Much time and money has been spent protecting e-mail systems, and the industry has done a good job of reducing the threats that led to infamous meltdowns, such as the Melissa and ILOVEYOU viruses of 1999 and 2000, respectively. The spending, much of which now is focused on the related challenges of spam and botnet prevention, continues.
This Processor story does a good job of describing just how broad the e-mail security challenge has become. The takeaway is that e-mail has become so ingrained in just about everything an organization does that the dangers cross many lines. Thinking that the problem is handled easily by running current antivirus software is simplistic.
For instance, many employees use their e-mail systems as a "de facto filing system," says one executive quoted in the piece. That means that a tremendous amount of sensitive data no doubt resides in the system. This, obviously, has implications for the level of security afforded e-mail archives. Also, employees use e-mail to steal proprietary data. Neither of these two problems has anything to do with viruses, and both demand responses that have technical and policy components.
Folks also are lazy. This story in ITNews is based on a survey done in Europe. There is no reason, however, to think that the basic findings are not relevant in the U.S. The study, which was done by Mesmo, found that 82 percent of personal assistants to corporate managers accidentally read confidential e-mail. The reason was that the messages were inadvertently sent to low-security shared mailboxes.
Experts talk about the need for security policies on a number of issues, including e-mail. The Processor article points out that every department must be involved in creating e-mail policies. This can be more complicated than it seems, since there generally are several agendas in play at any given point. For instance, the story says, the marketing department may want spam rules that allow a higher portion of outside marketing materials to be delivered, while the legal folks require a disclaimer at the bottom of each message.
It's safe to add that at some points the various agendas may be in conflict. It is important to understand that the entire organization -- not just IT -- must have a say in how the e-mail system is configured and the nature of the rules controlling it. Inclusive approaches likely will reduce instances in which employees try to circumvent the rules.
IT managers and security personnel must see the big picture in e-mail security and then protect their networks accordingly. Today, it seems, as many threats rely on human misjudgments as on malevolent code.