Report: Inadequate E-Mail Messaging Security in Most Organizations

E-mail messaging security leaves room for improvement in many large organizations, according to a survey of IT professionals.

Most organizations lack sufficient e-mail messaging security, according to a report released by Secure Computing, an enterprise security company. The report suggests that this security deficiency makes spam and unintentional data leakage bigger threats than they would be if proper protocols were in place.

Secure Computing commissioned IDC, a market research and advisory company, to survey 100 IT professionals in North American organizations with 500 or more employees. A small number of the participant groups were government agencies, according to Ken Rutsky, Secure Computing's vice president of product marketing.

In October 2008, the company disclosed the survey results in a white paper, Securing Email Against Today's Threats: A Wake-Up Call on the Benefits of Comprehensive Messaging Security, and also unveiled the results in a press release on Oct. 21.

According to the survey:

o 72 percent of organizations lacked a solution for preventing data leaks over e-mail.
o 89 percent of organizations lacked an effective anti-spam solution.
o 80 to 90 percent of data loss incidents are accidental - caused by employee insiders.
o Only 11 percent of organizations have adequate inbound threat protection.
o 85 percent of respondents reported concern about data leakage over e-mail, but only 28 percent implemented a system to prevent data leaks, while 56 percent planned to do so in the near future.

Employees sometimes unknowingly send out sensitive information over their workplace message programs. Rutsky mentioned a hypothetical scenario in which an employee attached a spreadsheet to an e-mail, but the spreadsheet contained a hidden column containing Social Security numbers. In a spreadsheet program like Microsoft Excel, users can "hide" columns so only certain information will show, but these obscured columns are often forgotten after they're hidden.

"People don't know the information is in there, or they know the information is in there, but they don't realize that it's confidential or risky to send that kind of information, or they trust the person they're sending it to, but that person then forwards it on to someone [else], so there's no record or audit trail of that information being sent," he said.

E-mails can also contain links to databases or sites with private information that should be available only to an organization's employees on the local intranet, but not to people outside of the organization on the Internet. Rutsky said he and his colleagues think protocols should be in place to safeguard against unintentional data leakage. According to the survey, 44 percent of organizations were extremely concerned about accidental data leakage, but only 5 percent felt the same way about employees deliberately revealing sensitive data.

Organizations are also vulnerable to spam, which can carry malware that infects workplace machines. Even when spam carries no malicious code, employees are annoyed by large quantities of junk mail in their inboxes. Rutsky said organizations can drastically cut down on spam rates with sufficient protection.

"In a 1,000-person organization, you end up daily with 5,000 more spam e-mails in users' inboxes if you're at 95 percent [spam blockage] effectiveness than if you're at 99.8, and that'll translate into four to five malware infections every day that you should be avoiding," he said.

The survey reports that 60 percent of participating organizations claimed less than 95 percent spam-blocking effectiveness, while 11 percent claimed at least 99 percent. According to the survey, many organizations still use older technology that can't keep up with more sophisticated spamming techniques or increasing volumes.

Other survey results include:

o 56 percent of organizations were most concerned about e-mail-borne malware via Web links;
o 49 percent were concerned about phishing attacks; and
o 47 percent were concerned about e-mail-borne malware via attachments.

Sixty percent of respondents said that a hybrid approach - a combination of internal software and protection via hosted services or cloud computing - would be most effective at stopping inbound e-mail threats. Thirty-four percent of respondents plan to implement virtualization security within a year.

"You will hear arguments that you should diversify [when it comes to security]," Rutsky said. "More typically, that you should use one. The classic argument is you should use one [antivirus] vendor on the gateway and another on the desktop - that you should have different vendors at different points in the network."

However, Rutsky suggested that eliminating unnecessary vendors makes managing security simpler and less expensive.

"I think organizations today - because of the economic pressure we're under - need to look for efficiency and cost-effectiveness and reducing the number of vendors you depend on for a critical area," he said.

Hilton Collins is a former staff writer for Government Technology and Emergency Management magazines.