Any effective enterprise risk management program is going to address Microsoft Exchange as part of the overall plan. After all, it's one of the most critical systems in the enterprise.
The problem I often see is that Exchange is treated as "just an email server" -- there's not much to lose if a breach occurs and presumably not much to gain by spending a lot of money and effort securing the system. This couldn't be further from the truth.
Exchange security vulnerabilities
There are many well-documented, and often widespread, vulnerabilities related to Exchange, such as:
- Weak passwords;
- Missing patches that facilitate malware, remote exploits and denial of service attacks; and
- Personally identifiable information that's exposed in cleartext email messages and .PST files on unprotected endpoints.
The list of opportunities for things to go awry is endless.
How is information security treated?
But it's not just about technical flaws. With Exchange security, you have to look at operational weaknesses, such as missing or unenforced policies, weak data backup procedures and lack of an incident response plan.
Still, Exchange email security can be taken to a higher level of risk management by looking at how the information security function itself is treated and how compliance is managed.
I often see enterprise email systems that are compliant but not really secure. For example, Exchange password policies, remote wipe capabilities, system logging and other procedures may be enabled, but are they really helping? Have these areas been tested for vulnerabilities? Who's managing each of these areas? This façade creates a serious false sense of security.
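The questions above only get answered by reading the configuration back and checking it against what the control is supposed to achieve. The following PowerShell is an added example written for this page, not something from the original article or from Microsoft; it assumes an on-premises Exchange Management Shell session with the ActiveDirectory RSAT module available, and the thresholds it flags against (a 12-character minimum, encryption required on mobile devices, and so on) are the example's own assumptions rather than a published baseline. It reads back the controls named above (domain password policy behind Exchange authentication, server build level, the mobile device policy that remote wipe depends on, admin and mailbox audit logging) and reports where a control exists on paper but is configured so that it does not actually bite.

```powershell
# Added example (not from the original article): read-only audit of Exchange
# controls that are commonly "enabled" without anyone checking the settings.
# Assumes: Exchange Management Shell (on-premises) and the ActiveDirectory module.
# Thresholds below are this example's assumptions, not a vendor baseline.

Import-Module ActiveDirectory -ErrorAction Stop

$findings = New-Object System.Collections.Generic.List[string]

# 1. Weak passwords: OWA, ActiveSync and Outlook all authenticate against AD,
#    so the domain password policy is the one Exchange actually inherits.
$pw = Get-ADDefaultDomainPasswordPolicy
if ($pw.MinPasswordLength -lt 12) {
    $findings.Add("AD MinPasswordLength is $($pw.MinPasswordLength); assumed minimum is 12")
}
if (-not $pw.ComplexityEnabled) {
    $findings.Add("AD password complexity is disabled")
}
if ($pw.LockoutThreshold -eq 0) {
    # No lockout means externally exposed OWA/ActiveSync can be password-sprayed indefinitely.
    $findings.Add("AD account lockout is disabled (LockoutThreshold = 0)")
}

# 2. Missing patches: surface each server's build so it can be compared with the
#    current Cumulative Update / Security Update. The comparison itself is manual
#    here because the "current" build changes with every release.
Get-ExchangeServer | ForEach-Object {
    $findings.Add("Server $($_.Name) reports $($_.AdminDisplayVersion); verify against the current CU/SU")
}

# 3. Remote wipe only protects data if devices are forced to have a PIN and
#    encryption, and if devices that cannot enforce the policy are kept out.
foreach ($p in Get-MobileDeviceMailboxPolicy) {
    $n = $p.Name
    if (-not $p.PasswordEnabled)             { $findings.Add("Mobile policy '$n': device password not required") }
    if ($p.AllowSimplePassword)              { $findings.Add("Mobile policy '$n': simple passwords (e.g. 1234) allowed") }
    if (-not $p.DeviceEncryptionEnabled)     { $findings.Add("Mobile policy '$n': device encryption not required") }
    if ($p.MaxPasswordFailedAttempts.IsUnlimited) {
        $findings.Add("Mobile policy '$n': no local wipe after repeated failed unlock attempts")
    }
    if ($p.AllowNonProvisionableDevices) {
        $findings.Add("Mobile policy '$n': devices that cannot apply the policy may still sync")
    }
}

# 4. "System logging": the admin audit log records who changed Exchange
#    configuration; mailbox audit logging records access to mailbox content.
$audit = Get-AdminAuditLogConfig
if (-not $audit.AdminAuditLogEnabled) {
    $findings.Add("Admin audit logging is disabled")
}
$unaudited = @(Get-Mailbox -ResultSize Unlimited | Where-Object { -not $_.AuditEnabled })
if ($unaudited.Count -gt 0) {
    $findings.Add("$($unaudited.Count) mailboxes have mailbox audit logging disabled, e.g. $($unaudited[0].PrimarySmtpAddress)")
}

# 5. Report. Each line is a control that is present but not verifiably effective,
#    which is exactly the "compliant but not secure" gap described in the article.
if ($findings.Count -eq 0) {
    Write-Output "No findings against the assumed thresholds."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from an Exchange Management Shell as a user with view-only Exchange and AD read permissions; it changes nothing. The point of the script is the shape of the check, not the specific thresholds: every control the compliance report says is "on" gets read back and compared against a value someone has actually decided is adequate, and the output names an owner's question (who fixes this policy, who patches this server) rather than a checkbox.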
So what can an enterprise Exchange administrator do to ensure that the messaging environment is truly locked down? It's complex and touches many parts of the business. Management is the most important of them: the right people must be on board and must support your Exchange email security initiatives both politically and financially.
Apply information security standards to Exchange
Even if you're not in charge of information security in your organization, you can use standards such as ISO/IEC 27002 and NIST SP 800-53 to your advantage by applying them directly to your Exchange environment. You'll have to purchase the ISO/IEC standard for about $175, but NIST SP 800-53 is a free download. You could even apply PCI DSS to your Exchange security program.
Map standards to existing security program
A good way to get management's attention and catch the board and stakeholders' eyes is to match your Exchange information security program with a well-known standard such as ISO/IEC 27002:2013 or NIST SP 800-53. Stripped to their essence, these standards and frameworks come down to the same email security fundamentals:
- Determine the risks
- Document the policies
- Implement the proper technologies
- Monitor and manage
- Prepare for the worst
Don't overcomplicate things by spreading your efforts across too many standards or by working against an existing email security program. Instead, map the standard's controls both to your current Exchange security program and to your ideal setup, so the gap between the two is visible.
The enterprise needs a solid messaging system, which requires applying email security best practices across the board. It's also going to require discipline, better IT communication with management, more management support and more overall security leadership. You'll need dependable technologies such as antimalware, spam protection, content filtering and data loss prevention to see things through.
Reach out to your information security and compliance team. You might even address Exchange security best practices directly with your chief information security officer to bring that system and the critical information it houses under a larger security umbrella. Do not ignore the importance of all of this -- that's when security challenges start surfacing.