President Bush let it be known on April 14 of this year that he does not send e-mail — not even to his twin daughters — because he fears his “personal stuff” may be made public. His remarks were made during a discussion of whether his administration is being responsive to requests made under the Freedom of Information Act. “There has got to be a certain sense of privacy” he said to the American Society of Newspaper Editors.
Although the President’s remarks deal with the fact that e-mail could be subject to subpoena under certain conditions, it also raises the question of the privacy and security of e-mail in general. Over the past few years it has become widely accepted that e-mail is the digital equivalent of a postcard — easy to read, not very well-protected, open to prying eyes. Less well understood is the viral and persistent nature of an e-mail message. Who really received it? How many copies are in existence?
A Broad Topic
If you mention the words “e-mail” and “security” together these days, the reaction from technology executives is one of concern.
“We have to ensure that viruses, worms and spam don’t come in through e-mail, but it’s a two-way street so we have to also make sure that no viruses or spam go out from the company,” says Lawrence Lu, CTO of Array Networks in Campbell, Calif. “Since almost all information is electronic today, we need to protect intellectual property from being tampered with or going to the wrong person. And then there are the issues surrounding retention and retrieval, government regulations — the list goes on. Most important, we continually work with our users to make sure they understand our security policies.”
Today there is a vibrant market in e-mail and messaging security, with dozens of companies serving consumers and businesses. But products and services can only go so far. It is up to the organization to build, implement, enforce and monitor strong policies, since in the end the human factor is the glue that makes security possible. According to Mike Lambert of the Open Group, “The whole architecture of the Internet e-mail system is ‘policy-unfriendly.’ That leaves us with the option of educating end-users and hoping that they will behave.”
IT executives around the world say that same thing: Implement strong policies, and enforce them. They identify seven key policy areas for e-mail security, and stress that these policies should be implemented not just for corporate e-mail, but also for Web-mail that is used by employees and contractors.
Common-Sense Steps to E-Mail Security
- Don’t let the bad stuff in. The best-known aspect of e-mail security is to keep spam, viruses, worms, Trojans and other malware out of the corporate network. In order to do this, implement a multi-pronged approach to antivirus, anti-spam and other relevant technologies, catching it at servers, gateways, desktops and other endpoints.
- Don’t let the wrong stuff out. Make sure that a) your company is not guilty of sending spam, viruses, pornography, abusive e-mail, etc. and b) you are not disclosing confidential information such as financials or intellectual property. This policy generally involves using simple or complex filters to check for private information and automatically taking appropriate action when such information is found.
- Make sure your messaging systems protect private information. This means making sure that sensitive information is only sent to authorized recipients. To do so, the e-mail should be encrypted (so it can’t be viewed while in transit) and the recipient (either person or organization) should have to authenticate before opening the e-mail. Make sure your policy covers transmission of non-public information to partners — either by encrypting the contents themselves, or sending the e-mail over an encrypted link.
- Make sure your messaging systems are in compliance with regulatory requirements (such as HIPAA or GLBA) to protect individually-identifiable information. The most successful approach to this is to use a product to encrypt regulated information, rather than relying on the users to remember to do so.
- Comply with applicable retention and archival requirements. Understand the requirements for your organization, and build your retention and deletion policies around those specific requirements. Make sure all covered communication is archived and retrievable in the event it is needed in the future. If you use e-mail encryption, make sure you have made provisions to decrypt the messages in the future.
- Prepare for the possible future disclosure of e-mail communication in a non-contextual atmosphere. In a 2004 study, 21 percent of employers reported that they had had employee e-mail and instant messages subpoenaed for a lawsuit or regulatory investigation. Be aware often e-mail is written in a type of “corporate shorthand” using cryptic phrases and insider jargon that may make interpretation difficult in the future. Even worse, much e-mail contains no context whatsoever — so casual phrases could later be interpreted as something illegal or unethical. How do you deal with this issue? That’s where policy item 7, below, comes in.
- Train your users. And make it stick. Make sure they understand your policies about how and when to use e-mail, e-mail etiquette, and e-mail security. Keep policies up to date. Make it easy for users to adhere to policy: where possible, employ automated systems to take the burden off them. Consider implementing some type of periodic quiz or refresher course to ensure that the knowledge doesn’t become stale.
Lu concludes, “E-mail is the killer app of the Internet, but its benefits bring with them a certain amount of risk. We need to reduce the danger of a security breach — whether it is intentional or inadvertent. Unlike other technologies, e-mail has many motivated adversaries who are constantly trying to defeat security measures. It’s a never-ending war, and companies can’t afford to let down their guard.”
Tanya Candia is a consultant and expert on information technology (most notably data management and security), business management and marketing issues. As president/founder of Candia Communications, she consults with companies and currently serves as vice president of Marketing for Senforce Technologies. Candia can be reached at firstname.lastname@example.org.