Email providers play an integral part in the operation of most businesses. Email is used as a primary source of communication and takes up, on average, 23 percent of an employee’s workday.1 But what happens when an email provider experiences an outage? How are companies affected? Quantifying and calculating the impact on productivity requires considering many different factors.
Type of business sector
The level of email reliance for different companies varies by industry, and accounting for email usage is important. The probabilistic service provider model, implemented in Verisk’s Cyber Risk Navigator, captures scenarios for an email usage factor that considers whether an industry’s use is low, medium, or high. For example, industries like mining and manufacturing tend to rely on email less than industries like health care and public administration.
Email subservice types
Email service providers can be broken into four broad categories: hosting, security, marketing, and transactional.
- Email hosting providers: When people think about email, they think of the email hosting provider (examples include Gmail, Outlook, Hotmail, etc.). These account for most emails an average user sends and receives. If the hosting provider is down, that can lead to business interruption from missed messages or the inability to access documents. This could happen as a result of an unplanned outage, a server malfunction, disruptions in the provider’s internet connection, or a cyberattack. An email hosting provider outage would have the most significant impact on a company’s productivity.
- Email security providers: Email security providers (like Proofpoint) help protect users from potentially dangerous emails (e.g., phishing) by acting as a firewall. For example, the service might capture spam emails and send users a single email each day summarizing the emails caught in the spam filter, offering the user the option to release any email captured in error. When email security providers experience an outage, a company’s pre-defined setting of whether to “fail open” (allow all emails through, including potentially dangerous emails) or “fail close” (allow no emails through at all) kicks in. In general, most companies opt to “fail open” to ensure business continuity. Although this could increase a company’s risk of falling for a phishing attempt, the impact to productivity is nonexistent.
- Marketing email providers: These emails are automated for marketing purposes to help keep clients and prospects engaged with a business. By allowing users to create and track cases, email marketing providers (think Salesforce) send emails that can remind you to follow up. If these providers go down, you might miss the reminders that help you stay prompt with your communication, and perhaps fail to close a deal as a result. Still, email marketing provider outages often have a small impact on a company’s bottom line.
- Transactional email providers: When you receive an automated email such as a purchase receipt, an abandoned shopping cart reminder, or a password reset option, the sender is a transactional email provider (Mandrill is one example). Although some productivity may be lost from a transactional provider outage, it's considered less impactful than an email hosting provider outage.
The probabilistic service provider model takes email subservice type into consideration when modeling gross loss. Usage caps are implemented to account for the lesser impact of non-hosting email providers on overall productivity.
On-prem or on the cloud?
A single email provider may have multiple offerings that vary based on how and where they're set up. Some email providers offer on-premises (“on-prem”) solutions where the software is installed and run locally on the company’s servers. But an alternative is growing in popularity: many email providers offer a cloud-hosted option where the hardware is remote, and users have on-demand availability without direct active management. But what happens if one cloud provider experiences an outage that impacts multiple services? This is a “cross-service” event, which is included in the probabilistic service provider model. For example, if a Microsoft data center is hit, the impact could affect both Azure (cloud) and Outlook 365 (email).
Email provider outages can significantly impact a company’s productivity and bottom line, and understanding how to model the risk can be challenging given all the different factors that come into play.
To learn more about the probabilistic service provider model, and how you can utilize it in our leading cyber risk modeling platform, Cyber Risk Navigator, please reach out to Pamela Eck, senior cyber risk consultant at Verisk (firstname.lastname@example.org).