|
Today, email is the number-one method of communication used by enterprises around the globe. Yet, as email usage continues to grow, corporations are starting to recognize that it also may be the weakest security link in the network.
Research from the Enterprise Strategy Group suggests that 70 percent or more of a company’s business-critical information may be stored in its messaging system. Two factors make this situation increasingly problematic. First, email systems today are used for much more than messaging. Email acts as a contact manager, a document archive, a file-sharing system, and a project management and collaboration focal point. Second, virtually every employee uses email to communicate with contacts outside of the organization. And unlike paper documents that can be shredded or conversations that can be kept private, emails live on after they’re created.
This revelation is enough to shock any executive or network administrator when one stops to consider that typically, recipients are not authenticated before emails are sent. This means that there’s no check to ensure that it’s acceptable to send certain documents to a given recipient, as well as no check of the actual content that’s sent. Further, email senders typically have their pick of all types of information to include within or attach to their messages—data from file servers, customer databases, ERP systems, and their own computers’ hard drives. As history has shown, it’s shockingly easy to forward confidential internal memos from CEOs and other high-level executives, only to have them end up as topics of discussion on “dotcom deadpool” –type Web sites.
To date, most efforts to secure enterprise email systems have been focused on keeping external threats—like spam, viruses, Trojan horses, spyware and blended threats—from getting in. Firewalls, anti-virus, anti-spam, anti-spyware, content filtering and other products installed on client PCs as well as messaging servers and gateways at the edge of the enterprise have gone a long way toward minimizing these threats from the outside. In fact, the 2004 CSI/FBI Computer Crime and Security Survey found that unauthorized use of computer systems and cybersecurity breaches are both on the decline.
Indeed, this method of dealing with email system security—from the outside in—reflects today’s enterprise security systems and mindset in general. Identification badges and biometric security systems sometimes restrict access to office buildings. Security guards are employed and visitors are escorted from lobby to conference room and back.
But the fact is that today, risks associated with out-bound email may pose a much greater threat to a company’s long-term prosperity and health than inbound risks. Inbound risks generate a lot of very costly, quantifiable, visible and maddening evidence of their destruction. Everyone has watched their productivity decline while the spam piles up, and IT departments may easily become overwhelmed if their company is hit by a virus. CSI/FBI survey respondents reported that virus and denial-of-service attacks cost their companies over $80 million in 2004.
Yet—while visitors are tracked from meeting to meeting and anti-virus solutions are stopping the latest threats from entering the network and wreaking havoc—with the click of the mouse, any one of our trusted employees can accidentally send confidential information to the wrong recipient.
This is a red flag when it comes to security. Why? Any document or other piece of information that can leave the corporate network via email represents a potential costly leak of confidential business assets.
EXPOSURE: TRUTH AND CONSEQUENCES
The simple fact is that email makes it very easy to distribute a company’s most important assets, including:
- Intellectual property
- Trade secrets
- Confidential memos
- Financial data
- Confidential consumer and customer data like protected health information, credit card numbers and social security numbers
The biggest risks to a corporation occur when intellectual property and trade secrets are lost. In 2004, for example, Microsoft found itself in the middle of a worldwide media frenzy when portions of the Windows 2000 and Windows NT 4.0 source code—copyrighted and protected as a trade secret—appeared on the Internet. Almost immediately, reports surfaced that hackers used the code to find a security vulnerability to exploit in an old version of the Internet Explorer browser.
|
