Sending unprotected e-mails is like writing your private details on a postcard and mailing it. Isn't it time companies spend more on securing their e-mail systems, asks Paran Chandrasekaran.
Just over half of companies suffered a data abuse incident in 2002, with each attack costing £30,000 on average, according to the DTI.
Increasingly the focal point for data attacks is the wealth of private and confidential information sent, received and stored on e-mail.
Unprotected e-mail, which constitutes the vast majority of all messages sent, is easy to intercept, modify, spoof and turn to almost any malicious purpose.
The most accurate analogy is that sending an unprotected e-mail is like putting private information on a postcard. This tool that we depend on so much has become a major security threat to businesses.
According to Diligence Information Security, more than 70% of the IT security breaches in a company are committed by its own staff, with intercepting and reading other people's e-mail without permission a primary factor.
In many cases, sensitive information ends up being sent to the press or to competitors, resulting in lost credibility and lost earnings.
Barclaycard is a classic example. It recently won an industrial tribunal defending its right to sack a worker who intercepted confidential information on e-mail and sent it to competitors. But the damage to its name and intellectual property had already been done.
While internal security breaches are the most common risk with e-mail, hacking by external third parties is a serious and widespread problem.
External hacks range from "man in the middle" attacks, where criminals intercept e-mail across the internet without their victims knowing, to the growing problem of "spoofing".
Scottish law firm Blackadders is counting the cost of a spoofed e-mail that a hacker sent to thousands of addresses, purporting to be from a prominent partner at the firm who would be excessively aggressive on behalf of his clients in legal proceedings.
Against this background of frequent attacks, protecting electronic communications is considered an essential legal requirement by the UK Data Protection Act 1998, EU data security directive 95/46, the 2002 security guidelines of the Organisation for Economic Co-operation and Development, and the widely recognised international security standards, BS7799 and ISO7799.
By ignoring best practice guidelines on information security, any company sending an unprotected e-mail, which is then intercepted, is open to claims for damages from the intended recipient.
Several insurance claims relating to e-mail security breaches have been made in the US, and this trend is likely to reach the UK soon.
In this climate, more and more companies are taking precautions to secure their e-mail. The old misconception that antivirus and firewall software constituted complete security is being replaced by a growing realisation that neither solution protects the content of e-mail messages nor verifies the identity of the user.
Instead, true e-mail security involves using encryption to protect confidentiality and digital signatures to ensure authenticity, integrity and non-repudiation of messages.
The only obstacle to adopting e-mail security has been cumbersome client-centric technology, which is expensive to implement, complex for individuals to use and time-consuming for IT staff to manage.
However, new server-centric e-mail security solutions have eliminated these issues. They allow IT staff to roll out security at a fraction of the cost of client-centric solutions, and manage secure e-mail accounts across any number of PCs, laptops and office sites from a central point. Seamlessly integrating into popular e-mail applications, modern security solutions protect e-mail without compromising its ease-of-use.
According to IDC, the IT security market in Western Europe will grow from $1.9bn (£1.2bn) today to $5.9bn in 2006. With e-mail protection the last remaining blind spot in most companies’ electronic security strategies, e-mail security should be one of the primary recipients of this spend.
Paran Chandrasekaran is chief executive officer of internet security specialist Indicii Salus. He will be delivering a seminar on the need for e-mail security at Infosecurity Europe 2003, Olympia, London, 29 April – 1st May (www.infosec.co.uk).