Cat-and-mouse

E-mail is now one of the most important communication and productivity tools for any organisation. Currently, over 50 billion e-mails are sent daily and this is projected to grow to 110 billion per day by 2008. Unfortunately, over 70 percent of any organisation’s e-mail is unwanted spam. This makes security key – to secure inbound mail from viruses, spam other e-mail threats and to protect outbound mail and ensure it complies with your company’s e-mail policy.

E-mail’s continually burgeoning popularity also makes it an increasingly attractive target for individuals seeking to do harm, either for their own misguided personal satisfaction, or more likely, for financial gain.

The first e-mail hackers found simple vulnerabilities in e-mail systems and exploited these known weaknesses. Now, however, hackers and virus writers have become specialists, constantly developing new and innovative methods of overcoming the improvements made in today’s security systems. The game of cat-and-mouse is unlikely to end any time soon, if ever. With every improvement in defensive techniques, hackers and virus writers modify their tactics in an attempt to circumvent these defences and wreak havoc on corporate networks.

What is the typical cost to a company of misuse of e-mail systems?

There is no standard price list for the misuse of e-mail. If e-mail is not strictly filtered before it enters an organisation, offensive and malicious software can cause incalculable damage to systems and even result in legal claims from employees. Likewise, if e-mail leaving an organisation is not carefully monitored, it can be used to transfer confidential information such as customer lists, plans and intellectual property to unauthorised recipients outside an organisation.

The National High-Tech Crime Unit (NHTCU) is the UK Government Agency that works with law enforcement agencies across the globe to combat the rapidly growing problem of cybercrime. Although the forms of attack are many and varied at their heart is the age-old criminal motivation – making money at someone else’s expense. Cybercrime is not victimless. Recent research by the NHTCU calculates that UK businesses lost over UK£2.45 billion to cybercrime last year.

One of the most prevalent forms of cybercrime is phishing, which proliferates by e-mail. Phishing scams involve sending a message (usually via e-mail but also increasingly instant messaging) that is designed to imitate a trusted provider and provides a link through which the unsuspecting users can provide information to ‘update’ their account. The e-mail itself is often cleverly designed to look legitimate, bearing the provider’s correct logo, colours and a professional presentation. Unfortunately, information gained through phishing is often used for identity theft.

How important is an e-mail security policy?

An e-mail security policy is considerably more important than words on a piece of paper. It needs to be strongly enforced, regularly updated and actively communicated to all users. All organisations need to set the e-mail use policy that is right for their business communication needs and make sure it addresses the following requirements to be effective:

Users: Although users need to be aware of their organisation’s e-mail policy they are unlikely to keep it ‘front of mind’ in their everyday use of e-mail. Although technology (see below) can go a long way to protecting users it is vital that users do not leave themselves vulnerable to attack or compromise. Recent research by CipherTrust, the leader in messaging security, reveals that over 250,000 new PC zombies are created by hackers virtually every day. Once a PC has been compromised in this way, hackers can use it to launch attacks and compromise the integrity and reputation of an organisation’s e-mail system.

Technology: Any policy needs to be applied consistently to every e-mail that enters or leaves an organisation. That is where technology solutions, such as the CipherTrust IronMail messaging security appliance, are vital. The technology provides inbound protection from spam, viruses, trojans and other forms of malicious attack that can be sent by e-mail. Equally importantly, the technology provides outbound security by ensuring compliance with your e-mail policy and privacy legislation. With spam now costing British business £1.3 billion a year, investment in e-mail security is not a cost, but an investment in any organisation’s productivity and profitability.

Mobility: The growth of wireless communications, webmail and e-mail via handheld PDAs such as the Blackberry or smartphone have liberated users and now provide anytime, anywhere access to e-mail. With this freedom comes responsibility. Sensitive information that can be accessed anywhere needs to be protected more securely than normal e-mail to ensure its privacy. This is where e-mail encryption has an important role to play. With encryption users can secure an e-mail as it leaves an organisation’s e-mail system and enable only the authorised recipients to decrypt the message upon secure delivery to their e-mail system.

How can e-mail misuse impact a company's reputation?

A positive reputation takes years to acquire and only a few seconds to lose if just one inappropriate, offensive or non-compliant e-mail gets into the public domain. There are numerous companies that have found their reputation subjected to tabloid-style ridicule as a result of the inappropriate use of e-mail. Such an experience is more than a PR embarrassment. It can cost in terms of shareholder value if the incident is severe enough to impact share price.

E-mail security provides safeguards, particularly for outbound e-mail, that can protect a company from this type of incident. The CipherTrust IronMail appliance, for example, automatically applies a company’s e-mail policy to all outbound e-mail to minimise the risk of inappropriate, inoffensive or malicious content leaving a company and becoming the possible cause of damage to an organisation’s corporate reputation.

What precautions are necessary for other forms of business communication?

There are two other forms of business communication that are rapidly being adopted by companies. One is instant messaging (IM) and the other is voice over internet protocol (VoIP). IM is already in daily use by over 200 million corporate users worldwide for rapid business communications and VoIP will be implemented by over 43% of large organisations this year.

Both of these forms of business communication offer considerable benefits to companies. With IM you know the recipient of your message is online and available to provide an immediate response. With VoIP, companies can potentially make substantial savings to their telecommunications costs by using broadband connectivity for voice calls at far lower costs than normal telephone connectivity.

Today, the problem of large volumes of unsolicited messages is an e-mail phenomenon. How long before instant messaging, suffers from the problems of spim (spam over instant messaging)? Likewise, how soon before VoIP users experience problems with spit (spam over internet telephony)?

Any company that wishes to remain competitive in the 21st century will adopt these rapidly emerging forms of business communication. The successful companies will be the ones that implement them securely.

CipherTrust is already helping organisations to address the security challenges posed by IM. Our IronIM appliance is a messaging security solution specifically designed to protect corporate IM systems. IronIM implements your messaging security policy to all IM communication. It ensures that IM is a productive business communication tool, not a potential backdoor for viruses to enter your mail system or for confidential information to leak from your network.

Why legislation makes e-mail security a critical concern of all CXOs?

The CFO/Finance Director or even the CEO/Managing Director may not immediately consider that e-mail security is one of their main business concerns. They, and other non-IT board directors, may consider they can leave it to the CIO/IT Director. If that is the case, they are wrong. E-mail impacts all aspects of a company’s operations and is subject to a variety of legislation such as the Data Protection Act, the Regulation of Investigatory Powers Act and increasingly European and USA legislation can have a significant impact on the requirements for companies to store and retain e-mail.

E-mail security needs to be a concern for all board directors to ensure that their company is fully compliant with all legislation that can have an impact on their operations.