
Email is evolving as a business tool, and so is email security

October 13, 2006

Much as Mark Twain responded to his obituary published in the New York Journal in 1897, the demise of email as a corporate communications tool is far from true. But it is rapidly becoming the equivalent of an out-of-control train in many enterprises. Usage and volume are growing yearly, with Gartner Group forecasting a 20-percent compound growth rate over the next three years and knowledge workers spending a whopping 25 percent of their work week on email! As for what's in all that email, Forrester Research recently reported that for the U.S. companies surveyed, 20 percent of outbound emails contain information that could put the company at risk for financial, legal or regulatory fallout.

Email = Workflow

Email has become the central business application for millions of knowledge workers around the globe. Accessibility through mobile devices like BlackBerrys, and the proliferation of wireless broadband, only makes it easier to connect and read email. The ability to push information with the press of a button and move something off your virtual desk onto someone else's defines daily workflow in most businesses, both large and small. Additionally, forwarded emails represent twice the volume of those sent originally - that's a lot of virtual "paper pushing."

Email has grown organically inside the four walls of major corporations, spurred on by the same things driving instant messaging, social networks and text messaging - the need for a simple and flexible way to communicate and share information. Rather than be displaced by these new technologies, email will remain the cornerstone of enterprise communications because all major enterprise business processes either rely on it or are built around it. This has led to additive architectures, built up layer by layer out of the necessity to keep this most visible IT application operational and to avoid the dreaded "email is down" call from the masses.

Email has become the enterprise data warehouse by default as employees use it for everything from mortgage application management to contract negotiations to the mass distribution of 20MB reports — circumventing expensive file sharing/collaboration systems. Even personal employee information is routinely distributed, unsecured, via email by both the enterprise and individual employees. While the corporate end of this problem may be more easily fixed, email monitoring is a touchy subject as companies have to balance trusting employees, company culture and the dreaded "big brother" syndrome. There is good news - the majority (98 percent-plus) of email users are not malicious or intentionally trying to break the rules, making this a very solvable problem. However, the other two percent are working against you and proper controls are necessary to protect your company.

Email = Risk

While it's common knowledge that email has been used as the basis for employee lawsuits and criminal fraud, and is often a vehicle for leaking proprietary company information, most IT departments haven't taken all of the steps necessary to reduce or eliminate this risk. Many have taken a piecemeal approach—the problem is that the issues are just too big for that to work.

IT professionals face the challenge of addressing technological, cultural and legal issues all at the same time while keeping the solutions from crippling this critical information asset. Spam filters are effective in keeping malicious email out of the system but they also filter out important messages. What is a tolerable percentage of missed messages and how is this decided?

Archiving is becoming increasingly important as the organization uses the corporate record to do business and protect itself from lawsuits. But this implies the need for understanding the context of each conversation — intelligence that many systems lack.

Other technologies are designed to deal with the people side of the equation by stopping bad behavior before it happens. They sound appealing at first blush, but fall down in implementation. Who wants to be responsible for reviewing questionable emails before they can be released? IT departments that have attempted this find that sampling or random reviews quickly lead to frustration. Outside of financial institutions, companies don't have the time, budget, or inclination to construct whole departments for nothing more than email "supervision."

Corporate security and compliance professionals do understand the benefits of a proactive program to help avert "incidents" before they occur. But the problem is finding an approach that anticipates and avoids problems instead of putting you in a constant reactive state.

Email = A Storage Issue

For those of you who haven't enjoyed the "Wizard of Oz" in some time, consider the plight of the Scarecrow and his search for a brain. He had all of the mechanics, but none of the intelligence. Typical email archiving solutions are very similar: they will do what you tell them and save every email sent and received, but they lack the intelligence to aid in the retrieval process. All email finds its way into your archive and all of it is treated equally. Adding intelligence to this process can alleviate the flood of email as well as prepare companies to retrieve emails - the reason they are being archived in the first place. This is not about artificial intelligence or Bayesian-type analysis, which demos well but falls down operationally. This is about using your existing data sources (directory services, databases, etc.) to add contextual information to email records as they are saved, making it easier and cheaper to retrieve them when needed. For instance, companies that want to identify correspondence to or from both inside and outside counsel, as well as forwarded emails that could be attorney instructions, find that intelligent archiving means they don't have to sift through a mountain of email to identify those precious few that can be excluded from an inquiry based on privilege. How big a deal is this? At $1 to $2 per email reviewed, 90 days of 100 employees' email can add up to a $500,000 legal bill - and that's just for one incident.

Email: a strategic approach required

Since email is not going away anytime soon, what should a company do to leverage its value while reducing its costs and risks? Rather than trying to boil the ocean with lots of techno-jargon, I suggest the following approach:

1. Understand how email is used at your company

Assessments are the Trojan horse of the software industry, designed to show you the problem that you will then pay to solve. You need to move beyond the notion of a "48 hour risk assessment" and embrace the notion of understanding usage over time. Usage means how email is used, where it goes, how it changes over time, and where the outliers and even potential abusers are in your organization. One company, using intelligent email profiling, discovered that an employee was running a side DJ business: the profiling highlighted him as the largest sender of mp3 attachments to external addresses. That type of information is both meaningful and actionable, versus the current practice of a quick scan for the word "confidential," which is both meaningless and prone to false positives because every corporate disclaimer contains that word.

2. Give your users the first shot at correcting mistakes

We have consistently seen that email traffic to personal or ISP accounts from corporate addresses is 2 percent of all traffic and about 4 percent of volume. This means that these emails are heavily attachment-laden, ranging from sensitive documents to employees sending work home for the weekend. Regardless of content, this stream of traffic is a significant source of risk. Putting a system control in place that asks the user to confirm adherence to company policy can both bring about behavior change (and the associated risk reduction) and put the decision in the hands of the person who knows their intent best - the sender. Doing this from the desktop client is a non-starter, as no one wants to manage another desktop application. Doing this from the gateway provides the safety net with the smallest possible footprint.

3. Ensure you are using reasonable efforts to protect your information…and other employees

Putting the proper safeguards in place to protect your intellectual assets, given their propensity to be released via email, is essential. Combining user-based correction with contextual and behavior-based analysis of email will identify suspect emails before they are released and allow for proper oversight. No one wants to read more email, but is there any good reason an email with an attachment should be going to a competitor? The recent incident at Coca-Cola illustrates this in great detail. As part of her plan to sell trade secrets about a new beverage to the competition, a Coca-Cola employee was alleged to have done a variety of things, including sending an email to PepsiCo from her supervisor's account. Regardless of the content of the message, in the hyper-competitive beverage industry an email to your main competitor should have set off alarm bells, versus having to get a call from that competitor about the plot, as in this case. The "insider threat" must be addressed in the opening moves of any sound IT email policy.

4. Move from organic-growth architectures to strategic design

We have seen more and more large companies initiating strategic redesign projects around their messaging infrastructures. Organic growth based on need has led to tremendous redundancies, inefficiencies, and "swivel chair" networks where configuration changes must be made across systems and points of presence. What would you do if one of your three gateways went down? Could you redirect all traffic through international gateways with one configuration change? One company needed that capability as part of their disaster recovery plan and now has it because they took a strategic look at how they wanted to manage their messaging infrastructure. Things as simple as email privileges (i.e., who gets to send external email) are difficult, if not impossible, to set and administer due to architectures that have evolved over time. Adding intelligence to the email storage and retrieval process is a critical area that is easily overlooked. Existing data sources, such as directory services and databases, can be employed to add contextual information to email records. But it all has to map back to the policies and regulations specific to a particular operation. Many companies are embarking upon message "clearing house" projects where a unified email policy system provides the long absent central point of command and control over email infrastructure. This type of design provides the systems management that companies must employ if they want maximum risk-reduction, continued asset accessibility and cost efficiencies.
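To make the gateway-side controls in steps 1 through 3 concrete, here is an added example (not MessageGate's code or anything from the original article) that classifies outbound recipients by domain, decides whether a message is released, sent back to its sender for a policy confirmation, or held for oversight, and builds the per-sender usage profile that surfaces outliers such as the largest sender of mp3 attachments to outside addresses. The domain lists and the sample traffic are constructed for illustration.

```python
from collections import defaultdict

# Hypothetical domain lists; a real gateway would load these from directory services.
CORP_DOMAIN = "example.com"
PERSONAL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com"}
COMPETITOR_DOMAINS = {"rival.example"}

# Constructed sample outbound traffic (not real messages).
SAMPLE = [
    {"from": "alice@example.com", "to": ["bob@example.com"], "attachments": []},
    {"from": "alice@example.com", "to": ["alice.home@gmail.com"], "attachments": ["q3-report.xlsx"]},
    {"from": "carol@example.com", "to": ["buyer@rival.example"], "attachments": ["formula.pdf"]},
    {"from": "dave@example.com", "to": ["fan@yahoo.com"], "attachments": ["set1.mp3", "set2.mp3"]},
    {"from": "dave@example.com", "to": ["club@partner.example"], "attachments": ["mix.MP3"]},
]

def classify_recipient(addr):
    """Map a recipient address to a policy category by its domain."""
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain == CORP_DOMAIN:
        return "internal"
    if domain in COMPETITOR_DOMAINS:
        return "competitor"
    if domain in PERSONAL_DOMAINS:
        return "personal"
    return "external"

def decide(msg):
    """Gateway decision for one outbound message: 'hold' an attachment bound
    for a competitor for oversight, 'confirm' mail to a personal/ISP account
    with its sender before release, otherwise 'allow'."""
    cats = {classify_recipient(r) for r in msg["to"]}
    if "competitor" in cats and msg["attachments"]:
        return "hold"
    if "personal" in cats:
        return "confirm"
    return "allow"

def profile_senders(msgs):
    """Usage profile per sender: total messages, messages to personal accounts,
    and mp3 attachments sent to any address outside the company."""
    stats = defaultdict(lambda: {"msgs": 0, "to_personal": 0, "external_mp3": 0})
    for m in msgs:
        cats = [classify_recipient(r) for r in m["to"]]
        s = stats[m["from"]]
        s["msgs"] += 1
        s["to_personal"] += "personal" in cats
        if any(c != "internal" for c in cats):
            s["external_mp3"] += sum(a.lower().endswith(".mp3") for a in m["attachments"])
    return dict(stats)
```

Over the sample traffic, `profile_senders(SAMPLE)` singles out dave@example.com with three mp3 attachments to outside addresses, while `decide` holds carol's attachment to the competitor and asks alice and dave to confirm their mail to personal accounts.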

Email is Dead, Long Live Email!

Email is not going away, it is simply going through a metamorphosis. If it is to mature into a more useful and secure business-critical asset you will need to move from a piecemeal or organic management system to an email strategy. Companies consciously making this transition understand that it is far from a simple process but that the benefits far outweigh the investment made. Implementing a governance approach that manages people, technology and information is the only reasonable solution to enterprise email problems.

-Shaun Wolfe is president and CEO of MessageGate.
