
Sending unprotected e-mails is like writing your private
details on a postcard and mailing it. Isn't it time companies spent
more on securing their e-mail systems? asks Paran
Chandrasekaran.
Just over half of companies suffered a data abuse
incident in 2002 with each attack costing on average £30,000,
according to the DTI.
Increasingly the focal point for data attacks is the wealth of
private and confidential information sent, received and stored on
e-mail.
Unprotected e-mail, which constitutes the vast majority of all
messages sent, is easy to intercept, modify, spoof and turn to
almost any malicious purpose.
The most accurate analogy is that sending an unprotected e-mail
is like putting private information on a postcard. This tool that
we depend on so much has become a major security threat to
businesses.
According to Diligence Information Security, more than 70% of
the IT security breaches in a company are committed by its own
staff, with intercepting and reading other people's e-mail without
permission a primary factor.
In many cases, sensitive information ends up being sent to the
press or to competitors, resulting in lost credibility and lost
earnings.
Barclaycard is a classic example. It recently won an industrial
tribunal defending its right to sack a worker who intercepted
confidential information on e-mail and sent it to competitors. But
the damage to its name and intellectual property had already been
done.
While internal security breaches are the most common risk with
e-mail, hacking by external third parties is a serious and
widespread problem.
External hacks range from "man in the middle" attacks, where
criminals intercept e-mail across the internet without their
victims knowing, to the growing problem of "spoofing".
Scottish law firm Blackadders is counting the cost of a spoofed
e-mail that a hacker sent to thousands of addresses, purporting to
be from a prominent partner at the firm who would be excessively
aggressive on behalf of his clients in legal proceedings.
Against this background of frequent attacks, protecting
electronic communications is considered an essential legal
requirement by the UK Data Protection Act 1998, EU data security
directive 95/46, the 2002 security guidelines of the Organisation
for Economic Co-operation and Development, and the widely
recognised international security standards, BS7799 and
ISO7799.
By ignoring best practice guidelines on information security,
any company sending an unprotected e-mail, which is then
intercepted, is open to claims for damages from the intended
recipient.
Several insurance claims relating to e-mail security breaches
have taken place in the US and this trend is likely to reach the UK
soon.
In this climate, more and more companies are taking precautions
to secure their e-mail. The old misconception that antivirus and
firewall software constituted complete security is being replaced
by a growing realisation that neither solution protects the content
of e-mail messages nor verifies the identity of the user.
Instead, true e-mail security involves using encryption to
protect confidentiality and digital signatures to ensure
authenticity, integrity and non-repudiation of messages.
The only obstacle to adopting e-mail security has been
cumbersome client-centric technology, which is expensive to
implement, complex for individuals to use and time-consuming for IT
staff to manage.
However, new server-centric e-mail security solutions have
eliminated these issues. They allow IT staff to roll out security
at a fraction of the cost of client-centric solutions, and manage
secure e-mail accounts across any number of PCs, laptops and office
sites from a central point. Seamlessly integrating into popular
e-mail applications, modern security solutions protect e-mail
without compromising its ease-of-use.
According to IDC, the IT security market in Western Europe will
grow from $1.9bn (£1.2bn) today to $5.9bn in 2006. With e-mail
protection the last remaining blind spot in most companies’
electronic security strategies, e-mail security should be one of
the primary recipients of this spend.
Paran Chandrasekaran is chief executive
officer of internet security specialist Indicii Salus. He will be
delivering a seminar on the need for e-mail security at
Infosecurity Europe 2003, Olympia, London, 29 April – 1st May.
www.infosec.co.uk