<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Email management, storage and security for business email admins &#187; Compliance</title>
	<atom:link href="http://www.theemailadmin.com/category/email-archiving-storage/compliance/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.theemailadmin.com</link>
	<description></description>
	<lastBuildDate>Fri, 10 Feb 2012 14:00:05 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>5 Most Common Violations of Email Compliance</title>
		<link>http://www.theemailadmin.com/2011/12/5-most-common-violations-of-email-compliance/</link>
		<comments>http://www.theemailadmin.com/2011/12/5-most-common-violations-of-email-compliance/#comments</comments>
		<pubDate>Fri, 30 Dec 2011 14:00:46 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Confidentiality]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[Email address]]></category>
		<category><![CDATA[Employment]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[Regulatory compliance]]></category>
		<category><![CDATA[Signature block]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5145</guid>
		<description><![CDATA[Email compliance is always a hot issue. Yet even while there are laws and regulations governing how certain industries send, receive, store and secure email messages, 73.7% of people who responded to a survey admitted that they had violated email compliance policies at their workplace. It is important to note as well that this number represents [...]<p><a href="http://www.theemailadmin.com/2011/12/5-most-common-violations-of-email-compliance/">5 Most Common Violations of Email Compliance</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/12/email-compliance-accountability.jpg"><img class="alignright size-full wp-image-5146" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/12/email-compliance-accountability.jpg" alt="" width="240" height="240" /></a>Email compliance is always a hot issue. Yet even while there are laws and regulations governing how certain industries send, receive, store and secure email messages, 73.7% of people who responded to a survey admitted that they had violated email compliance policies at their workplace.</p>
<p>It is important to note as well that this number represents those who knowingly violate company email policies. The same survey showed that 42.7% of those asked claim that their company either doesn’t have email compliance policies, or they were unsure if such a policy was in place.</p>
<p>So what are some of the most common violations of these policies? Take a look:</p>
<p><span id="more-5145"></span></p>
<p><strong>1. Sending confidential information</strong></p>
<p>When it comes to industries like education, healthcare and finance, sending personal and confidential information via email can violate not only company and organizational policies, but also federal regulations.</p>
<p>Still, 45.7% of respondents claim to have accidentally sent information via email that violated regulatory compliance, and 28% admitted to having done so intentionally.</p>
<p>This also leads to another serious problem: printing confidential emails. While most of the time these emails are printed and immediately filed away, there have been stories of confidential emails left on the printers at trade shows, hotels and airport lounges. Worse still, the information contained in the email almost always remains electronically stored on the printer itself as well.</p>
<p><strong>2. Sending work-related emails from personal accounts</strong></p>
<p>According to a report from a security vendor, 71% of people surveyed have been educated on the risks associated with sending work-related email from their personal accounts. However, 47% of them don’t agree with these policies and deem it acceptable to use their personal accounts for work. In fact, the same survey showed this to be a major concern among younger employees, with 85% of workers under the age of 25 regularly sending work-related emails from their personal accounts.</p>
<p><strong>3. Sending inappropriate emails</strong></p>
<p>Nothing can be more damaging to the reputation of a company, or individual employee, than an inappropriate email.</p>
<p>This is a hard statistic to measure because most often, people think of inappropriate emails as those that make the headlines due to racist remarks or sexual references. But these types of emails are only the tip of the iceberg.</p>
<p>Inappropriate emails include sending emails when angry, sending emails with poor grammar and spelling, jokes, slide show presentations, pictures of the grandkids and just about anything else that people find offensive or bosses find to be not related to work.</p>
<p>Most people think that the latter list is mostly harmless, but when you add up the hours lost in productivity and the customers you lose because you consistently spell <em>the</em> as <em>teh</em>, you can see where it can become a problem.</p>
<p><strong>4. Inappropriate use of the email signature</strong></p>
<p>If a company has a well-written email compliance policy in place, then it will most certainly contain some guidance as to how employees should write their email signature. Most people will ignore this.</p>
<p>Frequently, companies restrict signatures to the person’s name, contact information and a link to the company’s web site. Sometimes they will specifically address the use of quotations or sayings in the signature line – but this is often ignored.</p>
<p>Email signatures that violate compliance policies can also be spotted by the font and color used. Generally, it is not considered professional-looking to use multi-colored text or fancy fonts for the email signature.</p>
<p><strong>5. Using work email for personal communications</strong></p>
<p>Policy flouters aren’t only using personal emails for work, but vice versa as well. One common misstep when it comes to email compliance is to fire off a quick email to a friend or spouse from your work account. Many people still don’t realize that the contents of their emails are subject to review by their employer. Even those who are aware of this continue to send personal emails from work or use their work email address to register for web sites or mailing lists online.</p>
<p>To reduce the number of people who violate email policies in the workplace, email administrators need to clearly define their expectations to all employees and take the time to enforce these policies. When people understand the rules and see that they are frequently, but fairly, enforced they will be far less likely to try to circumvent them.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/12/5-most-common-violations-of-email-compliance/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>5 Ways To Increase Email Policy Compliance</title>
		<link>http://www.theemailadmin.com/2011/12/5-ways-to-increase-email-policy-compliance/</link>
		<comments>http://www.theemailadmin.com/2011/12/5-ways-to-increase-email-policy-compliance/#comments</comments>
		<pubDate>Wed, 14 Dec 2011 14:00:48 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Company]]></category>
		<category><![CDATA[Educate]]></category>
		<category><![CDATA[Education]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[Employment]]></category>
		<category><![CDATA[Information technology]]></category>
		<category><![CDATA[Organization]]></category>
		<category><![CDATA[policy]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5086</guid>
		<description><![CDATA[At one time or another, most email administrators are tasked with the responsibility of writing up policies that govern the use of email in an organization. These policies are necessary to: Protect against email based threats and vulnerabilities Reduce the organization’s liability if email is used inappropriately by employees Prevent misconduct when it comes to [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/12/email.jpg"><img class="alignright size-full wp-image-5087" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/12/email.jpg" alt="Compliance with email policies" width="239" height="240" /></a>At one time or another, most email administrators are tasked with the responsibility of writing up policies that govern the use of email in an organization. These policies are necessary to:</p>
<ul>
<li>Protect against email based threats and vulnerabilities</li>
<li>Reduce the organization’s liability if email is used inappropriately by employees</li>
<li>Prevent misconduct when it comes to email use</li>
<li>Educate employees on email etiquette</li>
<li>Inform employees of email monitoring policies.<span id="more-5086"></span></li>
</ul>
<p>However, many email administrators find it tough to sell their coworkers, and even management, on certain aspects of the policies created. Instances of a company’s employees brushing off email policies as insignificant, or simply ignoring them altogether, are far too common in today’s workplace.</p>
<p>Despite the importance of email policies, most people simply see them as either a barrier to getting work done or as a way that management can monitor and control their activity.</p>
<p>As email administrators, we can certainly do a better job when it comes to getting buy-in from our coworkers. To help with this, we have compiled a list of tips that can help you present new email policies, or changes in existing policies, with as little friction as possible.</p>
<h2>1. Understand why you are creating these policies</h2>
<p>The first step begins with the people tasked with creating these policies. As email (or IT) administrators, we have to realize that our number one job is to help our coworkers do their jobs more effectively. Too often, IT policies are influenced by things that make life easier for the IT staff and often at the expense of other departments. This immediately creates friction and a type of civil disobedience often follows.</p>
<p>If other employees see that any policies in place are not just to make life easy on IT, but exist to help the company as a whole, there is often less justification for not following them.</p>
<h2>2. Explain the risks</h2>
<p>Users often need to understand the reasons why they have to do something in order for them to comply. But taking a “because you are supposed to” attitude isn’t explanation enough. Provide them with real-life scenarios that show what can happen if they don’t follow the policies that are put in place. Oddly enough, people often find these examples intriguing and captivating. Compliance usually increases after they are presented with stories like these, but after a while the fear factor wears off. Keep users in touch with the various risks by giving them a reminder every so often through company newsletters or blogs.</p>
<h2>3. Review policies with other departments</h2>
<p>One of the biggest threats to compliance is when upper management doesn’t buy in to your policies. This often happens when they feel that the email policies put in place restrict their team from being productive.</p>
<h2>4. Provide data</h2>
<p>If you are serious about email policies then there should be some way to track data. Provide users with data from your organization to help show a need for policies. For instance, if you have a policy in place regarding not responding to junk mail then show your coworkers how this helps reduce spam in your workplace. If you block executable files from being attached to email messages, provide evidence that this measure helps prevent malware outbreaks.</p>
<h2>5. Realize that not every policy has to do with security</h2>
<p>More often than not, email policies are looked at from a security/productivity standpoint. They help keep emails and information secure and confidential, and they help keep workers on task.</p>
<p>However, email policies can also help protect and promote your organization’s brand.</p>
<p>Regulating how users write emails and how they craft their signature lines can really improve how current and potential clients see your company.</p>
<p>Even though other forms of communication are becoming more popular, businesses will continue to rely on email as the primary means of communication for years to come. Those who work to make sure email communications run smoothly will always find that compliance with policies that govern email use is often neglected. However, when the right approach is used, the headaches that often accompany email-related problems will most certainly decrease, giving you more time to deal with projects you probably find a bit more interesting and much more worthwhile.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/12/5-ways-to-increase-email-policy-compliance/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>For Los Angeles, Not Every Cloud Has A Silver Lining</title>
		<link>http://www.theemailadmin.com/2011/10/for-los-angeles-not-every-cloud-has-a-silver-lining/</link>
		<comments>http://www.theemailadmin.com/2011/10/for-los-angeles-not-every-cloud-has-a-silver-lining/#comments</comments>
		<pubDate>Tue, 25 Oct 2011 14:00:25 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[Los Angeles]]></category>
		<category><![CDATA[Los Angeles City Council]]></category>
		<category><![CDATA[Los Angeles Police Department]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Novell]]></category>
		<category><![CDATA[October 2009]]></category>
		<category><![CDATA[United States]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4816</guid>
		<description><![CDATA[Back in October of 2009 the City of Los Angeles voted unanimously to outsource their email services to Google. While many other organizations have made similar moves, this move made Los Angeles the largest city in the United States to hand over its messaging services to Google, Inc. For $7.2 million, all 30,000 city employees [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/10/Gmail-Priority-inbox.png"><img class="alignright size-full wp-image-4817" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/10/Gmail-Priority-inbox.png" alt="" width="199" height="199" /></a>Back in October of 2009 the City of Los Angeles voted unanimously to outsource their email services to Google. While many other organizations have made similar moves, this move made Los Angeles the largest city in the United States to hand over its messaging services to Google, Inc.</p>
<p>For $7.2 million, all 30,000 city employees would be turning to the cloud for email.</p>
<p>This was a huge win for Google because not only did they beat out their rival, Microsoft, but a successful implementation would easily pave the way for future business with local governments.<span id="more-4816"></span></p>
<p>Fast forward two years and one Los Angeles city councilman is asking why nearly half of the 30,000 employees haven’t yet moved to the new Google Mail system.</p>
<blockquote><p>The answer is Google has &#8220;been unable to meet the security requirements of the city and LAPD for all data and information.&#8221;</p></blockquote>
<p>Basically, there have been legal obstacles concerning whether or not Google can house law enforcement data, such as criminal histories and data related to investigations, on its servers.</p>
<h2>Shame on Google?</h2>
<p>From an outsider’s point of view, it looks as if Google is to blame for this catastrophe.</p>
<p>Especially when news stories lead in with headlines like, “Google &#8216;unable to meet&#8217; security needs of city email.”</p>
<blockquote><p>However, Google isn’t exactly at fault here. They claim that working with the regulations surrounding municipalities, “is so new that the legal requirements around data protection are still evolving — and that some of those regulations came to light only after the contract was signed in late 2009.”</p></blockquote>
<p>Instead of making the jump, the LAPD and other agencies have remained on their older email system using Novell’s email software with Google footing the bill.</p>
<p>But costs aren’t the only thing at stake. Using two different email systems has caused headaches and productivity problems for city employees, especially the IT department.</p>
<h2>Who is to blame?</h2>
<p>In all actuality, it is the Los Angeles City Council who is at fault here.</p>
<p>Google provides a product. When a customer wants to use that product, they have to do their research.</p>
<p>Most likely, the question arose at some point, “will our information be secure with you?” And most likely Google answered yes.</p>
<p>But that can’t be sufficient. When you are talking to a salesperson, you need to understand that A) the nature of their job is to sell you a product and B) their legal knowledge will not be on the same level as that of a lawyer. Before the vote even came before the city council, a thorough review of the product and its adherence to federal, state and local regulations should have been completed by the legal team for the city or an outside agency. End of story.</p>
<h2>Best practices</h2>
<p>There are plenty of news articles floating around in cyberspace about how a school district or government agency dropped the ball when making a huge technology purchase.</p>
<p>A simple search of <em>Google Apps for Government + regulations</em> in the time period of October 2007 to October 2009 returns quite a few results about how Google is ramping up its offerings for government agencies. There are even some pretty high profile publications that covered what Google is doing to get ready for what it hoped would be a wave of government clients.</p>
<p>But if you go past the first few pages of the search results you start to see a different picture. Many more results caution users who need to adhere to specific regulations to stay away from cloud based providers for certain services. Email being one of them.</p>
<p>Of course quite a bit has changed since 2009, and Google has gone a long way to make sure that their products are certified under FISMA (The Federal Information Security Management Act of 2002) so that the federal government regulations that govern email are met.</p>
<p>And while Los Angeles still sorts out its email mess, other municipalities and agencies continue to move email services to the cloud. Some of them successful, some of them plagued by problems.</p>
<p>However, one thing that hasn’t changed is that organizations will continue to sign large contracts for products and services without getting the whole picture ahead of time.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/10/for-los-angeles-not-every-cloud-has-a-silver-lining/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Understanding Email Encryption (Part 2)</title>
		<link>http://www.theemailadmin.com/2011/08/understanding-email-encryption-part-2/</link>
		<comments>http://www.theemailadmin.com/2011/08/understanding-email-encryption-part-2/#comments</comments>
		<pubDate>Tue, 23 Aug 2011 14:00:01 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[cryptography]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[Microsoft Outlook]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4483</guid>
		<description><![CDATA[In Understanding Email Encryption Part 1 I covered not only why encrypting email is important, but also the two different types of email encryption: asymmetrical and symmetrical. There was another section that briefly mentioned some of the barriers that impede buy-in from management when it comes to an encryption solution. But these were only touched [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/08/cryptography.jpg"><img class="alignright size-medium wp-image-4487" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/08/cryptography-300x215.jpg" alt="" width="300" height="215" /></a>In Understanding Email Encryption Part 1 I covered not only why encrypting email is important, but also the two different types of email encryption: asymmetrical and symmetrical.</p>
<p>There was another section that briefly mentioned some of the barriers that impede buy-in from management when it comes to an encryption solution. But these were only touched upon.</p>
<p>Unfortunately, when it comes to making a pitch for encryption, those who understand the need for it are an easy sell. Those who either don’t understand it or don’t see the need for it often cite one or more of the stigmas attached to email encryption as a reason to avoid it.<span id="more-4483"></span></p>
<p>Should you find yourself being stonewalled when giving your reasons for email encryption, here are a few points you can make to counter any disbelievers.</p>
<p>Of course, the consequences that come from disputing your boss in front of others are something that encryption can’t protect against, so use them at your own risk.</p>
<h2>Encryption makes us look paranoid</h2>
<p>In the previous post I quoted a survey respondent as saying: “normal people don’t encrypt normal email messages” when asked about adopting encryption for email.</p>
<p>The problem is that society does tend to raise an eyebrow at those who act paranoid. Let’s be honest here, they are outright ridiculed.</p>
<p>And no one wants to be made fun of. But that is playground thinking. As a customer, client or employee I want to know that my personal or confidential information is being protected. Email encryption can make me look silly if I am sending a joke to a friend and I use DES cryptography, but if account information is being sent from my bank I want to see a bit of protection put in place.</p>
<p>One way to counter this is to ask, “would you rather someone think you a bit paranoid, or would you rather be in the news like the Oak Ridge Laboratory, CitiGroup, Sony, Target, Chase, etc.”</p>
<h2>Encryption is too complicated for most users</h2>
<p>15 years ago, email was too complicated for most users. There was a time when the telephone was complicated technology.</p>
<p>And yes, there was a time when cryptography for email messages was quite a bit of work, but now it is rather simple and solutions operate seamlessly with your company’s email client.</p>
<p>Outlook offers two separate methods of encrypting email messages. You can encrypt a single message using 3DES by going to the <strong>Message tab</strong> in the <strong>Options group</strong> and clicking on the <strong>Encrypt Message Contents and Attachments</strong> button.</p>
<p>After that you simply write your message and send it on its way.</p>
<p>Encrypting all messages can be done as well, but that requires all recipients to have your digital ID to decrypt the contents.</p>
<p>Still, that doesn’t seem too difficult now, does it?</p>
<h2>Encryption is too expensive for us</h2>
<p>Another stigma is that encryption is for large companies, not small or medium sized businesses &#8211; this isn’t entirely accurate.</p>
<p>Sure, an organization can spend a good deal of money on an expensive appliance that requires add-ons and plug-ins. But you don’t have to spend that much.</p>
<p>With Software as a Service models, even the smallest company can purchase a service contract for only what they need. Be it one user or a thousand.</p>
<p>There are even companies that cater these services to smaller organizations specifically to keep costs within reason.</p>
<p>Software as a Service solutions can also help negate the belief that encryption will be too much of an undertaking for your IT staff as well. Since the company is buying the service, there is nothing for the IT people to set up, configure, troubleshoot, monitor, etc.</p>
<p>Encryption, like any other technology, has changed over the years. But so has the need for it. There was a time when email wasn’t such a lucrative target for attackers. There was a time when regulations mandated certain security baselines be put in place. There was a time when using encryption required a Master’s Degree in Computer Engineering. But all that has changed. Let your company know it’s about time their mentality regarding protecting email messages does as well.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/08/understanding-email-encryption-part-2/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>5 Essential Tips for SMB Email Security</title>
		<link>http://www.theemailadmin.com/2011/07/5-essential-tips-for-smb-email-security/</link>
		<comments>http://www.theemailadmin.com/2011/07/5-essential-tips-for-smb-email-security/#comments</comments>
		<pubDate>Fri, 15 Jul 2011 14:30:09 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[backups]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email monitoring]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4286</guid>
		<description><![CDATA[When looking at solutions on securing email, many people don’t take into consideration the type of business environment they work in. All too often, after spending a great amount of time and money, small to medium-sized enterprises find out that what works for a company the size of Bank of America doesn’t quite work for them. [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-medium wp-image-4291" style="margin: 10px; border: 0px solid black;" src="http://www.theemailadmin.com/wp-content/uploads/2011/07/prospecting-via-email-300x212.jpg" alt="prospecting-via-email" width="300" height="212" />When looking at solutions on securing email, many people don’t take into consideration the type of business environment they work in. All too often, after spending a great amount of time and money, small to medium-sized enterprises find out that what works for a company the size of Bank of America doesn’t quite work for them.</p>
<p>To better help SMBs find solutions scaled to their needs when it comes to email security, I have compiled a list of 5 tips that address the risks and restraints that they face.<span id="more-4286"></span></p>
<p><strong>1. Get the right solution</strong></p>
<p>Email security can come in any number of packages. Security solutions can be software based, deployed through an appliance or even in a hosted environment. Each type has a variety of advantages, but there may be some disadvantages based on your company size or industry so it is important that you weigh your options carefully.</p>
<p>It is also important to look to solutions that can provide the protection your company needs at a cost that works. Too many times people are under the impression that security appliances are seriously out of reach for most small to medium sized businesses. This isn’t the case. There are many solutions that organizations find affordable and feature rich.</p>
<p><strong>2. Make content filtering a standard practice</strong></p>
<p>Content filtering needs to be a two way street. Of course, you want to filter out inappropriate content from being received by employees, and certain types of attachments need to be blocked to prevent the spread of malware and the exposure of vulnerabilities. However, how often do you consider filtering what leaves your business via email?</p>
<p>Many industries nowadays are highly regulated and sending sensitive, or even financial, information out through email can not only bring compliance issues to your business, but it may also give competitors an edge. Filtering what users send out can be just as important as filtering what they receive when it comes to securing your company’s email.</p>
<p><strong>3. Practice recovery as well as backup and archiving</strong></p>
<p>Do you brush just half of your teeth? Then why would you only test half of your backup <em>and recovery</em> solution? Many companies find out, only when it is too late, that their backup and recovery solution was not configured properly or that there is some sort of problem.</p>
<p>This can be alleviated by regularly testing the recovery portion of your backup. By simply setting up a server (or virtual server) on which you can replicate your email system you can frequently test the validity of your backups in a way that will not disrupt your current email process.</p>
<p><strong>4. Create fair policies that management will enforce</strong></p>
<p>One of the biggest mistakes that SMBs make when it comes to email security is to take an overly aggressive approach. Without the manpower and resources to fine tune security policies, it becomes easier to just restrict anything that could be a perceived threat. This becomes especially true in small IT departments because they are tasked with so many other responsibilities.</p>
<p>When creating policies, it is important to bring other departments to the table so that these policies do not restrict anyone from getting their work done efficiently and effectively. Involving others at the management level also helps them better understand the reasons behind email policies and the ramifications for not following them. Gaining this support will help when it comes time to enforce these policies and discipline those who violate them.</p>
<p><strong>5. Educate your staff</strong></p>
<p>When it comes to security, it is a common misconception that bigger, state of the art, expensive solutions provide the best protection. Even though this isn’t true, SMBs often feel that they are at a disadvantage when it comes to email security because they cannot afford to deploy such solutions.</p>
<p>What many SMBs don’t see is that they have a distinct advantage over their larger counterparts when it comes to educating end users. When you have a smaller number of employees to train you have the advantage of being able to spend more time with them to make sure they understand the material you are delivering. You also have the opportunity to be readily available to answer questions or address any concerns or issues that your users may have.</p>
<p>Developing a solid training series for email security can also help free up time for IT departments that find themselves tasked with too many responsibilities because users who are informed and educated require less oversight and less attention.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/07/5-essential-tips-for-smb-email-security/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Tips for Better Email Security</title>
		<link>http://www.theemailadmin.com/2011/06/tips-for-better-email-security/</link>
		<comments>http://www.theemailadmin.com/2011/06/tips-for-better-email-security/#comments</comments>
		<pubDate>Mon, 27 Jun 2011 16:34:23 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[ediscovery]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email encryption]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email policies]]></category>
		<category><![CDATA[email servers]]></category>
		<category><![CDATA[email storage]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4216</guid>
		<description><![CDATA[Most email administrators consider security to be a large part of what they do. With so many laws and regulations governing the storage, discovery and retrieval of email messages, security has become a second job to many. Unfortunately, many administrators either forget, or simply aren’t aware, that securing email requires much more effort than hardening [...]
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_4217" class="wp-caption alignright" style="width: 235px"><img class="size-medium wp-image-4217 " style="margin: 10px; border: black 0px solid;" src="http://www.theemailadmin.com/wp-content/uploads/2011/06/advanced-persistent-threat-225x300.jpg" alt="Advanced persistent threats make email security a necessity" width="225" height="300" /><p class="wp-caption-text">Advanced persistent threats make email security a necessity</p></div>
<p>Most email administrators consider security to be a large part of what they do. With so many laws and regulations governing the storage, discovery and retrieval of email messages, security has become a second job to many.</p>
<p>Unfortunately, many administrators either forget, or simply aren’t aware, that securing email requires much more effort than hardening the email servers against attack. In order to fully protect your organization’s email and its contents, the mailbox also needs to be defended, especially when you consider how popular Advanced Persistent Threats are becoming with large cyber crime syndicates who use email not only as a way to harvest sensitive information, but also as a method of attack through phishing and social engineering.<span id="more-4216"></span></p>
<p>By implementing the following tips into your security plan you can help protect against these, and the many other threats that your organization may face:</p>
<p><strong>Create email policies to regulate the communication of confidential information</strong></p>
<p>Email communication has become second nature in the workplace. It is quick, easy and it gives us a record of our conversation so we can refer back to any information at a later date. However, if the conversation contains sensitive information like login credentials, financials, personal information, and the like, then it can be extremely valuable to anyone who may harvest those emails.</p>
<p>By simply setting up, and enforcing, policies that restrict certain information from being sent via email you can mitigate the damage done if emails are exposed. At the very least, your policy should state that user logins and passwords (and/or PINs) not be communicated via email.</p>
<p><strong>Teach users to encrypt their messages</strong></p>
<p>One of the best analogies I have seen to describe the need for encrypting emails is one that compares email to a postcard. Basically, anyone who comes across it can read the contents if they want. This can be stopped by encrypting emails to prevent eavesdropping.</p>
<p>Encryption is a hard thing for many people. It requires additional steps, training and, in some cases, third-party software (such as PGP), yet it is really the only way to keep your messages private in transit.</p>
<p>Encryption shouldn’t be limited to sending and receiving messages alone. Any email that is stored on a hard drive (think personal folders), a network drive, backup servers or archive systems should also be protected from any prying eyes.</p>
<p><strong>Get rid of old email</strong></p>
<p>A long time ago, storage space was a precious resource. Nowadays inboxes can be easily scaled to hold enormous amounts of data. Unfortunately that provides a greater possibility that an attacker will find something valuable.</p>
<p>Emails should be moved, or deleted, when their life cycle is up. Make sure to check with any regulations regarding discovery and archiving before getting rid of the old stuff, but if you combine this with encryption you will be taking great strides to protect older emails.</p>
<p><strong>Practice good network security habits</strong></p>
<p>Make sure that desktops are continually scanned for malware that could possibly expose email login credentials, filter Internet content to protect against malicious websites, understand how to properly use a firewall and update server and client software as needed.</p>
<p>In addition to employing technology to help secure your email systems, you should also consider human factors. One of the ways that people first discover that their systems have been compromised is by noticing an anomaly. Be on the lookout for log-ins that just don’t seem right, whether it be the IP address, the time of day or even the length of time.</p>
<p>This can be one of the most tedious tasks to undertake when it comes to security but it is by far the most important.</p>
<p><strong>Put the right solutions in place</strong></p>
<p>In many small and medium-sized enterprises, the email administrator alone cannot be as vigilant as he or she would like. Even organizations where there is a team of professionals dedicated to security use the necessary security tools to help them do their jobs. Smaller companies need to understand this as well.</p>
<p>By employing technologies that help manage email, backup and recovery, archiving and security, you are plugging the little holes that provide that chink in the armor most attackers are looking for.</p>
<p>No one said that email security is going to be an easy task, but it is one that cannot be ignored just because it&#8217;s too hard or it costs too much.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/06/tips-for-better-email-security/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Email Scandals That Should Make Us Think Twice</title>
		<link>http://www.theemailadmin.com/2011/06/email-scandals-that-should-make-us-think-twice/</link>
		<comments>http://www.theemailadmin.com/2011/06/email-scandals-that-should-make-us-think-twice/#comments</comments>
		<pubDate>Mon, 20 Jun 2011 14:28:16 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email scandals]]></category>
		<category><![CDATA[email storage]]></category>
		<category><![CDATA[Galleon Group]]></category>
		<category><![CDATA[Lee Abrams]]></category>
		<category><![CDATA[Neal Patterson]]></category>
		<category><![CDATA[Raj Rajaratnam]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4168</guid>
		<description><![CDATA[Getting your co-workers to adhere to policies that govern the use of email in the workplace can be tough. Despite your best efforts, email is still used to send jokes, chain letters, pictures, slide shows and other inappropriate content. For whatever reason, people don’t quite get that not only are email policies in place to [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-4169" style="margin: 10px; border: black 0px solid;" src="http://www.theemailadmin.com/wp-content/uploads/2011/06/email-scandals.jpg" alt="email scandals" width="150" height="145" />Getting your co-workers to adhere to policies that govern the use of email in the workplace can be tough. Despite your best efforts, email is still used to send jokes, chain letters, pictures, slide shows and other inappropriate content.</p>
<p>For whatever reason, people don’t quite get that not only are email policies in place to protect them and the company brand, but there are consequences for violating these policies. Unfortunately, the only time when people begin to comprehend just how serious email policies are is when it is too late.</p>
<p><span id="more-4168"></span>To better help your co-workers and employees understand why it is important to adhere to email regulations and company policies, here are a few real life examples that you can use to get the point across:</p>
<p><strong>Sarah Palin</strong></p>
<p><em>The mistake: Using personal email to conduct business.</em></p>
<p>Nothing of note was found when her official email archives were released to the press recently but remember back when her personal Yahoo! account was cracked? She had to answer questions regarding the use of her personal email to conduct state business instead of her official account that is subject to laws and regulations regarding public records.</p>
<p><strong>Mark Foley</strong></p>
<p><em>The mistake: Sending inappropriate messages while intoxicated.</em></p>
<p>The congressman from Florida was caught up in an email scandal when he sent a message to a former Congressional page requesting a photo. Although the email was sent from his personal account it did open up the floodgates and it was found that he had also sent suggestive text messages to the same young man. Foley later explained that he had a drinking problem and that the messages were all sent when he was intoxicated. After all this surfaced he was told to either resign or he would be expelled from the House of Representatives.</p>
<p><strong>Neal Patterson</strong></p>
<p><em>The mistake: Expectations that emails are private communications and bad etiquette.</em></p>
<p>Whenever a paper trail exists there should be no expectation that the communication will remain private. In 2001 Neal Patterson, CEO of the Cerner Corporation, learned this when an email he sent out to his senior staff was leaked.</p>
<p>The email, which berated and threatened managers by stating, “As managers, you either do not know what your EMPLOYEES are doing or you do not CARE. In either case, you have a problem and you will fix it or I will replace you,” caused a 22 percent drop in the company’s stock.</p>
<p><strong>Climate Research Unit, England</strong></p>
<p><em>The mistake: Confirming a cover-up using email.</em></p>
<p>Much of the research from the CRU is used by the United Nations for its global climate reports so when an email surfaced from Phil Jones, the head of the CRU, that read, “I’ve just completed Mike’s [science journal] Nature trick of adding in the real temps to each series for the last 20 years and from 1961 for Keith’s to hide the decline,” you can imagine what happened to the credibility of this group.</p>
<p><strong>Galleon Group</strong></p>
<p><em>The mistake: Fake emails to cover up securities fraud.</em></p>
<p>Galleon founder Raj Rajaratnam told employees to create a fake email trail to make it appear to the SEC that some of his recent stock purchases were based on price rather than inside information he had received.</p>
<p>&#8220;You just have to be careful, right?&#8221; Mr. Rajaratnam told the former Galleon employees in a taped conversation. He later explained that he would send an email asking about a stock &#8220;so that we just protect ourselves.&#8221;</p>
<p>He was found guilty on 14 counts of conspiracy and securities fraud and faces sentencing on July 29<sup>th</sup>.</p>
<p><strong>Lee Abrams</strong></p>
<p><em>The mistake: Sending offensive content via his company’s email system.</em></p>
<p>The chief innovation officer of the Tribune Co. resigned in 2010 because he sent an email memo with a link to a video that he thought was funny. Some of the people who received the email didn’t quite see it in the same light. In fact, they found it offensive and complained. Originally, Abrams was suspended by the company indefinitely but later left his position.</p>
<p>As you can see, and as your co-workers will hopefully understand, when it comes to the inappropriate use of email the intent isn’t taken into consideration. Even something that the sender views as harmless often carries the same consequences as something done maliciously.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/06/email-scandals-that-should-make-us-think-twice/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>5 Simple Mistakes When it Comes to Email Security</title>
		<link>http://www.theemailadmin.com/2011/06/5-simple-mistakes-when-it-comes-to-email-security/</link>
		<comments>http://www.theemailadmin.com/2011/06/5-simple-mistakes-when-it-comes-to-email-security/#comments</comments>
		<pubDate>Mon, 13 Jun 2011 16:01:46 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[backups]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email encryption]]></category>
		<category><![CDATA[email policies]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4127</guid>
		<description><![CDATA[In just one week Google, the International Monetary Fund and Citigroup have all made headlines as a result of email associated with them being under attack. The reason we continue to see companies make the news as a result of email attacks is that email security is sometimes ignored when it comes to training users [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-4128" style="margin: 10px; border: black 0px solid;" src="http://www.theemailadmin.com/wp-content/uploads/2011/06/email_security.jpg" alt="email_security" width="263" height="257" />In just one week Google, the International Monetary Fund and Citigroup have all made headlines as a result of email associated with them being under attack. The reason we continue to see companies make the news as a result of email attacks is that email security is sometimes ignored when it comes to training users properly and making good decisions. In some cases, having the latest and greatest when it comes to security tools even creates a false sense of security that causes us, and our users, to overlook the little things. A multi-layered defense that has been properly configured with all the best technology can be rendered useless if the little things are forgotten.</p>
<p><span id="more-4127"></span></p>
<p>This list displays some of the most common mistakes that are made when it comes to email security and a brief description of what you can do to prevent them.</p>
<p><strong>Leaky emails</strong></p>
<p>There are many times when sensitive information is passed along via email. If everything is encrypted properly you, and your users, often assume that it will only be seen by the appropriate people. Unfortunately this isn’t always the case. Too many times a recipient may answer an email with sensitive information and hit the <em>reply all</em> button without checking to see who will be receiving the email.</p>
<p><em>The fix: Put a policy in place that addresses sensitive emails and replies to emails. However, a policy alone isn’t enough. Make users aware of the policy through training and keep a record that all users were trained/informed of the policy and repercussions of not adhering to it.</em></p>
<p><strong>Trusting others</strong></p>
<p>When we receive emails from family, friends and business colleagues we often blindly open them without much concern, especially if they are contacts we communicate with on a regular basis. However, malware can easily be spread through emails by attachment or embedded code and links.</p>
<p><em>The fix: HTML in emails should be blocked if this is a concern, as should the ability for your users to receive attachments that are scripts or executable files.</em></p>
<p><strong>Passwords that are easy to guess</strong></p>
<p>Remember when Sarah Palin’s personal email account was breached? It was because her password was easy to guess using information the attacker found on her Wikipedia page. Companies often list information on corporate sites that provides attackers enough information to guess passwords as well.</p>
<p><em>The fix: Enforce strong passwords or password phrases for all users. Also, make sure that people don’t give up information that may be used to guess their passwords when providing bios.</em></p>
<p><strong>Ignoring malware protection on the desktop</strong></p>
<p>While scanning all emails for malware needs to be done, the desktop should not be ignored. And all too often it is. Malware definitions are outdated, software is not configured to run properly or protection is completely left to the user.</p>
<p>Even if you have a policy that enforces strong passwords, a keystroke logger can easily give up even the most complex password combination.</p>
<p><em>The fix: Email administrators should work closely with IT security to make sure that the desktop and network security isn’t lax so passwords are tougher to expose.</em></p>
<p><strong>Failing to check on backups</strong></p>
<p>Some companies and industries are required, by law, to back up and archive emails for a set period of time. Others are not required to do so. Regardless of the laws, every person and company should be in the practice of backing up emails. Emails often provide important records and information that could be lost.</p>
<p>But what happens if you need to restore your emails and find that something went wrong? Maybe the backup was incorrectly configured or the backup location was insecure. In any event, the inability to restore emails from a backup can render the entire solution useless.</p>
<p><em>The fix: Frequently test the ability of your backup solution, and staff, to restore emails.</em></p>
<p>These five tips may seem basic and simple. But that is the point. Working in IT we often gravitate towards the more complex issues and ignore simple techniques and solutions until it is too late. By taking the time to do the little things when it comes to security, we build an even stronger foundation for all the bells, whistles and technologies that really impress us and our bosses.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/06/5-simple-mistakes-when-it-comes-to-email-security/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>4 Considerations for Cloud Based Email</title>
		<link>http://www.theemailadmin.com/2011/06/4-considerations-for-cloud-based-email/</link>
		<comments>http://www.theemailadmin.com/2011/06/4-considerations-for-cloud-based-email/#comments</comments>
		<pubDate>Mon, 06 Jun 2011 14:54:52 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[cloud email]]></category>
		<category><![CDATA[dos attack]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email monitoring]]></category>
		<category><![CDATA[email policies]]></category>
		<category><![CDATA[email storage]]></category>
		<category><![CDATA[servers]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4102</guid>
		<description><![CDATA[Developments in cloud based computing have shown quite a bit of excitement and promise, especially when it comes to small to medium sized businesses. Those who evangelize the cloud will often cite the many benefits of moving to a cloud based email service. The litany of favorable reasons to examine moving email services off site [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-medium wp-image-4103" src="http://www.theemailadmin.com/wp-content/uploads/2011/06/cloud-question-mark-cloud-computing-190x300.jpg" alt="cloud-question-mark-cloud-computing" width="190" height="300" /></p>
<p>Developments in cloud based computing have shown quite a bit of excitement and promise, especially when it comes to small to medium sized businesses. Those who evangelize the cloud will often cite the many benefits of moving to a cloud based email service. The oft-quoted reasons for moving email services off site fall into line with the reasons used to move to any new technology:</p>
<ul>
<li>Ease of scalability</li>
<li>Ease of software updates</li>
<li>Email access anywhere</li>
<li>Better disaster recovery</li>
<li>Ease of implementation</li>
<li>And of course, reduced costs</li>
</ul>
<p>So when a vendor, or even someone in your own organization, throws these at a management team looking to save money and increase productivity, the question seems to move from <em>why should we move to the cloud?</em> to <em>why has it taken us so long to move our email to the cloud?</em></p>
<p>Is it really that easy?</p>
<p><span id="more-4102"></span>Cloud based email services make a whole lot of sense for many organizations. By doing a bit of research, you are certain to find at least one case study on how moving email to the cloud helped someone in your specific industry. Yet even with good reasons and plenty of research to support this decision, nothing should be done without considering every angle, because if we have learned one thing over the years, it is that nothing in IT is risk-free.</p>
<p>So what does an interested SMB need to consider when all the arrows point to moving to the cloud? Let’s take a look.</p>
<p><strong>1. Control</strong></p>
<p>When your email resides on servers that are housed at your location, you are responsible for configuring the software, maintaining the hardware, updating and patching the server(s), cooling the room, etc. But you also have complete control over your email and backups. Moving to the cloud means you are giving up control and possibly ownership. This lack of control can lead to real world problems. For instance, if your organization has a one year deletion policy, is your cloud provider able to adhere to that? Conversely, if you have a no delete policy can this be achieved as well?</p>
<p>A rarer occurrence, but one with much harsher repercussions, is an investigation that needs to take place. Will emails be available for forensics when needed? If so, will there be any issues with the chain of custody and proving that the investigation was tamper proof?</p>
<p><strong>2. Availability</strong></p>
<p>Unless you have been living under a rock, you are well aware of the attacks against Gmail over the recent months. The decision to move email services to a cloud provider should always be based on how well the provider can ensure that mail servers will deliver an acceptable percentage of uptime. Of course, it’s one thing to say that you guarantee 99.9999 percent uptime and quite another to deliver it. So when a cloud provider makes a claim regarding availability, make sure your IT team speaks with the sales engineers, not just the salesperson, to see exactly what is in place to eliminate things like interruptions and denial of service attacks.</p>
<p><strong>3. Security and Spam Protection</strong></p>
<p>One of the biggest draws to the cloud for email is the fact that the provider will take care of security and anti-spam. Again, this is something that you are entrusting to the provider and giving up control over. If you are unhappy with the amount of spam that gets by the filters, or if the false positive rate is higher than you find acceptable, you can’t simply switch to a different solution.</p>
<p>This should be at the forefront of any discussions you have with potential email service providers. Find out what solutions they have in place and research them just as if you were buying the protection for your own servers.</p>
<p><strong>4. Cost</strong></p>
<p>Of course, cost is always the number one reason SMBs look to the cloud. It is hard to find anyone who will say that a cloud based solution isn’t less expensive in the long run than running, securing and maintaining your own email servers. However, the numbers may not always equal the level of service you expect. Costs may not always be transparent. A cloud provider may charge extra for business grade anti-spam protection. Perimeter security or virus scanning may also require additional costs. Finally, storage is never a one size fits all solution, so this will always present itself as a variable.</p>
<p>The cloud is definitely a solution worth looking into for a number of reasons. However, as a smart business move, it would be equally prudent to look at all of these considerations prior to signing any type of contract.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/06/4-considerations-for-cloud-based-email/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>The Problem of the Tech Savvy Workforce</title>
		<link>http://www.theemailadmin.com/2011/06/the-problem-of-the-tech-savvy-workforce/</link>
		<comments>http://www.theemailadmin.com/2011/06/the-problem-of-the-tech-savvy-workforce/#comments</comments>
		<pubDate>Thu, 02 Jun 2011 08:58:57 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[archive]]></category>
		<category><![CDATA[Company]]></category>
		<category><![CDATA[E-mail archiving]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[Mail]]></category>
		<category><![CDATA[Morgan Stanley]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Social media]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4078</guid>
		<description><![CDATA[Just about every business organization is aware of the need to archive email for compliance purposes, and many understand how an effective email archiving solution can help reduce the amount of resources wasted by the company’s mail server(s). Unfortunately, the new wave of employees doesn’t quite get that. According to a recent study of how [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="size-medium wp-image-4079 alignright" style="margin: 10px; border: 0px solid black;" src="http://www.theemailadmin.com/wp-content/uploads/2011/05/young-workers-300x199.jpg" alt="young-workers" width="300" height="199" /></p>
<p>Just about every business organization is aware of the need to archive email for compliance purposes, and many understand how an effective email archiving solution can help reduce the amount of resources wasted by the company’s mail server(s).</p>
<p>Unfortunately, the new wave of employees doesn’t quite get that. According to a recent study of how younger employees use corporate email, businesses could find themselves at risk due to the social media savvy employees who find corporate email too restrictive.</p>
<p><span id="more-4078"></span><strong>The root of the problem</strong></p>
<p>As companies hire younger workers who grew up with social media, there is a shift in how the workforce balances their work life with their social life. To the younger crowd, using social media as a way to be more productive at what they do for work appears to be perfectly acceptable because they are using the tools at their disposal to get things done. While most managers may think that this divergent style of thinking is productive, you would be hard pressed to find an IT department so welcoming of this trend.</p>
<p>When it comes to email, policies often dictate the size of an email inbox. In addition to the amount of storage permitted, email policies often block certain types of attachments as well to help protect against malware infections on the corporate network.</p>
<p>In order to get things done, it is common for younger workers to work around these restrictions by using personal email accounts and social media to communicate when they find corporate email too confining. From the numbers, you can see just how rampant the use of personal email is:</p>
<ul>
<li>79 percent claim that they send work emails from their personal email accounts and one in five claims to do this on a regular basis</li>
<li>71 percent realize that there are security risks inherent to using communication tools outside of the corporate email environment</li>
<li>47 percent feel that it is perfectly acceptable to send work emails and documents to their personal email accounts</li>
<li>36 percent of incoming mail sent to work inboxes is not work related</li>
<li>52 percent stated that their personal email is better than their work email compared to 29 percent of people over the age of 55 who feel the same way</li>
</ul>
<p>The security risks associated with using personal, unrestricted email in the corporate environment are clear. There is no consistency with spam prevention, no consistency with content filtering and no consistency with malware prevention. However, what most people still fail to understand is that this practice also brings about legal issues, and these come into play with email archiving.</p>
<p>Messages sent to and from personal email accounts are not included in the company’s archival storage because they are not part of the corporate email server. All it takes is a reminder of how Morgan Stanley was fined 15 million dollars in 2006 for delays in handing over requested emails to the SEC for anyone to see just how serious it is that all communications are readily accessible.</p>
<p>But compliance isn’t the only reason that corporate emails need to be archived properly and not left to chance in someone’s personal inbox. As nearly all companies face litigation at one time or another, the need to produce evidence relevant to a case is just as important as being able to produce emails for a government agency. This simply can’t be done effectively and efficiently if important emails are sent or received through an employee’s personal email.</p>
<h3>The solution?</h3>
<p>The need for email archiving is not going away. If anything, the need to save and store communications is growing. The solution to the younger workforce’s reliance on rogue email communication is to realize what it is that makes these workers effective and work with those skills.</p>
<p>No football team would ever draft a quarterback with a rocket arm and pinpoint accuracy and then declare themselves a running team, so why would a company hire technologically savvy workers and then try to restrict that which makes them so desirable in the first place?</p>
<p>The corporate culture needs to educate new hires as to the importance of email archiving and how business is done while still finding the room to make concessions that allow the younger generation of workers to be successful.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/06/the-problem-of-the-tech-savvy-workforce/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Five Things Your Email Policy Needs to Have</title>
		<link>http://www.theemailadmin.com/2011/03/5-things-your-email-policy-needs-to-have/</link>
		<comments>http://www.theemailadmin.com/2011/03/5-things-your-email-policy-needs-to-have/#comments</comments>
		<pubDate>Tue, 15 Mar 2011 09:55:57 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email monitoring]]></category>
		<category><![CDATA[email policies]]></category>
		<category><![CDATA[email privacy]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=3685</guid>
		<description><![CDATA[With so many businesses still trying to figure out how to leverage social media in the workplace, email continues to be the primary method of communication among employees. Whether they are communicating with co-workers, managers, customers or distributors email still reigns supreme. In fact, 94 percent of all American Internet users send or read email [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="size-full wp-image-3701 alignright" style="margin: 10px; border: 0px solid black;" src="http://www.theemailadmin.com/wp-content/uploads/2011/03/workers-and-email.jpg" alt="workers and email" width="346" height="215" /></p>
<p>With so many businesses still trying to figure out how to leverage social media in the workplace, email continues to be the primary method of communication among employees. Whether they are communicating with co-workers, managers, customers or distributors, email still reigns supreme. In fact, 94 percent of all American Internet users send or read email every day according to the <a target="_blank" href="http://www.pewinternet.org/Trend-Data/Online-Activites-Total.aspx">Pew Research Center</a>. In the workplace it is estimated that workers spend 41 percent of their day handling email according to the Radicati Group.</p>
<p>While email is still a primary means of communication among people in the workplace, many businesses fail to put in place a policy that governs how employees use email while they are on the clock. Business owners or IT managers tend to overlook laws and regulations that dictate how email should be used and stored. In small to medium sized businesses there is less of a perceived need for an email policy because employers sometimes don’t see the need to regulate things such as email and Internet use. Unfortunately, this can land them in legal trouble.</p>
<p><span id="more-3685"></span>Current laws state that employers can be held legally liable for the content of email sent from computers owned by the company. Furthermore, failing to retain emails sent by employees can also put businesses out of compliance for Sarbanes-Oxley and other regulations.</p>
<p>To protect your business from legal troubles you can either abolish email altogether, or govern how your employees use this tool in the workplace with a documented policy on email usage.</p>
<p>Since the latter is much more practical, let’s look at five things that your email policy needs to address:</p>
<ol>
<li><strong>Personal use of the email system.</strong> Some businesses allow employees to use company email for personal communication. Some strictly forbid it. Others take a hybrid approach, allowing personal use to take place during non-work hours granted the emails sent and received abide by other policies. Whichever route you take, make sure that it is clearly spelled out in your policy in a way that cannot be misconstrued.</li>
<li><strong>Rules governing what can and cannot be sent over the company email system.</strong> Email can be used to share files, multimedia, pictures, etc. While any IT department would most certainly want to keep large attachments to a minimum to conserve bandwidth and storage space, this usually isn’t what causes most of the problems. Obviously, your email policy should explain what is inappropriate to send using the company email system. Make sure to cover the distribution of any offensive or disruptive messages, including messages containing offensive comments about race, gender, age, sexual orientation, pornography, religious or political beliefs, national origin or disability.</li>
<li><strong>Email retention policies.</strong> If your company is required to comply with Sarbanes-Oxley then you have an obligation to make sure that records, including emails, are retained for a certain period of time. You also have an obligation to inform employees that emails will be archived and how long they will be retained for. Even if you are not required by law, keeping an archive of emails can help your company fight a lawsuit or investigate issues dealing with employees. Make sure this is a part of your email policy and follow up with your IT staff with a records audit from time to time.</li>
<li><strong>Email monitoring.</strong> As the owner of your email system you have the right to monitor employee email messages at any time but you do need to inform your employees of this. Explain to them that any messages sent, or received, using company equipment are subject to being viewed even if the employee considers them to be of personal nature.  Having this policy in place protects you should a situation ever arise where you need to monitor an employee’s email and it helps curb inappropriate use of the email system but it is rather sensitive so you should check with your company’s lawyer on how to word this properly.</li>
<li><strong>Best practices for email usage.</strong> You should also use this section to explain expectations for email protocol when it comes to writing and addressing messages. An email sent out can be the first impression a potential client or partner gets of your company and you want it to look professional. For example, some basic email etiquette rules include not writing emails in all capitals, enabling spell checking, including a signature that conforms to your company format, using proper grammar and punctuation.</li>
</ol>
<p>Once you have drafted your email policy, it is important to understand that a policy that is put in place but then not enforced cannot later be relied upon to discipline an employee who violates it. So while creating a reasonable email policy is important, enforcing it is necessary as well. Don’t put anything in writing that you do not plan on enforcing later.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/03/5-things-your-email-policy-needs-to-have/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>5 Email Compliance Mandates and Regulations</title>
		<link>http://www.theemailadmin.com/2010/12/5-email-compliance-mandates-and-regulations/</link>
		<comments>http://www.theemailadmin.com/2010/12/5-email-compliance-mandates-and-regulations/#comments</comments>
		<pubDate>Tue, 14 Dec 2010 10:37:19 +0000</pubDate>
		<dc:creator>Mike Rede</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email regulations]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[NASD]]></category>
		<category><![CDATA[SEC]]></category>
		<category><![CDATA[SOX]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=3328</guid>
		<description><![CDATA[Recently a close family member spent some time in the hospital. Luckily everything turned out okay and they have since returned home. But while there I noticed that the hospital staff was very rigorous in their guarding of patient’s privacy and of their records in particular. Only immediate family members were understandably allowed to be [...]
]]></description>
			<content:encoded><![CDATA[
<p>Recently a close family member spent some time in the hospital. Luckily everything turned out okay and they have since returned home. But while there I noticed that the hospital staff was very rigorous in guarding patients’ privacy, and their records in particular.</p>
<p>Understandably, only immediate family members were allowed to be in the room. Information was freely given, which helped us to understand our family member’s illness. But never were any hospital records left in our view. And even at the nurse’s station all records and patient related information were out of view.</p>
<p>All medical documents have to be completed and protected as per the laws which govern patients’ privacy. And anything electronic must also meet the requirements and standards for the medical industry. Likewise, email for that field must conform to rules and regulations that protect patient information.</p>
<p>Protection and compliance with privacy laws is not just for the healthcare field. All email administrators must be aware of the email laws and regulations that are specific to their own business fields as well. Luckily there are many technologies that can be used for the various industries. Those technologies include: authentication, encryption, content filtering, hardened message server software, and archiving, as well as anti-spam and anti-virus software.</p>
<p><span id="more-3328"></span>Here then is a list of the various email compliance laws that exist for a majority of businesses and industries:</p>
<ol>
<li><strong>HIPAA</strong> – The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was passed by Congress to ensure that the healthcare industry handled patient information in a secure manner. Many of the requirements affected how securely information was communicated. HIPAA mandated that healthcare organizations must protect email messages that contain health information whether they are encrypted or not. Even email messages that are referenced from unencrypted links must be protected. It also specifies that sender and recipient identities must be authenticated and verified. Both stored information and transmitted information must be protected to adhere to HIPAA standards. Security technologies such as encryption are used to protect electronic health information from unauthorized access.</li>
<li><strong>SOX</strong> &#8211; The Sarbanes-Oxley Act (SOX) was enacted on July 30, 2002. The Sarbanes-Oxley Act was named after its sponsors, Senator Paul Sarbanes and Representative Michael Oxley. Its main purpose was to ensure that a high level of accountability and transparency was maintained by public companies. It defined significant financial reporting and auditing practices for publicly traded companies. There are two sections of the legislation which affect the transmission of electronic messages: sections 302 and 404. Taken together, these sections specify the secure measures that must be applied to the electronic message systems of publicly traded companies. These security requirements include: Identification of information that must be kept confidential; Identification of individual message senders; Secure transmission of email; Hardening of email servers that store confidential information; Tracking and logging of message communications; Auditing capabilities; Message indexing; archiving; and retention.</li>
<li><strong>GLBA</strong> – The Gramm-Leach-Bliley Act (GLBA) was signed in 1999 and became fully effective in 2001. It is specific to the financial services industry and is meant to protect consumers’ private financial data. The act defines private data as “Nonpublic Personal Information”, also known as NPI. The GLBA is similar to the HIPAA security requirements with respect to data that is stored and in transit – both data states must be encrypted. Within the GLBA are several rules which apply to the security of email traffic. For instance, the Safeguards Rule refers to tools that can help to encrypt or block email traffic based on sender, recipient, and content. It describes the process by which companies must take actions to protect NPI data. Companies must also demonstrate logging and reporting capabilities, anti-spam, anti-phishing and protection from viruses. The Financial Privacy Rule allows for opt-out policies, privacy notices and basically the collection and use of NPI data.</li>
<li>The securities industry is governed by the <strong>Securities and Exchange Commission</strong> (SEC) and <strong>National Association of Securities Dealers</strong> (NASD). Both organizations have enacted regulations mandating the archiving, indexing, storage and retrieval of electronic communications including email.</li>
<li>The hedge fund industry is also governed by the <strong>Securities and Exchange Commission</strong> (SEC). Hedge funds, also known as private investment pools, must meet security requirements related to the securing, managing and archiving of all electronic communication, including email and instant messages.</li>
</ol>
<p>In addition, the OCC Advisory on Electronic Record Keeping mandated security standards for electronic retention systems that are to be implemented by the banking industry.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/12/5-email-compliance-mandates-and-regulations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Compliance driving up security costs, report says</title>
		<link>http://www.theemailadmin.com/2010/10/compliance-driving-up-security-costs-report-says/</link>
		<comments>http://www.theemailadmin.com/2010/10/compliance-driving-up-security-costs-report-says/#comments</comments>
		<pubDate>Wed, 20 Oct 2010 15:31:39 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[costs]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=3095</guid>
		<description><![CDATA[Email administrators can add compliance to their list of growing costs on their budgets, according to a report released recently by the Security for Business Innovation Council, which is a group of security executives from companies in the Global 1000. The report, &#8220;A New Era of Compliance: Raising the Bar for Organizations Worldwide,&#8221; maintained that [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-medium wp-image-3099" src="http://www.theemailadmin.com/wp-content/uploads/2010/10/compliance-report-225x300.jpg" alt="compliance report" width="225" height="300" />Email administrators can add compliance to their list of growing costs on their budgets, according to a report released recently by the Security for Business Innovation Council, which is a group of security executives from companies in the Global 1000.</p>
<p>The report, &#8220;A New Era of Compliance: Raising the Bar for Organizations Worldwide,&#8221; maintained that a new compliance landscape is forming, one that will be driving up costs and risks for businesses around the world.</p>
<blockquote><p>&#8220;As the compliance landscape gets more complex, demonstrating compliance gets more time consuming and costly,&#8221; it said.</p></blockquote>
<p>Four trends were identified in the report as factors driving organizations to take their security responsibilities more seriously than they have in the past.</p>
<ol>
<li>Strengthened enforcement.</li>
<li>Global spread of data breach notification laws.</li>
<li>Increasingly prescriptive regulations.</li>
<li>Growing business partner requirements.</li>
</ol>
<p><span id="more-3095"></span>Although enforcement of existing regulations has been weak in many jurisdictions worldwide, the report said, regulators and standards bodies are now tightening enforcement through expanded powers, higher penalties and harsh enforcement actions.</p>
<blockquote><p>&#8220;Compliance is the best and worst thing that ever happened to security,&#8221; FedEx chief information security officer and corporate vice president Denise Wood declared in the report.</p>
<p>&#8220;[Compliance] gives you awareness,&#8221; she continued. &#8220;It gives you real life justification for good security practices. But at the same time, especially when regulations get prescriptive, it can make it more difficult to have a truly risk-based program where your highest risk items always get your financial investment.&#8221;</p></blockquote>
<p>If regulations call for a risk-based approach to securing data, the report explained, an organization can base its investments in security on weighing its security controls against its appetite for risk. It can tailor its security measures to meet its business needs. When organizations have to comply with prescriptive measures ordered by regulators, they have to spend budget dollars implementing technology specified by regulatory requirements rather than technology which helps manage risks, the report reasoned.</p>
<p>Another source of rising compliance costs will be the need for everyone in the business food chain to assure each other that they&#8217;re in compliance. Regulators are making it clear, the report said, that enterprises are on the hook for ensuring the protection of their data when it is being processed by a business partner, including cloud service providers.</p>
<blockquote><p>&#8220;[N]ot only are requests coming from regulators and auditors, but also from customers and partners,&#8221; the report said. &#8220;Most organizations continue to rely mostly on manual efforts and reams of paper for data collection and reporting, which consumes inordinate amounts of resources.&#8221;</p>
<p>&#8220;Increased responsibility for information security across the extended enterprise also has a significant cost impact on organizations,&#8221; the report asserted.</p>
<p>&#8220;For example,&#8221; it continued, &#8220;organizations must undertake exhaustive work to evaluate and oversee service providers’ security practices. At the same time, service providers must invest in developing assessment processes so that they can give customers the required assurances.&#8221;</p></blockquote>
<p>For many organizations, tough attitudes toward enforcing compliance could help their managers focus on security, the report said, &#8220;but if they take a check-list approach to compliance it will detract from actually managing risk and may not improve security.&#8221;</p>
<p>Administrators need not feel singled out by regulators for tough treatment; it&#8217;s a societal trend, the legacy of the financial meltdown that triggered a global depression. &#8220;Regulators are moving away from light-touch to more interventionist regulation,&#8221; Stewart Room, a partner with Field Fisher Waterhouse in the firm&#8217;s privacy and information law group, <a target="_blank" href="http://www.prnewswire.com/news-releases/rsa-research-readies-global-enterprises-for-new-era-of-compliance-104691469.html">said in a statement</a>.</p>
<blockquote><p>&#8220;That&#8217;s clear in all senses of society and economy, so it&#8217;s not surprising regulation is tightening up in the data protection field,&#8221; he continued. &#8220;As I see it, the trajectory of the law here is one way only, which is towards more frequent regulatory intervention, more disputes, more arguments, and more litigation.&#8221;</p></blockquote>
<p>That litigation will involve everyone managing data in an organization, including email administrators, as Comerica Bank recently discovered. It was sued by one of its business customers, Experi-Metal, because the bank sent the company&#8217;s customers an email asking them to update the financial institution&#8217;s security software by clicking a link in the message. Messages from phishers commonly contain such instructions under the guise of legitimate institutions like banks.</p>
<p>Experi-Metal argues that the bank&#8217;s email campaign made the company&#8217;s customers more likely to click on links from phishers claiming to be from Comerica. Such an attack <a target="_blank" href="http://www.allspammedup.com/2010/03/bankcustomer-lawsuits-over-phishing-scams-rising/">clipped $500,000</a> from the company.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/10/compliance-driving-up-security-costs-report-says/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Exchange SP1 won&#8217;t trash your important stuff</title>
		<link>http://www.theemailadmin.com/2010/07/exchange-sp1-wont-trash-your-important-stuff/</link>
		<comments>http://www.theemailadmin.com/2010/07/exchange-sp1-wont-trash-your-important-stuff/#comments</comments>
		<pubDate>Fri, 02 Jul 2010 14:22:36 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[Exchange server]]></category>
		<category><![CDATA[Exchange 2010 SP1]]></category>
		<category><![CDATA[litigation]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2644</guid>
		<description><![CDATA[More and more companies are finding themselves in the crosshairs of lawyers filing lawsuits against them. That&#8217;s become a concern for electronic information managers because the first thing those legal beagles want to sniff is a company&#8217;s data stores. That means anything stashed on your Exchange servers is fair game for them. Previous versions of [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-2653" src="http://www.theemailadmin.com/wp-content/uploads/2010/07/trashcan-300.jpg" alt="trashcan 300" width="224" height="300" />More and more companies are finding themselves in the crosshairs of lawyers filing lawsuits against them. That&#8217;s become a concern for electronic information managers because the first thing those legal beagles want to sniff is a company&#8217;s data stores. That means anything stashed on your Exchange servers is fair game for them. Previous versions of Exchange were weak in preserving data to meet the &#8220;discovery&#8221; demands generated by lawyers or regulators. Microsoft has changed that, though, with Exchange 2010.</p>
<p>With the arrival of that version of Exchange, administrators at last have a way to preserve documents that might be needed to fulfill legal obligations imposed on them by outside forces. Placing a hold on a mailbox preserves a user&#8217;s deleted and edited items, including email messages, calendar entries and tasks. The hold applies to both the user&#8217;s primary mailbox and archive mailbox.</p>
<p>In the RTM version of Exchange 2010, the only way to implement a litigation hold was through the software&#8217;s shell, with a statement like <code>Set-Mailbox -Identity "Name" -LitigationHoldEnabled $true</code>. With the arrival of the SP1 beta of the application, though, holds can be created through the Management Console or Control Panel.</p>
<p>To set up a hold using the Console, you go to a mailbox recipient&#8217;s configuration and right click on the mailbox to access its properties. From the properties screen, you drill down to the properties settings for the Messaging Records Management item. There you can activate your hold by checking the box beside Enable Litigation Hold. You can also add a URL for a web page describing your organization&#8217;s policy governing holds, as well as any comments you may want users to see when they access their mailboxes after a hold has been imposed on them.</p>
<p><span id="more-2644"></span>In Exchange Control Panel, you go to Manage My Organization, click Users &amp; Groups and Mailboxes and choose the user you want to slap the hold on. From the screen that appears next, click Details. That will display a screen of options about the mailbox. One of them will be Mailbox Features. When you expand that item, you&#8217;ll see Litigation Hold listed. By selecting it and clicking enable, the hold will be implemented. As with Console, you&#8217;ll be able to add a URL to your organization&#8217;s retention policies and a note for the mailbox&#8217;s user.</p>
<p>Of course, since nothing is being deleted when a litigation hold is placed on a mailbox, email bloat is inevitable. For example, the storage requirements for a user who sends and receives 100 messages a day could balloon to 1.4GB in a year. That could have posed a problem with the RTM version of Exchange because a user&#8217;s personal archive had to be stored in the same database as his or her primary mailbox. That&#8217;s not necessary with SP1, though. The archive can be stored in a separate database or even in the cloud.</p>
<p>That addresses the location problem, but what about the size problem? With Exchange&#8217;s support of large mailboxes&#8211;up to 100 databases per Exchange 2010 server and up to 2TB of storage per database&#8211;that shouldn&#8217;t cause a fuss.</p>
<p>Data placed on litigation hold is stashed in the Recoverable Items Folder. That folder replaces the Dumpster scheme used in older versions of the software. Although items appeared in Dumpster, they were never actually moved from their native locations. That &#8220;view&#8221; approach had to be scrapped when Microsoft got serious about litigation holds. Hence, Dumpster gave way to the Recoverable Items Folder.</p>
<p>Ordinarily, the Recoverable Items Folder has limits on its size by default&#8211;30GB, with a warning at 20GB. That limitation is designed to foil denial-of-service attacks that place large amounts of data in the folder to bring network activity to a crawl. However, legal hold items aren&#8217;t subject to those limitations, so it’s important to monitor the space on drives that contain databases with legal hold mailboxes.</p>
<p>Before Microsoft bolstered Exchange&#8217;s legal hold features, organizations had to resort to third-party software to meet those needs. Will those features reduce the demand for that kind of software? &#8220;I think the jury is still out on this,&#8221; Brian Posey wrote for SearchExchange.com.</p>
<p>&#8220;Exchange Server 2010 hasn&#8217;t been available long enough to know for certain how well the Legal Hold feature will work in real-world situations,&#8221; he continued. &#8220;However, I&#8217;m willing to bet that larger organizations may still need third-party software.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/07/exchange-sp1-wont-trash-your-important-stuff/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>E-Discovery Record Keeping</title>
		<link>http://www.theemailadmin.com/2010/06/e-discovery-record-keeping/</link>
		<comments>http://www.theemailadmin.com/2010/06/e-discovery-record-keeping/#comments</comments>
		<pubDate>Tue, 22 Jun 2010 13:09:05 +0000</pubDate>
		<dc:creator>Mike Rede</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[Email E-Discovery Records Management]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2617</guid>
		<description><![CDATA[In their February 2009 email blog for Travis County, Texas, written by Steven Broberg and Shawn Malone, as government records managers for Travis County, they were debating how best to create an email policy which would support over 4000 end users without adding more confusion about state directives and standards on records retention policies. They [...]
]]></description>
			<content:encoded><![CDATA[
<p>In their February 2009 email blog for Travis County, Texas, Steven Broberg and Shawn Malone, government records managers for Travis County, debated how best to create an email policy which would support over 4000 end users without adding more confusion about state directives and standards on records retention policies. They proposed three general directions for their email retention policy and asked readers for their feedback.</p>
<p>As I have seen in many enterprises, and as the authors have also noted in their blog, there is always resistance to change whenever new ideas are proposed, especially in large enterprises where business processes that are not broken will be defended as not needing to change.</p>
<p>One of their options, “Maintaining the Status Quo”, met the least resistance from end users as a general direction for records management. And it was also, of course, the least costly. If end users are at the front end of this direction &#8211; and also the endorsers &#8211; then the back-end opponents include security specialists, lawyers, vendors, NARA, TSLAC, etc.</p>
<p>With option one, it is very unlikely that the company could maintain that mode, as sooner or later there would be a need for email records that would be the subject of electronic discovery procedures and legal litigation. “Maintaining the Status Quo”, in my opinion, is not a viable option but merely one to list as a possible, though not probable, general email retention direction.</p>
<p>Their second option was to allow every employee using email to be their own records keeper. This direction would include publishing a records management set of rules and guidelines that all email users would have to adhere to. And to assist the employees in staying within the guidelines of a company’s record management policy the IT department would provide tools and training.<span id="more-2617"></span></p>
<p>From my perspective this is how most companies operate today. When it comes down to who is responsible and who will have to produce email records it will be the IT department that hands over the retained emails to the company attorneys for use in court. It is usually not simply an employee of a company that is the subject of litigation but an entire company that is most often either the plaintiff or the defendant in a court of law. In my opinion the ultimate responsibility for records management lies with the IT department.</p>
<p>The third general direction for records management which Travis County considered was that of retaining “all” email. As they noted it is this third option which provides the most protection from electronic discovery requests as no emails are lost and all have been retained. Although this option involves the expenses of storage and administration those costs can be balanced against the costs of having to analyze each electronic record when deciding which email records to keep and for how long.</p>
<p>In their blog post, <a target="_blank" href="http://traviscountyemailretention.blogspot.com/">http://traviscountyemailretention.blogspot.com/</a>, on February 11, 2009, Steven Broberg and Shawn Malone responded to a comment from one of their readers, Patricia Kay Galloway, Associate Professor, Archival Enterprise and Digital Asset Management, School of Information, University of Texas at Austin, in which she wrote:</p>
<p>&#8220;We would like to think of mindful record keepers gracefully dealing with their records &#8230; [A]utomation is promising, but if I were the public and you proposed to me that you would do automatic classification using a proprietary method of some kind that even you don&#8217;t know, I would be very disturbed (and I say to my IR colleagues, it&#8217;s all very well for you to use these fancy algorithms, but you can always go back to the corpus of records to test whether you are right &#8212; once it&#8217;s gone, we can&#8217;t) &#8230; keep it all is my favorite, especially for government records &#8212; we&#8217;re all supposed to be transparent, right? &#8230;. If you don&#8217;t get pushback from elected officials and can somehow manage to deal with privacy and confidentiality statutes by either time-based restriction or redaction, then why not? It&#8217;s almost to the point that you can get a terabyte of storage for $100. But the snag is not the email texts; it&#8217;s the attachments in zillions of formats, and what to do with them?&#8221;</p>
<p>In her comment, Professor Galloway raises the question of confidentiality, which can be a cause for concern during the retention analysis phase of decision making. She also points out that any automatic classification of documents will have to deal with the many different formats that exist out there. Her comment highlights the additional costs of an automated classification system as compared to the potentially lower cost of just keeping everything. This is where an efficient archival system can save money for a company over the long run.</p>
<p>If readers wish to follow up on the progress of Travis County and their records management policy, they can review their blog at: <a target="_blank" href="http://aiimcertified.com/default.aspx">http://aiimcertified.com/default.aspx</a> which begins their topic, “Travis County Email Retention”, with their cordial request of “Records Managers, your advice is sought!”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/06/e-discovery-record-keeping/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Record Keeping Maturity</title>
		<link>http://www.theemailadmin.com/2010/06/record-keeping-maturity/</link>
		<comments>http://www.theemailadmin.com/2010/06/record-keeping-maturity/#comments</comments>
		<pubDate>Mon, 21 Jun 2010 13:17:24 +0000</pubDate>
		<dc:creator>Mike Rede</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email records management cloud computing]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2614</guid>
		<description><![CDATA[In Steve Bailey’s blog, http://rmfuturewatch.blogspot.com/, the author has written about his recent attendance at the European Conference on Archiving (ECA) in Geneva in April, 2010. Steve has observed that in previous years at the conference most discussions were about the technical complexities of digital archival, the many different approaches to digital archival practices and the [...]
]]></description>
			<content:encoded><![CDATA[
<p>In Steve Bailey’s blog, <a target="_blank" href="http://rmfuturewatch.blogspot.com/">http://rmfuturewatch.blogspot.com/</a>, the author has written about his recent attendance at the European Conference on Archiving (ECA) in Geneva in April, 2010. Steve has observed that in previous years at the conference most discussions were about the technical complexities of digital archival, the many different approaches to digital archival practices and the ensuing problems associated with false assumptions.</p>
<p>In earlier years Information Records managers were also concerned with the durability and shelf life of digital media as compared to earlier technologies and referenced against the famous Domesday Book and our electronic counterparts of today.</p>
<p>This year the ECA was reported to have a different atmosphere, with more conversations and subjects revolving around case studies, further suggesting that the challenges of archiving digital content material have been met and are almost of a “routine” nature these days. So the question of whether and how we can preserve data without future data loss – a concern to email administrators and IT departments – is now a question of the past.</p>
<p>For email administrators and records managers, the concern of how to protect the company from losing data has been replaced with the concern of how to manage this huge amount of data now that no data or emails are in danger of being lost anymore. Indeed, new technologies such as cloud computing are allowing administrators to ask for new tools to help them manage this soon-to-be massive amount of data that is coming at them like a tidal wave of information that is growing exponentially.</p>
<p>In his blog post on this subject, Steve Bailey raises the eight-hundred-pound-gorilla-in-the-room question of the growing impact of the cloud and of how safe it is to have your company’s data, emails, company confidential information, etc. stored in the archives of the cloud. More so, he raises the question of how long before they lose that control and what happens then.</p>
<p>I agree with him that these are issues that records managers must plan for when they and their IT departments are working out the details during the initial planning stages of the who and how of data storage as it relates to a company’s data whether it be for emails, their attachments or much larger documents.<span id="more-2614"></span></p>
<p>Each year, during budgetary planning sessions and long-term IT strategy meetings, administrators, company legal departments and records managers must meet and discuss whether their company’s IT department will continue to administer all or some of its operations, of which email administration and retention is a big part. During these discussions many options are proposed. And the proposal which is most often discussed these days is that of email hosting being performed off-site.</p>
<p>There are several companies out there that offer fully hosted email services, including email security, within a cloud environment. This shift to external email hosting can help reduce the costs of IT departments at any company whose core business is other than information systems management.</p>
<p>As I’ve mentioned in previous blog posts, the proposal of tapping into the cloud computing environment has usually been met with resistance, not only because cloud computing is a change in the business processes of a company &#8211; such as email security and records management &#8211; but also because trusting your own internal IT department’s email administration and data to another company that is offering a cloud solution asks for a big commitment and level of trust from any organization.</p>
<p>But as mentioned earlier the tidal wave of information is not only coming at us but is upon us – upon email administrators as well as IT managers.</p>
<p>One approach that administrators can consider is that of a hybrid solution where the best of on-site administration and practices are combined with the best of hosted records or email management in the cloud. In terms of reporting and tracking features necessary for compliance reasons most inbound email scanning can be performed in the cloud as well as within a hybrid approach without loss in performance.</p>
<p>Large companies can benefit from the capacity and scalability that cloud computing has to offer while at the same time they can keep their data loss prevention technologies and related business processes in-house.</p>
<span id="pty_trigger"></span><p><a href="http://www.theemailadmin.com/2010/06/record-keeping-maturity/">Record Keeping Maturity</a><br/><br/>

</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/06/record-keeping-maturity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Five ways to focus your workers on compliance</title>
		<link>http://www.theemailadmin.com/2010/06/five-ways-to-focus-your-workers-on-compliance/</link>
		<comments>http://www.theemailadmin.com/2010/06/five-ways-to-focus-your-workers-on-compliance/#comments</comments>
		<pubDate>Fri, 04 Jun 2010 12:49:55 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[employee security]]></category>
		<category><![CDATA[security policies]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2553</guid>
		<description><![CDATA[Most business initiatives need employee &#8220;buy in&#8221; to work and compliance is no exception. Automated systems can impose a degree of uniformity in enforcing initiatives, but where the rubber meets the road will always be where your workforce interacts with your systems. An employee that embraces your policies and procedures can be your best protection [...]<p><a href="http://www.theemailadmin.com/2010/06/five-ways-to-focus-your-workers-on-compliance/">Five ways to focus your workers on compliance</a><br/><br/>

</p>
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_2556" class="wp-caption alignright" style="width: 310px"><img class="size-full wp-image-2556" src="http://www.theemailadmin.com/wp-content/uploads/2010/06/compliance-pyramid-300.png" alt="The Pyramid of Compliance." width="300" height="262" /><p class="wp-caption-text">The Pyramid of Compliance.</p></div>
<p>Most business initiatives need employee &#8220;buy in&#8221; to work and compliance is no exception. Automated systems can impose a degree of uniformity in enforcing initiatives, but where the rubber meets the road will always be where your workforce interacts with your systems. An employee who embraces your policies and procedures can be your best protection from threats like email-borne malware, as well as assurance that your organization is complying with industry and regulatory mandates.</p>
<p>How do you focus your people on compliance? Here are five suggestions from Ernie Hardin, founder and owner of 443 Consulting, an information security and business continuity consultancy in North Bend, Wash.</p>
<h2>1. Get &#8216;em at the Door</h2>
<p>Probably the easiest worker to obtain buy-in from is the new hire. He or she is a clean slate without some of the baggage of existing workers. New hires are also eager to please their new employer so they&#8217;re more willing to accept your compliance rules.</p>
<p>What should be included in a new hire&#8217;s introduction to compliance? A message from your company&#8217;s CEO emphasizing the employee&#8217;s role in the security of the firm can be very valuable in attaching importance to compliance. Of course the nuts and bolts of external rules and regulations that your business has to comply with&#8211;HIPAA for medical facilities, for example, or Sarbanes-Oxley for publicly traded companies&#8211;need to be explained, as well as your firm&#8217;s appropriate use policy relating to email and Internet usage.</p>
<h2>2. Get &#8216;em Where They Eat</h2>
<p>&#8220;Brown Bag&#8221; training sessions can be a useful approach to getting current employees onboard with your compliance program. The key to making these successful, though, is to bait them with something that appeals to the worker&#8217;s self-interest. Free lunches are hard to resist, but tailoring your message is important, too. For example, Hardin points out that a session could be structured around computer security at home&#8211;a topic of some importance to most of your workers. Since good security practices at home would overlap good security practices at the office, the session would be killing two birds with one stone.</p>
<blockquote><p>&#8220;Fortunately, this training also reinforces good security habits, which, in turn, employees tend to bring back to the work environment,&#8221; Hardin writes.</p></blockquote>
<p><span id="more-2553"></span></p>
<h2>3. Get &#8216;em in the Corner Offices</h2>
<p>In addition to the rank and file in your organization, you&#8217;ll want your top brass in on the compliance party, too. Sure, your CEO is aware of the importance of compliance&#8211;he said so in the materials for new hires, didn&#8217;t he?&#8211;but other execs need to stay current on developments, too. A good way to do that, according to Hardin, is to take advantage of news events relevant to the subject. When a data breach or email-borne virus makes headlines, you can offer to brief executives about the event. The briefing doesn&#8217;t have to be a face-to-face session. It can be a short memo about the event, why it could or couldn&#8217;t occur at the company, what safeguards and policies are in place to prevent a similar mishap and what additional measures could be taken to bolster what&#8217;s already in place.</p>
<h2>4. Get &#8216;em Prepared</h2>
<p>No one likes fire drills until there&#8217;s a fire. The same is true of security training exercises. Hardin recommends that the exercises be interactive and involve problem solving. They should also have a brainstorming component.</p>
<blockquote><p>&#8220;The idea behind these exercises is to get everyone&#8217;s ideas on how to make current processes better and more useful should real events like this occur,&#8221; Hardin noted.</p></blockquote>
<h2>5. Get &#8216;em Focused</h2>
<p>When spreading the compliance gospel, you don&#8217;t need to confine the burden to the apostles in your security team. Creating focused work groups made up of managers and employees to discuss compliance issues can facilitate understanding and extend the reach of your team in the workplace. Knowledgeable managers and employees can aid in the enforcement of compliance policies and lighten the workload on your security resources.</p>
<blockquote><p>&#8220;The underlying theme of these approaches is to educate and train at any opportunity,&#8221; Hardin explained. &#8220;Recognize that the employees are critical to the successful defense of your company.&#8221;</p>
<p>&#8220;Also,&#8221; he continued, &#8220;recognize that they can be part of your security implementation program as well as part of your enforcement team, and you&#8217;re well on your way to a more-compliant organization and a less-stressed security team.&#8221;</p></blockquote>
<span id="pty_trigger"></span><p><a href="http://www.theemailadmin.com/2010/06/five-ways-to-focus-your-workers-on-compliance/">Five ways to focus your workers on compliance</a><br/><br/>

</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/06/five-ways-to-focus-your-workers-on-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>7 Reasons for Email Archiving</title>
		<link>http://www.theemailadmin.com/2010/04/7-reasons-for-email-archiving/</link>
		<comments>http://www.theemailadmin.com/2010/04/7-reasons-for-email-archiving/#comments</comments>
		<pubDate>Mon, 05 Apr 2010 13:16:48 +0000</pubDate>
		<dc:creator>Mike Rede</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[ediscovery]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email monitoring]]></category>
		<category><![CDATA[email storage]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2352</guid>
		<description><![CDATA[IT managers must account for many demands on their time and resources. Storage is always an issue and having to estimate the growth needs of the company and all the various departments can be a time-consuming and sometimes thankless job. Estimating email storage needs can be started by making assumptions about the average size in [...]<p><a href="http://www.theemailadmin.com/2010/04/7-reasons-for-email-archiving/">7 Reasons for Email Archiving</a><br/><br/>

</p>
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-medium wp-image-1789" style="border: 0pt none; margin: 10px;" title="Emails" src="http://www.theemailadmin.com/wp-content/uploads/2009/11/Microsoft-Exchange-2010-300x225.jpg" alt="Emails" width="300" height="225" />IT managers must account for many demands on their time and resources. Storage is always an issue and having to estimate the growth needs of the company and all the various departments can be a time-consuming and sometimes thankless job.</p>
<p>Estimating email storage needs can start with assumptions about the average size in bytes that attachments will require, the hours of the day that the email servers will be busiest and the number of users per email server. Those three variables multiplied together are a good starting point in estimating how much storage to allocate for email servers.</p>
<p>And the same computations can also be used when estimating how much storage to allocate for archiving purposes.</p>
<p>Archiving email messages can save an IT data center in many ways. Some of the reasons for archiving email messages include:</p>
<p><span id="more-2352"></span></p>
<ol>
<li><strong>Freeing up storage on email servers</strong>. Email clients and servers provide a valuable function in any corporation, and employees have come to rely on them not just for sending and receiving email messages accompanied by large attachments but now also for collaboration with co-workers. Most email applications now have integrated address books, calendar functions and “to do” lists, and some have also included instant messaging as part of their email package. But with all of these newly added capabilities there has also been a corresponding growth in the storage needs of these more robust applications. IT departments can benefit by reducing their storage needs through the use of archival media.</li>
<li><strong>Compliance regulations</strong>. Corporations must comply with many regulations within their industries as well as governmental regulations such as the Sarbanes-Oxley Act (SOX) of 2002. When companies have to provide information to governmental agencies, they must be able to rely on their systems, policies and IT departments to retrieve the necessary data, such as email messages, in a timely manner. IT departments therefore have to stay current and take part in all corporate discussions involving regulations and industry standards related to communications, particularly email communications. In addition to SOX, there are other government regulations to be aware of, such as GLBA, SEC, FINRA, HIPAA, BASEL II, FOI, etc.</li>
<li><strong>Electronic discovery</strong>. As of December 1, 2006, Federal amendments went into effect which mandated that companies must be prepared to locate, retrieve, respond to data requests and be able to filter out data not necessary for a litigation action. Such data includes email messages, attachments and calendar entries. These amendments are known as the Federal Rules of Civil Procedure and apply to any organization that can be subject to litigation.</li>
<li><strong>Disaster recovery</strong>. An added benefit of having email messages that are archived is that messages can be retrieved in the event that your primary server goes down and backups are not current. If your archival systems have been set up to replicate data continuously from the primary mail server then your loss of email messages can be almost eliminated.</li>
<li><strong>Improved email management</strong>. An automated email archival system can improve the management of emails through the use of rules and policies that can be customized for any organization. The time it takes to store, search and retrieve email messages can be greatly improved when performed automatically as opposed to a manual process. Documents which are methodically saved and stored can expeditiously be retrieved and help to avoid potential lawsuits when time constraints are critical particularly in litigious matters.</li>
<li><strong>Increased employee productivity</strong>. Most employees spend a lot of time managing their email folders and moving data from folders to local storage. All this time managing their email can and would be better spent working on company projects.</li>
<li><strong>Reporting and monitoring of email</strong>. HR departments cannot enforce the corporate policies without knowing that all communications that occur in an organization are within the proper guidelines as mandated by company policy. Searches can be conducted that look for suspicious patterns within company emails which can be exposed through pattern recognition software and various monitoring tools that are offered as additional services by archival management systems.</li>
</ol>
<p>An email archival system can help many businesses with their management and storage of all email messages both incoming and outgoing. Storage space savings, increased productivity, regulatory compliance, satisfaction of discovery mandates and guaranteed retrieval are all benefits of a well maintained and administered email archival system.</p>
<span id="pty_trigger"></span><p><a href="http://www.theemailadmin.com/2010/04/7-reasons-for-email-archiving/">7 Reasons for Email Archiving</a><br/><br/>

</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/04/7-reasons-for-email-archiving/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What to look for in an email encryption solution</title>
		<link>http://www.theemailadmin.com/2010/03/what-to-look-for-in-an-email-encryption-solution/</link>
		<comments>http://www.theemailadmin.com/2010/03/what-to-look-for-in-an-email-encryption-solution/#comments</comments>
		<pubDate>Tue, 30 Mar 2010 13:08:48 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[email encryption]]></category>
		<category><![CDATA[protection]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2307</guid>
		<description><![CDATA[Encryption is an important component to an email system so choosing an encryption solution should be done carefully. What should be considered when evaluating an encryption protection scheme for an organization&#8217;s email system? Here are some suggestions to keep in mind. One important consideration is whether or not a solution uses open standards. Since email [...]<p><a href="http://www.theemailadmin.com/2010/03/what-to-look-for-in-an-email-encryption-solution/">What to look for in an email encryption solution</a><br/><br/>

</p>
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-2313" style="border: 0pt none; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2010/03/encryption-300.jpg" alt="encryption 300" width="300" height="210" />Encryption is an important component of an email system, so choosing an encryption solution should be done carefully. What should be considered when evaluating an encryption protection scheme for an organization&#8217;s email system? Here are some suggestions to keep in mind.</p>
<p>One important consideration is whether or not a solution uses open standards. Since email is based on an open standard, there are advantages to basing any protection placed on top of it on open standards, too.</p>
<p>One advantage is that open standards assure that data can be recovered in the future. If your vendor uses open standards, then you don&#8217;t have to worry about accessing your data should you decide to move to another provider in the future or should your vendor go belly up during the next recession.</p>
<p>Another consideration when choosing an encryption solution is mobility. Mobility is important because email must be accessible to a variety of devices from anywhere. Wherever an organization&#8217;s workers travel, they&#8217;ll want to check their messages and an email encryption solution needs to accommodate that without creating any hassles.</p>
<p>A solid encryption solution should be able to use a mobile device&#8217;s native email application. You don&#8217;t want to force your workers to learn another interface for their mobile device or leave an email program they&#8217;ve become accustomed to in order to work with encrypted messages. Making things harder for users is a surefire way to invite them to look for ways to circumvent the system. Those ways are almost always insecure and make your organization vulnerable to a raft of unsavory cyber types.</p>
<p><span id="more-2307"></span></p>
<p>How will the new encryption solution jibe with your existing architecture? For example, do you want only outbound mail to be encrypted, or do you want mail within your organization encrypted, too? A flexible encryption solution will mesh with what you have in place. You want the encryption solution to acclimate itself to your needs and not have to bend your needs to accommodate the solution.</p>
<p>A flexible encryption system is also important for dealing with future uncertainty. Companies grow. Today&#8217;s 500 user company is tomorrow&#8217;s 1000 user one. Your encryption system needs to be able to adjust to those kinds of changes. If it can&#8217;t, it can affect the system architecture for your entire organization down the road. It can lock you into architectural models that are inadequate to meet the new needs of your company.</p>
<p>For example, today you may be satisfied with an encryption solution that just handles your email. Tomorrow, you may want to expand the scope of that encryption solution to include protecting files, folders, disks and other devices. If that&#8217;s the case, then you need to ask yourself, will the encryption solution force you to alter your infrastructure to accommodate that kind of expansion? Will it require you to create a new set of encryption keys for your users? Will it involve embarking on a training program for your organization to learn the new system?</p>
<p>In addition, an organization has to look beyond its own walls when picking an encryption solution. Will it be interoperable with your partners or others you do business with? Just as your users won&#8217;t be happy with a solution that forces them to alter established work practices, your organization&#8217;s customers and business partners won&#8217;t be enamored with a solution that imposes burdens on their existing systems. So when evaluating solution alternatives, interoperability with a variety of encryption systems is an important feature to consider.</p>
<p>With more and more companies coming under regulatory scrutiny and being compelled to comply with rules, regulations and laws governing how data is treated by organizations, as well as the growing pressure to incorporate cloud services into business operations, encryption solutions are becoming more important than ever. In some cases, encryption is required to meet legal requirements&#8211;as in Nevada, where businesses must encrypt any personal information of a customer that is electronically transmitted. In the case of the cloud, encrypting data sent there just makes good sense to ensure information can&#8217;t be snooped on either in transit or wherever it&#8217;s stored in the nimbus. For those reasons, among others, choosing an email encryption solution that satisfies not only the external demands on your organization but also its internal needs, both in the present and in the future, is a decision that needs judicious consideration.</p>
<span id="pty_trigger"></span><p><a href="http://www.theemailadmin.com/2010/03/what-to-look-for-in-an-email-encryption-solution/">What to look for in an email encryption solution</a><br/><br/>

</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/03/what-to-look-for-in-an-email-encryption-solution/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security skeptics less skeptic about iPhone</title>
		<link>http://www.theemailadmin.com/2009/12/security-skeptics-less-skeptic-about-iphone/</link>
		<comments>http://www.theemailadmin.com/2009/12/security-skeptics-less-skeptic-about-iphone/#comments</comments>
		<pubDate>Tue, 22 Dec 2009 13:56:13 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Exchange server]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[mobile security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1941</guid>
		<description><![CDATA[While the iPhone&#8217;s &#8220;cool factor&#8221; has made it a hit among status conscious corporate executives, the mopho has been greeted with skepticism from the rank and file in the IT trenches. From their point of view, competing products like Research in Motion&#8217;s Blackberry and smartphones built on Microsoft&#8217;s Windows Mobile platform offer better security for [...]<p><a href="http://www.theemailadmin.com/2009/12/security-skeptics-less-skeptic-about-iphone/">Security skeptics less skeptic about iPhone</a><br/><br/>

</p>
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_1949" class="wp-caption alignright" style="width: 255px"><img class="size-full wp-image-1949" src="http://www.theemailadmin.com/wp-content/uploads/2009/12/hand-iphone-security-Custom.png" alt="Better security is changing iPhone's image in IT departments." width="245" height="300" /><p class="wp-caption-text">Better security is changing iPhone&#39;s image in IT departments.</p></div>
<p>While the iPhone&#8217;s &#8220;cool factor&#8221; has made it a hit among status-conscious corporate executives, the mopho has been greeted with skepticism from the rank and file in the IT trenches. From their point of view, competing products like Research in Motion&#8217;s Blackberry and smartphones built on Microsoft&#8217;s Windows Mobile platform offer better security for their organizations. With the introduction of the latest version of the iPhone&#8217;s operating system, version 3.0, and iPhone Configuration Utility, version 2.0, IT <a target="_blank" href="http://www.networkworld.com/news/2009/120309-iphone-security-skeptics.html" onclick="pageTracker._trackPageview('/outgoing/www.networkworld.com/news/2009/120309-iphone-security-skeptics.html?referer=');">resistance to letting Apple&#8217;s handset into the corporate tent seems to be weakening</a>.</p>
<p>What has bugged IT folks in the past about the iPhone? For one thing, user profiles can&#8217;t be managed over-the-air as they can with a Blackberry and Blackberry Enterprise server or Motorola Good for enterprise servers. Another irritant is there&#8217;s no way to ensure that corporate policies on email, encryption, etc. have been installed or updated on the phones. What&#8217;s more, it&#8217;s difficult to preconfigure the units with settings for email, VPN access and such.</p>
<p>Apple&#8217;s update of the iPhone&#8217;s configuration utility, which gives network administrators a rich set of policy controls, has addressed some of those concerns and may be why IT doubters are relenting on their staunch opposition to the hardware.</p>
<p>For example, password entry into a phone can be required. The composition of the password, when passwords should be changed, rules on reuse of passwords and the number of failed password attempts before a phone automatically wipes out all the data on it can all be controlled by an IT department.</p>
<p>Specific content can be blocked on the phones, although that&#8217;s not true for specific applications. A workaround for that situation is to install all necessary apps when the phone is issued, then turn off the ability to install any more programs. The problem with that approach, however, is a user won&#8217;t be able to upgrade the existing apps on the phone.</p>
<p><span id="more-1941"></span></p>
<p>Credentials can also be created for use in user profiles for their phones. They&#8217;re a stronger form of authentication than plain text passwords. What&#8217;s more, they&#8217;re less portable than passwords, which can be copied, pasted and used outside the phone.</p>
<p>Another sweet treat for administrators is the ability to layer profiles in the phone. Instead of customizing configuration settings for each unit, a set of profiles can be created and issued based on user need. A basic profile could be created for all phones, for instance, and tasks like VPN or WiFi access could be included in separate profiles that would be added to the basic one for mobile jocks who need them.</p>
<p>Getting users to install profile changes after they&#8217;re issued their phones and monitoring those updates, however, still remains a problem. That&#8217;s because users, not administrators, must install the upgrades. Moreover, once installed, there&#8217;s no feedback to the administrator that the upgrade was completed. Presumably, if an upgrade is necessary for performing essential tasks like checking email and accessing a corporate network, users, by necessity, will install it. Many organizations may be able to live with that presumption, but those that must meet compliance rules, such as <a target="_blank" href="http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act" onclick="pageTracker._trackPageview('/outgoing/en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act?referer=');">HIPAA</a>, cannot.</p>
<p>Security settings for the iPhone can also be controlled through its support of Microsoft Exchange ActiveSync, but what can be done there pales in comparison to what can be accomplished with the config utility.</p>
<p>As with config, an administrator can impose password rules&#8211;determine password characteristics, set time for password changes, require re-entry of a password after a prolonged idle state and pick the number of retries necessary before there&#8217;s a shutdown and wipe of the hardware.</p>
<p>However, there&#8217;s no control of the Safari browser, iTunes and Application stores or YouTube. Neither are there configuration settings for WiFi, VPN or <a target="_blank" href="http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol" onclick="pageTracker._trackPageview('/outgoing/en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol?referer=');">LDAP</a>.</p>
<p>On the other hand, a &#8220;kill switch&#8221; can be flipped over-the-air by an administrator which will wipe all sensitive information from the phone. Users can also perform that task from Outlook Web Access, but that can only be done through Exchange 2007.</p>
<p>The encryption issue is addressed on the latest version of the iPhone, the 3GS, but what data is encrypted and how it&#8217;s done hasn&#8217;t been shared with the public by Apple.</p>
<p>The arrival of iPhone OS 3.0 and config utility 2.0 is a good start toward getting Apple&#8217;s smartphone accepted by IT organizations, but these improvements could really change the hearts and minds of corporate data guardians:</p>
<ul>
<li>The ability to control application and firmware downloads over-the-air;</li>
<li>A lock on the boot loader to prevent jailbreaking; and</li>
<li>Some form of multi-tasking to allow third-party security vendors to monitor and control some of the iPhone&#8217;s lower level OS and device functions.</li>
</ul>
<span id="pty_trigger"></span><p><a href="http://www.theemailadmin.com/2009/12/security-skeptics-less-skeptic-about-iphone/">Security skeptics less skeptic about iPhone</a><br/><br/>

</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/12/security-skeptics-less-skeptic-about-iphone/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

