E-mail – we hate it, but we love it – and we need it. As businesses rely more and more on e-mail communication, their networks become more vulnerable to the proliferation of increasingly sophisticated malware programs including computer viruses, worms, trojan horses, and spyware. According to Gartner, the information technology (IT) research group, 90 percent of all viruses and worms infect organizations via e-mail. And those are just the external threats, none of which are any greater than the threats that network users can pose from the inside.
What is at risk? Not just the convenience of e-mail or a fast network, but the data in the network and the business itself. Losing data too often creates a financial and operational burden that can scuttle your enterprise, and conventional firewall/antivirus solutions are no longer sufficient against all threats. Effective security solutions evolve continually to incorporate advanced security technologies and security-conscious business practices.
Isolation: Network Appliances and Hosted Services
To enhance e-mail security beyond common firewall and anti-virus solutions, small businesses today have an ever-growing range of options, from high-end software solutions to network appliances or managed third-party services.
Separating e-mail servers from applications and storage servers, with beefed-up security and filtering, helps shield the business from e-mail attack. Additionally, it is easy, efficient and cost-effective to have a separate security appliance. There is very little human effort needed to maintain such security measures, which makes upkeep simple and inexpensive. Alternatively, many businesses are moving to hosted e-mail security services, which are transparent to network users and allow management to focus on other matters with assurance that the latest security tools are in place.
Organizations should implement countermeasures to mitigate the effects of spam and malicious e-mail content, but e-mail security is a two-way problem – what leaves an organization in e-mail can be as harmful to it as what comes in. Highly regulated organizations such as financial institutions and healthcare providers, or those who contract with them, face legal exposure and liabilities if employees send out sensitive client or patient information, from Social Security and account numbers to confidential records.
For this reason, small businesses are increasing their use of e-mail content filtering, including the ability to block discrete attachments based on content, both inbound and outbound. Content filtering can ease the growing challenge of complying with corporate governance policies or regulatory measures such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and Sarbanes-Oxley (SOX).
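As an added illustration (not part of the original article), the sketch below shows the kind of check a content filter applies to a message in either direction: it flags attachments that are executable by name or by content, and text parts that contain a Social Security number pattern. The extension list, the SSN pattern and the sample messages are assumptions made for this example.

```python
import re
from email.message import EmailMessage

# SSN shape AAA-GG-SSSS; areas 000, 666, 9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Illustrative list only; a production filter would carry a longer one.
BLOCKED_EXT = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".com", ".pif")

def inspect_message(msg):
    """Return (rule, location) findings for a message built or parsed with
    email.policy.default (required for get_content())."""
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        name = filename or "body"
        if filename is not None:
            data = part.get_payload(decode=True) or b""
            # Name check plus content check: "MZ" is the Windows executable
            # header, so a renamed program is still caught.
            if name.lower().endswith(BLOCKED_EXT) or data[:2] == b"MZ":
                findings.append(("executable-attachment", name))
                continue
        if part.get_content_maintype() == "text" and SSN_RE.search(part.get_content()):
            findings.append(("ssn-pattern", name))
    return findings

def verdict(msg):
    """Quarantine on any finding, otherwise deliver."""
    return "quarantine" if inspect_message(msg) else "deliver"

def sample_messages():
    """Constructed messages; every value here is a placeholder."""
    clean = EmailMessage()
    clean.set_content("Invoice attached. Call 555-0100.")
    leak = EmailMessage()
    leak.set_content("See attached.")
    leak.add_attachment("name,ssn\nJ. Doe,123-45-6789\n",
                        subtype="csv", filename="clients.csv")
    disguised = EmailMessage()
    disguised.set_content("Your report")
    disguised.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                             subtype="pdf", filename="report.pdf")
    return {"clean": clean, "leak": leak, "disguised": disguised}

if __name__ == "__main__":
    for label, message in sample_messages().items():
        print(label, verdict(message), inspect_message(message))
```

Pattern matching of this kind sees only text it can read; encrypted or compressed attachments need separate handling, such as unpacking them first or holding them for review.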
Human Software
For all of the sophisticated hardware and software available to tighten e-mail security, the most powerful component in an effective solution is a community of informed and compliant users guided by savvy leadership. Training users to avoid risky behaviors is the first step, and then there are other practical steps that management can take to improve e-mail security:
Implement an e-mail archiving system and establish a retention policy for e-mail that is consistent with your corporate culture, regulatory requirements and industry. Specify policies and controls for what can be stored on user desktops and laptops and for how long, so important data gets to storage devices that you can control and protect. Empower your network administrators to enforce those policies, and that means giving them the tools to do so.
Make sure all key departments within your organization, such as Legal, IT and HR, understand the process and approve of your e-mail filtering, retention, retrieval and analysis policies.
Don't lose sight of the big picture. Stay tuned to how threats and anti-threat solutions are evolving, identify issues before they turn into problem areas for your business, and proactively take the steps to guard against them. If you don’t think you have the time to stay informed, lean on a trusted technology partner who does – and keep in mind that the time and investment to be proactive can be far less of a burden than the costs of procrastination.
We say this ad nauseam, and yet it seems we must: Educate your staff on how to prevent viruses and worms from spreading via e-mail attachments, and be sure they recognize phishing scams when they see them. Make sure all employees know not to open executable files, or any attachment from an unfamiliar address. Further, they should know that viruses are not just spread from attachments, but can be found in embedded items as well. The bottom line? Don’t open spam or any e-mails from unknown senders.
Talk to other small businesses and see what is and isn't working for them. Get your budget approved and do the necessary leg work – you’ll be glad you did.
In a society where instant communication is the norm, we take e-mail for granted. Although it’s easy to do so, there is no excuse for taking shortcuts when it could compromise a carefully thought out security strategy. E-mail should be treated like any other type of corporate data – or any other opening to your building, for that matter – and should be managed accordingly. E-mail security is a valuable component of business security.
1. Gartner Research – http://www.spamclam.co.uk/email-threat-statistics.html