Online Exclusive: Best Practices for E-mail Security

By ALM Staff | Law Journal Newsletters | August 15, 2006

E-mail has tremendous potential to become a source of information leakage from any organization, but chief security officers are rapidly taking advantage of new technologies to stop leaks while still enabling the flow of appropriate information.

'Seventy percent of corporate data lives in e-mail today,' said Rami Habal, director of product marketing for Proofpoint, in a Webinar offered last week by Proofpoint. '[In other words], it is highly available through channels such as e-mail, blogs, instant messaging, and, increasingly, through peer-to-peer networks.'

For legal as well as business reasons, review of outbound e-mail is critical, and so is encrypting outgoing messages that contain individuals' information or private corporate information. 'Legal contracts, earning releases, and many other digital assets are easily exposed now, and this can have a huge impact on a business,' said Habal.

Habal said that companies should develop e-mail security programs that have these five fundamental characteristics:

  • Accurate detection. Minimize the incidence of false positives (such as a routing number being confused with a Social Security number, which would not be allowed in an outgoing e-mail). Minimize the incidence of false negatives (for example, by making sure proprietary price information stays in-house).
  • 'Frictionless' deployment and management. Many critical functions can be automated, such as updates from software security vendors and new security protocols from the company's security department.
  • No need for inside expertise. A good vendor will keep track of federal and state regulations and adjust e-mail protocols appropriately.
  • Granularity. Ability to adjust e-mail filters for different purposes, different user groups, exceptions, etc.
  • Simplicity of use. System should be managed through point-and-click procedures.

Companies should seriously consider the consequences of ignoring e-mail problems, Habal added. According to a study done by Proofpoint last year based on some of its typical customers, an organization will average 3-5 violations per day for every 1000 employees. Assuming a 40-hour workweek and 52-week year, this amounts to more than 6200 violations per year. Given that each violation will cost an organization about $90, on average, to resolve (a number generated by privacy consulting firm Gartner and Associates), the cost of violations reaches more than $560,000 per 1000 employees per year.

'This is the fundamental question you must wrestle with,' said Habal. 'What is the cost you will incur upfront to stop these violations, or are you willing to consider them the cost of doing business?'
