Message Monitoring

Using the Intelligence Locked away in Email

Michael Osterman — Wed, 28 Nov 2012 17:29:59 +0000

For most organizations, the largest single source of information about what’s going on in their business is the collection of user mailboxes and email archives distributed across the company. These data stores contain information about who communicates with whom, what employees say, the files they’re sending, how they spend their time, etc. This rich source of content can provide valuable business intelligence to decision makers, but few extract even a fraction of the valuable content contained therein.

To address this problem, Dell Quest announced MessageStats Business Insights, a feature of the new release of its MessageStats offering. Business Insights provides a number of useful features, including the ability to identify email and social media usage trends by individual users, whether or not sensitive content is being distributed outside of the organization in violation of corporate policies, how email volumes are changing over time, how email is being used as a file transport system, whether or not employees or others are sending harassing or offensive messages, etc. You can find more information about MessageStats here.

Although MessageStats and other tools that offer a deep dive into the business intelligence contained in email systems are extremely valuable, they require a change in the way that many think about email. For example, an Osterman Research survey found that there is wide variability in the way that senior managers view email content. Our research found that 18% of senior managers consider email content to be transitory and that there is no need to retain it, while another 46% believe that while email records are important, they are the responsibility of employees—not IT—to manage properly. Only 35% believe that records in email are important AND should be managed by IT according to corporate policies.

We recommend two things: first focus on email as the incredibly valuable source of business intelligence that it is. Don’t purge email stores without archiving the business content from them, don’t treat email as just a transitory source of information, and manage email according to a set of detailed and thorough corporate policies. Second, implement tools that will give managers proper insight into what is happening in email and how it impacts their business.

Electronic Communication Can Get Your Company in Trouble, but Organizations Are Not Doing Enough to Protect Themselves

Michael Osterman — Thu, 01 Nov 2012 18:26:54 +0000

A woman’s boss overheard that she had purchased a new dress and decided to send her an email late at night telling her “I’m sure you’ll look amazing in it.” After a half-hearted apology for sending her the email, he then sent her an instant message that she felt was “completely inappropriate.”

Two women were fired from PNC Bank for forwarding an email of Hillary Clinton’s head superimposed on a pornographic image. These women then sued PNC for wrongful termination, claiming that PNC had not previously enforced its policies prohibiting such behavior.

A trial lawyer for the Securities and Exchange Commission (SEC) was fired for sending three emails expressing his political views, demeaning support staff, and for mailing a confidential report in violation of SEC policies. The case went to arbitration.

A 17-year-old high school student allegedly received highly inappropriate emails and text messages from a now former Crown Point Community School Corporation employee and filed an 11-claim lawsuit in response.

A collection of a few tweets I found as I’m writing this include:

“(important meeting tomorrow morning but it’s alright my boss is also drunk right now)”
“Sometimes I think my boss is drunk. Not always. Just when he’s drunk.”
“I swear I am going to sock my boss one of these days!! He’s such an idiot!!!! Incompetent!! How he is my boss, I don’t know!!!”
“My customer is like… Stupid or something”

The Carson Medlin Company was censured and fined $20,000 by FINRA for, among other things, it “.…failed to retain all business-related electronic communications…”.

A court found that Samsung, in its recent litigation with Apple, had a duty to impose a legal hold on relevant email beginning in August 2010. However, Samsung did not disable its email system’s auto-delete capability and so was not able to produce relevant email that Apple had requested, resulting in an adverse inference instruction to the jury in the case.

However, most organizations have not addressed the issue adequately according to a study that we published in August:

While 99% of mid-sized and large organizations have an email policy, only 38% report that it is a detailed and thorough policy—61% report that their email policy is basic and covers only general use of email.
Only 34% have a detailed and thorough policy covering use of employer-supplied smartphones.
Only 33% have a detailed and thorough policy covering use of the Web.
Only 31% have a detailed and thorough policy covering use of personally owned smartphones.
Only 21% have a detailed and thorough policy covering use of Facebook.
Only 17% have a detailed and thorough policy covering use of Twitter.

The message here is that organizations are vulnerable to a variety of negative consequences arising from inappropriate or malicious use of electronic communication, but relatively few are taking the proactive steps necessary to prevent or minimize these risks.

Social Media as Time Machine

Michael Osterman — Mon, 16 Jan 2012 01:50:33 +0000

Outside of the financial services industry, very few companies actually monitor what their employees say on Twitter, Facebook, LinkedIn or any of the 1,000+ other social media sites around the world. Few companies scan short URLs for potential links to malware sites. Few have deployed systems to protect against spam delivered via social media. Few have deployed systems to capture whatever business records or other important content might be posted to social media sites.

In a way, social media use in the vast majority of organizations is like email was back around 1997—not much in the way of anti-spam, anti-malware, content filtering or archiving is in place to protect organizations from all sorts of harm. Use social media today and—at least from the perspective of how protected you’ll be against spam and malware—you can recreate your email experience from yesteryear.

Should you be concerned about? Yes:

Facebook says that about 4% of its content is spam and Twitter said that 1.5% of its tweets were spam-like in 2010 (numbers not dissimilar to email spam figures back in the mid- to late 1990s). However, Imperium estimates that 400 million Facebook are victims of social spam each day.
Last week, malware stole login credentials for 45,000 Facebook accounts—a small proportion of the approximately 800 million accounts in use today—but 45,000 nonetheless.
Imperium estimates that 40% of the social profiles in existence today are frauds.
Our own research indicates that only a small proportion of organizations are archiving their social media content, despite the fact that some of this content is potentially actionable or might be subject to legal or regulatory scrutiny at some point.

Clearly, there is a problem: lots of malware and spam floating around, millions of tweets and posts that probably should be archived, and few companies doing anything about it.

We are in the process of writing a white paper that addresses these topics, and will be launching a major study within the week on how social media is used and perceived, and what organizations are doing to protect themselves. Let us know if you’re interested in what we will be finding from the research.

An Email Policy Can Reduce Liability and Prevent Data Leaks

Stephanie Jordan — Thu, 29 Sep 2011 17:49:14 +0000

With so much buzz around social media and collaboration it is easy to take little notice of email these days. Quietly steady and having emerged somewhat victorious from spam attacks and malware, email is the backbone of business communications, but as such email deserves to be protected with rules and use guidelines.

While email as a technology is very stable and reliable, the people using it are not quite as consistent. With the continued reliance on email for the most sensitive, as well as the day-to-day conducting of business, organizations of all sizes should have a well-thought-out email policy to help protect the company and its employees.

A recent Ponemon Institute survey of 830 IT and IT security practitioners (as well as IT compliance, legal and other specialists) found everyday email practices and mobile email security caused significant concerns for data protection and regulatory compliance among 59 percent of respondents. The human element, it seems, is still our greatest risk.

The survey, done in conjunction with Zix Corporation and announced last week, points to everyday email practices that contribute to leaks (such as ignoring policies, mistakenly emailing data, etc.)

Deborah Galea, co-founder and COO of Red Earth Software, believes one of the most important steps to securing the small-to-mid-sized business is a solid email policy. “It is important that employees understand what the risks are when they use email and that you have guidelines to ensure that these risks are minimized.”

On its Web site the company—providers of email content security software Policy Patrol for Microsoft Exchange Server and recently introduced Policy Patrol Archiver for Exchange—offers a sample email policy to download.

“Our products are aimed at the smaller sized businesses between 25 and 250 users, although we have customers that are larger,” says Galea. While the product offers threat protection, it also inspects emails for certain content or attachments. “It checks for inappropriate or confidential emails leaving the organization.”

What should be included in an email policy? Guidelines on personal use, confidential information, passwords, email retention, encryption, and a review of best practices, for starters. Understanding the consequences of not following the email policy or what is defined as libelous, defamatory, or offensive should be clearly articulated to all employees. Employees also need to realize that they personally and / or the company can be held legally liable. Every employee ought to be required to read and sign a copy.

In the Ponemon study, nearly 70 percent of respondents believe employees ignore policies about emailing unencrypted sensitive or confidential documents through insecure channels.

“Email is essential to business productivity and collaboration,” comments Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “It is such a significant tool that employees are inclined to circumvent policy and email sensitive information, so they can effectively perform their responsibilities in a timely manner.”

Educating employees includes letting them know that emails might be monitored. Policies need to clearly state that the content of emails is being inspected. Without this advanced notice to employees, organizations might be liable for privacy infringement.

Beyond signing the email policy, employees also need to be instructed on how to be defensive. “There are not many ways for spammers to invent their way out of today’s spam blocks,” comments Galea. “I think spam is under control after 10 years and also phishing. Now the concern is spear phishing. This is how they are trying to circumvent the spam filters. Education, training employees is something that all companies should be doing,” recommends Galea. (Spear phishing scams are extremely targeted toward high-value and specific organizations or people for identity theft and other fraudulent purposes.)

In addition, says Galea, employees need to be reminded of email etiquette so that communications going outside the company are professional and in keeping with the organizations principles. Red Earth offers a list of 20 Email Etiquette Tips.

For most businesses, email is still king. Even though social media is alluring, it is not best for business communications of significance. Why? Because, at the moment, with social media we have to rely strictly on user training for managing the content. “On Twitter, for example,” says Galea, “you have no control over the messages. You can’t centrally record them, like you can with an email archive or search. It is very difficult to retrieve this information.” For regulated industries and companies that have concern for legal discovery, this can be very important. As time goes on treatment of social media is becoming more aligned with email rules, however we are not nearly there when it comes to automated tools for content managing and archiving.

For business, with so many social media platforms available, there has to be strict rules on what can be said through social media and what cannot. “It is not a good method for business communications for anything that could be relevant later,” believes Galea.

So for now, employees should be instructed to use email instead of social media for any communication that could be of relevance for a company. As for companies, email policies can function on a number of levels from etiquette to best practices to security to legal protection and beyond.

Financial Services, Social Networking, and FINRA

Stephanie Jordan — Thu, 15 Sep 2011 04:41:01 +0000

Last month FINRA (Financial Industry Regulatory Authority) issued Regulatory Notice 11-39 to provide “guidance on social networking Web sites and business communications” for financial firms and brokers.

Regulatory Notice 11-39 is intended as a response to growing questions in regards to the application of January 2010 Regulatory Notice 10-06’s rules about communications with the public on social media sites as it pertains to recordkeeping, content requirements, and general compliance.

Stephen Marsh, founder and CEO of Smarsh, offered his take on the significance of last month’s announcement: “FINRA 11-39 is significant in that it adds more context and detail to FINRA’s approach to social media and personal devices which was originally laid out in 10-06. The biggest takeaway for broker-dealers is that it’s about the message – not the medium. If the message is business-related, then it doesn’t matter if it’s a tweet, a text from your personal BlackBerry or an email from your work computer – you must retain, retrieve and supervise it.”

According to a recent Smarsh survey, while 70% of respondents reported that their compliance policy addresses the use of email for business purposes, less than half have policies to address other forms of electronic communication, such as instant messaging (45%), text messaging (35%), LinkedIn (47%), Facebook (42%) and Twitter (34%).

“FINRA 11-39 is just the latest reminder to firms that they need to take a proactive approach to manage their compliance obligations and minimize the risks that come with these new communications channels,” says Marsh.

Even if your organization is not in the financial services industry, it is well to be aware of these best-practices as set forth by the agency and consider incorporating elements into your company’s communication policies.

Who Will Be Next Victim in Breach and Hacks? Nintendo Joins List Including Google, RSA Security, PBS, Lockheed Martin, Sony

Stephanie Jordan — Tue, 07 Jun 2011 10:16:19 +0000

While only half-way through the year, 2011 may be best remembered as the year of spectacular hacking and breaches. The headlines this year are full of well-known brands being attacked. From the RSA Security breach earlier this year, to news that Lockheed Martin had been compromised, to Google admitting that Gmail hackers have targeted U.S. government and military personnel, there is no shortage of news on the subject of hacking.

While Google is pointing an accusing finger at China, which China denies, others are wondering why government personnel have Gmail accounts at all. In a Friday post Sharon Gaudin asks that very question and quotes Brad Shimmin, an analyst with Current Analysis, who says Google has been “pushing hard to get government agencies - all the way from small and local to big, federal organizations - to move to Google Apps.” The article goes on to offer more possible reasons for having the accounts.

But Google, while perhaps the most well-covered, is not alone in its troubles. Hotmail and Yahoo! Mail have also reported being targeted. These phishers are very exacting moving from spear-phishing (the targeting of a specific organization) to possible whaling (the targeting of a particular person). A number of blogs have offered possible reasons behind the attacks – I found Nart Villeneuve with Trend Micro account interesting reading.

Also, don’t miss reading last week’s: How to Stop Your Gmail Account Being Hacked by Graham Cluley, senior technology consultant with Sophos, where he suggests steps to reduce the chances of your Gmail account being hacked:

Set up two-step verification
Check if your Gmail messages are being forwarded without your permission
Where is your Gmail account being accessed from?
Choose a unique, hard-to-crack password
Secure your computer
Why are you using Gmail anyway?

Meanwhile, Lulz Security (or LulzSec) is loud and proud of its recent exploits – which include compromising PBS’s website and posting a story that Tupac Shakur is “alive and well” as well as infiltrating servers at Sony Pictures. The group is also taking credit for replacing the homepage of a FBI partner (InfraGard) with a YouTube joke video and publishing an internal configuration file for one of Nintendo’s U.S. servers.

In the case of InfraGard, according to reports, “The server’s user database was apparently not properly protected. LulzSec published the personal data of 180 InfraGard members and a number of passwords in plain text. They also made 700 MB of emails available as a torrent download.”

Further, the group tested the InfraGard user database and found that many of the passwords were being re-used on other websites making the payload even sweeter.

In the case of Sony, LulzSec compromised millions of user records gaining access to names, passwords, email addresses, birth dates and home addresses. After the multiple attacks, Sony’s brand is reeling amid questions of poor data management.

In the wake of the PBS hack last week, Chester Wisniewski, a senior security advisor at Sophos Canada wrote in a blog last week, “Whether you are related to political causes or not, an easy way to ensure you aren’t the next victim is to make sure that you protect the information you are entrusted with. Data stored insecurely is a bomb waiting to detonate. Security must be a proactive attitude because reacting is simply too dangerous.”

Hear, hear.

The "State of Application Security Survey" - 88 Percent Spend More on Coffee Than Security

Melisa LaBancz-Bleasdale — Sun, 10 Apr 2011 21:46:17 +0000

Back in February, Barracuda Networks Inc., Cenzic Inc. and the Ponemon Institute released the“State of Application Security Survey,” which found that 73 percent of organizations had been hacked at least once in the last 24 months through insecure web applications. The news that web apps are insecure isn’t really shocking, but the percentage of organizations that fell prey to attacks is certainly eyebrow raising. I chose to address this report now, because it appears that companies just haven’t gotten around to determining the best way to handle the influx of insecure web apps exposing their organizations to increasingly sophisticated and damaging attacks.

In one of those, “It’s so awful it’s funny” findings, the survey notes that even though website attacks are the biggest concern for companies, 88 percent of them spend more on coffee than securing their web apps. Don’t get me wrong, I love me some coffee, but I also love me some secure banking and private medical files. I think it would be illuminating for an IT manager to use this data point in a meeting, “Last June we spent 50K on our Colombian roast and 2K our web security products. We’ve been hacked 187 times but our coffee is really, really good.”

The results of the survey reveal respondents’ perceptions and experiences protecting web applications. It underscores the lack of adequate protection currently in use and overall insufficient resources and knowledge around Web application security in general.

Strangely, (or not?), the report found that 69 percent of organizations rely on network layer firewalls to protect their websites, leaving web applications wide open for attack. Haven’t we all learned that firewalls are like long underwear? They offer some protection but won’t cut it on Mt. Everest. I was mystified to find that organizations still feel this is an adequate defense mechanism.

What wasn’t surprising to me was the finding that 72 percent of organizations test less than 10 percent of their web applications for security holes, some knowing they have been hacked in the past. I don’t actually know of any organization that runs the recommended regular security checks. This frustrates the analysts and security experts but time, resources, and competing priorities usually get in the way of such things as routine maintenance and ensuring the safety of the corporate network. I do think it should be required for all financial institutions, government agencies, medical organizations and any other company that deals with sensitive amounts of customer data—which is pretty much everyone right?

According to 74 percent of respondents, web application security is either more critical or equally critical to other security issues faced by their organizations. Despite this, the study shows there are many misconceptions around the methods used to secure Web applications, primarily web application firewalls and vulnerability assessment.

“While it is encouraging to see that web application security is on the minds of most organizations, there still seems to be a real disconnect between the desire and implementation of security countermeasures required for Web application security,” said Dr. Paul Judge, chief research officer and VP for Barracuda Networks. “The fact that 69 percent of respondents are relying upon network firewalls to secure web applications is like relying upon a cardboard shield for protection in a sword fight—eventually your shield will prove that it’s insufficient and an attack will reach you that can fly past a network firewall.” I agree. It’s probably never a good idea to use a cardboard shield whilst wearing your long underwear to a sword fight.

Mandeep Khera, CMO for Cenzic says it’s a huge red flag that a quarter of respondents could not provide a range for how many web applications they have. He expressed shock that 20 percent of organizations do not test at all and 40 percent test only 5 percent of their web applications, but as I mentioned above, it’s just never really been part of the day-to-day risk mitigation plan (and it should be). It is shocking though that most of these companies have been hacked multiple times through insecure web applications. “If you know that burglars come through a broken door repeatedly wouldn’t you want to fix that door?” asks Khera.

Other key findings in the study include:

Data protection (62 percent) and compliance (51 percent) were the top reasons for securing web apps. Job protection was also a significant reason cited by 15 percent of respondents.

Despite 51 percent listing compliance as a key driver for web application security, 43 percent are not familiar with or have no knowledge of OWASP, a key component to compliance standards like PCI.

With 41 percent reporting they have over 100 web applications or more, the majority (66 percent) test less than 25 percent of these applications for vulnerabilities.

More than half (53 percent) expect their web hosting provider to secure their web applications.

Of those respondents who own a web application firewall, nearly 2 times agreed that a reverse proxy is a better and more secure technology than a transparent bridge technology.

“While IT practitioners recognize the criticality of secure web applications, their organizations do not provide adequate resources and expertise to manage the risk,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Over half of the respondents we polled believe they do not have resources to detect and remediate insecure web applications, and 64 percent said they believe that their organization have inadequate governance and usage policies.”

The results of the survey from the Ponemon Institute are based on responses from 637 practitioners in a variety of industries with an average of 11 years of experience in their profession.

Most SMEs Investing in Web Monitoring and Filtering in Support of Policies

Stephanie Jordan — Mon, 18 Oct 2010 05:00:00 +0000

In the last installment of the Messaging News Small Business Dispatch, I noted that many online scams rely on brand names to add legitimacy to the nefarious requests for credit card numbers, bank details, passwords and to plant malware. The need to monitor site traffic as a Web security tactic grows as this kind of activity continues. Organizations of all sizes are using Web monitoring and Web filtering solutions, including 69.9 percent of small and medium-sized enterprises (SMEs), according to a new survey by GFI Software. GFI reports that SMEs use the technology “to block offensive sites, stop malware infections from downloaded files and to prevent malware attacks from drive-by downloads.” The GFI survey respondents were either IT management or IT staff working in network management and administration. Only 8.9 percent had over 500 employees.

Employees, Social Networking, and Cyberslacking

“Cyberslacking.” Sounds fun doesn’t it? No doubt it is, but not necessarily desirable when you are paying employees for a work product. But blocking social media is not really possible anymore, especially as businesses continue to seek ways to use the medium as part of a business strategy. In fact, GFI notes that the most valuable brands in the world are experiencing a direct correlation between top financial performance and deep social media engagement. If it needs to be open for business, how do you close it off for personal employee use? The simple answer is, most companies don’t. In GFI’s survey of SMEs, respondents were asked if employees were allowed to surf the Internet for personal reasons during breaks. Eighty-five percent said yes, however, all used Web filtering to restrict what employees can view and access.

This restriction is well founded, not only to prevent cyberslackers from whiling away the hours, but also to keep threats at bay. In its Q3 2010 Internet Threat Trend Report, out this week, Commtouch Labs shows that hyperlinked malware and HTML attachments saw a “significant increase” as attachments either “displayed phishing pages or redirected users to sites hosting malware or spam.” Unsuspecting users can easily be fooled by these very sophisticated ploys.

Acceptable Use Policy Guidelines

GFI notes that: “While organizations are happy to allow employees to access the Internet for personal reasons, they are not giving them access to sites that are known to contribute most to loss in productivity / cyberslacking and those sites that are bandwidth-hungry. It also may be the case that organizations are only allowing access at certain times of the day, for example, during employees’ lunch break or after hours. Blogs and news sites are the categories of Websites blocked the least by respondents to the survey.”

Commtouch Labs reports that during the third quarter of 2010, the Web sites most likely to be compromised with malware continue to be pornographic sites—parked domains, business, computers & technology, and education round out the top five. For phishing threats, the top five are games, sex education, shopping, travel and computers & technology.

The use of Web monitoring is gaining acceptance among employees. Of those in the GFI survey, 92.5 percent inform their employees that online activity inside the organization may be monitored. Along with notifying employees of the policy, management should also work to educate employees on the “why” and learn about the potential risks they may bring into their company.