Corporations, government agencies, health care and legal organizations, and private businesses throughout the U.S. rank security as a major priority, realizing that their most sensitive assets -- indeed their very viability -- may be at risk unless they take a new approach to security.
One of the most important areas for IT managers to address is data protection: This encompasses both data at rest (stored in databases and servers) and data in motion (typically e-mail communication). Although the issues related to protecting stored data are well known, much less attention has been spent on protecting data in motion. This is imprudent, because many organizations send sensitive information outside the organization's boundaries continually. E-mail is the dominant means of transmitting information, yet very little is done to keep it safe when traveling over insecure networks.
Organizations in the U.S. learned a great deal in the past two years; one of the biggest take-aways is that a focused approach to securing data in motion is essential. Conventional wisdom thus far indicates that organizations should, at the very least, adopt three basic security practices: Declare e-mail a strategic asset and a key business process and protect it as such; define and enforce content management policies; and educate your users.
1. Declare e-mail a strategic asset and protect it as such
An organization with 1,000 employees will spend nearly $4 million a year on e-mail,
Any business process must be managed, and in the case of security, the best role to manage that process is a new kind of corporate security executive -- one with breadth of experience, analytical skills, business savvy and leadership qualities: the Chief Security Officer (CSO). The CSO must have familiarity with both physical and digital security issues; the ideal candidate is a policeman, business manager and information technology expert combined.
Nortel provides a good example of the CSO function. Nortel's CSO, Timothy Williams, put together a 15-person global security council, comprised of senior managers in departments including real estate, finance, information technology, manufacturing and procurement. This group was formed to take a comprehensive approach to security matters across all the core businesses and functions. As a result, the group was able to quickly respond to the events of September 11, tightening and monitoring security programs.
Good, workable solutions exist today to ensure the privacy and confidentiality of data in motion. A well-designed secure e-mail solution will protect sensitive communication from end to end, providing strong assurance that corporate policies are being enforced.
A secure e-mail solution should:
- Encrypt all sensitive messages from the moment they are sent to the time they are received. For IT, it is extremely important that such encryption take place without user intervention.
- Use the strongest possible encryption.
- Employ equally strong authentication mechanisms, both on the sending and the receiving side, so only intended recipients can decrypt and read the e-mail.
- Perform content integrity checks to ensure the message sent is identical to the one received.
- Incorporate controls and assurances, such as guaranteed delivery and end-to-end tracking.
- Keep audit trails, and use them for verification of receipt, non-repudiation, etc.
- Make security transportable, not tied to a specific computer. Enable employees to use Internet kiosks, wireless LANs and wireless devices, by equipping them with the tools they need for secure e-mail.
2. Define and enforce content management policies
E-mail risks can fall into two major categories: abuse by outsiders, such as the typical distribution of viruses or other malicious code, and e-mail abuse by those inside the organization. A classic example of the latter is Cisco's recent premature leak of its quarterly earnings, which could easily result in a class action lawsuit.
E-mail carrying sensitive information or racist, sexist or other offensive material can prove troublesome, embarrassing and costly. This issue arose during the antitrust case against Microsoft Corp., when the U.S. government entered into evidence the contents of e-mails written by top Microsoft executives describing plans to attack competitors. Similarly, Chevron paid $2.2 million to settle a lawsuit resulting from an e-mail message containing sexist comments.
IT must ensure that all e-mail leaving and entering the company is filtered. Any offensive, harmful, derogatory or sensitive information should trigger actions such as quarantining, encrypting or diverting the e-mail. Similarly, scan all e-mail for viruses and malicious code. If the e-mail security system allows, send alerts and keep audit logs of any suspicious activity for later review and, potentially, as evidence.
In addition, ensure that e-mail is covered by the organization's document retention policy. The issue of document retention came up with reference to Arthur Andersen's role in the Enron scandal. E-mail messages are seen as acceptable proof of agreement for business decisions, thus the rush by Andersen staff to delete related e-mails.
Many organizations are struggling to deal with the issue. Coca-Cola allows users to keep e-mail for 30 days only, automatically wiping out e-mail communications beyond that limit. However, this approach does not ensure that e-mail forever disappears. What if the employee has sent messages to people outside the company, or to their own personal e-mail box? These are some of the thorny issues that IT management faces when determining document retention policies.
3. Educate your users
A survey by the Society for Human Resource Management shows that 86% of the 757 Human Resource professionals polled now use e-mail, but 49% of their companies don't train employees in the proper use of electronic messaging. Further, 48% don't have written e-mail policies. Six percent had been asked to produce copies of e-mail messages as evidence for lawsuits.
While this survey relates specifically to Human Resources departments, it is an example of how it often becomes the responsibility of IT management to ensure employees are trained in security issues. Just as employees have been trained to select strong passwords and not open e-mail attachments from suspicious sources, so, too, must they be educated as to what is permissible and what is not, where liabilities exist, and what they must do to protect organizational assets and reputation. Employers need to draft clear policies for Internet and e-mail usage and make sure that employees receive copies at least twice a year, recommends a lawyer at Hill & Barlow in Boston.
More importantly, the IT organization should work to ensure that security is as transparent to the end user as possible. This means enforcing content filtering, virus scanning and encryption policies at the gateway for most employees, while retaining the ability for executives and members of sensitive departments to further encrypt while within the corporate LAN. By making e-mail security transparent to the user, the organization can greatly enhance its security posture without interfering with normal business practices.
About the author
Tanya Candia is an expert on information security and is currently the Senior Vice President of Marketing & Strategic Services for Sigaba (www.sigaba.com). Candia can be reached at via e-mail at firstname.lastname@example.org.
For more information on this topic, visit these other resources:
- Executive Security Briefing: Four steps to take now for better security
- Executive Security Briefing: Selling security to upper management
- Best Web Links: Security Management
This was first published in November 2002