Employees at all levels within the enterprise are privy to a wide range of sensitive and proprietary information, which holds a high risk of damage if handled inappropriately. Those same employees are highly reliant upon e-mail for the effective distribution of information. And yet, for most of them, as soon as they hit “send,” all control of their e-mail, and the sensitive or proprietary information contained within, is lost. Employee e-mails frequently spread beyond the intended recipients where they are forwarded, cut and copied. Sometimes information is stolen or sent to a competitor.
Each year, e-mail misdirection results in significant security breaches, loss of intellectual property, and violations of compliance regulations. A 2005 poll for Fortiva by Harris Interactive shows that 68 percent of U.S. employees who use e-mail at work have sent or received e-mail via their work account that could place their company at risk.
Loss of Privacy
The problem of e-mail misdirection is further compounded by the fact that as e-mail makes transitory stops, it is often stored or copied before being sent on. Even if stored for a microsecond during transfer, many e-mails can be classified as “stored communications.” The United States Courts recognize that stored communications are subject to an “inherent loss of privacy” and can legally be read by the owner of the server on which they were stored.
The legal industry is thriving on the vast number of disputes pertaining to loss of intellectual property and trade secrets. Unlike phone conversations, faxes and other forms of communication, it is very easy for trade secrets contained in e-mail and attachments to end up in the public sphere. In some instances, the posting of a trade secret to a popular Web page can even lead to its forfeiture.
Ample media attention has been focused on inbound security issues such as viruses, phishing attacks and theft of sensitive customer information from large databases. The threats posed by spyware and malware are also widely understood. But another area, the misdirection of outbound e-mail, is where many businesses fall short.
Conventional Security Measures Aren’t Enough
Common security models include firewalls and intrusion detection at the network level, and access control lists and password protection at the folder/file level. Digital information can also be encrypted for transit. However, once the file is opened by the authorized individual(s), protection ends and the file can be distributed anywhere. To ensure true e-mail and document security, a solution must provide persistent security (meaning the protection remains no matter where the e-mail travels or is stored).
Today’s use of “e-mail disclaimers” is also not a viable protection and cannot guarantee the privacy of information contained in an e-mail. The information may be confidential and subject to protection under the law, but the fact remains that no real protection is provided against a breach of information.
New Developments in Encryption and Rights Management
Encryption solutions are vital to the secure transmission of e-mail, but one of the best methods for protecting intellectual property from interception and redistribution is e-mail rights management software. With it, the message is encrypted and content authors can specify exactly how recipients may use that e-mail.
Senders can prevent unauthorized distribution (no forwarding, printing), and unauthorized editing (no cut, copy, paste) of content. Users can set expiration dates on their e-mail and documents, effectively deleting the documents from the recipient’s inbox and PC at a specified date and time. In addition, users can set access privileges — for example, a CEO might specify that an e-mail only be accessible on a particular date by the executive management team.
Many IT departments have been slow to insist that employees encrypt their electronic correspondence, largely because of the complexity involved. To effectively encrypt e-mail and other data utilizing accepted cryptographic standards, users have had to be comfortable with onerous technical protocols such as public key exchange. They have also needed at least a cursory knowledge of Public Key Infrastructure (PKI).
Fortunately, new security applications accessible from the desktop enable employees to determine how recipients may use their e-mail and documents. This technology historically has been server-based, highly complex and costly. But today, organizations of all sizes are deploying powerful outbound e-mail encryption and rights management controls that are easy to administer, and facilitate end user workflow and communications.
How P2P Works
Peer-to-peer (P2P) encryption rights management solutions give customers and partners the ability to easily access and securely reply to protected e-mails without requiring significant changes to the corporate IT infrastructure.
P2P architecture does not require e-mail to be sent through a central server (thus eliminating the need for costly server licenses) and facilitates the receipt of secure content beyond the firewall. With P2P architecture, the content author begins by assigning rights controls to an e-mail. A session key is then generated and used to encrypt the content and rights controls.
If keys have already been exchanged between sender and recipient (some applications silently and transparently facilitate key exchange between sender and recipient during their first secure e-mail exchange), then the session key is encrypted with the public key of each recipient. Lastly, the encrypted files and keys are sent to the intended recipients. If the e-mail is delivered to anyone beyond the designated recipients, the file contents remain encrypted and access is denied.
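The flow described above, as an added example that is not from the original article or from any vendor's product, written for Node.js with its built-in crypto module. AES-256-GCM, RSA-OAEP, the rights field names and all function names are assumptions chosen for illustration.

```javascript
// Added illustration of the session-key envelope; algorithms and names are assumptions.
const { generateKeyPairSync, randomBytes, createCipheriv, createDecipheriv,
  publicEncrypt, privateDecrypt, constants } = require('node:crypto');

const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Hypothetical helper: stands in for the key exchange between sender and recipient.
function newKeyPair() {
  return generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Sender: encrypt content and rights controls under a fresh session key, then
// encrypt that session key with the public key of each designated recipient.
function protectMessage(content, rights, recipients) {
  const sessionKey = randomBytes(32); // one-time AES-256 key
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', sessionKey, iv);
  const payload = Buffer.from(JSON.stringify({ content, rights }));
  const ciphertext = Buffer.concat([cipher.update(payload), cipher.final()]);
  const wrappedKeys = {};
  for (const [name, publicKey] of Object.entries(recipients)) {
    wrappedKeys[name] = publicEncrypt({ key: publicKey, ...OAEP }, sessionKey);
  }
  return { iv, ciphertext, tag: cipher.getAuthTag(), wrappedKeys };
}

// Recipient: recover the session key with the private key, decrypt, and apply
// the expiry right before handing the content to the mail client.
function openEnvelope(envelope, name, privateKey, now = new Date()) {
  const wrapped = envelope.wrappedKeys[name];
  if (!wrapped) throw new Error('not a designated recipient');
  const sessionKey = privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
  const decipher = createDecipheriv('aes-256-gcm', sessionKey, envelope.iv);
  decipher.setAuthTag(envelope.tag); // GCM tag covers content and rights together
  const plain = Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
  const { content, rights } = JSON.parse(plain.toString());
  if (rights.expires && now > new Date(rights.expires)) {
    throw new Error('message expired');
  }
  return { content, rights };
}
```

The expiry and usage rights are applied by the receiving client after decryption; the cryptography itself guarantees only that non-recipients cannot read the envelope and that the rights cannot be altered in transit.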
E-mail misdirection and misuse can spell disaster for a business’s reputation and bottom line. Enterprises invest heavily in protecting their sensitive information from outside attack, and they’d be wise to stem threats that arise from the misuse and misdirection of outbound e-mail. Fortunately, a wide range of easy-to-use tools is available today for organizations of all sizes, delivering greater security and control and helping them maintain an overall sense of trust and confidence in their data protection processes.
Ray Zambroski is the CEO of Essential Security Software, a provider of outbound e-mail security solutions.