Understanding messaging use

Here’s another section from MessageGate’s recent MarketInsight report – Reshaping Information Security.  This section deals with the very real and pressing need for all companies to get a thorough understanding of how email and other types of messaging are currently being used. 

Understanding Current Usage

A key element in reshaping information security for enterprise messaging is to gain a clear and timely understanding of what is coming and going.  Many companies had some type of basic content filtering in place that was prone to false positives and/or of limited business value, either because of staffing cuts or because the reported results lacked relevance.  Being able to act on something when it happens depends on knowing that it occurred.

Simple things like knowing how much “noise” is coming and going via email – status messages, alerts, newsletters, and out-of-office replies – are essential first steps.  Tackling the expanding email volume as Blackberries and other mobile devices are placed in the hands of employees, as well as trying to harness the knowledge management aspects of email, requires measuring usage and understanding how it changes over time.

In many cases, questions arising around the need or worth of doing something were directly answered in the affirmative after a thorough review and audit of messaging activity.  This is about much more than just monthly email volume and statistics, but a window into usage and how email is the de facto workflow tool in the organization.
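One way to start the kind of usage audit described above is to sort traffic into the noise categories named in this section and measure their share.  The script below is an added example, not MessageGate’s code; the sample messages are constructed, and the category rules (the headers and sender patterns checked) are assumptions made for illustration.

```python
"""Tally email 'noise' (auto-replies, newsletters, alerts) versus working mail.

Added example, not MessageGate's code.  Sample messages are constructed and the
classification rules are assumptions chosen to illustrate the approach.
"""
import re
from collections import Counter
from email import message_from_string
from email.message import Message

# Constructed sample traffic: five header blocks with fictitious addresses.
SAMPLE_MESSAGES = [
    "From: alice@example.com\nTo: bob@example.com\nSubject: Q3 contract draft\n\nPlease review.\n",
    "From: bob@example.com\nTo: alice@example.com\nSubject: Automatic reply: Q3 contract draft\n"
    "Auto-Submitted: auto-replied\n\nI am out of the office.\n",
    "From: news@vendor.example\nTo: alice@example.com\nSubject: Weekly digest\n"
    "List-Unsubscribe: <mailto:unsub@vendor.example>\nPrecedence: bulk\n\nThis week...\n",
    "From: monitor-noreply@example.com\nTo: ops@example.com\nSubject: ALERT: disk usage 91% on db01\n\nThreshold exceeded.\n",
    "From: alice@example.com\nTo: carol@example.com\nSubject: Re: Q3 contract draft\n\nLooks good.\n",
]

# Assumed patterns for unattended senders and auto-reply subjects (not a standard).
AUTOMATED_SENDER = re.compile(r"(noreply|no-reply|donotreply|alerts?|monitor)", re.I)
AUTOREPLY_SUBJECT = re.compile(r"^(automatic reply|out of office|autoreply)", re.I)


def classify(msg: Message) -> str:
    """Return one of: auto-reply, newsletter, alert, business."""
    subject = msg.get("Subject", "")
    sender = msg.get("From", "")
    # RFC 3834 marks auto-responses with Auto-Submitted; subject prefixes are a fallback.
    if msg.get("Auto-Submitted", "no").lower() != "no" or AUTOREPLY_SUBJECT.search(subject):
        return "auto-reply"
    # Mailing-list and bulk headers identify newsletters and list traffic.
    if msg.get("List-Unsubscribe") or msg.get("Precedence", "").lower() in ("bulk", "list"):
        return "newsletter"
    # Machine-generated status and alert mail from unattended senders.
    if AUTOMATED_SENDER.search(sender):
        return "alert"
    return "business"


def classify_raw(raw: str) -> str:
    """Classify a raw RFC 5322 message string."""
    return classify(message_from_string(raw))


def usage_profile(raw_messages):
    """Count messages per category and return the fraction that is noise."""
    counts = Counter(classify_raw(raw) for raw in raw_messages)
    total = sum(counts.values())
    noise = total - counts["business"]
    return dict(counts), (round(noise / total, 2) if total else 0.0)


if __name__ == "__main__":
    counts, noise_share = usage_profile(SAMPLE_MESSAGES)
    print(counts, f"noise share: {noise_share:.0%}")
```

Run against a real mailbox export (for example an mbox file) the same counts, tracked month over month, give the trend the section says is needed.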

Navigating the legal & regulatory aspects of corporate messaging

The last section from our Reshaping Information Security MarketInsight report.  This section covers the myriad regulatory and legal issues that come with taking a proactive stance around corporate messaging.

Legal & Regulatory Climate

There was a significant amount of discussion about legal and regulatory requirements and constraints across all industries and geographies.  Rather than get confused or seek out interpretation of all current and future regulations, start with “Common Security 101.”  Doing the basics will cover most areas; once that is complete, look to see what additional measures might be warranted based on known regulations with clear policies.  Focus on starting with good practices versus chasing statutes.

As for what to do about an incident or event once it is detected, there were two main points.  The first was that monitoring has huge legal and cultural implications and “if I know, I have to do something about it.”  Secondly, IT does not want to take the lead on this issue; rather, the business needs to lead IT and identify the operational requirements that must be met.  There is even a definitional difference between an “event” and an “incident,” with the latter being more formal/serious.  Unfortunately, executives and legal personnel don’t understand the technology, in terms of tools and capabilities, well enough to know what is realistic, and IT needs guidance from legal on what system controls to implement.

Defining what is appropriate versus inappropriate has proven very difficult.  There are certainly black and white scenarios, but what about the gray area in between?  There is no list of what is appropriate to balance the details around what is inappropriate, and when you try to define what is appropriate, you are trying to define the world.  It is easier to define what not to do than what to do, leading several participants to ask – what is meant by “authorized?”

As for conflicting rules and regulations based on country, take the least risk policy globally and implement it organization-wide because different countries have different rules.  You can’t get 100% coverage, but you can get a good program of governance.

You can’t take the user out of the equation – Part 2

The second part of the post on End User Behaviors from our MarketInsight report.

End-user Behaviors (continued)

The topic of training came up repeatedly whether we were talking about encryption and how its proper use relies on end-user training or that, at a high-level, it makes a lot more sense to educate people than to react to incidents once they have occurred.  There was general agreement that expenditures on technology could actually be less with proper (re)training programs in place to provide constant education and build awareness.

There is a deep down expectation of privacy that most, if not all, employees have about their corporate email even though none exists.  Most companies allow “reasonable personal use” but struggle with how to define it or where to draw the line, but many participants admitted that even they did the things they were telling people not to do – underscoring the difficulty in solving the problem and that this is not just about technology but people.

Providing immediate feedback to the user is one way to create awareness and to change behaviors.  When providing feedback, the wording of the message can prove difficult to nail down, requiring much iteration with corporate legal departments.  In one case, a log-in banner was rewritten because its welcoming tone was interpreted as “too welcoming” and might be construed as inviting unauthorized users onto the network.

Other forms of awareness building included “email awareness emails” (the irony of which is apparent) and one company cited how they provided people cell phone reminder cards showing employees how much a cell phone could cost above and beyond a land line.  This simple awareness program reduced cell phone expenditures by some 25%!

Awareness and education were certainly viewed as the best possible avenues to address the people aspects of email usage.  However, as one CISO pointed out, the next generation of workers will enter the workplace with mobile phones, their own laptops, etc., and a certain sense of “entitlement” to intellectual property, as they grew up with freeware/shareware and have limited to no concern for copyrights or information protection.

No matter what, an effective information security program for email will rely on the employees and their awareness as a key ingredient in changing culture and behaviors.  As another participant summed up, “everybody speeds” but we “have to teach them” about the limitations and risks, as smart people will continue to find workarounds if safeguards are perceived to be barriers placed in their way.


You can’t take the user out of the equation – Part 1

One of the more compelling sections from our recent Reshaping Information Security MarketInsight study.  This section (broken into two parts due to length) is about the central issue companies face as it relates to the messaging technologies they deploy – how people use the technology available to them. 

End-user Behaviors

Another consistent point of view was the role the end-user plays (or doesn’t play) in ensuring proper procedures are followed and risks avoided.  One participant remarked “it is essential to protect employees from themselves.”  Maybe a bit alarmist, but the point remains that there is a huge need for and associated gap in training, awareness, and understanding.

Certainly it is unrealistic to expect every employee to think through every rule, policy, legal precedent, and applicable regulation before hitting the “send” button.  Because email is the clearest record of events, it prompted one participant to suggest a “Miranda Warning” for email in that anything you say can and will be held against you.

There is a challenge to define and draw the line between reasonable personal use and unauthorized or unacceptable use of corporate email.  Companies have approached this gray area in a variety of ways including providing education “early and often” hoping that repeating the message will “eventually change behavior” or even disabling access if routine training is not completed.  On-line programs are provided for security awareness training and those workers that are temporary or contract are required to take it more often than full time employees.

The key challenge here is that the solution must be designed for the least effective employee regardless of their employment status and we heard over and over that the higher up the chain of command you go, the worse the offenders can be – making leadership by example a key element to changing end-user behaviors.  As with any enforcement program, there must be consequences to breaking the rules and some organizations are reluctant to do this based on a specific person’s role or perceived importance.  Ultimately, people must own responsibility for their actions and although maybe most are not malicious they are certainly intentional – and many times without consequence which merely exacerbates the problem.

High pace, high peace

I just finished reading The Influentials by Jon Berry.  This is another book that I was reading for some time and managed to put to bed on my flight to Boston.  Great read.  It is heavily referenced in Applebee’s America and is (I believe) required reading for anyone claiming marketing chops these days.

Understand that the market is heavily driven by these types of people – whether you are selling a candidate, a product, or a service.  Read and learn.  One of the things that really stuck in my mind (in addition to more than enough stats) was the desire of this group for a high pace, high peace lifestyle.

When they are on, they are on.  When they are off, they seek "peace" time just as aggressively. 

Good analogy in this book about being a water stop on a road race.  Give them what they need, when they need it, then get the hell out of the way. 

What to do about email archiving – a universal question

Another post from our Reshaping Information Security MarketInsight study.  This section covers the topic of email archiving and retention – something all companies regardless of industry are struggling with both from a records management and compliance perspective.  This part of the discussion pointed to the need to separate high-value from low-value email correspondence prior to archival and do so in a way that was practical, auditable, and accurate. 

Archiving & Retention

One area that was consistently at the top of the list interest-wise was the topic of email archiving and retention.  There was a great deal of variance in both policy and clarity as it relates to what a company should be doing.  One participant’s company policy is to never get rid of email.  They have records dating back to 1991 in various formats and locations.

There was general agreement that email is used as a document storage system and that any limitation on the size of an inbox or the amount of time an email record is stored creates angst and negative feedback from the user community.  In fact, one company was struggling with a mandated 7 day retention policy, after which email was deleted as a way to mitigate litigation risk, but the company used email for orders that normally ran 3-4 months in lead time and for all subsequent purchasing negotiations.  In this case email stopped being “transitory” business communication and was a primary generator of business records – although the line between the two is very gray.  One recurring theme was to have a defensible policy in place that is consistent and does not change as a result of, or during, a possible inquiry or investigation.  Also, you must go with the strongest/most restrictive rule that applies to you as a starting point for retention.

Several firms placed a 90 day delete policy on the Inbox so that if the user wanted to keep a copy or if it was a formal business record, they were responsible for moving it (a managed folders approach).  The downside to this is that the user must make the retention decisions.  Yet another company sponsored “spring cleaning” exercises as a way to clean out old emails and paper content that was no longer needed.

Attempts to utilize public folders have proven fruitless and overall email storage is out of control with volumes continually increasing.  Trying to implement a classification schema is difficult because without automation, the end-user is left to make the decision.  In fact, one participant compared any attempts to reduce folder sizes to squeezing a balloon on one end – all the air just goes to the other side.  So limiting mailbox sizes merely increases .pst file sizes and nothing gets deleted, just moved.

Even though storage is deemed to be “cheap,” the costs of maintaining and managing it are not, so unlimited storage is not an alternative.  Even duplication can create serious headaches as the same emails are stored over and over again.  Categorization technology that promises to “auto-magically” organize email into the buckets you want is “just not there yet.”

Take a practical approach to information safeguards for email

More from our Reshaping Information Security MarketInsight study.  This section tackles the topic of Information Safeguards and how a practical approach is essential. 

Information Safeguards

Another issue top of mind for the participants was how to control the release of sensitive information.  The guidance provided by many was to take a “common sense” approach and that any technology solution deployed must be practical.

Most participants had some sort of content filtering in place but were struggling with false positives, lack of deep inspection (including attachments), and the overall effort required to manage the system which was providing limited-to-no relevant and actionable information.  In fact, some perceived monitoring to be a “Pandora’s Box” with more headaches than benefits and several participants advocated balancing the risk present versus the acceptable risk you are willing to take as a way to tackle this issue without draining IT resources to police it.  All were incident driven and reactive versus proactive in approach with limited knowledge of what was leaving via email or what was being forwarded outside the company.

Taking inventory of where your information assets reside and who has access to them is essential, although digital rights management (DRM) was only in the early evaluation stages at several companies.

After much discussion, there was consensus that there is no perfect technology to address this issue, but that you must demonstrate that you have done your due diligence and implemented basic or minimum safeguards.  Technology supports the solution, but people are still the ones that distribute information via email.  Controlling access in order to ensure only authorized personnel can get sensitive information is a mandatory step, and identifying what could be confidential or sensitive must occur at some level.  How that is done is more complex – be it through establishing an “asset risk management function” or getting the business owners to identify what to look for: keywords, documents, fingerprints, etc.  Building awareness, enforcing through exception monitoring, and implementing the guidance through system controls will begin to safeguard company information.

Implementing system controls to safeguard company information “doesn’t earn money,” and the business sees its time as better spent on projects that are good for the top line (i.e., revenue growth).  Although you cannot stop the determined insider, and eliminating all the exposure that email creates is not feasible, you must try.  But, as previously pointed out, “squeezing one end of a balloon” and clamping down in one place will only push it to another.

Enterprise Strategy Group whitepaper on intelligent message management

We announced the release of this whitepaper earlier this week and have gotten some good feedback on it.  We have worked with Brian Babineau and team from ESG for some time and I am a huge fan.  Brian is really knowledgeable and very approachable – things it takes to be a great industry analyst.  Here is a short podcast overview and here is a link to the EDD Blog with their take.  You can download it here or send me a note and I’ll get you a copy.

What ‘Effective Teledensity’ is and why you should care


Many years ago while at Arthur Andersen I had the opportunity to work on a series of projects looking at the impact, drivers, and opportunity around mobile communications – both satellite based as referenced in this post and terrestrial cellular build out.  During that time, I became acquainted with the International Telecommunications Union (ITU) out of Geneva, Switzerland and their role in understanding, advocating, and setting policy around global telecommunications and their very Flash Gordon-like logo (to the left).

One of the many metrics that I spent a great deal of time analyzing for various markets was teledensity, or the number of telephone lines per 100 people.  Fast forward 10+ years and this is now measured as "effective teledensity," which includes both mobile and fixed lines per 100 people.  Teledensity is an indicator of economic development for a country, and those that are below 1 have a difficult if not impossible task of getting above it.  A teledensity of one was perceived to be the tipping point to accelerate the connectivity of a population and, by default, economic well-being.  Moving from 10 to 30 is defined as the "teledensity transition," where at 30 the majority of households and nearly all businesses have access to telecommunications.

From the ITU:

[Figure: ITU charts of the teledensity transition in Asia-Pacific developed and developing economies]

For the developed economies in the Asia-Pacific region, it took between 8 and 35 years (average 16 years) to make the transition between 1935 and 1995, with a progressive acceleration over time. However, for a sample of developing economies in the same region, it took only between 2 and 6 years (average 3 years) to make the transition between 1995 and 2006.  The main difference between the two charts is that the developed countries made the transition using fixed-line networks, whereas the developing economies have invariably made the transition using mobile networks.

Don’t think that communications (especially mobile) is making an impact on the world, accelerating connectivity among people, and improving economies?  Think again.