Enterprises invest a sizable portion of their IT budgets in ensuring that sensitive data remains secure and inaccessible to individuals in the outside world. However, a tool that most enterprise employees use daily — e-mail — can easily become a leak in company’s defensive dam.
Businesses can lose vital information through inappropriate employeee-mail activity and inadequate prevention measures. This so-calledleaking e-mail poses a growing impediment to keeping sensitiveinformation secure.
A study by research firm IDC released in mid-October found that 72percent of organizations surveyed in North America had no solution forpreventing data leaks over e-mail. The study further found that 89of 100 surveyed organizations with more than 500 employeeslacked an effective anti-spam solution.
Internet security firm Secure Computing commissioned the survey toconfirm trends it saw in the market. Concern about e-mail security co-exist with those focusing on malware and phishing attacks, according to SecureComputing.
“Only 3 percent of companies surveyed expressed satisfaction with theamount of spam they were getting,” Ken Rutsky, vice president ofproduct marketing for Secure Computing, told TechNewsWorld.
The survey found that organizations must focus more efforts incombating e-mail security risks, said Brian Burke, program directorfor security products at IDC.
IDC’s study showed that e-mail encryption and data loss prevention arehot-button topics for IT executives. Some 85 percent of those surveyedsaid they were very or extremely concerned about data leakage overe-mail. Despite this concern, only 28 percent of those surveyed hadimplemented a system to prevent those data leaks, while 56 percentplanned to do so in the upcoming year.
Between 80 and 90 percent of all corporate data loss incidents occuraccidentally, according to IDC. Some 44 percent of the surveyedcompanies admitted to growing concerns about accidental data loss overdeliberate leaks — only five percent of the responding companiesreported strong concerns about insiders intentionally revealingsensitive information.
Despite this concern about leaky e-mail, only 11 percent of thosesurveyed had adequate inbound protection, and over 70 percent hadnothing in place for data loss prevention on e-mail, according toRutsky.
Companies that have no solutions in place for strong e-mail protectionare courting costly danger.
“The real problem today with data leakage is insider breaches. Systemadministrators are among the biggest violators,” Matt Shanahan, seniorvice president of AdmitOne Security, told TechNewsWorld.
Companies without effective e-mail protection systems allow theirworkers to easily get around restrictions in using corporate e-mail.For instance, workers can get around restrictive e-mail policies byusing outside or web-based e-mail such as those provided by Google, hesaid. Another ruse workers easily use is the print screen command.Even when e-mail cannot be forwarded or saved to an external device,workers can make a paper copy.
“If the worker is intent enough to get the information our of thecomputer, it can be done,” Shanahan said.
Worth the Cost?
When it comes to e-mail, the decision-making process among business executives has drastically changed, according to Shanahan. Forinstance, today organizations are looking much more closely at the bottom line before buying e-mail security. However, many products designed to prevent e-mail leakage don’t actually pay for themselves until they divert a disaster. If a costly leak would have otherwise happened, they’re an incredibly good investment. If not, they were only worth whatever peace of mind they provided.
If the e-mail security product cannot be connected to PCI (PaymentCard Industry) compliance or the security product does not helpmitigate online returns, the purchase decision is more likely notmade.
“If the security product is not impacting the business in one of theseareas, the problem is not getting sold. We are seeing that if thereis no ROI (return on investment), the products don’t sell. More so, weare seeing this in the last half of this year,” said Shanahan.
E-mail is one of the leading doors for intrusion into corporatenetworks. Word documents and spreadsheet attachments can provideintruders with an unquestioned entry route.
“E-mail is the number one source of exploit entry into corporatenetworks,” Paul Kocher, president and chief scientist at CryptographyResearch, told TechNewsWorld.com
Browsers are typically mediocre when it comes to security, and word processors andspreadsheet programs are not tested for security holes to the sameextent as a Web browser, he said. A trend is developing towardencrypting e-mail as a way to protect the contents while it sits on aserver and is in transit, he explained.
Another trait of e-mail that makes it leaky is the frequency withwhich key-logging programs are embedded in attached files, accordingto Kocher. The best way to stop this type of data leak is to scaneverything that comes into the network, though that can cause performanceproblems. Using strong passwords is another way to shut off data leaks.
Stopping the Flow
One method for turning off the data leak in e-mail is to removeworkers’ ability to transfer data to removable storage devices.One product, called “DeviceLock.com,” can lock downnetworks without reliance on third-party support.
“The problem with removable devices such as thumb drives is gettingworse. Mobile devices have their own storage,” Vladimir Chernavsky,president of North American operations for DeviceLock, toldTechNewsWorld.
DeviceLock shuts off data leaks without the need for ITintervention, he said. The device needs no controls andhas no log configurations to set. System admins and otherwith higher access privileges can override the device.
It can be centrally deployed through its management console.The IT manager can set flexible policies for specific company-issueddevices to work, while unknown devices remain blocked. This avoids theall-or-nothing strategy of other port-blocking solutions, Chernavskysaid.
Drying the Leaks
Secure Computing announced last month an initiative called “STAMP“(Seven Technologies for Advanced Mail Protection), designed to improve e-mail security by bringing market research, industry architecture requirements and solutions to theforefront.
This initiative addresses the problems caused by spam surges, malwarethreats, sensitive information leaks and compliance and audit demands. It also takes a look at tools, technologies and solutions necessary to stamp out corporate e-mail risk.
The STAMP initiative is driving Secure Computing’s next-generationmessaging gateway appliance development. The company inOctober launched Secure Mail 6.7.1.
The new version of Secure Mail includes components to curtail dataloss through e-mail. It delivers protection for both privacy andintellectual property.
The new version bundles Secure Mail’s Advanced Compliance engine. Thisengine was previously available separately. Version 6.7.1 basic e-mailprotection boasts five content detection techniques, seven extensiblepolicy actions and multiple encryption options.