I want you all to go grab your favourite marketing person and make them read this post. You know the ones I am talking about. The one that doesn’t understand why they have to take the 3600dpi 8GB PDF that could be blown up to the size of the Empire State Building without looking grainy, and reduce it for sending over email to a customer. The one who came in early last week to send an email blast to a 1000 person customer list that they bought from a guy they know, which resulted in your corporate network being placed on every RDNS blacklist on the planet. The one who doesn’t understand why when he sends an email, the customer doesn’t have it open to read before he lets goes of the mouse. The one whose laptop you secretly want to replace with an Etch-a-Sketch.

You know the one I am talking about… the one who just doesn’t “get” what you keep trying to tell him. I want you to share this blog post with him…maybe even forward it to him </wink>. This blog post is a list of seven things that non-technical folks should NOT do in email, unless of course, the objective is to lose customers and infuriate people.

1. Create form letters without testing them
   Here’s an example of something I got in my email today:
   
   And here’s the first thing I zoomed in on and clicked.
   
   If you are going to send out bulk email, either address it to “valued customer” so we’re at least honest about how impersonal it is, or test your program on your own personal account and a few of your cow-orkers before you fill your customers’ inboxes with junk.
2. Email an attachment that should have been the body of the email
   How many times have you gotten an email with an attachment and had to open the attachment to find that it either could have been incorporated in the body of the message, or left on a webserver and the email should have just included the link? That just wastes everyone’s time, and bandwidth, and also raises the chance your message will be blocked before the user even sees it.
3. Use a fixed width format that cannot be viewed on a mobile device
   If I have to scroll back and forth or pinch and zoom to read your message, I’ll probably just delete it unless it was something I specifically asked for. When you are trying to get your message out, make sure it can be received on any of the myriad devices your (potential) customers might use; full PC mail client, smartphone, e-reader, tablet, etc.
4. Use micro-fonts
   The saying is that 12 is the new 10. As devices get smaller, and as folks’ eyes get worse from staring at screens all day, one very bad thing you can do to people is make them squint to read your message. Yes, of course they can zoom in; but they could have also gone to your website instead of reading your email. Any extra effort or inconvenience is that much more reason for someone to delete you message unread.
5. Send read-receipt requested email
   If you want to know for a fact I got something, deliver it in person. Anything else is invasive and rude. When people do that to me internally, I make it a point to go over to their office and read the message out loud to them from my phone, asking for help with the big words. When sales people do it on unsolicited messages, I add them to the junk senders list.
6. Send an email to a large list of people where the only thing they have in common is that they’re in your address book or on your list
   It’s called BCC, and if you aren’t using it, you’re doing a huge disservice to your customers by exposing their information to people they’d just as soon not have their contact details. Hey admins? Why aren’t you limiting recipients per message to prevent the “mistakes” from happening?
7. Do not include your phone number in your email
   If you don’t want to take a customer call, you can always let it go into voice mail, but if you actually got our attention, and maybe we want to talk to you about what you’re selling, don’t make us hunt for your telephone number!

Readers, this is a chance for you to sound off about the things people do in email that drive you up a wall. Leave a comment (you don’t even have to register) and share your horror stories, pet peeves, or the worst affronts you’ve personally witnessed. Hello Internet, I’m listening.

How to Lose Customers and Infuriate People

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

When starting out, many small businesses set up their email using one of the free accounts available to them. Services like Gmail by Google, Hotmail from Microsoft or Yahoo!’s mail service, provide a working email address with almost no maintenance for a business just getting its feet wet.

However this may not be the best way to make a first impression with your potential customers.

Listed below are seven reasons why you need to ditch the yourcompany@freeemail.com and go with an address that better reflects the image you want your company to have.

1. Free email looks less professional

People associate free email services like Gmail or Hotmail as a personal accounts. Businesses, on the other hand, should have an email address that looks more professional. In fact, a study by Visible Logic in Amsterdam found that 70 percent of people view email messages coming from free email services as less professional when used by a business.

2. Free email looks spammy

Over the years, people have been burned so often by spam that they have become very adept at spotting shady looking emails in their inbox. One way to spot an email that may have malicious intent is by looking at the address. If you email address doesn’t look legitimate, your messages may be overlooked by overly cautious recipients.

3. Free email looks cheap

When people receive an email from your company and it has the @freeemail.com trailing it, your company looks cheap. For less than five bucks a month, you can set up an email address with your company’s domain. Sometimes you can even get a few of these for free when you host your company’s website. Customers who see that you are unwilling to spend a few dollars on this are often left to wonder what else your company may be skimping on.

4. You lose credibility when you use free email

A legitimate, professional looking email address tells your customers that you are here to stay.

Not only that, but having multiple email addresses such as: info@yourcompany.com, sales@yourcompany.com or service@yourcompany.com shows others that you are a well structured organization. The impression one gets when there is one, free email as the sole contact is that one person is handling everything for a company. This may scare larger clients away for fear that the company cannot handle their needs.

In today’s business atmosphere, trust is everything. Especially when it comes to online sales. Every little thing your company can do to establish trust and credibility will help your business grow.

5. Free email is less secure

Remember the old saying: there is no such thing as a free lunch? Well that applies to email as well.

True, Google, Yahoo!, Microsoft and the other free email providers do everything they can to make sure that their email services are as secure as possible, but things can slip through the cracks.

To pay for “free” email, users are subject to advertisements. While these help pay for the servers and storage space, they also have been linked to spam and hijacking. There have been several cases where businesses have had bank accounts and other confidential information compromised by cyber criminals who intercept email messages of companies that use free email services.

6. Free email may put you out of compliance

Nowadays, there are regulations and laws that govern so many industries and their record keeping that many large companies have entire legal teams dedicated to just compliance related issues.

But smaller companies are not immune to compliance. Companies of all sizes need to be aware of HIPPA when it comes to healthcare, PCI DSS when dealing with credit cards, and CAN-SPAM Act when it comes to marketing.

Free email likely does not offer you the tools required to be in compliance with any of these, or the many other, laws or regulations for email use.

7. You miss out on marketing your brand

Having your website’s domain name in every email you send out gives you the opportunity to build your company’s brand. Info@yourcompany.com puts your web site address in the minds of your customers. They know where to turn to when they need your services because they are so used to seeing your domain in every communication from you.

7 Reasons to Ditch That Free Email Address

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

If your organization is part of a regulated industry, is publicly traded, or has business units that might need to engage in different operations that could present a conflict of interest, you may find yourself tasked with deploying an ethical wall within your Exchange organization. While it may sound intimidating, it is actually an easy and straightforward task which Exchange handles well. This post will discuss ethical walls, and then show you how to set them up with Exchange 2010.

In business or legal terms, ethical walls (sometimes called Chinese walls) are communication and information barriers set up between individuals or business units to ensure that no information or communication can be exchanged between parties. They can be required when a business has competing interests, like when a financial company has a group A that advises businesses and is privy to sensitive information, and has a group B that advises others on investments. If A is working on something that could impact stock prices and is not public information, B could take advantage of that information to the benefit of their clients, which would be considered insider trading and highly illegal. It’s also common to find ethical walls within law firms, should two different attorneys in the same firm find themselves representing the interests of different parties.

In Exchange, an ethical wall helps ensure that no email can be sent or received between anyone in A and anyone else in B, preventing accidental or intentional sharing of information between those groups. Exchange 2010 uses transport rules to establish an ethical wall. Since all messages between users are handled by the Hub Transport server role, your Hub Transport server will be able to apply the appropriate transport rules to all messages.

The best way to approach building an ethical wall starts with creating distribution lists that contain the users for each “side” of the wall. That way, you can create your transport rules and apply them to messages between the two groups without altering other DLs in your environment. Should someone in A send an email to someone in B, your ethical wall can block the message and respond with an NDR. You may also want to set up a web page on your intranet that you can use in the NDR to refer violators to the reason, and to provide appropriate legal or HR contacts.

Note: it is very important to test your transport rules before applying them to production, to ensure that you stop all messages appropriately without impacting other critical email communications (internal or external).

One you have identified your users, and created the appropriate DLs, there are eight steps to creating an ethical wall in Exchange:

1. Launch the EMC and navigate to Organization Configuration, Hub Transport.
2. Create a New Transport Rule.
3. Enter a name, a comment that explains what the rule is for, and whether or not you want the rule created as Enabled or not, then click Next.
4. On the Conditions page, select the option “between members of distribution list and distribution list.” Click the first distribution list link in the lower pane and add the first DL you created for A. Then click the second link and add the DL for B. Then click Next.
5. On the Actions page, you need to configure the transport rule to “send rejection message to sender with enhanced status code.” Then click “rejection message” and enter text to display in the diagnostic information for administrators and click OK. Regular users won’t see this. Then click the “enhanced status code” and specify something in the 5.7.x range. I suggest you start with x=228 and work your way down from there if multiple rules are necessary. It is this that you will alter shortly to display a link to the users. Then click Next.
6. Set up any exceptions that are required, but be sure that these are approved by legal and HR. When setting up an ethical wall, there will rarely be any exceptions. Click Next.
7. On the “Create Rule” page, review the summary and then click Finish.
8. Open the EMS, and use the “new-systemmessage” command to create text to go along with the 5.7.228 enhanced status code you created. Here is an example, where your intranet site is http://intranet and you have created a page policy1.html off the root to provide more information.

New-SystemMessage –DsnCode 5.7.228 –Internal $true
–Text “This message is prohibited by policy. See
 <a href=http://intranet/policy1.html>Policy 1 </a> for
details.”

When a user tries to send a message that violates the transport rule, it will be rejected, and the NDR sent back to the sender will contain that message with the link to read more about why their email is prohibited.

Of course, email is only one form of communication between individuals or groups, and Exchange cannot control phone calls, conversations in elevators, or secret messages sent by carrier pigeon. If you do need to implement an ethical wall, work with your legal department to make sure you have your messaging requirements covered, but make sure everyone understands the limits of the technology.

Inside Exchange: Ethical Walls

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

When you don’t understand something that your job requires you to know, the most logical thing to do is research the topic and learn as much as you can about it. For many people who find security as part of their job description, learning as you go is the only option available. Yet despite the fact that there is so much information readily available to us, misconceptions regarding email security still confuse many professionals tasked with maintaining the confidentiality, integrity and availability of email services.

Blocking executable files will stop malware from being spread among users

Filtering all attachments that include .exe or .msi, was once a common way to keep users from sending infected files to one another through email. This is still considered by many to be a best practice for securing email systems, however as more tech savvy workers entered the workforce, they found ways around this. Generally, people will simply change the extension on a file and send it in an email attachment to a co-worker, friend, or family member. The recipient simply downloads the file and changes it back to the correct file extension. If that file has malware attached to it, the recipient will become infected when the file is opened and that could spread to other machines on your network.

Another scenario that dates this method of securing email, and is much more common, is when a user receives an email with a link in it. This link takes the user to a seemingly harmless website that is hosting drive-by downloads that install malware onto a computer when the person visits the site. No action on the part of the user is necessary other than clicking on the link.

Email security solutions need to address both of these scenarios in order to truly offer protection.

Attackers target large companies because that is where the rewards are greater

We often hear about how large financial institutions are hit by attackers where the number of users whose confidential information is stolen tops up to millions; or maybe it’s an attack against a huge government organization like the Oak Ridge National Lab attack that makes the headlines. At the same time, we almost never hear of a mom and pop store where the same thing happens. That’s because it’s not sensational. A small business being breached doesn’t warrant enough interest from the major networks but that doesn’t mean it never happens. It actually happens more frequently to small and medium sized enterprises than it does to the big corporations.

Large companies often have the budget to better secure email systems against attack where smaller companies often rely on security by obscurity as their solution and attackers know this. Whether they are looking for the lower hanging fruit, or simply trying to hone their skills, SMBs are frequent targets of email security attacks.

Finding security products that are geared towards SMBs is essential not only because they are affordable, but because they are tailored to the needs of these organizations.

Email encryption is only for healthcare and financial institutions.

It is true that these two industries are required by certain regulations to encrypt email messages, while other industries have nothing that says encryption is necessary it still is good practice to make sure your emails aren’t sent in plain text across the Internet.

There are many reasons why a smaller company would want to protect information sent via email. You could be sending confidential information about employees, details about an investigation, sensitive company financial data, strategies for growing your business… the list is endless. But no matter what the reason for keeping a lid on the contents of your message, if it is not encrypted then anyone with the know-how can capture and read these emails.

Email stored behind your firewall is more secure than email stored in the cloud

Cloud security is one of the most hotly debated topics when it comes to email security. Moving email services to the cloud will certainly take security and control out of your hands and put that responsibility on your cloud provider. But that doesn’t always have to be a bad thing.

If you research cloud providers and find one that takes security seriously and is open to answering questions about your email and data, then odds are their staff will be better able to handle security than a small IT department where the staff wears many different hats.

Cloud providers also have multiple data centers to handle back-up and recovery, as well as multiple layers of security.

Getting the right information when it comes to security can be rather difficult. There are many supposed “experts” who make a great deal of money selling snake oil to companies whether it is in the form of a security solution or education. The key is to read as much as you can and always look for the counterpoints when it comes to finding the best solution. If you spend enough time doing your homework up front, you will spend less time in the future dealing with mistakes.

Misconceptions About Email Security

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

When looking at solutions on securing email, many people don’t take into consideration the type of business environment they work in. All too often, after spending a great amount of time and money, small to medium-sized enterprises find out that what works for a company the size of Bank of America doesn’t quite work for them.

To better help SMBs find solutions scaled to their needs when it comes to email security, I have compiled a list of 5 tips that address the risks and restraints that they face.

1. Get the right solution

Email security can come in any number of packages. Security solutions can be software based, deployed through an appliance or even in a hosted environment. Each type has a variety of advantages, but there may be some disadvantages based on your company size or industry so it is important that you weigh your options carefully.

It is also important to look to solutions that can provide the protection your company needs at a cost that works. Too many times people are under the impression that security appliances are seriously out of reach for most small to medium sized businesses. This isn’t the case. There are many solutions that organizations find affordable and feature rich.

Make content filtering a standard practice

Content filtering needs to be a two way street. Of course, you want to filter out inappropriate content from being received by employees and certain types of attachments need to be blocked to prevent the spread of malware and expose vulnerabilities. However how often do you consider filtering what leaves your business via email?

Many industries nowadays are highly regulated and sending sensitive, or even financial, information out through email can not only bring compliance issues to your business, but it may also give competitors an edge. Filtering what users send out can be just as important as filtering what they receive when it comes to securing your company’s email.

Practice recovery as well as backup and archiving

Do you brush just half of your teeth? Then why would you only test half of your backup and recovery solution? Many companies find out, only when it is too late, that their backup and recovery solution was not configured properly or that there is some sort of problem.

This can be alleviated by regularly testing the recovery portion of your backup. By simply setting up a server (or virtual server) on which you can replicate your email system you can frequently test the validity of your backups in a way that will not disrupt your current email process.

Create fair policies that management will enforce

One of the biggest mistakes that SMBs make when it comes to email security is to take an overly aggressive approach. Without the manpower and resources to fine tune security policies, it becomes easier to just restrict anything that could be a perceived threat. This becomes especially true in small IT departments because they are tasked with so many other responsibilities.

When creating policies, it is important to bring other departments to the table so that these policies do not restrict anyone from getting their work done efficiently and effectively. Involving others at the management level also helps them better understand the reasons behind email policies and the ramifications for not following them. Gaining this support will help when it comes time to enforce these policies and discipline those who violate them.

Educate your staff

When it comes to security, it is a common misconception that bigger, state of the art, expensive solutions provide the best protection. Even though this isn’t true, SMBs often feel that they are at a disadvantage when it comes to email security because they cannot afford to deploy such solutions.

What many SMBs don’t see is that they have a distinct advantage over their larger counterparts when it comes to educating end users. When you have a smaller number of employees to train you have the advantage of being able to spend more time with them to make sure they understand the material you are delivering. You also have the opportunity to be readily available to answer questions or address any concerns or issues that your users may have.

Developing a solid training series for email security can also help free up time for IT departments that find themselves tasked with too many responsibilities because users who are informed and educated require less oversight and less attention.

5 Essential Tips for SMB Email Security

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

When Epsilon Data Management disclosed a breach of its email system panic struck cyberspace. Names like JP Morgan Chase, Citi Bank, Staples, Verizon and Hilton were listed as some of the customer databases that had been compromised as a result.

As many customers of these companies started receiving emails explaining that their email was exposed in the breach and could be used in illicit activities, email administrators starting looking at what they could learn as a result of this catastrophe.

Lesson One – Take Security Seriously

A Ponemon Institute study titled The State of IT Security: A Study of Utilities and Energy Companies stated that companies were more concerned with preventing network downtime than they were stopping a cyber-attack.

Of course, no one should find this surprising. After all, if an e-commerce site or CRM portal goes down, business can come to a halt. No business means no income so by all means this is going to take precedence. Besides, anyone who has been tasked with securing any type of technology doesn’t have the ROI that upper management is looking for when giving a project the go ahead.

In order to prevent another incident like Epsilon from happening, cyber security needs to be at the forefront of IT and management’s agendas. With the increasing problem of Advanced Persistent Threats, email security needs to be looked at and any weaknesses shored up.

Lesson Two – React Appropriately

The breach of Epsilon happened on March 30^th. By April 1^st it was disclosed to the public. This gave Epsilon, and their clients, ample time to put together a response based on the details of the data breach. For this, they should be applauded.

Far too often companies who are victims of this type of cyber crime spend so much time spinning their wheels deciding how to soften the blow of negative press that they forget the ramifications it can have on individual customers.

By making the details known from the beginning, the customers of Epsilon’s corporate clients were able to receive fair warning about phishing scams and other illicit activity that would certainly be a result of their email being exposed.

Lesson Three – Heed the Warning Signs

Another thing Epsilon did right was that they discovered the breach quickly. Had they not recognized that there was unusual activity going on, the breach would have yielded much more than the 2 percent of the customer base that had be compromised.

Epsilon was warned, along with other companies, that there was a high likelihood of a malicious hacking attack that would take place against email distributors. To mitigate this threat Epsilon beefed up its monitoring capabilities to watch for anomalies.

Lesson Four – Segment Your Data

Security professionals who have analyzed the data breach, such as Anup Ghosh, Founder and Chief Scientist for Invincea, think that this may be the work of a single attack.

“As we learn more about this breach, it could be very possible that a single intrusion was utilized to gain access to the data across all of these brands. Is this indicative of a potentially broader threat from a cloud perspective? Maybe yes, maybe no – only time will tell as we learn more and pull back more layers of both onions,” he went on to say.

It is a common suggestion in the security world that data should be segmented. For example, Client A’s data should be kept apart from Client B and Client C, or data should not be stored on the same server as web applications (which is common when it comes to default installations). Yet while this is often suggested, it is hardly ever practiced.

Segmenting data protects you because in the event one data set, application, network segment, etc. is compromised, all of your stored is not exposed as a result. It basically makes the attacker work harder for a big pay day. Of course if you are monitoring appropriately you will be able to spot the intrusion before more data is stolen.

The truth is Epsilon was not the last large company to have sensitive information regarding customers stolen. It will happen again. However if we can take the lessons learned and make security even tighter, then the gap between such incidents will continue to widen.

Lessons We Should Learn From Epsilon

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Advanced persistent threats make email security a necessity

Most email administrators consider security to be a large part of what they do. With so many laws and regulations governing the storage, discovery and retrieval of email messages, security has become a second job to many.

Unfortunately, many administrators either forget, or simply aren’t aware, that securing email requires much more effort than hardening the email servers against attack. In order to fully protect your organization’s email and their contents the mailbox also needs to be defended. Especially when you consider how popular Advanced Persistent Threats are becoming with large cyber crime syndicates who use email not only as a way to harvest sensitive information, but also as a method of attack through phishing and social engineering.

By implementing the following tips into your security plan you can help protect against these, and the many other threats that your organization may face:

Create email policies to regulate the communication of confidential information

Email communication has become second nature in the workplace. It is quick, easy and it gives us a record of our conversation so we can refer back to any information at a later date. However, if the conversation contains sensitive information like login credentials, financials, personal information, and the like, then it can be extremely valuable to anyone who may harvest those emails.

By simply setting up, and enforcing, policies that restrict certain information from being sent via email you can mitigate the damage done if emails are exposed. At the very least, your policy should state that user logins and passwords (and/or PINs) not be communicated via email.

Teach users to encrypt their messages

One of the best analogies I have seen to describe the need for encrypting emails is one that compares email to a postcard. Basically, anyone who comes across it can read the contents if they want. This can be stopped by encrypting emails to prevent eavesdropping.

Encryption is a hard thing for many people. It requires additional steps, training and, in some cases, third-party software (such as PGP) yet it is really the only way to keep your messages private in transit.

Encryption shouldn’t be limited to sending and receiving messages alone. Any email that is stored on a hard drive (think personal folders), a network drive, backup servers or archive systems should also be protected from any prying eyes.

Get rid of old email

A long time ago, storage space was a precious resource. Nowadays inboxes can be easily scaled to hold enormous amounts of data. Unfortunately that provides a greater possibility that an attacker will find something valuable.

Email should be moved, or deleted, when their life cycle is up. Make sure to check with any regulations regarding discovery and archiving before getting rid of the old stuff, but if you combine this with encryption you will be taking great strides to protect older emails.

Practice good network security habits

Make sure that desktops are continually scanned for malware that could possibly expose email login credentials, filter Internet content to protect against malicious websites, understand how to properly use a firewall and update server and client software as needed.

In addition to the employing technology to help secure your email systems you should also consider human factors as well. One of the ways that people first discover that their systems have been compromised is by noticing an anomaly. Be on the lookout for log-ins that just don’t seem right whether it be the IP address, the time of day or even the length of time.

This can be one of the most tedious tasks to undertake when it comes to security but it is by far the most important.

Put the right solutions in place

In many small and medium-sized enterprises, the email administrator alone cannot be as vigilant as he or she would like. Even in organizations where there is team of professionals dedicated to security use necessary security tools to help them do their jobs. Smaller companies need to understand this as well.

By employing technologies that help manage email, backup and recovery, archiving and security, you are plugging the little holes that provide that chink in the armor most attackers are looking for.

No one said that email security is going to be an easy task, but it is one that cannot be ignored just because it’s too hard or it costs too much.

Tips for Better Email Security

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

In just one week Google, the International Monetary Fund and Citigroup have all made headlines as a result of email associated with them being under attack. The reason we continue to see companies make the news as a result of email attacks is that email security is sometimes ignored when it comes to training users properly and making good decisions. In some cases, having the latest and greatest when it comes to security tools even creates a false sense of security that causes us, and our users, to overlook the little things. A multi-layered defense that has been properly configured with all the best technology can be rendered useless if the little things are forgotten.

This list displays some of the most common mistakes that are made when it comes to email security and a brief description of what you can do to prevent them.

Leaky emails

There are many times when sensitive information is passed along via email. If everything is encrypted properly you, and your users, often assume that it will only be seen by the appropriate people. Unfortunately this isn’t always the case. Too many times a recipient may answer an email with sensitive information and hit the reply all button without checking to see who will be receiving the email.

The fix: Put a policy in place that addresses sensitive emails and reply to emails. However a policy alone isn’t enough. Make users aware of the policy through training and keep a record that all users were trained/informed of the policy and repercussions of not adhering to it.

Trusting others

When we receive emails from family, friends and business colleagues we often blindly open them without much concern. Especially if they are contacts we communicate with on a regular basis. However malware can easily be spread through emails by attachment or embedded code and links.

The fix: HTML in emails should be blocked if this is a concern, as should the ability for your users to receive attachments that are scripts or executable files.

Passwords that are easy to guess

Remember when Sarah Palin’s personal email account was breached? It was because her password was easy to guess using information the attacker found on her Wikipedia page. Companies often list information on corporate sites that provide attackers enough information to guess passwords as well.

The fix: Enforce strong passwords or password phrases for all users. Also, make sure that people don’t give up information that may be used to guess their passwords when providing bios.

Ignoring malware protection on the desktop

While scanning all emails for malware needs to be done, the desktop should not be ignored. And all too often it is. Malware definitions are outdated, software is not configured to run properly or protection is completely left to the user.

Even if you have a policy that enforces strong passwords, a keystroke logger can easily give up even the most complex password combination.

The fix: Email administrators should work closely with IT security to make sure that the desktop and network security isn’t lax so passwords are tougher to expose.

Failing to check on backups

Some companies and industries are required, by law, to back up and archive emails for a set period of time. Others are not required to do so. Regardless of the laws, every person and company should be in the practice of backing up emails. Emails often provide important records and information that could be lost.

But what happens if you need to restore your emails and find that something went wrong? Maybe the backup was incorrectly configured or the backup location was insecure. In any event, the inability to restore emails from a backup can render the entire solution useless.

The fix: Frequently test the ability of your backup solution, and staff, to restore emails.

These five tips may seem basic and simple. But that is the point. Working in IT we often gravitate towards the more complex issues and ignore simple techniques and solutions until it is too late. By taking the time to do the little things when it comes to security, we build an even stronger foundation for all the bells, whistles and technologies that really impress us and our bosses.

5 Simple Mistakes When it Comes to Email Security

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

All of us know how critical email is in business today. We realise how dangerous this mission critical communications channel can be to the company and how many risks to our information systems email can present. We do everything we can to secure ourselves against the threat of incoming email; we scan for malware, we scan for spam. We use filters at our borders, and we parse lists of sender addresses to reduce the chance that an email carrying a threat will get into our systems.

But what about outbound mail? Do we do anything at all about outgoing mail? Do we look at it as a potential threat, or do we trust it implicitly, since, after all, it was generated internally by one of our users? Scanning outbound email for malware is just good security sense. The embarrassment and ill well a company could incur sending an infected email to a customer is one aspect. Another is leakage of sensitive information. Data Loss Prevention looks at the ways to protect information from loss of confidentiality, integrity, and availability, with an emphasis on ensuring that mission critical information does not leak to the outside world. Email, being the largest source of outbound information most companies experience is a key area to focus on in your Data Loss Prevention efforts.

Take for example a recent case of data loss prevention that may cost the company millions of dollars in lost revenue. A recent case of data loss is covered in this article published on the SC Magazine website. An employee of Swiss bank UBS emailed out details of an upcoming flotation of General Motors. This email, containing extremely confidential information, was sent out to over one hundred people. While there is no clear indication that malicious or criminal intent was present, General Motors had to report the information disclosure to the United States Securities and Exchange Commission, and GM then decided to drop UBS as an underwriter of the upcoming deal. This business loss is expected to cost UBS some $10 million dollars.

How could an email data loss prevention solution prevent this? By scanning all outgoing email, and searching for key words, such an email could have been intercepted and held at the network border. Whether a held message is either reviewed by the information security department or the sender is simply prompted to review the message first to ensure it is safe to send to the intended recipients, this extra step would have prevented a $10 million mistake.

Scanning outgoing email for content can do more than simply search for keywords. Bayesian filters are supported by many of these products. Administrators can define filters to search for strings of numbers, enabling security departments to scan for numeric sequences that could be credit card numbers, social security numbers, or customer account numbers. Combining these searches with key words such as customer names, account names, the word “password,” and other content that could indicate sensitive information is contained in the email and should be examined before release. This can also assist with compliance. There are a number of regulations/laws regarding the transmission of customer NPI, health information, or financial information in an unencrypted form. Scanning outbound mail is an easy way to ensure that no one is sending out emails containing that sort of information without encrypting it.

Content scanning outbound email, in combination with antimalware scanning, and setting limits on number of recipients, size of file attachments, and any other limits appropriate to your business can help to make sure that your company’s outgoing email never causes a security incident, a public relations issue, or a loss of a customer.

Scanning outbound email could save your company millions

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Email administrators can add compliance to their list of growing costs on their budgets, according to a report released recently by the Security for Business Innovation Council, which is a group of security executives from companies in the Global 1000.

The report, “A New Era of Compliance: Raising the Bar for Organizations Worldwide,” maintained that a new compliance landscape is forming, one that will be driving up costs and risks for businesses around the world.

“As the compliance landscape gets more complex, demonstrating compliance gets more time consuming and costly,” it said.

Four trends were identified in the report as factors driving organizations to take their security responsibilities more seriously than they have in the past.

1. Strengthened enforcement.
2. Global spread of data breach notification laws.
3. Increasingly prescriptive regulations.
4. Growing business partner requirements.

Although enforcement of existing regulations has been weak in many jurisdictions worldwide, the report said, regulators and standards bodies are now tightening enforcement through expanded powers, higher penalties and harsh enforcement actions.

“Compliance is the best and worst thing that ever happened to security,” FedEx chief information security officer and corporate vice president Denise Wood declared in the report.

“[Compliance] gives you awareness,” she continued. “It gives you real life justification for good security practices. But at the same time, especially when regulations get prescriptive, it can make it more difficult to have a truly risk-based program where your highest risk items always get your financial investment.”

If regulations call for a risk-based approach to securing data, the report explained, an organization can base their investments in security by weighing their security controls against their appetite for risk. They can tailor their security measures to meet their business needs. When they have to comply with prescriptive measures ordered by regulators, they have to spend budget dollars implementing technology specified by regulatory requirements rather than technology which helps manage risks, the report reasoned.

Another source of rising compliance costs will be the need for everyone in the businesses food chain to assure each other that they’re in compliance. Regulators are making it clear, the report said, that enterprises are on the hook for ensuring the protection of their data when it is being processed by a business partner including cloud service providers.

“[N]ot only are requests coming from regulators and auditors, but also from customers and partners,” the report said. “Most organizations continue to rely mostly on manual efforts and reams of paper for data collection and reporting, which consumes inordinate amounts of resources.”

“Increased responsibility for information security across the extended enterprise also has a significant cost impact on organizations,” the report asserted.

“For example,” it continued, “organizations must undertake exhaustive work to evaluate and oversee service providers’ security practices. At the same time, service providers must invest in developing assessment processes so that they can give customers the required assurances.”

For many organizations, tough attitudes toward enforcing compliance could help their managers focus on security, the report said, “but if they take a check-list approach” to compliance it will detract from actually managing risk and may not improve security.”

Administrators need not feel singled out by regulators for tough treatment; it’s a societal trend, the legacy of the financial meltdown that triggered a global depression. “Regulators are moving away from light-touch to more interventionist regulation,” Stewart Room, a partner with Field Fisher Waterhouse in the firm’s privacy and information law group, said in a statement.

“That’s clear in all senses of society and economy, so it’s not surprising regulation is tightening up in the data protection field,” he continued. “As I see it, the trajectory of the law here is one way only, which is towards more frequent regulatory intervention, more disputes, more arguments, and more litigation.”

That litigation will involve everyone managing data in an organization, including email administrators, as Comerica Bank recently discovered. It was sued by one of its business customers, Experi-Metal, because the bank sent the company’s customers an email asking them to update the financial institution’s security software by clicking a link in the message. Messages from phishers commonly contain such instructions under the guise of legitimate institutions like banks.

Experi-Metal argues that the bank’s email campaign made the company’s customers more likely to click on links from phishers claiming to be from Comerica. Such an attack clipped $500,000 from the company.

Compliance driving up security costs, report says

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

We hear a lot of talk these days about the benefits of a hosted Exchange deployment.  Probably reflecting the desires of IT managers on the ground, Microsoft’s latest and greatest version of the Exchange messaging server, better known as Exchange 2010, was touted by Microsoft to be “designed from the ground up” to be equally at ease running as a hosted service or as an on-premise solution.

While running one’s Exchange server on a hosted service certainly does have its allure, e-mail administrators or IT managers ultimately need to consider and weigh the merits of both scenarios carefully.  So when does it make sense for organizations to opt for an on-premise deployment of Exchange?

Let’s take a look at some of them today.

More choice of anti-spam and anti-malware solutions

The state of spam and malware proliferation via e-mail today means there is little tolerance for any Exchange installation that is not protected by some sort of spam and malware filtering.  While most hosted Exchange providers incorporate some form of spam protection, choices offered might be limited or expensive.  The alternative would be to opt for a cloud-based anti-spam service by using MX forwarding, though adding in another hosted service does increase the recurring cost of the hosted Exchange deployment.

On the other hand, an on-premise installation of Microsoft Exchange gives businesses a free rein on whether they want to rely on a cloud-based anti-spam service or a traditional server-deployed solution such as GFI MailEssentials, which allows for a greater degree of configurability.  In fact, it is entirely feasible to deploy both in tandem if necessary.

Heightened confidentiality and compliance

Where there have been many prominent news reports of organizations shifting to a hosted e-mail deployment, a closer examination will show that they are often not companies in the financial, health or other tightly-regulated sectors.

The truth is that the outsourcing of critical installations does not exonerate an organization should something go wrong, as can be evidenced by the case of the prominent seven hours downtime experienced by Singapore bank DBS recently.  The fact that the affected infrastructure was operated and maintained by IT vendor IBM – and the mistake perpetuated by personnel from IBM, cut no ice with the government regulator, who slapped a number of measures on the bank to censure it for the outage.

Another complication inherent to an Exchange deployment has to do with how legal jurisdiction is typically applied based on the location of the physical server.  And what happens if the data is stored at an off-site location in yet another country?  In fact, compliance laws might mean that a hosted deployment might not even be legally possible in the first place – an aspect worth investigating first.

Increased Backup and Archival Options

Moving on, an on-premise Exchange deployment also offers much greater flexibility when it comes to e-mail archival and management of backups.  While all cloud providers will position their backup capabilities as a selling point, the recent data loss experienced by some users of online note-taking service Evernote is a sombre reminder that mistakes can and do happen.

Ultimately, an on-site installation presents the e-mail administrator with the largest number of tried-and-tested solutions that can be used to backup Exchange mailboxes under their charge.  In addition, companies interested in increasing their Exchange performance will also be able to make use of solutions such as GFI MailArchiver to help create backups of old e-mail without running afoul of e-mail retention policies.

Better performance

It is now an accepted practice to connect to Microsoft Exchange via HTTP, which contributes to administrators making the mistaken assumption that the performance for a local area network (LAN) deployment compared to that of a hosted Exchange server is similar. The truth is that an on-site deployment within the network will always perform better than any service hosted on the Internet – where it is subjected to the fluctuating conditions of one’s ISP connection or the bandwidth capacity of your hosting provider.

This is especially important since employees are increasingly using Microsoft Exchange not just for e-mails, but as a collaboration and productivity tool with which to track contacts, schedule meetings, or even to book company resources like meeting rooms and projectors.  And depending on company policies, IT managers might need to roll-out brand new workstations (or do a fresh install) every couple of years.  The performance of a local Exchange deployment will be much faster during these periods.

Some Reasons for an On-Premise Deployment of Exchange Server

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

The Pyramid of Compliance.

Most business initiatives need employee “buy in” to work and compliance is no exception. Automated systems can impose a degree of uniformity in enforcing initiatives, but where the rubber meets the road will always be where your workforce interacts with your systems. An employee that embraces your policies and procedures can be your best protection from threats like email borne malware, as well as assurance that your organization is complying with industry and regulatory mandates.

How do you focus your people on compliance? Here are five suggestions from Ernie Hardin, founder and owner of 443 Consulting, an information security and business continuity consultancy in North Bend, Wash.

1. Get’em at the Door

Probably the easiest worker to obtain buy-in from is the new hire. He or she is a clean slate without some of the baggage of existing workers. New hires are also eager to please their new employer so they’re more willing to accept your compliance rules.

What should be included in a new hire’s introduction to compliance? A message from your company’s CEO emphasizing the employee’s role in the security of the firm can be very valuable in attaching importance to compliance. Of course the nuts and bolts of external rules and regulations that your business has to comply with–HIPAA for medical facilities, for example, or Sarbanes-Oxley for publicly traded companies–need to be explained, as well as your firm’s appropriate use policy relating to email and Internet usage.

2. Get ‘em Where They Eat

“Brown Bag” training sessions can be a useful approach to getting current employees onboard with your compliance program. The key to making these successful, though, is to bait them with something that appeals to the worker’s self interest. Free lunches are hard to resist, but tailoring your message is important, too. For example, Hardin point out that a session could be structured around computer security at home–a topic  of some importance to most of your workers. Since good security practices at home would overlap good security practices at the office, the session would be killing two birds with one stone.

“Fortunately, this training also reinforces good security habits, which, in turn, employees tend to bring back to the work environment,” Hardin writes.

3. Get ‘em in the Corner Offices

In addition to the rank and file in your organization, you’ll want your top brass in on the compliance party, too. Sure, your CEO is aware of the importance of compliance–he says so in the materials for new hires, didn’t he?–but other execs need to stay current on developments, too. A good way to do that, according to Hardin, is to take advantage of news events relative to the subject. When a data breach or email born virus makes headlines, you can offer to brief executives about the event. The briefing doesn’t have to be a face to face session. It can be a short memo about the event, why it could or couldn’t occur  at the company, what safeguards and policies are in place to prevent a similar mishap and what additional measures could be taken to bolster what’s  already in place.

4. Get ‘em prepared

No one likes fire drills until there’s a fire. The same is true of security training exercises. Hardin recommends that the exercises be interactive and involve problem solving. They should also have a brainstorming component.

“The idea behind these exercises is to get everyone’s ideas on how to make current processes better and more useful should real events like this occur,” Hardin noted.

5. Get ‘em focused

When spreading the compliance gospel, you don’t need to confine the burden to the apostles in your security team. Creating focused work groups made up of managers and employees to discuss compliance issues can facilitate understanding and extend the reach of your team in the workplace. Knowledgeable managers and employees can aid in the enforcement of compliance policies and lighten the workload on your security resources.

“The underlying theme of these approaches is to educate and train at any opportunity,” Hardin explained. “Recognize that the employees are critical to the successful defense of your company.”

“Also,” he continued, “recognize that they can be part of your security implementation program as well as part of your enforcement team, and you’re well on your way to a more-compliant organization and a less-stressed security team.”

Five ways to focus your workers on compliance

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Clark: "We hire attorneys for their IP and not their IT."

Electronic discovery has increased demands on storage systems, and that’s likely to continue.

According to Michael A. Clark, a managing director at EDDix LLC, an electronic discovery consulting firm, corporations with revenues greater than $1 billion is carrying around a caseload 150 active matters, 35 to 40 percent of which involve electronic discovery. With the new rules of Federal Civil Procedure adopted last December, he observed, “we’re going to see an ink blotting downward of electronic discovery to ever smaller matters.” He projects that within the next three years that 35 to 40 percent will move to 75 percent.

Finding information within the enterprise has always been a challenging task for legal ferrets, but those challenges have ballooned in recent times, according to Clark. “There are now not only more things to find, but more places to look for them than there had been before,” he said in a video interview posted at SearchStorage.com.

Finding information is a big challenge to operators of an enterprise network, but so too is deciding what should be stored and how long to store it, Clark noted.

“A number of corporations are devoting considerable resources to creating retention policies and then trying to enforce those policies,” he observed.

“You don’t want to be in the situation where you’re keeping everything forever,” he continued. “Corporations are telescoping the amount of time that they keep this stuff–not because it costs so much to store it, but a) it’s a liability and b) it costs an awful lot to go find it and retrieve it depending on what medium it’s on.”

When the discovery hammer is dropped on an IT department, it needs to be nimble enough to respond to the request, Clark said. “You need to preserve data when litigation is imminent,” he explained. “You need to be prepared to suspend all of the destruction processes that you have in place associated with the storage of that data.” Recycling of data tapes may have to be suspended, for instance, or “snapshots” taken of dynamic databases. In addition, the data should be in “litigation hold,” where it will be centralized and protected from alteration by users of the system.

Tools for collecting documents relevant to a litigation are very important to the discovery process, Clark said. The number one pain point from the general counsel’s point of view, he noted, is the ability to collect electronic documents. They must not only be collected from servers but from other places like desktops, laptops and other devices. For that kind of collection, there are programs that will create mirror images from desktops and laptops without disturbing the functions of those devices.

As the demands of electronic discovery increase, corporations, especially those in high litigation industries–financial services, energy, telecommunications, pharmaceuticals and tobacco–will begin to alter their infrastructures to accommodate those demands. Many of those companies, Clark said, are beginning to look at bringing some of the features and functions associated with electronic discovery–which heretofore may have been outsourced to a specialized electronic discovery services provider–inhouse so they can do some of those services themselves.

Among the services the companies will bring under their enterprise umbrella, he noted, are automated document collection and automated categorization of documents at the time of creation.

“So rather than looking at something forensically, after the fact, and then trying to figure out where it fits,” Clark explained, “we can add metadata to the document itself that would allow us to put it in buckets and more easily retrieve it and sort it downstream, with the presumption that all documents created are potentially evidence.”

In the storage area, he continued, businesses are looking more closely at near-line storage and archiving as an alternative to backup tapes. “Backup tapes were designed for disaster recovery and certainly were not designed and don’t function very well when we need to retrieve specific documents from specific custodians,” he argued.

He explained that the increased use of electronic discovery has raised the risk profile of corporations in litigation matters and pumped up compliance costs. Things like automated document collection and categorization, he continued, are being deployed in order to mitigate risk and cost.

Clark cautioned companies not to depend on attorneys for solutions to their electronic discovery problems. “Attorneys are not technologists and, by and large, not business people,” he explained. “What we’re talking about here is a business issue. It needs to be approached as a business process.”

“Attorneys have a tendency to be reactive,” he continued. “They tend not to be particularly proactive. Man-with-hair-on-fire is not a good way to live your life if you’re a corporation.”

“It’s the business people who are beginning to drive and should be driving many of the processes that represent best practices,” he added. “We hire attorneys for their IP and not their IT.”

E-discovery demands to double in three years

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

The administrator may appropriately be tasked with administering, or at least overseeing, the process of email archiving, if for no other reason than the fact that end-users are not likely to do it themselves. The process of archiving emails, if left to individual end-users, would be chaotic at best. Uniform standards must apply, and archiving needs to be done according to a rule-based procedure; without such a rule-based procedure, the enterprise risks falling out of compliance with one or more legislative mandates.

But there are two pieces to the archiving puzzle: Putting things into it, and taking things out of it. The first part can be largely automated and done according to a set of rules that specify that emails get archived after a certain period of time. But as for the other end—searching the archives—that’s another story entirely.

The process of e-discovery for example, can be a nightmare, and lawyers have been known to cast a very wide net. The results can easily be tens of thousands of emails or more. Ultimately, this needs to be the domain of the legal department, who will be better equipped than IT staff to conduct a search designed to yield usable results.

But besides legal e-discovery, nearly every department will have a need for retrieval at some point. It is simply a waste of resources to require the IT department to conduct these retrievals. In the old days, it was necessary. Archives were kept on tape, on a shelf in a back room. The tape had to be physically retrieved and then loaded and read. But we’ve gone beyond that (hopefully) today.

Retrieval can take one of many different forms. Of course, when end users store their own emails locally in folders or PST files, they can do it themselves, but the process is decidedly clunky and inefficient and may be error-prone. The process instead needs to be rules-based, centralized, and automated. Exchange allows for easy integration with third-party services that allow for this.

In establishing a search and retrieval function, the IT department should implement a solution that gives end-users easy access, but access that is controlled with authentication and authorization to guarantee continued compliance with security requirements. Furthermore, the end-user interface should be web-based so that access can be gained from any browser, and lastly, the search function should be made efficient by allowing searches to be conducted not only from the subject header, but from the content as well. From a compliance perspective, most regulations will require an audit trail as well, and it will also be necessary to choose a solution that will log access.

Self-service retrieval

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

While the rest of us are struggling under threat of penalty to comply with an ever-increasing array of security-related regulations, the federal government itself is failing miserably in practicing what it’s been preaching.

The GAO issued a report this week on how government agencies have been responding to the Federal Information Security Management Act of 2002 (FISMA), which requires government agencies to create agencywide information security programs with supporting security architectures.

The report concluded that out of 24 government agencies, 23 of them had inadequate authorization controls, and 22 said that information security was a “major management challenge.” The agencies also came up short in several other security-related areas, and poor IT security continues to be seen throughout government. According to the report, all 24 agencies have reported multiple security incidents wehre sensitive information has been either lost or stolen.

The report did indicate that user awareness of security issues is rising among agencies however. FISMA requires security awareness training for agency personnel and contractors. FISMA is a very broad set of guidelines dealing with overall security; email admins within agencies must also be aware of FISMA to ensure compliance, especially in the areas of authentication.

Agencies fizzle on FISMA compliance

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

If you are subject to compliance with a regulation like HIPAA or Sarbanes-Oxley, you need to know your own internal systems are safe and secure and customer data is kept private, and you also need to know that the systems of your partners are equally protected.

That’s the hard part of compliance. You have control over how you implement security and impose email protections inside your own company, but you have less control over companies that are separate from yours but within your sphere of influence.

A study recently showed that 20 percent of security professionals are “cheating” to pass an audit, especially if it is a self-audit. In such audits, which are ran largely on the honor system, you attempt to satisfy your compliance requirements by providing a checklist to your partners that have access to your systems or data. The partner verifies that they have done certain things, or have implemented certain precautions, and sends the list back. All bases are covered, right? Not always–without an external auditor, there is no validation, and there may be a risk of falling out of compliance.

Who audits the auditor?

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

PST (Personal Storage Tables) can be a nuisance and a cause of some difficulties. There are plenty of how-to’s out there on how to manage them, tweak them, and manipulate them, but the best strategy of all is to avoid them altogether.

The PST files can be stored either on the Exchange server or locally. The immediate advantage of local storage of the PST files is that it provides an easy and readily accessible location for old emails. But although a great many email environments are set up for local storage of PST files, it goes without saying that the local storage option is a bad idea that offers very little in the way of protection against disaster, loss, or attack.

However, with more companies falling under the purview of one or more compliance-related legislative mandates, usage of PST files must be revisited. If there is a retention requirement that calls for storing emails for a certain period of time, it’s pretty easy to get around that requirement. Electronic discovery may also be a problem if PST files are used and stored locally, even temporarily.

By itself, although PST files are password-protected, this protection is somewhat flimsy, and there are numerous hacker tools available that can be used to easily remove the password on a PST.

Rather, the better option is a third-party archiving solution that works with Microsoft Exchange which delivers superior data security, as well as non-local storage that is readily accessible by authorized users.

Reduce dependency on PST files

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Sarbanes-Oxley, a set of rules that were put in place to combat corporate scandals, fraud, and improper financial reporting, has had a big impact on how corporations do business, and the impact reaches all the way across the board. While SOX is targeted at the money guys on the top floor, ultimately, it’s the IT guys in the back office that are responsible for implementing it and keeping the suits on the straight and narrow.

The most relevant part of SOX is the internal controls requirement, which mandates that several controls be put in place with regard to how financial reporting is done. At first glance, it would seem that email doesn’t pertain, but in reality, it does: SOX isn’t just about how financial data is stored, it’s also about how it’s transmitted–and a good Sarbanes-Oxley audit will almost always suggest security enhancements to the email infrastrucure to include encryption, and more rigorous adherence to policy and good practices. IT is mostly concerned with section 404 of the Sarbanes-Oxley Act, which deals with internal controls and how they are enforced.

So why does the email admin have to be worried about it? Besides the obvious reason of job preservation, Sarbanes-Oxley does mandate that access control be put into place to prevent “unauthorized use” of financial information. On the email side, that means, to begin with, making encryption available to any user who deals in financial information. Yes, it’s true–the bean counters do sometimes get careless and forget the sensitive nature of all those spreadsheets, and ship them around the Internet without much regard to whether or not somebody might see them who really shouldn’t.

Of course, along with the technology is the creation and enforcement of a good email usage policy. This policy will be reviewed by a third party conducting a Sarbanes-Oxley audit, and a good policy can go a long way towards helping to prevent big fines and corporate liability. More on creating a good policy in a later post–but the policy must deal with encryption specifically. That is, just having encryption available doesn’t mean it will be used–and so the policy must state specifically who must use encryption and under what circumstances, and for what kind of data.

Sarbanes-Oxley and email security

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

In-the-cloud storage got a setback last week when both HP’s and Yahoo’s online storage services were shut down for good. HP’s Upline has had a rocky past, with the young service having experienced numerous problems and delays, and reports of malfunction and inappropriate access. Of course, there is no shortage of other cloud vendors taking their place–and the ads are full of “Do you need an alternative to Upline” come-ons.

We’re still hearing rumors, and most recently, “confirmed rumors”, that Google’s Gdrive is ready to roll. Gdrive sounds revolutionary in design. It wil supposedly offer unlimited storage–allowing you to actually store the entire contents of your hard drive in the cloud. Local and online files are synchronized through a web interface so for example, you could start working on a project at the office, and then later on pick it up at an Internet cafe–or even on your smartphone. Gdrive will also be integrated with other Google applications and services. The security ramifications are immense though, and there’s as of yet no word as to how security would be provided. I’m not so sure I would want my entire hard drive replicated in the cloud. Also, it would seem doubtful that users who have to comply with various regulations regarding storage and backup would be able to take advantage of it, but we’ll wait to see on that one.

Before moving to an online backup environment, it would be important for a corporate user to review their data retention policy and any compliance requirements they face, and make a judgment as to whether in-the-cloud backup could adequately meet those policies and requirements.

How compliant is in-the-cloud storage?

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Started in 2005, the Electronic Discovery Reference Model (EDRM) Project was created to address the lack of standards and guidelines in the electronic discovery market.  EDRM is a great reference tool to develop guidelines and standards for ediscovery consumers and service providers.  EDRM helps reduce the cost, time and manual work associated with ediscovery.

Referencing the  accompanying EDRM diagram on their web site, the 8 areas lay out a structured foundation for facilitating the implementation of an archiving software solution.  This makes life easier with providing all the players standard guidelines, as part of the archiving and information retrieval process related to legal and government requests.

We will cover a cursory overview of EDRM.

Information Management
Getting your electronic house in order to mitigate risk and expenses should electronic discovery become an issue. This covers the initial creation of electronically stored information all the way through its final disposition.

Identification
This refers to the process of learning the location of all data which a company has a duty to preserve and potentially disclose in an upcoming  legal proceeding.

Preservation
Preservation for electronic discovery has become a complicated, multi-faceted, steadily-changing concept in recent years.  Certain suggested standards and guidelines have been emerging to provide checklists for those preparing to respond to electronic requests for production.

Collection
The acquisition of electronic information, which is  tagged as potentially relevant in the identification phase.

Processing
Electronic discovery processing must accommodate a wide variety of unstructured data, handle each form in a manner appropriate to its file type, and generate output that is structured in accordance with review requirements that often vary from one law firm to the next.

Review
At its most basic level the document review is used to sort out documents the company will actually provide and privileged documents that will be withheld.

Analysis
During this process, important knowledge for a case can be discerned from the large body of collected documents and email messages.

Production
With the unprecedented increase in the amount of electronic data that is being created and stored in the corporate environment, there has been a corresponding increase in focus on how that data that has been collected and reviewed is ultimately produced in civil litigation and regulatory investigation

Presentation
Displaying electronic information in front of audiences (i.e. depositions, hearings, trials, etc.), especially in native or near native file formats.

For more details on EDRM visit the Electronic Discovery Reference Model Project web site.

EDRM Guides Archive Strategy

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators