Reducing Liability through Effective Email Policy Management
You know all those papers human resources had you sign when you were hired? Do you remember the one spelling out the company’s email use policy? It might have been sandwiched in between the prior inventions checklist and the W-4 form. You don’t remember reading it? No matter, few people do.
For many organizations, that piece of unread paper is all that protects its messaging systems from willful or unintentional misuse. In a survey for an upcoming report on email policy management (EPM), Osterman Research found that only 32 percent of respondents feel that they have a detailed and thorough policy in place, while 66 percent have what they consider to be a “basic” email policy, covering general email use, but little else. The final 2 percent have not gotten around to writing anything at all.
“Paper or verbal policies are not effective. They provide no visibility, management oversight, or help to educate employees on what is okay and not okay to send,” says Glen Kosaka, director of Data Protection Marketing at Trend Micro. “Looking at violations related to HR policy, I’d posit that many policies are of the ‘CYA’ type, which are really just there to handle violations and appropriate remediation, such as disciplinary actions, legal actions or termination. These policies need to be in place to ensure that proper procedures are followed and to avoid any perception of arbitrary or discriminatory actions.” Kosaka believes that most companies do have some sort of email policy management (EPM) in place, especially with regard to the protection of sensitive information and compliance with government regulations. The challenge, he says, lies in policy enforcement.
“Many healthcare companies verbally instruct users to not send personal health information via email, but they have no visibility into what is and is not actually sent,” he explains. “To say, ‘We have a policy in place,’ without visibility is no longer sufficient. The government is (getting more) aggressive in their prosecution efforts, especially with the many public leaks we have seen lately.”
Adds Michael Osterman, principal of Osterman Research, “You need paper policies to say ‘Hey, don’t do stupid things,’ but then you also need good protection against what gets sent through email. You need some sort of a system that will look at the content that’s flowing through the email system and, at a minimum, provide a pop-up to the sender saying, ‘This file is in violation of corporate policy 124. Knock it off.’”
Defining and Implementing EPM
Most experts agree that a successful EPM starts with figuring out what needs to be protected. The review process should address the needs of all internal stakeholders—IT, legal, HR, and management—and should, at the very least, detail what types of content should and should not travel through the corporate email, IM, and Web mail systems. “Customers need to classify their data and understand its acceptable use before they can create an email policy for protecting it,” says Kosaka. “Once they’ve taken that step, the challenge is cutting through the vendor hype to find a solution offering effective monitoring and enforcement, yet easy management for the email security admin.”
Osterman agrees: “You start with the policies before the technology because you’ll need to sit down with legal counsel and senior managers and say, ‘These are the liabilities we have, these are the laws on the books, these are the things we need to comply with from a corporate best practices standpoint.’”
Amir Lev, CTO of Commtouch, feels that communications policies should also address acceptable Web use in order to ensure a safe and harassment-free work environment. “Viewing hate sites, pornography, or other offensive content should be prohibited outright to avoid legal and security risks.”
When it comes to adding compliance to EPM, things get a little more challenging. Federal and state compliance requirements differ greatly depending on the industry. A thorough EPM must be flexible and comprehensive enough to ensure adherence to every regulation that may apply. “There are various industries that have specific compliance issues such as HIPAA for healthcare and Sarbanes-Oxley for financial services,” says Lev. “Of course, a company can have all the written policies in the world, but they certainly need technology to enforce them.”
Kosaka adds that EPM solutions should provide protection at all layers within the infrastructure—cloud, gateway, servers, and endpoint—and they should share and correlate information across all threat vectors (email, Web mail, PDAs and IM), to provide better and more immediate protection.
In sketchy economic times, many organizations must pick and choose between being proactive and making do with what they have. “In many cases, the implementation and maintenance of EPM is costly and resource intensive,” explains Najaf Husain, founder, CEO and president of AppAssure. “At a minimum, a next generation email protection solution should be deployed to provide proactive email retention management, access to historical email, and application protection from data corruption. This will go a long way toward an effective EPM strategy while reducing cost and management oversight. Our advice is to look for areas of cost optimization within your application infrastructure and deploy best of breed, purpose-built solutions that improve user productivity and reduce the risk of application failures and loss of mission-critical data.”
Osterman adds that companies must define and address three key issues in their EPM: appropriate use of email, content/message encryption, and archiving.
What’s at Stake?
Companies that take a wait-and-see approach to EPM aren’t necessarily ignorant of the risks, believes Osterman. “They may have other priorities on the IT wish list or they may not have money to spend on what they feel are theoretical risks.” However, in the era of polymorphic viruses, targeted phishing, drive-by downloads and more, it’s surprising that any of these risks would be considered “theoretical.”
So what’s at stake? “Given that most companies don’t have enforceable policies, the risks include accidental and malicious data leaks, attacks containing malicious URLs, lawsuits for inappropriate use, and failure to address U.S. e-Discovery requirements,” says Kosaka. “According to the Ponemon Institute, the cost of a data breach now exceeds $6.3 million USD per incident. The government is also getting more aggressive with companies that fail to implement enforceable EPM, especially after a breach. The five-year, ongoing security audits we [see] mandated by the government are very expensive and are an attempt to make sure companies put in real, enforceable EPM solutions, not just ‘light and fluffy’ paper policies.”
Lev believes that failing to keep tabs on employee use of company resources creates far too high a risk to ignore. “For example, a small company that doesn’t enforce its email or browsing policy may have an employee that views pornographic messages or inappropriate Web sites while at work. If any of the other employees are exposed to it, they could easily sue the company for sexual harassment and win. There is a lot of precedent for that type of lawsuit.”
Says Husain, “For many businesses the financial risks of not having EPM are huge. Eighty percent of corporate IP is communicated via email. Imagine the loss attributed to a failed email service or days or weeks of lost email.” To that end, AppAssure offers Replay, a next generation, continuous application protection solution that reduces email retention costs, while accelerating application recoveries from hours to minutes.
Policy management, in all of its incarnations, seems to always lead back to security. Lack of email policy and the vendor solutions necessary to enforce it is much like leaving the back door to the house unlocked. It’s closed, but it only takes one person trying the knob to know how to get in.
“It’s a security driven issue in many respects,” explains Osterman. “There are so many things that can go wrong through normal acceptable use of email, Web, IM, etc. People make mistakes. Take for instance the Pfizer employee that installed a peer-to-peer app on her laptop with the sole intent of sharing music. It ended up exposing the personal records of 14,000 Pfizer employees. Certainly you need policies that say, ‘Don’t install anything on your laptop or desktop that is not IT approved’ but you also need a system in place that will sniff it out and that will say, ‘Okay this looks like BitTorrent traffic, it looks like it’s allowing file sharing through IM,’ and then you need the ability to lock that stuff down.”
For companies looking to streamline their EPM, Kosaka believes they need look no further than Trend Micro’s Messaging Security product line, which includes new additions such as email archiving, email encryption and endpoint-based data leak prevention for messaging. For customers looking for an integrated, centrally managed EPM solution, Trend Micro also offers NeatSuite Advanced.
“No matter which vendor solutions they choose,” says Lev, “companies should look for multi-purpose solutions (like UTMs and other gateway appliances) that offer access to best-of-breed technologies from within a single box. They should also verify that their solution of choice has an ‘in the cloud’ security component in order to make sure they are being kept up-to-date on the newest attack vectors and their defenses. More importantly, they should make sure their current solution addresses their needs for the next five to seven years.”
What Lies Ahead?
Here is what our sources had to say when we asked for email policy management (EPM) predictions for 2009.
“There is widespread recognition of frequent, unintentional data leaks, with email being the most frequent channel for these breaches. I expect there will be an increased focus on protecting sensitive data leaving companies,” says Glen Kosaka, director of Data Protection Marketing at Trend Micro. “Given the increasing regulatory climate—with some U.S. states mandating encryption when emailing private data—technologies such as data leak prevention (content filtering) and email encryption will become mainstream to companies of all sizes and in all industries.”
Michael Osterman, principal of Osterman Research, says, “I think 2009 is going to be a big year for policy management, particularly as it relates to encryption and archiving. Part of that is going to be driven by the financial meltdown. There’s going to be a lot more scrutiny of corporate behavior as the U.S. government becomes ‘investors’ in companies like AIG and Freddie Mac and potentially the auto makers.”
Najaf Husain, founder, CEO and president of AppAssure, feels that the coming year will be focused on backup re-design and how to get the most out of current infrastructure. “Next generation application protection solutions that blend EPM with email protection are positioned well.”
“Because there are so many compliance areas—each of which often needs its own technology solution—I believe that more companies will be offering combined compliance solutions that make use of best-of-breed technologies to create a ‘one-stop-shop’,” concludes Amir Lev, CTO of Commtouch.