Email and other messaging technologies have, in many cases, replaced both the telephone and postal mail for business communications — and with good reason. Once you have the infrastructure in place (Internet connection, mail servers or ISP), it's less expensive than either making long distance calls or sending paper documents (especially if they need to get there quickly). It's faster than snail mail but less intrusive than a phone call, and creates a record of the content that you don't have when using the phone. It can be more secure than other means of communication if encryption is used.
Because we've come to depend so heavily on email, however, and because it's used so often and often so casually, it can present a weak spot in our corporate security plans. Attackers and spammers can use email to get things into the network that aren't wanted, from advertising that wastes time and productivity to viruses that can crash systems or cause loss of important data. Internal users can, deliberately or inadvertently, "leak" confidential company information via email. And hackers can intercept mail and learn company or client secrets.
Why you need an email security plan
Even when your company is small and you don't have any million-dollar trade secrets, protecting the integrity of email sent to and from your internal network is important. Viruses and malware don't discriminate based on size, and an infection can easily spread to everyone in your company and then to everyone outside the company who's in your employees' address books.
If you're in a regulated industry, your electronic communications may be governed by HIPAA, Sarbanes-Oxley (SOX) or other compliance requirements that mandate privacy of certain information. Even if you're not, your company probably creates intellectual property of some sort, and developing an email security policy early on will head off many problems in the future.
Another risk is that risqué content can put the company in a position of legal liability if offensive material is construed to create a "hostile work environment". Email security mechanisms that filter out potentially offensive materials help protect against Title VII sexual harassment lawsuits based on the hostile workplace concept.
Developing an email security plan
To be effective, your email security plan must consist of two parts: policy and enforcement. Your policy should spell out what is and is not allowed in terms of incoming and outbound messages and what constitutes abuse of the company's email system. Enforcement includes technological mechanisms (filtering) and/or monitoring.
Courts have generally held that an employer has the right to set rules controlling what employees can and can't do with the company's equipment and infrastructure, and that employers also have the right to monitor usage for compliance with their rules. It is best practice to notify employees that their email will or may be monitored and to have them sign a statement confirming that they have been so notified and agree to the usage guidelines and monitoring as a condition of employment. As the company grows, it becomes more important to put this writing.
Your email security plan should address the following issues:
- Spam/advertising control
- Virus detection and prevention
- Content rules
- Encryption for sensitive messages
In a small company, you may be able to use host-based security software installed on individual computers to secure email. As the company and network grow, this becomes cumbersome and difficult to manage. You can save the cost and effort of reconfiguration by starting from the beginning with perimeter or server-based security. This will also prevent performance slowdowns of your workstations caused by host-based filtering.
Enterprise level messaging security
Large companies have two options when it comes to securing their messaging infrastructures. One is to do it yourself, in house. Add-on programs for your firewalls and server-based enterprise level programs such as Sunbelt Software's IHateSpam for Exchange, GFI's MailSecurity, SurfControl, Dynacom'si:mail, and other third party products can protect against unwanted commercial email, filter content, and protect against viruses, Trojans, scripts, and blended attacks. Filtering can be implemented at a standalone SMTP gateway or as a plug-in for your mail server software.
The second option is to use a messaging security service to handle your email. These managed services filter incoming mail before it ever even enters your network. This means not only is workstation performance unaffected, there is also no load put on your network bandwidth to bring the unwanted mail into the network, nor on your mail servers to process filtering rules.
Managed email security services include Microsoft's FrontBridge, Postini's integrated message management, IBM's Email Security Management and others. These services can handle very large volumes of email and thus are easily scalable as your business and email usage grows.
Monitoring messaging usage
Some of the content filtering programs mentioned above can be set to block content based on key words or phrases. Monitoring software such as Spector CNE can not only detect the key words you specify, but can also record email messages (both sent and received) and save them to a central location, as well as logging the content of IM and chat conversations. You can configure the monitoring software to send an alert to an administrator whenever your specified key words are detected.
Sophisticated filtering software used by services can even analyze the content of graphics files and block or trigger an alert if suspicious photos are found.
Protecting sensitive messages
By default, email messages have no real privacy; they're more like postcards than sealed letters because they can easily be read by server administrators or even hackers who use packet sniffers to capture data as it travels across the network. Encryption "seals the envelope" so that messages can only be read by the intended recipient.
There are many email encryption solutions available, most of which are based on public/private key pairs. Users need to enrol in a Public Key Infrastructure and obtain a certificate from a certification authority. Server-to-server level encryption and password protection are other options. Some managed email services also provide encryption services. For example, FrontBridge offers a secure email option that uses identity based encryption technology that uses the user's email address as the public key and automatically binds the user's identity to that key, so that it's not necessary to go through the process of obtaining certificates.
Selecting the right solution
As always, you should consider future growth and scalability from the very beginning when you choose an email security solution. Methods that work well for small networks, such as host-based junk mail and virus filtering or user-managed PGP encryption for messages, may not work so well with a larger network. A managed service can be a cost effective and scalable solution because you don't have to invest in extra hardware or software, you don't have to worry about administrative overhead, and the most popular services are set up to handle both small and large volumes of messages
