E-mail has revolutionised how organisations communicate. The ease of use of e-mail also makes it relatively easy to transport confidential information and valuable intellectual property outside an organisation - without anyone knowing until it's too late. To combat these threats, businesses must develop clear policies for outbound e-mail content and should adopt technology to monitor and enforce such policies.
Today, e-mail is the number-one method of communication used by enterprises around the globe. Yet, as e-mail usage continues to grow, corporations are starting to recognise that it also may be the weakest security link in the network.
Very few organisations assess what information employees actually have access to or even have data classification rules in place. This means that all employees have access to large volumes of information that they either do not need or should have access to. This unrestricted access and the pervasive nature of e-mail opens the door for potential information loss, often to the detriment of the organisation.
Research from the Enterprise Strategy Group suggests that 70% or more of a company's business-critical information may be stored in its messaging system. Two factors make this situation increasingly problematic.
Firstly, e-mail systems today are used for much more than messaging. E-mail acts as a contact manager, a document archive, a file-sharing system and a project management and collaboration focal point. Secondly, virtually every employee uses e-mail to communicate with contacts outside of the organisation. And unlike paper documents that can be shredded or conversations that can be kept private, e-mails live on after they're created.
To date, most efforts to secure enterprise e-mail systems have been focused on keeping external threats - like spam, viruses, Trojan horses, spyware and blended threats - from getting in. Firewalls, anti-virus, anti-spam, anti-spyware, content filtering and other products installed on client PCs, as well as messaging servers and gateways at the edge of the enterprise, have gone a long way toward minimising these threats from the outside.
However, messaging security covers more than just spam and malicious code. It also includes outbound message filtering, policy enforcement and regulatory compliance and all these factors need to be addressed in order to adequately ensure messaging security within organisations.
Corporate concerns
The simple fact is that e-mail makes it very easy to distribute a company's most important assets, including intellectual property, trade secrets, confidential memos, financial data, operational data and confidential consumer and customer data, such as protected health information, credit card numbers and identity numbers.
In addition to this, organisations are concerned with:
* Complying with internal e-mail policies;
* Abiding by privacy regulations and guidelines;
* Conforming to financial disclosure and corporate governance regulations;
* Guarding against leaks of valuable Intellectual Property and trade secrets;
* Protecting against leaks of company confidential information; and
* Guarding against inappropriate content and attachments being sent out of the organisation.
Common forms of inappropriate content
* Proofpoint Outbound E-mail and Content Security in Today's Enterprise, 2007
Recent studies have shown that of all e-mail content leaving the organisation:
* 30.2% is confidential or proprietary business information about the organisation;
* 25% is adult, obscene or potentially offensive content;
* 20.5% is personal healthcare, financial or identity data, which may violate privacy and data protection regulations;
* 16.9% is valuable intellectual property or trade secrets, which should not leave the organisation; and
* 7.4% of organisations don't know what is leaving the business.
Implications for organisations
If company confidential information falls into the wrong hands, or if the leak is reported publicly, the consequences can be devastating.
Information leaks can not only undermine competitive advantage, they can also breach confidentiality with customers, partners and reporting bodies like accounting firms, jeopardise the timing of financial disclosures, put consumer privacy at risk and create public relations disasters, as well as creating the potential for lawsuits and influence listed companies stock.
What does all this mean for those tasked with securing sensitive corporate information and for those responsible if and when leakage occurs? First and foremost, it's crucial to recognise that costly e-mail exposures will continue to increase unless action is taken to define and deploy the policies, processes and technologies that govern e-mail usage and content security. Only then will a corporation be able to mitigate the business risks associated with exposure.
Indeed, many enterprises have instituted policies that govern employee usage of e-mail. Unfortunately, most of these policies only cover "acceptable use" factors, geared towards ensuring that e-mail usage doesn't negatively impact employee productivity. Employees understand that they can't download and share MP3 files, and that they can't visit Web sites that promote gambling or pornography. But are there rules to govern whether or not they can attach a source code file to an e-mail message and send it to a friend outside the company to critique?
Countermeasures
Condyn recommends that organisations follow the following process:
* Understand your business and which digital assets are important;
* Create policies that consider business assets, processes and employee access to company data;
* Understand what the confidential/valuable information is and where it resides;
* Define risk and develop a list of possible security countermeasures;
* Evaluate security measures (physical and network-related) and potential technology solutions;
* Implement e-mail security technology;
* Monitor and enforce policy via security technology and human oversight;
* Conduct audits to analyse risk and identify trouble spots; and
* Train the organisation to recognise risks and refrain from security-jeopardising behaviours.
A comprehensive e-mail security plan and solution implementation does not have to be difficult or disruptive to the organisation. With input from key personnel and focused e-mail security goals, a company can begin the policy development process. The right filtering and content analysis solution will help define policies and risk. The same solution should offer monitoring and enforcement features, centrally manage processes, and provide comprehensive auditing capabilities.
Identifying and preventing e-mail leaks is crucial - especially at companies with any sizeable work force. There are just too many points of contact with the outside world. E-mail exposes everything you tried so hard to protect with standard network security mechanisms. This problem cannot be ignored in the hope that employees will think twice before attaching certain documents.
The key is to:
* Clearly define policies and risk;
* Monitor and enforce policies enabled by available security technologies;
* Update policies as business changes; and
* Audit and train the organisation to reduce risk over time.
Share