
Regulations Shift Focus on Outbound Email Security

By : Proofpoint
Published : Nov 02, 2007
Length : 6
Type : White Paper
 
Overview :

Email is the lingua franca of business today. It is the conduit that allows employees to share information, companies to work with partners, and, increasingly, companies and their customers to interact. Enterprises today deal with an ever-increasing number of email-related threats. Most are familiar with the problems of virus-infected email attachments and productivity-draining spam, but now companies must also address the threats posed by outbound email.

In this paper, we discuss the impact of data protection regulations and standards, such as PCI and the Office of Management and Budget Personally Identifiable Information Guidelines, which place new constraints on how data is stored, processed, and transmitted over email.

Related Categories: Compliance, Data Protection, Document Management, Email Security, Information Management, Security

Outbound email and other electronic communications (such as web-based email, blog postings, FTP and other messaging streams) pose a significant risk for data loss or data leakage. Mitigating such risks is becoming increasingly important and complex with the introduction of new information privacy and data protection regulations that cover information exchanged internally, as well as with partners and customers. For example, the relatively new Payment Card Industry (PCI) Data Security Standard (DSS) and the Office of Management and Budget (OMB) Personally Identifiable Information Guidelines (PIIG) place additional constraints on how data is stored, processed, and transmitted.
Compliance with these types of regulations—or simply adopting best practices for protecting the sensitive or private information valued by your company, customers, employees and partners—adds a relatively new twist to email security. Sure, one must still be vigilant against inbound threats, but now outbound mail needs to be examined to be certain there is no data leakage. This often involves setting up corporate data protection and privacy policies, encrypting confidential corporate and private personal data, adopting best practices to ensure the policies are used, monitoring for compliance, and demonstrating (to regulators and security auditors) that procedures are in place and working.
Whatever solutions are selected, they must be easy to deploy and manage. Otherwise, they will not be used. For example, a hard-to-use encryption solution will encourage users to send information in plain text. Similarly, solutions must not prevent or obstruct business from taking place. In particular, a solution must be accurate so that it does not block mission-critical and authorized email from getting through.
To meet these criteria, companies often employ a combination of security solutions, practices, and procedures. This white paper will examine the new email security and compliance challenges and ways to address them.

Outbound Email Becomes a Concern

Traditionally, most email security and protection solutions have focused on inbound threats. But increasingly, organizations find that they must also address outgoing mail. In fact, nearly one in five outgoing emails (18.9%) contains content that poses a legal, financial or regulatory risk, according to a 2007 survey of email decision-makers at 308 large U.S. enterprises (conducted by Forrester Consulting on behalf of Proofpoint).
Respondents to the survey say that the most common form of non-compliant content is email that contains confidential or proprietary business information. Unfortunately, there are several ways such information can be leaked.
First, there is the malicious user intent on stealing intellectual property, confidential company information, or customer records. Such behavior is a growing concern. A 2006 eWeek article cited a study by the Ponemon Institute that found the “loss or theft of intellectual property came in first in terms of risk, reputations and cost to the organization.”
Disgruntled employees intent on stealing information have many options. They could send a spreadsheet as an email attachment or copy information from a database and paste it into the text of a message. Such employees could use a free Web-based email account or an instant messaging service to try to circumvent scans of corporate email. They could also encrypt information using a third-party solution downloaded from the Internet to hide its content.
Second, data leakage might simply occur by accident. For example, one common problem is for a user to send an email message with confidential or customer information to the wrong person. Imagine a harried employee trying to get a number of things done at once. He or she composes a message intended for a particular person or group of people and, in the rush to type the recipients' names in the address line, Outlook automatically completes the name. To speed things along, the user simply presses “Enter” to accept the full name, but it turns out the first listing in Outlook is “Mark Smith,” when the message was really intended for “Marks, Joe,” who appears farther down the list of choices.
