Outbound email monitoring, filtering to prevent data leakage, breaches

Using a variety of email security management products and content filtering, companies have recently begun monitoring outbound messages in an effort to reduce breaches, data loss and leakage.

We've all done it. Just after hitting the Send button, you realise that the email message and attachment you have just sent are on their way to the wrong Joe, Jim or Susan in your address book. The helpful auto-complete function in Outlook, designed to make life easier for you, has just landed you in trouble.

A quick follow-up message asking Joe, Jim or Susan to ignore and destroy the contents is usually enough to save further embarrassment. But it shows just how easily information can leak out via email unless you have controls in place.

And it's not just accidental leaks that can occur. Ed Macnair, CEO at email and Web security company Marshal Ltd., says he was called in recently to help a certain large soap manufacturer that was worried about a competitor stealing its ideas.

"The competitor had come out with very similar products within a timeframe that would not be possible from normal R&D cycles. They were suspicious," he says.

The company used Marshal to fingerprint certain confidential documents, and instructed both the WebMarshal and MailMarshal products to look out for them. "Within a week, they found two people were sending out confidential data to their competitors," says Macnair. In this instance, the perpetrators were using webmail to try and avoid detection.

While USB sticks have attracted most of the headlines about data leakage recently, email remains one of the most open (and obvious) channels for information to pass outside an organisation.

"We estimate around 80 per cent of the information leakage goes out via email, the reason being that it is so easy to use," says David Stanley, European managing director for Proofpoint Inc., an email management company. "It is much easier to send an email than transfer a file on to a USB stick and then lose it."

He says most organisations have concentrated on keeping out external threats and have only recently started to monitor outbound email, and the results can be surprising. In one instance last month, an NHS trust, suspecting that its security policies were not being followed, invited Proofpoint to monitor its outbound email traffic. The company discovered 137 security breaches in a single week.

In most cases, says Stanley, users were just trying to do their jobs and were cutting corners with no malicious intent. But some serious breaches were discovered and may result in punitive action.

Most email management systems provide users with filters and mechanisms to control outgoing messages, but up to now their use has been limited. Andrew Kellett, a consultant with the London-based Butler Group, says users are finally catching up with the technology.

"I think the vendors got the solutions in place before the marketplace was really ready for them," he says. "But control of outbound email is becoming more common now. In the general data leakage prevention strategy, the email channel is one where companies can most easily make a difference."

But as he points out, successful control depends on companies having a proper set of policies, which are properly communicated and protect the right information. "It is not a quick fix. You have to go through a lot of stages to do the job properly," he says.

James Blake, chief strategist at Mimecast Ltd., agrees: "Implementing an effective DLP strategy for email needs to be viewed in the context of an organisation's overall email compliance and risk management policy. Any email-oriented DLP solution must be content-aware as well as granular enough to deploy different policies for different users."

But as Sarah Deacon of Guidance Software Inc. points out, technology and policy have to track a moving target: "The majority of these systems rely on pre-created keywords, word weightings and document types to flag alerts and stop email travelling outside of an organisation. However, the type of information that can be leaked is ever changing and so there is a constant battle to maintain these criteria and traps."

It is also easy to overdo the security and create false positives, according to Patrick Walsh, marketing director at UTM (unified threat management) vendor eSoft Inc. "In practice, monitoring outbound emails - flagging the emails with NHS numbers, licence numbers, or with 'Confidential' stamped on them - results in a lot of false positives," he says. "The 'confidential' tag, for example, is often found in the footer of emails sent by lawyers."
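The weighted-keyword approach Deacon describes and the false positives Walsh describes can be seen side by side in the following sketch, which is an added example and not code from any vendor named in this article. The keyword weights, alert threshold, footer-delimiter convention and both sample messages are constructed assumptions; the Modulus 11 check digit is the standard validation for NHS numbers.

```python
import re

# Constructed weights and threshold: assumptions for illustration only.
KEYWORD_WEIGHTS = {"confidential": 3, "do not distribute": 5, "trade secret": 5}
NHS_WEIGHT = 6
ALERT_THRESHOLD = 6

NHS_CANDIDATE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")
# Assumption: a line holding only "--", dashes or underscores starts the footer.
FOOTER_START = re.compile(r"^\s*(-- ?|-{3,}|_{3,})\s*$", re.MULTILINE)

# Constructed sample messages.
LAWYER_MAIL = ("Hi Joe,\nThe meeting has moved to Tuesday. Ref 123 456 7890.\n--\n"
               "This email is confidential. Do not distribute.\n")
LEAK_MAIL = "Susan, the referral is attached (confidential).\nNHS number: 943 476 5919\n"


def nhs_number_valid(digits):
    """Modulus 11 check: weights 10..2 over the first nine digits."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = (11 - total % 11) % 11  # a result of 11 becomes 0
    return check != 10 and check == int(digits[9])


def score_message(body, reduce_fp=True):
    """Score a message; reduce_fp drops the footer and unvalidated numbers."""
    footer = FOOTER_START.search(body) if reduce_fp else None
    text = body[:footer.start()] if footer else body
    hits, score = [], 0
    for keyword, weight in KEYWORD_WEIGHTS.items():
        if keyword in text.lower():  # each keyword counts once
            hits.append(keyword)
            score += weight
    for match in NHS_CANDIDATE.finditer(text):
        digits = "".join(match.groups())
        if not reduce_fp or nhs_number_valid(digits):
            hits.append("nhs:" + digits)
            score += NHS_WEIGHT
    return {"score": score, "hits": hits, "alert": score >= ALERT_THRESHOLD}


if __name__ == "__main__":
    for name, mail in (("lawyer", LAWYER_MAIL), ("leak", LEAK_MAIL)):
        print(name, score_message(mail, reduce_fp=False), score_message(mail))
```

With the naive settings the routine message with a legal disclaimer trips the alert; with footer stripping and check-digit validation it scores zero, while the message carrying a valid NHS number in its body is still flagged.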

Much of the impetus to take control of outgoing email comes from the combined pressures of recent data-breach horror stories, and a need to comply with the growing body of regulation on data handling. But the security dangers are real, as an analysis of UK business by Forrester Research Inc. discovered early this year. The study found that two-thirds of UK companies were worried about email being used to disseminate company trade secrets or intellectual property, and 47 per cent had investigated a suspected leak of confidential or proprietary information via email in the previous 12 months.

And there are other advantages of monitoring email. According to Marshal's Ed Macnair, one company became so worried about its high level of staff turnover that it decided to check for any CVs going out over email. The CVs were not blocked, but the HR department was notified so that pre-emptive action could be taken to keep the employee in question. A pattern soon emerged: most of the applications were from staff working for the same unpopular manager. The staff turnover problem was soon solved.
