E-mail and instant messaging connect your network to the outside world, which makes them significant security risks. This article explores how midsize businesses can minimize those risks without impeding employee productivity.
In Summary:
• Policies are not enough: The average user needs education about how and why to comply.
• Deploy multiple layers of defense to protect your network against threats.
• Block applications and features that are not business-critical and may pose security risks.
It's only a matter of time before one of your employees unwittingly opens the door to your network. And the price of a security breach could be large. Computer Economics, an IT research firm in Irvine, Calif., estimates that in 2005, viruses alone were responsible for losses of $14.2 billion to companies worldwide. BlackSpider Technology, an e-mail filtering vendor in the United Kingdom, found a virus in one of every 157 messages it screened in September 2006. Malicious code writers now incorporate several different kinds of malware into a single e-mail weapon designed to obliterate your network defenses.
"In one new attack, you get an e-mail alert that there's a new plug-in for your instant messaging program," says Eric M. Cole, a senior scientist at Lockheed Martin Information Technology in Washington, D.C. "When you click on the link," he continues, "it's a Trojan horse that installs a virus on your system, which spawns a worm that e-mails the same alert to everyone on your IM buddy list." Another type of attack instructs the virus code to recompile every time it runs. "It's a little different every time, and your antivirus software is always one step behind," adds Cole, author of five books about security.
Unfortunately, many companies are not prepared when it comes to e-mail and IM security, according to a recent Aberdeen Group study involving IT and business managers at companies in North America, Europe, and Asia. In the research firm's 2006 Messaging Security Benchmark Report, 72 percent of companies consider the external interception of confidential data to be a medium or high threat, yet only 25 percent have implemented messaging encryption solutions to fight back. Likewise, while 80 percent of participants are aware of the threat of confidential data loss by insiders, only 43 percent have implemented messaging security solutions.
If you don't already have a specific strategy for e-mail and IM protection, it's time to establish one. Here's how to get started.
1. Workforce education: The first line of defense
If one in every 157 envelopes delivered to your office contained a bomb, people would soon stop opening their mail. With electronic communication, though, they often assume the IT department has made sure the inbox is safe. It's not a good idea to trust that your employees can recognize something questionable, says Maurene Caplan Grey, an expert on electronic messaging.
The average user often ignores even the basics of safe computing:
• Do not open attachments from unknown senders.
• Do not click on anything from an unfamiliar source.
• Block instant messages from strangers.
• Do not download or install unauthorized software.
Grey, formerly an analyst with the research and consulting firm Gartner and now an independent consultant, recommends that even small companies develop an electronic communications policy and education program.
Although this may seem elementary, far too many businesses neglect this essential step, Cole notes. He suggests basing policies on the assumption that your employees know nothing about network security or, worse yet, think the rules don't apply to them.
Employee security guidelines might include the following information:
• A description of risky behavior; no one can plead ignorance if you describe forbidden practices and suspicious network activity
• The potential consequences (downtime, budget cuts, lost sales, etc.) of a breach
• Types of network traffic employees should report to the IT staff immediately
• Penalties for failing to comply with policies
It's crucial to not allow business managers to exempt themselves, says David Vella, product manager at GFI, a Microsoft Gold Certified security specialist based in Malta. You may never be able to achieve 100 percent compliance, but your chances improve when employees know the same rules apply to everyone, including the CEO.
2. Choose an all-in-one solution, hosted security, or both
For midsize companies with minimal IT expertise or budget, Grey suggests a hosted security solution such as Microsoft Exchange Hosted Filtering, which screens and filters e-mail before delivering it to your internal mail server. A hosted solution moves the basic tasks of e-mail management to the vendor's servers, freeing your own infrastructure and IT staff for other tasks.
If you prefer more direct control over network security, consider the Microsoft Forefront line of business security products, with layered protection against junk e-mail, viruses, and worms. Forefront applications, such as Microsoft Forefront Client Security, integrate with Microsoft Exchange Server, Microsoft Office SharePoint Server 2007, and Microsoft Office Communications Server 2007 for protection at multiple points in the e-mail infrastructure. A combination of solutions at both the e-mail gateway (through a hosted service) and the desktop doubles your chances of thwarting hackers. Depending on your business needs, you might choose this multilayered messaging security strategy.
3. Lock down your network: Prohibit all non-business uses
Don't waste time, energy, and money securing applications or features that are not core to your business. Some suggestions:
• Block consumer IM programs entirely. If you must use instant messaging, choose a secure enterprise IM application.
• Block unauthorized applications and tools, and prohibit employees from downloading or installing them.
• Disable macros on desktop applications to thwart macro viruses.
• Set your firewall and e-mail filters to screen out messages that carry obvious or hidden executable programs.
• Identify and map every computer, server, peripheral, and application on your network. Remove any unauthorized devices or programs immediately, before they can introduce security breaches.
• If your business requires employees to exchange documents with contractors, customers, or remote users, eliminate the problem of attachments entirely by using a secure Web portal, such as Office SharePoint Server 2007, to exchange files (SharePoint Server 2007 also is a good solution for secure internal virtual workspaces).
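The suggestion to screen out messages carrying "obvious or hidden" executables is easier to act on with a concrete check. The following Python script is an added example, not code from the article or from any product it mentions. It parses a raw e-mail with the standard library, then flags an attachment if its declared name ends in a Windows-executable extension (which also catches double extensions such as invoice.pdf.exe), if its bytes begin with the DOS/PE "MZ" header regardless of the filename or MIME type it claims, or if it is a ZIP archive containing an executable member. The extension list and the four-attachment sample message are constructed for the example; a real gateway filter would use a policy-driven list and run this against every inbound message.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that Windows will run directly (constructed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "msi", "cpl", "dll",
}


def extension_of(name):
    """Lowercase final extension of a filename, or '' if it has none."""
    if not name or "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower().strip()


def classify_payload(filename, data):
    """Return a reason string if the attachment looks executable, else None."""
    # Obvious case: the declared name ends in an executable extension.
    if extension_of(filename) in EXECUTABLE_EXTENSIONS:
        return "executable extension"
    # Hidden case: the content is a DOS/PE executable whatever the name says.
    if data[:2] == b"MZ":
        return "PE/DOS executable header"
    # Hidden case: a ZIP archive whose members include an executable.
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if extension_of(member) in EXECUTABLE_EXTENSIONS:
                        return f"archive contains executable: {member}"
        except zipfile.BadZipFile:
            # Claims to be a ZIP but cannot be parsed; treat as suspicious.
            return "unreadable archive"
    return None


def find_executable_attachments(raw_message):
    """Scan a raw RFC 822 message; return a list of (filename, reason)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        reason = classify_payload(name, data)
        if reason:
            findings.append((name, reason))
    return findings


def build_sample_message():
    """Constructed message: one harmless attachment and three risky ones."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Updated files"
    msg.set_content("Please review the attached documents.")
    # Harmless text attachment.
    msg.add_attachment("quarterly notes", subtype="plain", filename="notes.txt")
    # Obvious: double extension ending in .exe.
    msg.add_attachment(b"not really a pdf", maintype="application",
                       subtype="pdf", filename="invoice.pdf.exe")
    # Hidden: PE header behind an innocuous name and image MIME type.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    # Hidden: ZIP archive that carries an executable member.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.exe", b"MZ")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in find_executable_attachments(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```

Checking the bytes rather than trusting the filename or MIME type is what turns this from an "obvious" filter into a "hidden executable" filter: renaming an .exe to .jpg changes neither the MZ header nor the archive listing. Nested archives and password-protected ZIPs (whose member names are still readable) are left for a fuller gateway product.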
Yes, some people may complain, but employees have Internet access so they can do their jobs, not entertain themselves. Says Cole: "The pain of risking data security is greater than the pain of telling employees they can't just e-mail and IM anyone they want."
Fawn Fitter is a freelance writer in San Francisco, specializing in business and technology. She has written for publications including Fortune Small Business, Knowledge Management, and Computerworld.