempts against our network as a primary source of early indicators of campaigns -- malicious campaigns being directed against us by either criminals or APT actors. And we would do this by investigating and looking at all of the spear phishing e-mails that were sent our way. If there was malware attached to one of the e-mails, that actually made us very happy because we would safely pull that e-mail out and unpack it in a controlled setting. And out of that, we would drive the C2 locations, kind of all of those little bits and pieces of what the malware was trying to do. And more importantly, we could attribute the malware to a specific actor. And then once you do that and you know who that actor is, then you pull the broader set of indicators compromised from that actor, and then you're informed on how the entire campaign would be run against you. This is both criminal, who have really stepped up their game to kind of follow the advanced threat playbook, all the way to the APT nation state espionage actors through e-mail. And if you can achieve an attribution to a specific actor, then you have their MO on how they play the entire campaign against you, which means that you can look back in time and see how they primarily do try to get at you all the way forward in time to see how they try to steal your data. So you can go proactively put trips, alarms into all of that in front of you. E-mail, when people are coming at you on e-mail, it also kind of informs you of who the bad guys are that want your stuff specifically. It's a busload to protect against everything. And so e-mail was really a big source of that, right now, threat intelligence because back in the day, even now, usually, when an organization deliberately starts a campaign against you, either for BEC or network compromise, they're going to lead with malicious messaging. It's usually how it comes at you. So e-mail security, important, yes, but also a great way to put your ear to the ground to see who's looking at your organization to try to steal stuff.

Now I want to ask you, if you're in a position to share, but what kind of architecture from a security perspective did you focus on when you were in that role?

So we -- I would always look at it from solving the problem, right? So the problem is malicious messaging or -- and business compromise is kind of different because, to Bradley's point, there is usually no hook you can grab. The technology solution for business e-mail compromise is difficult. You get -- it's primarily around awareness training and just very strict rules on who hits enter when you ship money to, I don't know, that bank in Hong Kong or wherever they go. So with that -- not business e-mail compromise, but when it comes to malicious messaging, which is your attachments and your drive-by links, we would very carefully look at the efficacy and the solution that we have. And even as we move to cloud-based Exchange, like the whole world did a few years ago, even when we turned on all the dials to 10 and configured the solution to absolutely quarantine any suspicious e-mail, not even deliver to users' mailbox, that's number one, is turn all the dials to 11, right? Even if some e-mails don't make it and people cry, I didn't get my e-mail, that problem is a lot smaller than the problem of the malware being delivered. But we've got the efficacy of some of these online systems was just not where we wanted it. So what we did was we deployed an e-mail relay that would then send the mail through an additional 2 or 3 solutions. We don't put all our eggs in one basket, especially in the defense business, where the bad guys also would use Exchange online as the source of e-mail attempts against your organization, leveraging the fact that, that internal hygiene between Exchange tenants is nowhere near as good as stuff leaving and coming out of the broader mothership. So the bad guys use Exchange as a source of attacks against us. And once they started doing that, the efficacy of the control [ is all the ] way down. So we put on-prem solutions as well. Otherwise, we noticed stuff was slipping through. And one other thing, if you count on your employees not to click on that link or not download that malware and go through like 10 or 11 deliberate steps to install it, someone's going to do it, right? Doesn't matter how much training you give. In the end, the bad guys just have to get it right once, and we have to get it right all the time.

Thank you very much. Adam, now just a last thought on that. A lot of security leadership that we deal with on a day-to-day basis is pivoting away from a single-vendor architecture. What is your take on that from a strategic intent to move away from that one vendor from a reliance point of view when you protect an e-mail security portfolio?

So again, it's looking at the problem you're trying to solve. I don't think it's a single vendor. The fact it is a single vendor is necessarily the problem. I just don't think that a single-vendor solution is going to cover all the bases and control the risk at the level that I was comfortable with. And so the move to a multi-vendor solution was primarily driven just through the efficacy of a single-vendor solution. A lot of people hit that easy button. As soon as Azure and Exchange 365 happened, everyone just hit that easy button and just parked their e-mail in the cloud, gave the job to Microsoft and said, "Well, now we don't have to deal with that." But of course, you're responsible for the results regardless of who your vendor is. And so really see if the single-vendor or multi-vendor solution is solving that risk in a way that you're comfortable with. We found that it didn't really solve it at the level we wanted. So in spite of the complexity and the additional costs, we felt that we had to go with the multi-vendor solution.

Now Bradley, I want to ask you to respond a little bit to what Adam just shared with us. How are -- what is the market in the industry responding with when you listen to these customer challenges? How are we looking at this product solution differently in this modern day?

Yes. So really 2 ways. And the first way, we've actually already talked about in terms of architecture. So Adam talked about those cloud productivity suites like Microsoft 365 or GSuite that you have mentioned, perhaps not relying on them so much for e-mail security or needing to supplement what they do. And that's certainly where these new ICS or integrated cloud e-mail security-type solutions have come from is to supplement those -- the core security controls inside those sorts of platforms. And then in the other area that a lot of innovation companies like Cisco was working on is all around the detectors. So we talked about the move from volumetric threats that we're dealing with to more targeted, a lot more sort of lower number, more highly targeted type attacks. Unfortunately, all the old stuff is still there. So we can't turn off wholly our volumetric stuff. We've just got to put more detection engines in there. But really it's the detection technology that we're using. And I think the types of technology we're starting to now adopt, the attack is absolutely using generative AI-type technologies to optimize what they do. And we're absolutely starting to use predictive AI-type technologies to counter that. Coupled with that, natural language analysis is also playing a very important part. So Adam talked about how business e-mail compromise is very difficult to detect, and he's absolutely right. And the old way of sort of trying to detect that is looking for any signs of that senior executive being spoofed, so the e-mail trying to make it look like it's coming from the CEO or the CFO or whoever it might be. That's really one of the only ways we have in the historic security engines of detecting business e-mail compromise. Now with these newer detection engines that we have like using natural language analysis, for example, we're able to look at the body of the message and see if there's a sense of urgency. We can see if -- which all business e-mail compromise has. Business e-mail compromise could be fake invoices, or it could be payroll scans, or it could be gift card scams being sent to executive assistants, et cetera. We can look for all that sort of information. We can also integrate them with the corporate directory, find out where the e-mail is going to. So suddenly, if we're sort of looking at e-mail message, we can see a sense of urgency, they're talking about payroll changes and it's been sent to our payroll administrators, I have a pretty good indication that that's business e-mail compromise. And we're just using these newer sort of technologies to detect the latest threat is really important these days. Some organizations need this a lot sooner than others. That's kind of the really interesting thing we're seeing in the marketplace. The majority of the customers probably can't -- aren't quite at the point of needing some of these newer technologies. We absolutely have customers that do. But certainly, Cisco has been doing a lot of work, for example, in this space to make sure we're innovating in these areas and also doing acquisitions. I mean, recently, we acquired a company called Armorblox. While Cisco has been working with AI and larger language models and all that sort of stuff for the last 18 month or so and making really good progress, Armorblox have been doing it for 6 years. They're one of the first ICS-type products in the marketplace. So that acquisition is going to further help us accelerate the work that we're doing in this critically important area. So to my point, it's really important, these newer detecting technologies. The other byproduct which is really important, which also speaks to another one of Adam's points, is I can also provide you so much more detail about the e-mail incidents. So I can -- for example, I can tell you if it's a payroll BEC. I can tell you if it's credential phishing campaign being sent to your end users, look out account takeover-type issues. I can recognize all that information, supply all that extra detail into your incident detection technologies to help make them a lot more efficient as well. And then also bidirectional, coming back in, I also need to play my part being the e-mail security solution in the actual response in the remediation side of this as well. So those powerful and extensive APIs, bidirectional APIs is really important. And I think customers are really starting to understand the value of that.

Bradley, it certainly seems like for the bulk of the work, we're trying to keep the good stuff in and the bad stuff out. But barring all of those and these magnificent strides that's being made in the industry towards e-mail security, what are some of the other considerations that our listeners need to be aware of when it comes to e-mail security in this modern day?

Well, Adam set me up for this one as well. Happy clickers, security awareness, are your -- and he's already said that you can't detect 100% everything. I completely agree. No matter how much of my stuff that you buy, I can't give you 100% block guarantee of e-mail threats coming into your organization. Anyone that does, you should seriously be concerned. Today, it's all about making sure you've got the right investment. Obviously, technology controls, stopping the stuff getting to the users' inboxes. That's absolutely ideal. Stopping as much as we possibly can getting to those user inboxes is absolutely best practice. But then also you need that second layer. Your end users need to be able to recognize, hey, is this -- they don't need to have an absolute knowledge, but -- or I'm suspicious about this. Is this business e-mail compromise? Is this is what Bradley was telling me about last week? Is this credential phishing? Maybe this is a phishing campaign that the IT team we're talking about in that brown bag lunch we did a couple of weeks ago. It's your end-user security awareness programs that, I think, customers need to start thinking about maturing, away from those kind of monthly brown bag lunch approaches that we all used to do into more interactive-type platform. So using phishing simulation activity to work out how bad your problem is and perhaps where your issues might be and then coupled with cyber education programs to help educate the users to the right level. They don't need to be absolute experts, but certainly, they need to be able to become suspicious. We would rather they were suspicious and then be wrongly suspicious rather than wrongly being not concerned because that's where you're going to actually have the problem. The other cool thing we can do with those sorts of platforms is we can also identify our happy clickers, that is end users we have that will go to astonishing links to click on everything and fill out all the forms, and they just get themselves sucked into these campaigns seriously. We can identify who those happy clickers are, and we can actually take that information out to our e-mail gateway. And we can actually apply more stringent security profiles to just that user's e-mail traffic to make extra sure that we're not allowing anything into that more dangerous user's inbox. So that would be one area. Security awareness is definitely something that organizations need to start thinking about how they can mature. The final area is DMARC compliance. Now I know DMARC is not the most riveting subject to talk about and a lot of people find it quite complex. But if you're using an effective DMARC adoption and reporting tool, it can make it really, really easy. I mean I know this is not a product advert, but Cisco's platform that we use actually has GPT-type technologies built in to help you become a lot more efficient and provide you advice about what you should be doing next when you're getting DMARC-compliant. So when you're DMARC-compliant, that's going to help you ensure that your legit e-mail is getting through to the users you want it to get to. And it also helps -- and they can also provide obviously a lot more trust and that e-mail coming from you, but you'll also get notified very quickly if there's unauthorized usage of your domains. And obviously, that's helping you understand if someone's using my domains for nefarious purposes, whatever that might be. But the biggest mistake everybody makes when they're trying -- when they're becoming DMARC-compliant is they do it just for your e-mail domains. The attacker doesn't care, and he probably won't use the domains you're using for active e-mail. He will go and use other domains that are really identifiable to your organization that maybe you are not paying so much attention to. Those are actually probably the more important ones to become DMARC-compliant before your main e-mail ones. But anyway, becoming DMARC-compliant, do the right thing, if all organizations were DMARC-compliant, we could certainly start winding back some of the security controls, I think, that we have and, to Adam's original point, stop slowing down e-mail slightly. I don't think we slowed down that much, Adam. But we certainly do process it, and we certainly do take care with it. But we certainly could optimize that a bit more if everybody was DMARC-compliant.

Thank you very much, Bradley. Now I want you to just draw down a little bit around the use of artificial intelligence in how we see the problem solution pan out in the modern day. You mentioned a little bit how we use technologies like Armorblox to accelerate this. But what does this large language inspection and natural language inspection really mean for e-mail and the users of e-mail?

Yes. So I mean, a lot of these new next-gen detectors are using these technologies, and they are technologies that we have never used before for e-mail security. So I mean Adam will certainly talk to how attackers are using these technologies to optimize what they're doing, but on the defense side, certainly, these technologies give us another arrow in our quiver to be able to make sure we're protecting our customers as much as possible. Obviously, analyzing the -- our natural language being used inside that e-mail, doing that technically obviously also helps us to support multiple languages a lot quicker than what we've been able to do before. Using machine learning to look at the good message flow because if we're using machine learning to identify what we think is a good message, obviously, it makes it a lot easier to identify what's bad. These sorts of technologies have really changed the way that we're applying e-mail security in the field. But Adam, do you want to talk about how the attackers are using AI to optimize what they're doing because that's pretty fascinating?

The bad guys. The [indiscernible]. So I think that if you're struggling with controlling spear phishing or even spam or just commodity e-mail problems, if that's a struggle right now I think that very soon when the bad guys start to sort out how to use AI in a deliberate way and I'm not talking to mom-and-pop guys like the real big criminal organization data, Eastern Europe and the Russian Federation, once they decide that it's worth their time and money to invest in that infrastructure because, of course, it would be hard for me to run a full large language model out of my basement, I just would -- I don't think I could without dumping a whole bunch of money into it. So the bad guys are businessmen. They're very good at what they do. They're funded. They have venture capitalists come in and buy a stake in the game. And when they find that there is a benefit to leveraging some evil AI to go after organizations, the quality and the preciseness of the e-mails is going to improve drastically, right? So the Nigerian prince is going to away. He's going to retire at last. Finally, he got his money out of Africa, right? Finally, somebody gave $1,000 so he could give them that $5 million. But -- so I think that the point is all spear phishing e-mails and stuff, once you -- once they add their target analysis to that AI or they're deliberately going after a specific organization, it is going to become a work of art is what they're going to send your way. And so if it gets past your technical controls, especially around business e-mail compromise, people are going to have to absolutely rely on processes regardless of whether the e-mail -- I mean, just think of this, not just the e-mail from the CEO asking to transfer the money to a bank in Hong Kong. But the voice mail from your CEO, speaking in natural language, in a 2-way conversation even on the phone. It's their voice, right? You can get a 10-, 15-second sample of somebody's voice, and AI can mimic it almost perfectly. What is lacking still is kind of the deepfake video. Still looks to have that uncanny valley look to it, like you can tell there is something going on. But there's already been things where somebody is -- I'm near an airport. My WiFi is terrible. Here's the CEO. It's his face talking. It's a s***** video feed. And it's totally his voice talking to somebody into transferring a couple of million bucks to a bank in Eastern Europe. And as long as that type of attack works and they can make money, given their investment in those campaigns, right, they spend money on these campaigns and they certainly want to make a profit, as soon as they can figure out how to make a profit out of that, it's going to come in people hard because anytime these new novel attacks start, there's going to be that initial purchase where it's going to work really well and they're going to make their money. And then technology vendors and organizations are going to scramble to compensate once it starts coming. So I would say that if you're not good at managing your e-mail security now, the time is fixed. It is right now because it's about to get a whole lot more complicated. This is what I think.

And I think the other interesting area too, and you mentioned that with voice messaging and potentially video messaging in the future, today, I know we're just -- I'm sorry, Corien, I know we're just talking about e-mail security. But at the end of the day, phone calls, messaging, Teams, whatever you might be using, it's all communication. So we kind of need to uplift e-mail security to be communication security. And I think that's another -- and certainly, we're not making any product announcements today, I'm sorry. But certainly, I see that's going to be coming in the near term as well. So certainly expanding the types of technology that we're applying on e-mail today and obviously optimizing on e-mail today to other communication [ paths ] because at the moment, they're obviously very poorly protected.

Yes.

Yes. So I can't agree more. We've seen the threat vectors include instant messaging that's now readily used within organizations. Teams chat, communicate and transfer files in that way. So absolutely, the expectation is that within the near, if not immediate future, we're going to see an explosion on attacks within our communication channels. When we look at individuals, the Australian government, for instance, most recently reported that [ just ] scans on a personal level is up threefold. And this comes at a time when the defense effort has never been as prominent and as well funded as they are in this most recent year. So we certainly need to use all of what we have to our disposal to protect against e-mails. And when I talk to senior information security leaders, they tell me all the time that it is absolutely not amateur hour out there. And when you see these attacks play out, it becomes quite evident that perpetrators have been lingering in mailboxes and building their reconnaissance while present inside the mailbox for a number of months. They don't even necessarily need the network lateral movement in particular. They build their reconnaissance information whilst scavenging all the information that we hold in our e-mail boxes, which is quite scary. Now I want to wrap this up within the next few minutes. So Bradley, Adam, thank you very much for your tremendous contribution. I'm going to ask if there are any questions that people posted in the chat box. We will then be handling those. I'm going to give you a closing thought, Adam, so...

I've got one more thing to add when you give me a chance that people have to consider.

Absolutely. And maybe make that part of your closing thoughts. What are you looking for in 2024? And what should businesses prioritize when it comes to e-mail security? Adam, take a go at that.

Okay. First, one thing that we didn't talk about is the prevalence of personal web-based e-mail on corporate enterprises. So I mean I can jump on my Gmail, and I can click on that link, and I can download that malware. And e-mail has this remarkable ability of just [ barking ] right past your perimeter controls, right? So don't forget webmail. In fact, if your industry is at a lot of risk, when I worked in the defense industrial base, we did not allow Gmail or Yahoo! Mail or any of that on our network. Absolutely not. [ And in all the ] controls that are put in place, that have the most impact to the users. They were singing the blues. But anyway, so don't forget your Gmail and stuff, you got to look at that. There are solutions that can help reduce that risk. But mail is mail, right? I think going into 2024, I think that if you haven't focused on e-mail hygiene for all the reasons that we've discussed, primarily this emergence of AI, which is about to become ubiquitous in our lives before we even realize it, kind of behind the scenes, as it's happening as we speak. I think the bad guys are just going to catch up with that. And then it's going to present risks and challenges that we haven't even considered yet. I mean they're more clever than we are. So they're going to dig at something. So really just keep your ear to the ground, watch this space. E-mail remains a primary vector of badness on your network, definitely.

All right. And I'll try and keep it under 4 hours. So certainly, moving into -- and people that know me probably are not surprised by that comment. Certainly moving into 2024, I think one thing I see in -- when I'm talking to organizations all over Asia Pacific is they're not optimizing or making use of what they have already. They've got existing investments. Whether you're using Cisco or someone else, whatever you might be using, there's always areas where you can actually optimize a lot more than what -- in your e-mail security solution than what you're using at the moment. So ensuring -- just the first step, go back and revisit what you're using now. Are there ways that we can optimize this? Are there ways that I can increase my security coverage using my existing investment? Are there ways -- in terms of optimization, I'm meaning things like are you using end-user spam quarantine management to take all the load off your help desk? Are you maximizing connection filtering to take all the load off the security engines and stop that delay the Adam thinks that we have? Are you -- have you got the right combination of coverage for attachments, not only signature-based AV for known malware, but make sure you're also using unknown malware controls like sandboxing or examples like the Cisco Threat Grid technology. And then embedded URLs, the other way that attackers have of getting malicious content into your organization, what sort of scanning capabilities are you doing across embedded URLs? Are you sandboxing those URLs? I mean there's a lot of things that you need to be doing these days. And what I find is a lot of customers probably had them turned off for the last 3 or 4 years and kind of forgotten that maybe existing investments can actually cover a lot of these things that -- places that have gaps for at the moment. So make sure you're optimizing what you're using at the moment. That's number one. Number two, start thinking about when do I need to start scanning internal mailbox to mailbox e-mail. You will need to at some stage. It's going to be different for different organizations. But at some stage, you need to be thinking about how am I going to -- when do I need to do it and how am I going to do that? And that's where these new architectures can really help you because the newer integrated cloud e-mail security solutions can also scan internal e-mail as well as inbound and outbound. User awareness training, security awareness programs, how do I mature that? Where am I at the moment? How effective is it? Maybe do some phishing simulation work, work out where your gaps are and what the current levels are, work out where you need to make the investments there. DMARC compliance, please, please DMARC compliance, get it on your project plans for 2024 if it's not there already. This is now how we can help. The more people with a DMARC compliance, it's going to make all of our jobs a lot easier. And then the final one for me is all around how e-mail integrates into your wireless security infrastructure. But it's not just dragging information out of your e-mail security solution, it's also using your e-mail security solution in the response remediation phase as well. So that bidirectional SecOps integration and how I can maximize that in my current environment is so correctly important. Unfortunately, maybe some of the products you're using at the moment aren't going to be talking well to each other. Maybe there's some different investments or change-outs you need to make in some of those sort of vendors. But certainly, when you're thinking about any new security investment, be it thinking about how does it integrate in my investment or is -- how is that going to play a part on my longer-term incident detection and response-type strategy. So that's what I think for 2024.

Bradley, your passion for e-mail security is infectious, and I absolutely love it. Thank you very much for your time this afternoon. Thank you, Adam, for your valuable contribution out of industry. It always is such an eye-opener to realize the true magnitude of what we are fighting and what we have become part of the solution in how we defend our users against all the [ militia ] that is out there. Now I want to ask our users a few call to actions. Number one, if anything that we said is remotely interesting today, please reach out to us. We would like to have a further conversation with you. And as you can hear, some of us are extremely passionate about this topic. So would be happy to further some of these conversations. Second to that, if you haven't already subscribed to this content over the last few seminars, please go and do that. If this was your first one, go and look at some of our old content. We've had tremendous speakers on the role, and we have been extremely blessed to have them as part of our speaker series. And lastly, we would like to get your feedback. We would really appreciate if you could participate in our survey towards the end. And I just want to double check with our team if there are any current questions. There's no questions at the moment, but if there is a question that you would like for us to answer, it is not too late. We'll be sending some of the collateral out to everybody that registered for this event. So you are most welcome to get back in contact with us, and we will be willing to answer all of those questions. Adam, thank you very much for your time. Bradley, thank you very much for your passion and time. And to everybody that joined us, have a wonderful afternoon. Good afternoon, everybody.

Thank you. Thanks, Corien. Cheers, Adam.

Thanks. Bye.