The Enterprise E-Mail Data Sieve

Enterprises invest a sizable portion of their IT budgets in ensuring that sensitive data remains secure and inaccessible to individuals in the outside world. However, a tool that most enterprise employees use daily -- e-mail -- can easily become a leak in company's defensive dam.

Businesses can lose vital information through inappropriate employee e-mail activity and inadequate prevention measures. This so-called leaking e-mail poses a growing impediment to keeping sensitive information secure.

A study by research firm IDC released in mid-October found that 72 percent of organizations surveyed in North America had no solution for preventing data leaks over e-mail. The study further found that 89 of 100 surveyed organizations with more than 500 employees lacked an effective anti-spam solution.

Internet security firm Secure Computing commissioned the survey to confirm trends it saw in the market. Concern about e-mail security co-exist with those focusing on malware and phishing attacks, according to Secure Computing.

"Only 3 percent of companies surveyed expressed satisfaction with the amount of spam they were getting," Ken Rutsky, vice president of product marketing for Secure Computing, told TechNewsWorld.

The survey found that organizations must focus more efforts in combating e-mail security risks, said Brian Burke, program director for security products at IDC.

Worrisome Results

IDC's study showed that e-mail encryption and data loss prevention are hot-button topics for IT executives. Some 85 percent of those surveyed said they were very or extremely concerned about data leakage over e-mail. Despite this concern, only 28 percent of those surveyed had implemented a system to prevent those data leaks, while 56 percent planned to do so in the upcoming year.

Between 80 and 90 percent of all corporate data loss incidents occur accidentally, according to IDC. Some 44 percent of the surveyed companies admitted to growing concerns about accidental data loss over deliberate leaks -- only five percent of the responding companies reported strong concerns about insiders intentionally revealing sensitive information.

Despite this concern about leaky e-mail, only 11 percent of those surveyed had adequate inbound protection, and over 70 percent had nothing in place for data loss prevention on e-mail, according to Rutsky.

Insider Breaches

Companies that have no solutions in place for strong e-mail protection are courting costly danger.

"The real problem today with data leakage is insider breaches. System administrators are among the biggest violators," Matt Shanahan, senior vice president of AdmitOne Security, told TechNewsWorld.

Companies without effective e-mail protection systems allow their workers to easily get around restrictions in using corporate e-mail. For instance, workers can get around restrictive e-mail policies by using outside or web-based e-mail such as those provided by Google (Nasdaq: GOOG), he said. Another ruse workers easily use is the print screen command. Even when e-mail cannot be forwarded or saved to an external device, workers can make a paper copy.

"If the worker is intent enough to get the information our of the computer, it can be done," Shanahan said.

Worth the Cost?

When it comes to e-mail, the decision-making process among business executives has drastically changed, according to Shanahan. For instance, today organizations are looking much more closely at the bottom line before buying e-mail security. However, many products designed to prevent e-mail leakage don't actually pay for themselves until they divert a disaster. If a costly leak would have otherwise happened, they're an incredibly good investment. If not, they were only worth whatever peace of mind they provided.

If the e-mail security product cannot be connected to PCI (Payment Card Industry) compliance or the security product does not help mitigate online returns, the purchase decision is more likely not made.

"If the security product is not impacting the business in one of these areas, the problem is not getting sold. We are seeing that if there is no ROI (return on investment), the products don't sell. More so, we are seeing this in the last half of this year," said Shanahan.

Easy Access

E-mail is one of the leading doors for intrusion into corporate networks. Word documents and spreadsheet attachments can provide intruders with an unquestioned entry route.

"E-mail is the number one source of exploit entry into corporate networks," Paul Kocher, president and chief scientist at Cryptography Research, told TechNewsWorld.com

Browsers are typically mediocre when it comes to security, and word processors and spreadsheet programs are not tested for security holes to the same extent as a Web browser, he said. A trend is developing toward encrypting e-mail as a way to protect the contents while it sits on a server and is in transit, he explained.

Another trait of e-mail that makes it leaky is the frequency with which key-logging programs are embedded in attached files, according to Kocher. The best way to stop this type of data leak is to scan everything that comes into the network, though that can cause performance problems. Using strong passwords is another way to shut off data leaks.

Stopping the Flow

One method for turning off the data leak in e-mail is to remove workers' ability to transfer data to removable storage devices. One product, called "DeviceLock.com," can lock down networks without reliance on third-party support.

"The problem with removable devices such as thumb drives is getting worse. Mobile devices have their own storage," Vladimir Chernavsky, president of North American operations for DeviceLock, told TechNewsWorld.

DeviceLock shuts off data leaks without the need for IT intervention, he said. The device needs no controls and has no log configurations to set. System admins and other with higher access privileges can override the device.

It can be centrally deployed through its management console. The IT manager can set flexible policies for specific company-issued devices to work, while unknown devices remain blocked. This avoids the all-or-nothing strategy of other port-blocking solutions, Chernavsky said.

Drying the Leaks

Secure Computing announced last month an initiative called "STAMP" (Seven Technologies for Advanced Mail Protection), designed to improve e-mail security by bringing market research, industry architecture requirements and solutions to the forefront.

This initiative addresses the problems caused by spam surges, malware threats, sensitive information leaks and compliance and audit demands. It also takes a look at tools, technologies and solutions necessary to stamp out corporate e-mail risk.

The STAMP initiative is driving Secure Computing's next-generation messaging gateway appliance development. The company in October launched Secure Mail 6.7.1.

The new version of Secure Mail includes components to curtail data loss through e-mail. It delivers protection for both privacy and intellectual property.

The new version bundles Secure Mail's Advanced Compliance engine. This engine was previously available separately. Version 6.7.1 basic e-mail protection boasts five content detection techniques, seven extensible policy actions and multiple encryption options.