Corporations the world over are beginning to see email in a whole new light: not just as a revolutionary business tool, but also as a major potential liability if not controlled.
An obvious example of the power of email to impact an organization was recently seen with the accounting firm Arthur Andersen, in its role in the Enron scandal. The rush by Andersen staff to delete related emails demonstrates that email messages are being seen as acceptable proof of agreement for business decisions.
The vast majority of enterprises today have developed specific security policies regarding stored data - i.e. in databases behind corporate firewalls. In contrast, email, although the dominant means of transmitting information, whether it be legal, financial, medical or other, has remained the Cinderella of security. Yet, with the click of a button, sensitive information is sent every day over non-secure networks.
Emails contain the core of company knowledge and worth, so why is so little attention paid to email security? The answer is because employees do not consider the security ramifications when sending emails. Reputable analyst groups continuously warn about the risk of information security vulnerabilities. In 1998, the Gartner Group predicted that by 2002 there was a 70 percent chance that all enterprises would have suffered a significant financial loss as a result of an information security breach. A Datamonitor market analysis indicates that global economic damage caused by security breaches exceeds $15 billion/year. By securing email communication, organizations can prevent security breaches of their most prevalent method of information transmission.
The U.K. still lags behind the U.S. on email security policy in spite of recent instances involving emails being sent round the globe, which have seriously damaged corporate credibility. The 'Claire Swires' saga, where a bank worker was suspended from his job in the City of London after he sent an email to friends boasting about a chance sexual encounter while watching a football match on the television, is a well-known example. The bashful recipient sent an email to five friends and within hours it had been forwarded around the world, making it another example of a private email being made public. This mail may have been sent in jest but it highlights a serious fact: that email is still as open as it ever was.
It is a well-known fact that most security breaches happen from within the organization. In spite of this, a survey by the Society for Human Resource Management in the U.S., showed that 86 percent of the near 800 human resource professionals polled now use email, but 49 percent of their companies did not train employees in the proper use of electronic messaging and 48 percent did not have written email policies. Six percent of respondents had been asked to produce copies of email messages as evidence for lawsuits. Email is the ubiquitous method of communication, but the attention given to protecting email and educating users has failed to become priority for most organizations.
The rest of this article suggests several steps to ensuring a comprehensive email security policy.
Recognize Security as a Business Process
The new field of security, with its unprecedented emphasis on criminality and terrorism, is a different and unfamiliar world to many mainstream managers. Despite its differences, however, security is a business process. Priorities and strategy must be set, processes established and effectiveness measured. In light of today's globalization, deregulation, outsourcing, email and internet challenges, security must embrace both greater openness and efficiency, while dealing with new vulnerabilities.
Any business process must be managed, and in the case of security, the best role to manage that process is a new kind of corporate security executive who possesses a rare combination of skills and experience in management, analysis, security and leadership. This role has come to be known as the chief security officer. A difficult role to fill, the CSO must be familiar with both physical and digital security issues; the ideal candidate is a policeman, business manager and information technology expert combined.
Nortel leads the way in this regard. Their CSO, Mr. Timothy Williams, was recently profiled in a New York Times article. Mr. Williams has spent 22 years in corporate security. His 15-person global security council, composed of senior managers from a variety of departments including finance, information technology, manufacturing and procurement, was formed to take a comprehensive approach to security matters "across all the core businesses and functions."
Declare Email a Strategic Asset; Protect it as Such
A company with 1,000 employees will spend nearly $4 million a year on email, according to a Tally Systems survey. It stands to reason that such data in motion should be protected at least as well as stored data is protected today. Most organizations today have formal policies for controlling access to key applications, databases and information. Email is no less important, but it has not been formally included in the list of important data to be protected. By defining email as a "strategic corporate commodity," organizations are acknowledging the importance of keeping it protected.
There are good, workable solutions available today to ensure the privacy and confidentiality of data in motion. A well-designed secure email solution will protect sensitive communication from end to end, providing a strong assurance that corporate policies are being enforced.
A secure email solution should:
- Encrypt all sensitive messages from the moment they are sent to the time they are received
- Use the strongest possible encryption
- Employ equally strong authentication mechanisms, both on the sending and the receiving side, so only intended recipients can decrypt and read the email.
- Employ electronic signatures to verify the identity of the sender
- Perform content integrity checks to ensure the message sent is identical to the one received
- Look for solutions with controls and assurances, such as sender-control and end-to-end tracking.
- Keep audit trails, and use them for verification of receipt, non-repudiation, etc.
- Make security transportable, not tied to a specific computer. Enable employees to use internet kiosks and wireless LANs, by equipping them with the tools they need for sending secure email.
Employees play a key role in securing data in motion. Employers need to draft clear policies for internet and email usage and make sure that employees get copies of these policies at least twice a year. New employees should be given a copy of the policy when they start, and the company should follow up with updated versions of the policy at least every six months.
This means defining email usage rules, educating users on email legal liability, prohibiting or limiting personal emails, monitoring adherence to guidelines, filtering outgoing and incoming email for unwanted or unusual content, and ensuring that email is archived according to the document retention policies.
Implement a Comprehensive Data Retention Policy
The potential role of email in legal situations is massive, primarily due to the fact that it really is difficult to make email disappear. Brief reference has been made to Enron and its involvement in the Arthur Andersen debacle. According to news reports, Andersen, like many major companies, has a document retention policy that applies to physical documents; it calls for drafts and preliminary versions of documents to be destroyed, while final copies are retained. Corporate document retention policies must be created that apply to email as well. They need to clearly define what constitutes an email draft or a final version email. In addition, the policy must address multiple copies of email, since it is extremely easy to pass an email to colleagues or friends, or even store them in private email boxes.
Some organizations are struggling to deal with the issue. Coca-Cola, according to published reports, allows users to keep email for 30 days only, automatically wiping out email beyond that limit. Some industries, however, are subject to regulatory requirements for document retention. For example, brokerage firms in the United States must keep all communications for three years. A document retention policy must address both legal requirements and the unique characteristics of email communication, and set reasonable standards and guidelines for employees to follow. Define what is meant by a draft; carefully craft distribution lists, and educate employees on how to ensure compliance to policy.
Define and enforce content management policies
Email risks have been known for years. In 1985 the Rand Corporation, a leading think-tank, wrote a paper entitled Toward an Ethics and Etiquette for Electronic Mail. Yet even today many organizations ignore their potential liability, failing to set or enforce policies. Email risks can fall into two major categories: abuse by outsiders, such as the typical distribution of viruses or other malicious code, and email abuse by those inside the organization. A classic example of the latter is Cisco's recent premature leak of its quarterly earnings, the type of leak that could lead to class action lawsuits.
Email carrying sensitive information, racist, sexist or other offensive material may prove troublesome, embarrassing and costly. This issue arose during the antitrust case against Microsoft Corp., when the U.S. government entered into evidence the contents of emails written by top Microsoft executives describing plans to attack competitors. Similarly, Chevron recently paid $2.2 million to settle a lawsuit resulting from email message containing sexist comments.
Ensure that all email leaving and entering the company is filtered. Any offensive, harmful, derogatory or sensitive information should trigger actions such as quarantining, encrypting or diverting the email.
Similarly, scan all email for viruses and malicious code. If the email security system allows, send alerts and keep audit logs of any suspicious activity for later review and, potentially, as evidence.
Just as employees have been trained to choose strong passwords and not to open email attachments from unknown people, so too must they be educated as to what is permissible and what is not, where liabilities exist, and what they must do to protect organizational assets and reputation. Employers need to draft clear policies for internet and email usage and make sure that employees get copies.
More importantly, the organization should work to ensure that security is as transparent as possible to the end user. This means enforcing content filtering, virus scanning and encryption policies at the gateway for most employees, while retaining the ability for executives and members of sensitive departments to further encrypt while still on the corporate LAN. Don't force users to resort to insecure communication when using internet kiosks, for example; let them easily transport their email security while keeping it out of their way. By making email security transparent to the user, the organization can greatly enhance its security posture without interfering with normal business practices.
There have been too many instances recently of data being compromised, and of information that should have remained private becoming public property. As a result, technologies such as email are being scrutinized to ensure they are sufficiently secure vehicles for future communication. Quite clearly the use of email will continue to expand, trade will continue to flourish, but as with all areas of technology, security will remain a key issue. The scope for attack will continue to increase, the number of access points to confidential information will continue to rise, and with it will remain the need for software products capable of providing secure protection of email communication.
Tanya Candia is senior vice president of marketing at Sigaba (www.sigaba.com).
