Maximizing E-mail Security ROI - Part IV - The Digital Monsters
under Your Bed: E-Mail Intruders
This is the last of a five-part series on Maximizing Email
Security ROI.
Remember your childhood fears? As soon as the lights went out, the
monsters under your bed began plotting ways to get you. Somehow,
though, you always managed to outsmart them and make it through
the night. Then one night you grew up, and the monsters went
away for good.
Well, they're back. And they've unionized.
International rings of hackers, many backed by funds from
organized crime groups, are the new monsters hiding under your
bed - only now they'll attack in broad daylight. They've realized
that there's money to be made by breaking into your network - lots
of money - and they want their "fair share." They have advanced
degrees, financial motivation and plenty of time to figure out
ways around software-based e-mail intrusion "solutions" (yes,
even the really, really expensive one you just installed - sorry).
Once hackers have discovered a way into your network, all bets
are off. They have access to any information residing on your
servers, including your customer database, employee personnel
files, bank account numbers and proprietary product information.
They can run denial-of-service attacks to take down mail servers
and disrupt your work environment. They can hijack your servers
and use them as "spam cannons," sending millions of fraudulent
e-mails purporting to be from your company. In short, they can
do whatever they want.
This week's newsletter will identify the specific dangers posed
by network intrusions and explain how keeping these new monsters
from stealing the digital lifeblood of your enterprise can
ensure that your investment in network security is handsomely
rewarded.
Determining E-mail Security ROI
When attempting to extract meaningful hard-cost data to evaluate
e-mail security ROI, damages can be broken into two categories:
Ongoing or Catastrophic. Ongoing costs tend to occur continually
and increase in scale. For instance, a 10% increase in spam
volume will result in 10% higher costs. Catastrophic costs, on
the other hand, are "one-and-done" losses that are intermittent
but categorically high when they occur. An example of a
catastrophic cost would be a single security breach that allowed
theft of proprietary intellectual property, causing millions of
dollars in losses. In general, failure to prevent e-mail
intrusions will result in expenditures that qualify as
catastrophic.
Liability
Last week's IronMail Insider discussed the costs associated with
allowing inappropriate
material to cross the enterprise gateway or pass between
workstations. The lawsuits resulting from companies failing to
enforce e-mail policy and being held responsible for the
messages crossing their networks all resulted in catastrophic
costs to the enterprise.
As with policy enforcement (and encryption, the topic of next
week's newsletter), intrusion prevention is paramount to a
company's efforts to comply with legislation regarding customer,
financial and patient information security. Federal legislation
such as HIPAA, Sarbanes-Oxley and GLBA provides for steep
financial penalties for corporations which fail to take the
necessary steps to ensure information security (up to $250,000
per incident). In addition, potential arrests and criminal
charges for company officers, and costly lawsuits from customers
and patients should provide all the incentive necessary for
companies to do anything possible to protect classified
information.
A terrifying example of the liability faced by an organization
which fails to prevent intrusions happened very recently. On
August 1, 2004, a database intrusion occurred through one
unsecured computer at the University of California - Berkeley.
The intrusion wasn't discovered until August 30, meaning the
hackers had a full month of unfettered access to the personal
information of as many as 1.4 million disabled and elderly
Californians, opening the door to a potentially devastating
class action suit by those affected. This incident serves as a
disturbing reminder that a single workstation can sacrifice the
identities of millions.
Reputation
Loss of trust from partners and customers due to a company's
failure to prevent hackers from accessing their network can be
just as destructive as any lawsuit. Failure to prevent
intrusions into an e-mail system will leave administrators with
few, if any, options after the damage is done. Business partners
will be understandably reluctant to share any of their
proprietary information, and customers will likely look to your
competitors to ensure that their private data is safe.
Not surprisingly, most companies will go to great lengths to
hide the fact that their systems have been compromised. Over 50%
of respondents to the 2004 Computer Crime and Security Survey by
the FBI and Computer Security Institute indicated that they did
not report system intrusions to law enforcement or legal counsel
because of fear of negative publicity. Of course, if they'd had
effective intrusion prevention in the first place, there
wouldn't be anything to report.
Asset/IP protection
The only way to ensure that all information residing on, or
accessible through, e-mail servers is protected is to make it
completely invisible to hackers and other would-be intruders.
While some software-based approaches do serviceable jobs of
detecting intrusion attempts and thwarting them when they
happen, the mere fact that the hacker knows where the network is
provides motivation enough to keep trying to find a way in.
When your company's intellectual property is stolen or otherwise
compromised, the catastrophic costs can be staggering. According
to the 2004 Computer Crime and Security Survey, a total of 269
respondents from U.S. corporations, government agencies,
financial institutions, medical institutions and universities
reported intellectual property losses totaling $11,460,000 in
damages from theft of proprietary information. An unfortunate
side note to this statistic: 98% of the survey respondents had
firewall protection in place, a revealing testament to the
ineffectiveness of stand-alone security components.
Get Rid of the Modern-Day Monsters
A comprehensive e-mail security approach including elements of
anti-spam, anti-virus, policy enforcement, intrusion prevention
and encryption is the most effective defense against all
external and internal threats. For more information on how to
protect your enterprise network from all manner of e-mail
threats, download CipherTrust's FREE whitepaper,