Definitions: E-mail Security
Created on: Jan 25, 2009 7:00 PM by CrystalBedell - Last Modified: Jan 25, 2009 7:02 PM by CrystalBedell
Definition
E-mail security refers to the measures used to protect e-mail systems against a multitude of threats, including malicious code and data loss. There is a breadth of hardware, software and procedural methods that support e-mail security, and they are often used together to help ensure optimal protection.
Business applications
E-mail is a popular attack route for those attempting to steal sensitive information or disrupt business operations. E-mail is also considered a mission-critical application for many businesses, so its availability and integrity are of utmost importance. Businesses that neglect e-mail security are putting their companies at great risk.
Businesses can choose to deploy their own technologies as part of their e-mail security, or they can choose to outsource e-mail security to a service provider that filters incoming e-mail for malware, spam and other objectionable content.
Deployment concerns
Businesses should be careful not to oversimplify e-mail security. Desktop antivirus alone will not protect systems. Not only does e-mail face a variety of threats due to its very nature, it is also used differently by users and whole departments within an organization. Thus, implementing an e-mail security policy and the technology to support it can be challenging. Some users may be using e-mail as a filing system that, as a result, holds sensitive data, while departments may have varying levels of tolerance for e-mails that could pass as spam. Businesses should be sure to involve representatives from different departments to help ensure that all business needs are met while addressing otherwise hidden security vulnerabilities.
Of course, businesses also have to keep up with e-mail security technologies. According to a survey by IDC, 72 percent of companies are unable to stop data leaks via e-mail and 9 out of 10 companies do not have effective spam filters in place. New e-mail security solutions come on the heels of new threats. Businesses must keep their technology updated to remain protected against the latest threats, whether that means updating threat signatures or replacing hardware altogether.
Businesses interested in outsourcing their e-mail security should consider who will be controlling a critical piece of infrastructure. The business no longer has control over the e-mail systems when they are outsourced. For this reason, it’s especially important that businesses consider the e-mail security strategy adopted by the service provider, who is just as vulnerable to e-mail security threats as its customers. Businesses might also consider the potential delays that might result from adding one more “hop” in the e-mail route, although many service providers have mitigated this concern by building a fully redundant infrastructure that is load-balanced across multiple data centers.
Technical details
E-mail security appliances are an all-in-one approach to e-mail security. These hardware devices sit on the network, near the firewall. Incoming and outgoing e-mail is intercepted by the appliance, which scans messages for malware, spam and sensitive data. Some e-mail security appliances offer advanced features, and can also be configured to enforce security policies and regulatory compliance requirements.
A variety of software is also available to support e-mail security efforts, including encryption, antivirus, content filtering, anti-spam, anti-spyware and security suites, which package different software together into a single application.
Other network security technologies such as routers, intrusion-detection systems, and content filters can also support e-mail security efforts.


We practice Disaster Awareness, Preparedness and Recovery (DAPR). Basically, best practice dictates that you first strive to prevent disaster - DR sounds reactive. DAPR's principles state that "In the realm of risk, unmanaged possibilities become probabilities." Under this statement, any IT leader can then show risk to business, and make the logical case to Business for some measure of budget. Price Waterhouse Cooper and Carnegie-Mellon’s CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. As CIO, I look for ways to help my business and IT teams further their education. Check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: http://businessforum.com/DScott_02.html
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has a great chapter on security, and also reinforcing elements in many other chapters. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a bad outcome.