Posts Tagged ‘Compliance’
5 Simple Mistakes When it Comes to Email Security
Written by Jeff Orloff on June 13, 2011 – 6:01 pm
In just one week Google, the International Monetary Fund and Citigroup have all made headlines as a result of email associated with them being under attack. The reason we continue to see companies make the news as a result of email attacks is that email security is sometimes ignored when it comes to training users properly and making good decisions. In some cases, having the latest and greatest when it comes to security tools even creates a false sense of security that causes us, and our users, to overlook the little things. A multi-layered defense that has been properly configured with all the best technology can be rendered useless if the little things are forgotten.
Scanning outbound email could save your company millions
Written by Ed Fisher on November 23, 2010 – 5:51 pm
All of us know how critical email is in business today. We realise how dangerous this mission critical communications channel can be to the company and how many risks to our information systems email can present. We do everything we can to secure ourselves against the threat of incoming email; we scan for malware, we scan for spam. We use filters at our borders, and we parse lists of sender addresses to reduce the chance that an email carrying a threat will get into our systems.
But what about outbound mail? Do we do anything at all about outgoing mail? Do we look at it as a potential threat, or do we trust it implicitly, since, after all, it was generated internally by one of our users? Scanning outbound email for malware is just good security sense. The embarrassment and ill will a company could incur by sending an infected email to a customer is one aspect. Another is leakage of sensitive information. Data Loss Prevention looks at the ways to protect information from loss of confidentiality, integrity, and availability, with an emphasis on ensuring that mission critical information does not leak to the outside world. Email, being the largest source of outbound information most companies experience, is a key area to focus on in your Data Loss Prevention efforts.
Compliance driving up security costs, report says
Written by John P Mello Jr on October 20, 2010 – 5:31 pm
Email administrators can add compliance to their list of growing costs on their budgets, according to a report released recently by the Security for Business Innovation Council, which is a group of security executives from companies in the Global 1000.
The report, “A New Era of Compliance: Raising the Bar for Organizations Worldwide,” maintained that a new compliance landscape is forming, one that will be driving up costs and risks for businesses around the world.
“As the compliance landscape gets more complex, demonstrating compliance gets more time consuming and costly,” it said.
Four trends were identified in the report as factors driving organizations to take their security responsibilities more seriously than they have in the past.
- Strengthened enforcement.
- Global spread of data breach notification laws.
- Increasingly prescriptive regulations.
- Growing business partner requirements.
Some Reasons for an On-Premise Deployment of Exchange Server
Written by Paul Mah on September 9, 2010 – 9:24 pm
We hear a lot of talk these days about the benefits of a hosted Exchange deployment. Probably reflecting the desires of IT managers on the ground, Microsoft’s latest and greatest version of the Exchange messaging server, better known as Exchange 2010, was touted by Microsoft to be “designed from the ground up” to be equally at ease running as a hosted service or as an on-premise solution.
While running one’s Exchange server on a hosted service certainly does have its allure, e-mail administrators or IT managers ultimately need to consider and weigh the merits of both scenarios carefully. So when does it make sense for organizations to opt for an on-premise deployment of Exchange?
Let’s take a look at some of them today.
More choice of anti-spam and anti-malware solutions
The state of spam and malware proliferation via e-mail today means there is little tolerance for any Exchange installation that is not protected by some sort of spam and malware filtering. While most hosted Exchange providers incorporate some form of spam protection, choices offered might be limited or expensive. The alternative would be to opt for a cloud-based anti-spam service by using MX forwarding, though adding in another hosted service does increase the recurring cost of the hosted Exchange deployment.
On the other hand, an on-premise installation of Microsoft Exchange gives businesses a free rein on whether they want to rely on a cloud-based anti-spam service or a traditional server-deployed solution such as GFI MailEssentials, which allows for a greater degree of configurability. In fact, it is entirely feasible to deploy both in tandem if necessary.
Five ways to focus your workers on compliance
Written by John P Mello Jr on June 4, 2010 – 2:49 pm
The Pyramid of Compliance.
Most business initiatives need employee “buy in” to work and compliance is no exception. Automated systems can impose a degree of uniformity in enforcing initiatives, but where the rubber meets the road will always be where your workforce interacts with your systems. An employee that embraces your policies and procedures can be your best protection from threats like email borne malware, as well as assurance that your organization is complying with industry and regulatory mandates.
How do you focus your people on compliance? Here are five suggestions from Ernie Hardin, founder and owner of 443 Consulting, an information security and business continuity consultancy in North Bend, Wash.
1. Get ’em at the Door
Probably the easiest worker to obtain buy-in from is the new hire. He or she is a clean slate without some of the baggage of existing workers. New hires are also eager to please their new employer so they’re more willing to accept your compliance rules.
What should be included in a new hire’s introduction to compliance? A message from your company’s CEO emphasizing the employee’s role in the security of the firm can be very valuable in attaching importance to compliance. Of course the nuts and bolts of external rules and regulations that your business has to comply with–HIPAA for medical facilities, for example, or Sarbanes-Oxley for publicly traded companies–need to be explained, as well as your firm’s appropriate use policy relating to email and Internet usage.
2. Get ‘em Where They Eat
“Brown Bag” training sessions can be a useful approach to getting current employees on board with your compliance program. The key to making these successful, though, is to bait them with something that appeals to the worker’s self-interest. Free lunches are hard to resist, but tailoring your message is important, too. For example, Hardin points out that a session could be structured around computer security at home–a topic of some importance to most of your workers. Since good security practices at home overlap with good security practices at the office, the session would be killing two birds with one stone.
“Fortunately, this training also reinforces good security habits, which, in turn, employees tend to bring back to the work environment,” Hardin writes.
E-discovery demands to double in three years
Written by John P Mello Jr on October 9, 2009 – 4:15 pm
Clark: "We hire attorneys for their IP and not their IT."
Electronic discovery has increased demands on storage systems, and that’s likely to continue.
According to Michael A. Clark, a managing director at EDDix LLC, an electronic discovery consulting firm, corporations with revenues greater than $1 billion are carrying around a caseload of 150 active matters, 35 to 40 percent of which involve electronic discovery. With the new rules of Federal Civil Procedure adopted last December, he observed, “we’re going to see an ink blotting downward of electronic discovery to ever smaller matters.” He projects that within the next three years that 35 to 40 percent will move to 75 percent.
Finding information within the enterprise has always been a challenging task for legal ferrets, but those challenges have ballooned in recent times, according to Clark. “There are now not only more things to find, but more places to look for them than there had been before,” he said in a video interview posted at SearchStorage.com.
Finding information is a big challenge to operators of an enterprise network, but so too is deciding what should be stored and how long to store it, Clark noted.
“A number of corporations are devoting considerable resources to creating retention policies and then trying to enforce those policies,” he observed.
Self-service retrieval
Written by Dan Blacharski on July 10, 2009 – 4:03 pm
The administrator may appropriately be tasked with administering, or at least overseeing, the process of email archiving, if for no other reason than the fact that end-users are not likely to do it themselves. The process of archiving emails, if left to individual end-users, would be chaotic at best. Uniform standards must apply, and archiving needs to be done according to a rule-based procedure; without such a rule-based procedure, the enterprise risks falling out of compliance with one or more legislative mandates.
But there are two pieces to the archiving puzzle: Putting things into it, and taking things out of it. The first part can be largely automated and done according to a set of rules that specify that emails get archived after a certain period of time. But as for the other end—searching the archives—that’s another story entirely.
Agencies fizzle on FISMA compliance
Written by Dan Blacharski on June 1, 2009 – 2:10 pm
While the rest of us are struggling under threat of penalty to comply with an ever-increasing array of security-related regulations, the federal government itself is failing miserably in practicing what it’s been preaching.
The GAO issued a report this week on how government agencies have been responding to the Federal Information Security Management Act of 2002 (FISMA), which requires government agencies to create agencywide information security programs with supporting security architectures.
The report concluded that out of 24 government agencies, 23 of them had inadequate authorization controls, and 22 said that information security was a “major management challenge.” The agencies also came up short in several other security-related areas, and poor IT security continues to be seen throughout government. According to the report, all 24 agencies have reported multiple security incidents where sensitive information has been either lost or stolen.
Who audits the auditor?
Written by Dan Blacharski on May 29, 2009 – 4:02 pm
If you are subject to compliance with a regulation like HIPAA or Sarbanes-Oxley, you need to know your own internal systems are safe and secure and customer data is kept private, and you also need to know that the systems of your partners are equally protected.
That’s the hard part of compliance. You have control over how you implement security and impose email protections inside your own company, but you have less control over companies that are separate from yours but within your sphere of influence.
A study recently showed that 20 percent of security professionals are “cheating” to pass an audit, especially if it is a self-audit. In such audits, which are run largely on the honor system, you attempt to satisfy your compliance requirements by providing a checklist to the partners that have access to your systems or data. The partner verifies that they have done certain things, or have implemented certain precautions, and sends the list back. All bases are covered, right? Not always–without an external auditor, there is no validation, and there may be a risk of falling out of compliance.
Reduce dependency on PST files
Written by Dan Blacharski on May 19, 2009 – 3:38 pm
PST (Personal Storage Table) files can be a nuisance and a cause of some difficulties. There are plenty of how-to’s out there on how to manage them, tweak them, and manipulate them, but the best strategy of all is to avoid them altogether.
The PST files can be stored either on the Exchange server or locally. The immediate advantage of local storage of the PST files is that it provides an easy and readily accessible location for old emails. But although a great many email environments are set up for local storage of PST files, it goes without saying that the local storage option is a bad idea that offers very little in the way of protection against disaster, loss, or attack.
However, with more companies falling under the purview of one or more compliance-related legislative mandates, usage of PST files must be revisited. If there is a retention requirement that calls for storing emails for a certain period of time, it’s pretty easy to get around that requirement. Electronic discovery may also be a problem if PST files are used and stored locally, even temporarily.