Email -- and its lack of reasonable content filtering -- is one of the greatest enablers of information leakage today.
Measured against the essential elements of information security and the letter of the law under the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, PCI DSS and so on, email-based security breaches likely occur on a daily basis. But since no one knows about them, organizations assume they're not an issue.
The potential for inadvertent or even intentional leakage of sensitive information -- and the subsequent industry and government sanctions that organizations face when adequate content filtering is not in place -- creates a risk few executives would be willing to take on, at least not executives who understand all the facts.
Here is the state of email content filtering as I'm seeing it and some things worth considering so that you can beef up your email security efforts once and for all.
Who's doing what?
About 25% of organizations I work with are using some type of email content filtering to detect and block sensitive information in email as it leaves the network. Most organizations use third-party email security appliances and managed services. I've seen others use basic controls in their Exchange Servers. I've also seen organizations set up individual rules in Microsoft Outlook to filter shared computers and email accounts.
Does email content filtering really work?
Most content filtering goes no further than cleaning malware and stripping attachments from email messages; this configuration works as designed most of the time. However, I've found that attachment stripping often works too well, removing legitimate attachments and getting in the way of people doing legitimate business.
True content filtering involves inspecting the email body and attachments for sensitive information (PII, intellectual property, etc.) and then taking action on what is found. Even in organizations that have reasonable security controls, odds are high that email content filtering is not being done to the extent it's needed. It's not being proactively managed, nor is it falling within the scope of information security testing.
Gaining control of email content
There seems to be a preconceived notion that email content filtering is not necessary along with the assumption that other email controls such as SSL, strong authentication and malware protection are enough. These mistakes relate back to three factors:
1. Not having management on board with security
2. Not understanding which applications and information are important
3. Not knowing how applications and information are being put at risk during day-to-day operations
Getting the right people on board and determining what's at risk is the first step toward gaining control over valuable email content. Creating reasonable email and Internet policies, then enforcing them with content filtering technologies comes next. Just be sure that all of the correct people are talking about the right issues.
I recently came across a situation where an IT director had a great content filtering system ready to go, but couldn't get anyone to outline the business rules to configure it (what to trigger on, what to log, what to block, etc.). IT made the investment and wanted to set users and the business as a whole up for success. However, too many people involved, including management, were pointing fingers; nothing was accomplished for over a year.
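To make concrete what "inspecting the body and attachments and acting on what is found" and the trigger/log/block business rules above look like in practice, here is an added example (not from the original article or any vendor's product): a small Python filter that walks an outbound message's text parts, matches a few constructed PII patterns, and returns the strictest configured action. The rule set, actions and sample message are assumptions for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Business rules as (name, pattern, action); patterns and actions are assumed here.
RULES = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "block"),
    ("pan", re.compile(r"\b(?:\d[ -]?){13,16}\b"), "block"),
    ("internal", re.compile(r"\bINTERNAL USE ONLY\b", re.I), "log"),
]
SEVERITY = {"allow": 0, "log": 1, "block": 2}

def luhn_ok(digits):
    """Mod-10 check so arbitrary 16-digit numbers do not trigger the PAN rule."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def scan_text(text):
    """Return (rule name, action) for every rule hit in one text part."""
    hits = []
    for name, pattern, action in RULES:
        for m in pattern.finditer(text):
            if name == "pan" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue
            hits.append((name, action))
    return hits

def inspect_message(raw):
    """Scan the body and every text attachment; return the strictest action."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            hits.extend(scan_text(part.get_content()))
    verdict = max((a for _, a in hits), key=SEVERITY.get, default="allow")
    return verdict, hits

def build_sample(card="4111 1111 1111 1111"):
    """Constructed outbound message: plain body plus a CSV attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.com", "bob@example.net", "Q1"
    msg.set_content("Hi Bob, the export you asked for is attached.")
    msg.add_attachment(f"name,card\nJane,{card}\n", subtype="csv", filename="cards.csv")
    return msg.as_string()
```

Running `inspect_message(build_sample())` returns a block verdict because the card number in the attachment passes the Luhn check, while a non-Luhn number of the same shape is allowed through.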
Make sure that the right people are performing hands-on monitoring. I often see network administrators who are responsible for everything, which is neither a wise nor a sustainable strategy, especially once something bad happens. Content filtering is as much a human resources, operations and legal matter as it is an IT or security matter.
With all the threats that businesses face -- from careless/malicious insiders to industry/government regulations -- content filtering has to mean something more to your business. Email is old and boring, but with users left to their own devices and with sensitive information coming in and going out of your organization, it's a big part of the business risk equation. Proper content filtering is the answer. Don't get caught without it.
Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. He can be reached at email@example.com.
This was first published in March 2010