06 Sep When the 'send' button brings trouble
On an average day in an average office, an employee composes an e-mail using a standard mail client and hits the “send” button. That’s where the trouble starts.
From that point forward, the message goes through a series of unsecured servers across the Internet before reaching its final destination in the recipient’s mailbox. Even if no trouble is encountered along that route, the company or the individual could be called upon years later to reproduce the message in a civil or criminal suit.
The ubiquity of e-mail and its ease of use can make it easy to lose sight of just how important it is to a company, and just how serious it can be when something goes wrong. Are companies doing enough to secure and archive their e-mail transactions?
“Business has changed in the last 10 years. Everything used to be formal, on letters and so forth,” said Dave Hynek, president of Mequon, Wis.-based consulting firm Business Fitness.
Hynek points out that there has been a steady decrease in formality with movement toward e-mail and instant messaging, leading some to take their eyes off a simple fact. “Bottom line, from every regulatory agency and from a legal point of view, an industry-governance standpoint: an e-mail is a document,” Hynek says.
At computer networking-related businesses such as Capital Data in Milwaukee, they’re hearing more from clients who are worried about e-mail and database security.
“Everyone is concerned,” said John Steindorf, executive vice president of Capital Data, an IT systems integrator specializing in data solutions.
But while Steindorf said “it’s essential” to control your organization’s flow of e-mail, “very few places do that well.”
One of the reasons for that failure to better control e-mail flow is the lack of return on investment for implementing such controls, he said. But with the Sarbanes-Oxley Act that imposes new mandates on businesses, “CEOs are saying ‘absolutely’ to the controls,” Steindorf added.
Administrators and users have shields up
E-mail carries with it multiple responsibilities for the user and the IT administrator, relating to protecting the user’s privacy, safety from viruses and spyware, and the ability to recover e-mail for future legal discovery processes.
Across enterprises, the dual tasks of maintaining security and long-term archives can be spread between the administrators and the users themselves. At UW-Madison, where the WiscMail system can serve more than 65,000 accounts, those responsibilities are spread between both the end users and the system itself, according to Brian Rust, communications manager for the UW Division of Information Technology.
On the one hand, the system is very secure against the danger of viruses that might threaten the whole system. Anti-virus controls are placed at the server level, stripping messages of virus content and warning users who are checking their mail. Additionally, Norton Anti-Virus is distributed to every student and faculty member as a last line of defense.
On the other hand, it is simply unfeasible to maintain full archives of every single message. The system itself is so large and has such high turnover of the student body that they cannot keep track of every last user, and it would be difficult to set up a system that could easily distinguish between the discussion of hiring practices and other policies versus students discussing their social lives. Instead, the system logs individual transactions such as message deletion, while clear policies must be maintained for what content must be preserved by staff.
“Not on the system administration level, but I can see where that could be an issue for an individual department or a human resources group,” Rust said, addressing the concern that a future legal controversy could create problems if e-mails have been deleted.
E-mail archiving, a necessary cost
In an environment of corporate scandals and new oversight laws such as Sarbanes-Oxley, it is becoming more and more important for companies to be able to reproduce the right information at the right time.
“What we’re seeing on the litigation side is that there are large discovery requests that are happening for e-mail going back as much as 5-7 years,” said Kelley Hansen, CEO of Neohapsis, a Chicago-based network security firm that was founded in Milwaukee and maintains offices there, too.
While it’s important to maintain those archives, it’s also important to define what shouldn’t go into them, according to the company’s compliance specialist, Dave Stampley. Archives can pile up over the years to equal terabytes of data, so it’s important for employees to be able to identify items that must be retained, the more trivial items that can be erased, and what should not be done over company e-mail to begin with.
Beyond the necessity of being guaranteed against future litigation, there is also another use for maintaining archives, according to Chad Mattix. Mattix, who is now working at SecurePipe to help integrate the recently acquired MailMax suite that was bought from his former employer, MyCom, points to the need companies have to recover their records and get moving quickly again after a disaster, whether it’s from network failure or the physical loss of the storage units.
“Clearly, when events occur and there’s a disaster, having that type of ability is important across the board now,” Mattix said, pointing to the loss of businesses in the New Orleans disaster.
“The archive gives the organization that type of reserve now, and keeping it off-site has a lot of benefit because it’s going to be protected in a data center, and it can be redundant across multiple data centers,” Mattix added.
Security and privacy
While Hansen and Stampley credit virus attacks and security breaches such as those suffered by Bank of America with increasing the awareness of keeping company networks secure against malicious e-mails, there is still a lot to be done.
“This (network security) is, in some cases, coming up to the need of where it should have been, because of under-allocation in the past,” Stampley said.
Hansen noted a panic that sets in after a notable virus attack, which for a time increases the attention on IT security. However, the overall culture does not change.
“After a little while, the heat’s off. Nobody starts paying attention. The role of the security officer gets diminished again. And so it’s sort of this hot-cold, hot-cold relationship,” Hansen said, stressing the importance of emerging standards and an acceptance of security as a routine cost of doing business.
On the flip side, it can also be just as important to remember the threat to customers’ privacy that comes from the inside of a company in addition to the outside.
“We originally started off with the content control of in-bound messages,” Mattix said. “Really, over the last two years there’s been a shift toward content control of outbound.”
When it comes to maintaining security and privacy in outbound messages, Mattix emphasized the need for strict rules on what should be automatically encrypted, most notably customers’ Social Security numbers and other identifying attributes.
What is notable about that goal, Mattix noted, is that technology has been available to do it for years, but is only now coming into more widespread practice.
“We would have thought every hospital would have embraced this and get the IT director’s attention to get this off their plates and deployed,” Mattix said. Instead, what it has taken is to have commands from on high to get companies to make the effort. As an example, Mattix points to recent changes in HIPAA standards to get messages containing Social Security numbers automatically encrypted.
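The outbound rule Mattix describes, "encrypt automatically when a message carries a Social Security number," can be sketched as a small policy check. This is an added example, not code from the article or from any product named in it; the function names, the matching pattern and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Candidate SSNs: 3-2-4 digits, with the same optional separator ('-' or ' ')
# in both positions, and not embedded in a longer run of digits or dashes.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

def is_plausible_ssn(area, group, serial):
    """Reject ranges that are never issued, to cut false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def find_ssns(text):
    """Return every plausible SSN-shaped string found in text."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(m.group(1), m.group(3), m.group(4))]

def text_parts(msg):
    """Yield the subject and every text/* part, including text attachments."""
    yield str(msg.get("Subject", ""))
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_content()

def outbound_action(raw_message):
    """Return ('encrypt' | 'deliver', hit_count) for one outbound message.

    Only the count is returned, so the matched numbers never reach a log.
    """
    msg = message_from_string(raw_message, policy=default)
    hits = sum(len(find_ssns(text)) for text in text_parts(msg))
    return ("encrypt" if hits else "deliver"), hits

# Constructed sample messages (not real data).
CLEAN = ("From: billing@example.com\nTo: client@example.net\n"
         "Subject: Invoice 2005-09\n\n"
         "Order ref 000-12-3456, call 414-555-0100.\n")
SENSITIVE = ("From: records@example.com\nTo: insurer@example.net\n"
             "Subject: Claim update\n\n"
             "Patient SSN: 123-45-6789\n")

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("sensitive", SENSITIVE)):
        print(name, outbound_action(raw))
```

A mail gateway would act on the "encrypt" verdict by routing the message to its encryption step instead of plain delivery; binary attachments and encoded content need their own extraction before a check like this can see them.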