Most e-mail policies in organisations fail, as businesses increasingly miss the biggest threat within them - employees.
So said Nathaniel Borenstein, chief scientist at Mimecast, speaking during the ITWeb Security Summit at the Sandton Convention Centre yesterday.
He defined security as protecting what one values. “But what happens when that which you value [employees] is itself a threat?” he asked.
He said e-mail security is important because about three-quarters of business data is now stored on e-mail.
“Traditional e-mail security includes protecting business, data and employees from accidents due to data loss. It also includes preventing or thwarting outside threats.”
However, he explained, organisations are not protecting against the accidents their teams make, because they ask too much of them.
Generation Gmail
According to Mimecast's 'Generation Gmail' study, he said, 85% of corporate users under the age of 25 bypass corporate e-mail security systems to get their work done.
“There are higher percentages for other age groups too, as more and more users are going 'rogue' for e-mail. However, most of them are only simply trying to get their jobs done,” he noted.
He explained that users are not thwarting e-mail security willy-nilly. “They are just drawn into it by the tools and rules companies give them, for example absurdly low quotas, overly complex firewalls, and poor reliability.
“They are not children or soldiers; they are smarter than most mules but they are just as stubborn. They need a mixture of carrots, sticks and better paths to walk on.
“We need to create the path of least resistance. The most natural and easy way to do any task should also be the most secure way,” he said.
Make life easier for the workforce, he stressed. “Don't require them to enter a VPN just to access e-mail, don't give them inferior mail tools for home use and don't give them any storage quota at all. Make sure your systems are super reliable and, above all, focus on educating, not dictating, about security.”
He went on to say that as businesses try to implement the carrot and stick method, the carrot is usually in the shortest supply because employees are not given incentives. “Don't skimp on resources for business communications,” he noted.
It is also Borenstein's view that the stick tends to be abused, thereby chasing users away from the organisation's e-mail control.
Darth Vader era
“The era of Darth Vader [the antagonist in the Star Wars film series] in information security is coming to an end,” he said, arguing that dictating that staff always follow certain procedures is not always a perfect solution.
“We demand a lot from users and in the process force them to cheat the system, and also cause administrators to make mistakes.”
Borenstein said mistakes by IT teams within organisations are the biggest threat and the hardest to counter.
In that vein, he said cloud computing has the power to take away much of the complexity of implementing and maintaining access-from-anywhere corporate e-mail systems.
“A good cloud provider can easily address the needs of the new generation and protect the business.
“By outsourcing many of the problems and empowering rather than restricting workers, IT administrators can use the cloud to regain control of their workforce, improve the security of company IP, do more with less and keep those demanding Generation Gmail workers happy,” said Borenstein.