The concept of organizations keeping a watchful eye on employees during company hours is nothing new. From the introduction of the time card 120 years ago, which required employees to clock in at the beginning and end of the work day, employee monitoring has evolved from simple confirmation that individuals are present and accounted for, to more detailed insight into employee activities taking place while "on the clock."
This evolution has been driven in part by today's widespread use of email in the workplace, plus the increasing popularity of instant messaging, blogs and other online communication forums, all of which expose companies to new data security risks.
The boom in electronic communications, combined with business challenges such as increased industry competition and with the introduction of data and privacy laws at both the national and state level, requires organizations to take extra steps to reduce the risks associated with outbound email and to protect corporate assets in the process.
The birth of email
The name Vinton Cerf might not have widespread recognition, yet this individual's technical discoveries have forever changed the way businesses operate. A co-designer of the TCP/IP internet network protocol, Cerf was responsible for founding the internet, and orchestrated the first sanctioned commercial use of email in 1988.
Fast forward just a few years and the use of email quickly caught on in corporate and personal domains. While email was soon recognized as a critical business tool, it didn't take long for organizations to identify the potential risks that came along with this new form of communication. A quick click on the "send" button could create any number of corporate mishaps, with confidential data – legal documents, customer identity information and trade secrets – being circulated, whether maliciously or accidentally, inside and outside of the organization.
In the early to mid-1990s, keyword-based email filters, which scanned for specific words before an email was sent, were introduced to help organizations secure individual email messages. This marked the start of genuine enterprise concern around data security and was followed by the availability of a range of data protection, monitoring and filtering technologies, resulting in almost 60 percent of companies implementing outbound email monitoring solutions by 2006.
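The keyword-based scanning described above, as an added illustration that is not part of the original article or of any Proofpoint product: a small Python policy check that inspects one outbound message and flags SSN-like values or confidential markers when any recipient is outside the organization's mail domain. The domain example.com, the keyword list and the sample message are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed policy for the example: the organization's own mail domain (assumed), markers that
# should not leave it in clear text, and a US SSN pattern (NNN-NN-NNNN, never-issued ranges excluded).
INTERNAL_DOMAIN = "example.com"
CONFIDENTIAL_KEYWORDS = ("confidential", "internal only", "trade secret")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")

def external_recipients(msg) -> list:
    """Recipient addresses in To/Cc/Bcc whose domain is not the organization's."""
    addrs = [a.lower() for h in ("To", "Cc", "Bcc")
             for _name, a in getaddresses(msg.get_all(h, []))]
    return [a for a in addrs if a and not a.endswith("@" + INTERNAL_DOMAIN)]

def text_content(msg) -> str:
    """Decoded text of every text/* part: the body plus any plain-text attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)

def scan_outbound(raw_message: str) -> dict:
    """Apply the outbound policy to one RFC 822 message and return a verdict plus reasons."""
    msg = message_from_string(raw_message)
    externals = external_recipients(msg)
    reasons = []
    if externals:  # mail that stays inside the organization is not inspected here
        text = text_content(msg)
        ssns = SSN_RE.findall(text)
        if ssns:
            reasons.append(f"{len(ssns)} SSN-like value(s) addressed to {len(externals)} external recipient(s)")
        lowered = text.lower()
        reasons += [f"marker '{kw}' addressed to external recipient(s)"
                    for kw in CONFIDENTIAL_KEYWORDS if kw in lowered]
    return {"verdict": "quarantine" if reasons else "allow",
            "reasons": reasons, "external_recipients": externals}

# Constructed sample: an HR user forwarding an employee list to a contractor's home mailbox.
SAMPLE_MESSAGE = """From: hr@example.com
To: payroll-contractor@home-isp.example
Subject: employee list
Content-Type: text/plain; charset="utf-8"

Internal only - please process before Friday.
Jane Doe 219-09-9999
John Roe 078-05-1120
"""
```

Calling `scan_outbound(SAMPLE_MESSAGE)` returns a quarantine verdict with two reasons; the same message addressed only to example.com recipients is allowed through.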
Email is not the only culprit
The number of electronic communications channels has exploded in the past few years, but email remains a top focus for organizations when it comes to data protection and security challenges. With a staggering 70 percent of corporate data residing in email, this channel will continue to pose the biggest threat as a means for the improper disclosure of confidential data. However, additional outbound data streams – including HTTP (i.e., blogs, web-based email, message boards), instant messaging and FTP – have entered the mix and can also be conduits for violations of internal communications policies, confidential information exposure or sources of regulatory risk.
A 2006 survey of 300 large enterprises, conducted by Proofpoint and Forrester, about concerns around outbound email found that 55 percent of organizations are seriously concerned about web-based email as a means for exposing sensitive data, with FTP and instant messaging following closely behind.
As a result, companies are expanding their use of messaging security solutions beyond traditional anti-spam and virus protection to defend against the risks posed by outbound email and other messaging streams. The survey also found that more than one-third of companies have deployed technology for monitoring content in webmail (i.e., HTTP email services such as Hotmail, Gmail, etc.) or other forms of HTTP traffic. In addition, almost 30 percent of respondents have deployed a solution for monitoring content in instant messaging traffic, with another 24 percent intending to deploy such technology in the next 12 months.
The risk is real
The respondents of the same Proofpoint/Forrester survey estimated that one of every five emails leaving their organizations poses a risk. However, many organizations are completely unaware of the type of content flowing outside company walls and, as a result, are in the dark about the potential risk exposure via email. In an audit of one healthcare provider's outbound email, Proofpoint found hundreds of potential HIPAA violations occurring every hour.
These statistics aside, you need only pick up a newspaper these days to be reminded of the reality of security breaches via electronic channels, as evidenced by the following incidents:
- Feb. 1, 2006: Reported by CNET, Dell inadvertently posts configurations for unannounced notebook computers via a Dell FTP site.
- Feb. 17, 2006: Blue Cross Blue Shield says a contractor took 27,000 names and Social Security numbers and sent them over email to a home computer.
- March 7, 2006: Google mistakenly posts internal projections not meant for the public on the company's website.
- April 14, 2006: Social Security numbers of 1,400 University of South Carolina students were mistakenly emailed to classmates.
- July 28, 2006: Social Security numbers and financial information of 2,000 Riverside, Calif. employees were inadvertently sent through City Hall's email system.
Content security drivers
The potential financial and legal risks associated with outbound messaging streams vary by company and industry, and need to be evaluated and determined by each individual organization. To better understand the internal and external drivers that lead companies to implement comprehensive data security processes, let's look at two key vertical segments:
Federal and state privacy regulations are requiring financial services companies to implement more stringent policies and procedures to ensure that private customer data is not shared with unintended audiences:
- Gramm-Leach Bliley Act (GLBA): Requires organizations to ensure that their customers' nonpublic information (NPI) is fully protected against unauthorized access or use. The challenge is how to secure NPI without blocking valid electronic communication.
- Sarbanes-Oxley: Companies need to ensure that private corporate information is not released prior to becoming publicly available, without impeding business operations.
- State privacy laws: New laws, such as California SB 1386, are being passed to ensure that when data does leak out, the appropriate stakeholders impacted by the data are notified.
For manufacturing organizations, intellectual property, whether product- or process-related, is data that translates directly to gaining and maintaining a competitive edge. Fully protecting this information is driving manufacturers to deploy solutions that keep corporate assets from being leaked via email and other messaging streams and to avoid costly repercussions, such as brand damage, stock price hits, etc.
Content policy framework: The four W's
Regardless of what drives organizations to secure outbound messaging streams, the ongoing challenge across all industries is how to secure critical data once it has been created, while making the information easily available to the necessary constituents. In addition to using technology to help automate the monitoring of outbound messages, the most successful messaging security processes also require well-defined company policies related to the use of email and other forms of electronic communication.
The idea of creating policies can be daunting, but in reality, messaging policies can be simple, and should be simple, in order to be effective. Whether creating new data security policies or updating existing ones, here are some recommended steps to help with the process:
- What do you do? Take a deep look at your core business (i.e., how you make money) and the external forces impacting operations, such as competitive players and industry regulations, to determine what's driving your business forward.
- What's your intellectual property? To help prioritize the data that needs to be protected, address the following: What do you sell? What personal private information do your systems contain? Do you work with other parties to create this data? Are you exchanging information with partners and distributors?
- Who do you do business with? The next key step is to determine the highest level of risk for your organization by evaluating: Who has access to intellectual property? Where does information flow (i.e., employees, partners, suppliers, customers)?
- How is information accessed, and from where? When and how often does the data need to be accessed? Where does it exist on the network? How is it typically accessed (via email, fax, file server, etc.)?
The above will give organizations a good baseline understanding of where the highest level of risk and exposure exists and provide a guideline of where to focus energy and efforts tied to messaging security.
Survival of the fittest
The reality is that email, along with new forms of electronic communications, makes it extremely easy to distribute a company's digital assets, and organizations need both policies and processes in place to fully secure outbound messaging streams. The need to comply with privacy and data security regulations will continue to drive organizations to expand their deployments of messaging security technology, while developing a more complete understanding of the value of corporate data and the potentially costly repercussions of data leaks.
Up-to-date data security policies combined with the right technology solution can proactively prevent liabilities created by noncompliant or offensive emails, ensure the privacy of customer and employee data and secure valuable intellectual property and trade secrets, ultimately protecting your business.
-Sandra Vaughan is vice president of products and marketing for Proofpoint