SECURITY

EXPERT ADVICE
Ten Steps to E-Mail Security


Organizations would be wise to establish clearly defined security and e-mail policies. More than 137,000 computer security incidents were reported in 2003, nearly double the figure from 2002, according to Carnegie Mellon's Computer Emergency Response Team. The team says that figure is expected to rise more than 50 percent again in 2004.



More than 10,000 students depend on Jill Cherveny-Keough for trustworthy computing systems.

As director of academic computing at the New York Institute of Technology (NYIT), Cherveny-Keough must ensure that dozens of computing centers across the college's campuses run without a hitch. The centers, located throughout Long Island and Manhattan, support the college's undergraduate and graduate students.

Fall is an especially challenging season for Cherveny-Keough because of the rapid influx of first-time network users. When returning students log onto NYIT's network to check e-mail, account balances and registration information, they run the risk of spreading viruses, worms and other malicious software across the college's digital infrastructure.

Yet NYIT rarely has such problems. The reason: The college has clearly defined security and e-mail policies in place.

Make Policy

Other organizations would be wise to follow suit. More than 137,000 computer security incidents were reported in 2003, nearly double the figure from 2002, according to Carnegie Mellon University's famed Computer Emergency Response Team (CERT).

The team says that figure is expected to rise more than 50 percent again in 2004, as spam, viruses, worms and phishing attacks increasingly plague the Internet.

E-mail systems remain an obvious target and delivery mechanism for such attacks. Indeed, most e-mail systems lack basic security because companies are either too frugal or too naive to embrace secure messaging. Plus, many employees bypass their corporate e-mail systems and instead rely on free, unsecured public e-mail options from America Online, Yahoo (Nasdaq: YHOO) and Microsoft (Nasdaq: MSFT).

Don't Relax

"The recession and dot-com implosion forced many people to change jobs multiple times in recent years," notes James Hunt, an executive recruiter in Manhattan. "Rather than bouncing from one corporate e-mail address to the next, some employees prefer to stick with their public e-mail accounts because their confidants will always know where to reach them."

Still, relaxed or non-existent e-mail security policies can undermine an organization. Moreover, lax organizations may be failing to properly comply with Sarbanes-Oxley, the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), SEC, NASD and other federal regulations that require companies to embrace secure messaging.

What's an organization to do? The following 10 steps -- culled from Secure Data in Motion, dba Sigaba, CERT, the FBI and other security-conscious organizations -- offer a guide to getting started with secure messaging.

Take Ten Steps to Safety

  1. Formulate a messaging policy that is communicated regularly to all staff members and enforced throughout your company. The policy should clearly state proper uses of e-mail within your organization, as well as privacy and security requirements. Include the policy in employee handbooks and on a human resources intranet. Newly hired employees should read and sign the policy upon joining the company. Review the policy at least quarterly and closely monitor new compliance regulations.
  2. Organize e-mail training seminars to emphasize the security and privacy risks associated with messaging. Clearly define terms such as phishing, spam, spim (spam over instant messaging) and social engineering.
  3. Enforce the e-mail policy through monitoring, system checks and other random inspections. Be sure the policy states that such steps will be taken from time to time.
  4. Tell employees to be wary of unsolicited e-mail attachments, even from people they know. Many viruses can "spoof" the return address, making it look like the message came from someone else.
  5. Save and scan any attachments before opening them.
  6. Turn off the option to automatically download attachments.
  7. Investigate an open, flexible, standards-based secure messaging system. Ideally, the security software should work with your existing e-mail platforms, such as Exchange or Outlook.
  8. Insist that your security system offers baseline functionality such as strong end-to-end encryption, mutual authentication, robust auditing features, enterprise control and intuitive management capabilities.
  9. Be sure the security software requires little or no user training. The system should offer "point-and-click" sending of secure messages with no need for users to reconfigure their PCs or download complex software files.
  10. Ensure that secure messaging is part of your company's annual IT budget. According to Richard Clarke, former cyber security advisor to the President, companies now spend 8 percent to 10 percent of their IT budgets on security. Naturally, a portion of that figure should go to secure messaging.
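
Steps 4 and 5 can be partly automated before a message reaches the user. The following is an added example, not code from the article or from Sigaba: it uses Python's standard `email` library to flag a From/Return-Path domain mismatch and to write attachments to a quarantine directory for scanning without opening them. The `triage` function, the extension list and the sample message (whose attachment puts `.scr` behind `.pdf`) are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from email import message_from_bytes, policy
from email.utils import parseaddr

# Assumed, non-exhaustive list of extensions worth flagging before a scan.
RISKY_EXT = {".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}

def domain(header_value):
    """Lower-cased domain of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw, quarantine_dir):
    """Save attachments unopened (step 5) and report spoofing hints (step 4)."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {"from": parseaddr(msg["From"] or "")[1], "attachments": []}
    # Heuristic only: mailing lists and relays legitimately differ here.
    report["sender_mismatch"] = domain(msg["From"]) != domain(msg["Return-Path"])
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        digest = hashlib.sha256(data).hexdigest()
        name = part.get_filename() or "unnamed"
        # Store under the hash, never the sender-chosen name (path traversal).
        path = os.path.join(quarantine_dir, digest + ".quarantined")
        if not os.path.exists(path):
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, 0o400)  # read-only, never executable
        risky = os.path.splitext(name)[1].lower() in RISKY_EXT
        report["attachments"].append(
            {"name": name, "sha256": digest, "risky_ext": risky, "path": path})
    return report

# Constructed sample message (not a real e-mail).
SAMPLE = (
    b'Return-Path: <bounce@mailer.example.net>\r\n'
    b'From: "IT Help Desk" <helpdesk@example.edu>\r\n'
    b'Subject: Account notice\r\nMIME-Version: 1.0\r\n'
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b'--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n'
    b'--b1\r\nContent-Type: application/octet-stream\r\n'
    b'Content-Disposition: attachment; filename="notice.pdf.scr"\r\n'
    b'Content-Transfer-Encoding: base64\r\n\r\nSEVMTE8=\r\n--b1--\r\n'
)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as qdir:
        print(triage(SAMPLE, qdir))
```

The quarantined files are then handed to whatever scanner the organization already runs; a mismatch flag is a reason to look closer, not proof of spoofing.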

Follow the tips above and you'll give your executive team -- and employees -- peace of mind as they increasingly depend on secure messaging for mission-critical business correspondence.


Greg Desmarais is Senior Vice President of Engineering for Sigaba, a leading provider of secure message management solutions headquartered in San Mateo, California.
