Maximizing E-mail Security ROI - Part IV - The Digital Monsters under Your Bed: E-Mail Intruders

Th is is the last of a five-part series on Maximizing Email Security ROI. Remember your kid fears? As soon as the lights went out, the monsters under your bed began plotting ways to get you. Somehow, though, you always managed to outsmart them and make it through the night. Then one night you grew up, and the monsters went away for good. Well, they're back. And they've unionized. International rings of hackers, many backed by funds from organized crime groups, are the new monsters hiding under your bed-only now they'll attack in broad daylight. They've realized that there's money to be made by breaking into your network-lots of money-and they want their "fair share." They have advanced degrees, financial motivation and plenty of time to figure out ways around software-based e-mail intrusion "solutions" (yes, even the really, really expensive one you just installed-sorry). Once hackers have discovered a way into your network, all bets are off. They have access to any information residing on your servers, including your customer database, employee personnel files, bank account numbers and proprietary product information. They can run denial-of-service attacks to take down mail servers and disrupt your work environment. They can hijack your servers and use them as "spam cannons," sending millions of fraudulent e-mails purporting to be from your company. In short, they can do whatever they want. This week's newsletter will identify the specific dangers posed by network intrusions and explain how keeping these new monsters from stealing the digital lifeblood of your enterprise can ensure that your investment in network security is handsomely rewarded.

Determining E-mail Security ROI

When attempting to extract meaningful hard-cost data to evaluate e-mail security ROI, damages can be broken into two categories: Ongoing or Catastrophic. Ongoing costs tend to occur continually and increase in scale. For instance, a 10% increase in spam volume will result in 10% higher costs. Catastrophic costs, on the other hand, are "one-and-done" losses that are intermittent but categorically high when they occur. An example of a catastrophic cost would be a single security breach that allowed theft of proprietary intellectual property, causing millions of dollars in losses. In general, failure to prevent e-mail intrusions will result in expenditures that qualify as catastrophic.

Liability

Last week's IronMail Insider discussed the costs associated with allowing inappropriate material to cross the enterprise gateway or pass between workstations. The lawsuits resulting from companies failing to enforce e-mail policy and being held responsible for the messages crossing their networks all resulted in catastrophic costs to the enterprise. As with policy enforcement (and encryption, the topic of next week's newsletter), intrusion prevention is paramount to a company's efforts to comply with legislation regarding customer, financial and patient information security. Federal legislation such as HIPAA, Sarbanes-Oxley and GLBA provides for steep financial penalties for corporations which fail to take the necessary steps to ensure information security (up to $250,000 per incident). In addition, potential arrests and criminal charges for company officers, and costly lawsuits from customers and patients should provide all the incentive necessary for companies to do anything possible to protect classified information. A terrifying example of the liability faced by an organization which fails to prevent intrusions happened very recently. On August 1, 2004, a database intrusion occurred through one unsecured computer at the University of California - Berkeley. The intrusion wasn't discovered until August 30, meaning the hackers had a full month of unfettered access to the personal information of as many as 1.4 million disabled and elderly Californians, opening the door to a potentially devastating class action suit by those affected. This incident serves as a disturbing reminder that a single workstation can sacrifice the identities of millions.

Reputation

Loss of trust from partners and customers due to a company's failure to prevent hackers from accessing their network can be just as destructive as any lawsuit. Failure to prevent intrusions into an e-mail system will leave administrators with few, if any, options after the damage is done. Business partners will be understandably reluctant to share any of their proprietary information, and customers will likely look to your competitors to ensure that their private data is safe. Not surprisingly, most companies will go to great lengths to hide the fact that their systems have been compromised. Over 50% of respondents to the 2004 Computer Crime and Security Survey by the FBI and Computer Security Institute indicated that they did not report system intrusions to law enforcement or legal council because of fear of negative publicity. Of course, if they'd had effective intrusion prevention in the first place, there wouldn't be anything to report.

Asset/IP protection

The only way to ensure that all information residing on, or accessible through, e-mail servers is protected is to make it completely invisible to hackers and other would-be intruders. While some software-based approaches do serviceable jobs of detecting intrusion attempts and thwarting them when they happen, the mere fact that the hacker knows where the network is provides motivation enough to keep trying to find a way in. When your company's intellectual property is stolen or otherwise compromised, the catastrophic costs can be staggering. According to the 2004 Computer Crime and Security Survey, a total of 269 respondents from U.S. corporations, government agencies, financial institutions, medical institutions and universities reported intellectual property losses totaling $11,460,000 in damages from theft of proprietary information. An unfortunate side note to this statistic: 98% of the survey respondents had firewall protection in place, a revealing testament to the ineffectiveness of stand-alone security components.

Get Rid of the Modern-Day Monsters

A comprehensive e-mail security approach including elements of anti-spam, anti-virus, policy enforcement, intrusion prevention and encryption is the most effective defense against all external and internal threats. For more information on how to protect your enterprise network from all manner of e-mail threats, download CipherTrust's FREE whitepaper,