In the face of successive waves of email, data transfer and data protection regulations, compliance continues to be an area of major business risk; yet most UK organisations still cannot tell whether their email or data has been tampered with.
With 26 billion e-mails whizzing round the world in any one day, and the numbers going up, email compliance is a matter that many companies put on the ‘back burner’. The consequences of this approach can include litigation, financial penalties and HR problems, as well as damage to company reputation. Corporate governance requires that organizations retain their records for a specific period of time, which by default includes e-mails. Although much of the legislation pre-dates the Internet, email is subject to the same regulations as paper documents.
Disciplinary action for technology-related offences (e-mail and internet abuse) now exceeds the combined total for dishonesty, violence and health and safety breaches, according to the Chartered Institute of Personnel and Development. A recent survey also revealed that 32% of Fortune 1000 companies have discovered employees passing confidential information to a third party.
True forensic email compliance solutions ensure that all customers benefit from:
- Exceptionally high standards of data privacy and protection, with strict auditing of searches to protect users’ rights during investigations
- Rapid access to data in response to disputes and information access requests
- Tamper-proof trails of all stored emails and a permanent forensic and compliant email archive
With the many regulatory requirements that apply, such as Sarbanes-Oxley, the Data Protection Act (European Union) and the Freedom of Information Act (UK), often contradicting each other, this article aims to shed some light on the area and provide you with five basic rules for email compliance that will protect you from potential litigation while also providing some user benefits. Effective email compliance does not have to be expensive; with data storage costs currently in the region of £1 per gigabyte, it is affordable.
Email Compliance – A Simple 5 Step Guide
A simple 5 step guide to email compliance, specifically geared to the non-technical amongst us.
Rule 1
Take responsibility for archiving emails away from the user. Don’t burden them with the decision-making process of selecting which e-mail is important and which one is not; simply automate the whole process. Capture all e-mails that have been sent or received, either internally or externally, in their original format and archive them permanently in a secure place.
Automatically archive them away from your Mail Server or user Mailboxes to, for example, a SQL database with a pointer to a separate data folder for the emails. The e-mails in the data folder can be encrypted and compressed so that they cannot be changed or altered, and less file space is needed. The benefit of the SQL database approach is that the archiving process is completely separated from your Mail Server, so if one or the other crashes then all is not lost. A SQL database will also give you fast access when searching, finding and retrieving archived e-mails, as well as easier backup and restore processes.
Rule 2
Ensure that the emails cannot be changed or deleted. By using encryption and compression no alterations can be made, and a forensically sound copy can be produced, in the e-mail’s original format, when retrieved from the compliance archive. This is particularly important in legal situations, as you must be able to produce the original email and not one that could have been edited in any way.
Rule 3
Enable any email or group of e-mails to be easily and quickly found and viewed from the compliance database. You need to be able to search on things that you are likely to remember, for example a date range, part of an email address, words or phrases in the text or subject line, as well as specific data such as a contract number or invoice number. Having constructed a search, you then need to be able to refine the results by ‘searching within results’. It’s pointless having an e-mail compliance archive if you cannot get to the emails you want to view quickly and easily.
It's important to be able to retrieve a copy of emails from the compliance archive back into the user’s mailbox, with the original still remaining in the compliance archive.
Many users save emails to their own private mailbox, either on their local ‘C’ drive or on their mailbox server, ‘just in case I might need it some day’. The amount of storage they need grows and grows because they never clear out any ‘dead’ emails, often taking up several gigabytes of disk storage per user.
A more pragmatic approach would be to encourage users to keep only current and ‘active topic’ emails in their own private mailboxes and to delete ‘dead’ emails. If they ever need an ‘old’ or ‘dead’ e-mail, it can be easily and quickly recovered from the compliance archive. This process will save considerable amounts of user disk storage space and help with user disk quotas, as well as improving the performance of the Mail server.
Rule 4
Ensure that the whole email compliance process is auditable. Log files and counts need to be maintained as evidential proof of all actions taken relating to the email compliance archive. Log files must prove that no emails can bypass capture. Any or all emails can then be searched for, found and viewed in their original format together with attachments.
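Rules 2 and 4 together ask for an archive where alteration or deletion is provable and where counts reconcile. The following is an added example, not the article's or any product's code: a constructed, minimal archive that stores the raw message and appends a keyed hash-chain audit entry per capture, so that verification detects an edited message, a missing or re-ordered audit entry, and a mismatch between messages captured and messages archived. The audit key is assumed to be held by the archive service, not by mailbox users; the message bodies are constructed samples.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # chain anchor for the first audit entry

class ComplianceArchive:
    """Constructed tamper-evident archive (not the article's product).
    Raw messages go to a blob store (the article's data folder); each capture
    appends an audit entry whose keyed hash covers the message digest and the
    previous entry, so editing, deleting or re-ordering anything is detectable."""

    def __init__(self, audit_key: bytes):
        self.key = audit_key   # assumption: held by the archive service, not by users
        self.blobs = {}        # msg_id -> raw message bytes
        self.chain = []        # audit log, one entry per archived message
        self.captured = 0      # count maintained by the capture hook (Rule 4)

    def _seal(self, body: dict) -> str:
        return hmac.new(self.key, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()

    def capture(self, msg_id: str, raw: bytes) -> None:
        self.captured += 1
        prev = self.chain[-1]["entry_hash"] if self.chain else GENESIS
        body = {"seq": len(self.chain) + 1, "msg_id": msg_id,
                "sha256": hashlib.sha256(raw).hexdigest(), "prev": prev}
        self.blobs[msg_id] = raw
        self.chain.append({**body, "entry_hash": self._seal(body)})

    def verify(self) -> list[str]:
        """Return the problems found; an empty list means the archive and its
        audit trail are consistent and the captured/archived counts reconcile."""
        problems, prev = [], GENESIS
        for i, e in enumerate(self.chain, 1):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if (e["seq"] != i or e["prev"] != prev
                    or not hmac.compare_digest(self._seal(body), e["entry_hash"])):
                problems.append(f"audit entry {i} altered, missing or out of sequence")
            raw = self.blobs.get(e["msg_id"])
            if raw is None:
                problems.append(f"message {e['msg_id']} missing from store")
            elif hashlib.sha256(raw).hexdigest() != e["sha256"]:
                problems.append(f"message {e['msg_id']} content altered")
            prev = e["entry_hash"]
        if self.captured != len(self.chain):
            problems.append(f"count mismatch: captured {self.captured}, archived {len(self.chain)}")
        return problems

# Constructed sample messages, not real mail.
MSG1 = b"From: alice@example.com\r\nSubject: Invoice 4711\r\n\r\nPlease pay GBP 1200.\r\n"
MSG2 = b"From: bob@example.com\r\nSubject: Re: Invoice 4711\r\n\r\nPaid today.\r\n"
```

Encryption and compression of the blob store can sit underneath this unchanged; the chain is what lets an auditor show that what is retrieved is what was captured.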
Rule 5
Advise your users that you have an e-mail compliance archive which captures all incoming and outgoing emails, irrespective of whether they are internal or external. Tell them that they can access the email compliance archive to find and view any e-mail that they have access rights to, e.g. where their name appears in the ‘From’, ‘To’, ‘CC’ or ‘BCC’ fields, or where they are part of a group that has been set up in Active Directory (they cannot see e-mails that they are not entitled to view).
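The entitlement check described in Rule 5, as an added example that is not from the article or any product: the user may view a message if their address is named on From/To/Cc/Bcc, or if they belong to an Active Directory group whose scope covers an address named on it. The header parsing uses Python's standard email module rather than substring matching; the group-scope mapping and the sample message are constructed assumptions.

```python
from email import message_from_bytes
from email.utils import getaddresses

# Assumption (not from the article): group entitlements are modelled as a
# mapping from AD group name to the set of mailbox addresses whose mail that
# group is allowed to view, e.g. an "invoice-auditors" group for accounts@.

def addresses_on(raw: bytes) -> set[str]:
    """Return every address named in From/To/Cc/Bcc, lower-cased.
    Parsing with the email module (rather than substring search) copes with
    display names, folded headers and comma-separated recipient lists."""
    msg = message_from_bytes(raw)
    values = []
    for field in ("From", "To", "Cc", "Bcc"):
        values.extend(msg.get_all(field, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def may_view(raw: bytes, user: str, user_groups: set[str],
             group_scope: dict[str, set[str]]) -> bool:
    """Rule 5 check: the user is named on the message, or belongs to an
    AD group whose scope covers someone who is named on it."""
    named = addresses_on(raw)
    if user.lower() in named:
        return True
    for group in user_groups:
        if named & {a.lower() for a in group_scope.get(group, set())}:
            return True
    return False

# Constructed sample message (not a real e-mail).
SAMPLE = (b"From: Alice Smith <Alice@example.com>\r\n"
          b"To: accounts@example.com, \"Bob\" <bob@example.com>\r\n"
          b"Cc: carol@example.com\r\n"
          b"Subject: Invoice 4711\r\n\r\nPlease find the invoice attached.\r\n")

GROUPS = {"invoice-auditors": {"accounts@example.com"}}

if __name__ == "__main__":
    print(may_view(SAMPLE, "bob@example.com", set(), GROUPS))                  # True, named in To
    print(may_view(SAMPLE, "dave@example.com", {"invoice-auditors"}, GROUPS))  # True, via group
    print(may_view(SAMPLE, "eve@example.com", set(), GROUPS))                  # False
```

Note that the Bcc header survives only if the archive captures the message at submission time, before the mail server strips it for delivery, which is one reason Rule 1 captures at the server rather than from user mailboxes.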
In adopting an ‘open’ policy, users will be aware that Systems Administrators or similarly privileged users can view any or all e-mails, together with attachments, in the email compliance database, and this awareness can act as a deterrent to email abuse. Compliance is increasingly critical to the way in which businesses operate, and by applying the above five rules you will go a long way to taming the email compliance sleeping tiger and putting a large tick in the email compliance box. Ignoring email compliance now could result in expensive and time-consuming consequences in the future. Remember that email compliance need not be costly; it should run seamlessly in the background, improving day-to-day operations rather than inhibiting them.
Email Threats
Although email security is often viewed as a single issue, it is actually a conglomeration of several different threats that work individually to damage computers and defraud recipients, as well as to undermine the effectiveness, reliability and trust of email systems.
Email threats can be divided into several distinct categories:
Viruses, Worms and Trojan Horses: Delivered as email attachments, destructive code can devastate a host system's data, turn computers into remotely controlled machines that are herded into botnets, and cause recipients to lose serious money. Trojan horse keyloggers, for example, can surreptitiously record system activities, giving unauthorized external parties access to corporate bank accounts, internal business Web sites and other private resources.
Phishing: According to the Anti-Phishing Working Group — a trade organization that consists of financial organizations, software publishers and other concerned parties — phishing attacks utilize social engineering to steal consumers' personal and financial data. The attacks rely on "spoofed" emails that direct recipients to bogus Web sites that are designed to trick them into revealing confidential financial data such as credit-card numbers, account usernames, passwords and Social Security numbers. Phishing perpetrators typically operate by hiding under phony identities that they have stolen from banks, online merchants and credit-card companies.
Spam: Although not an overt threat like a virus-infected attachment, junk email can quickly overwhelm an inbox, making it difficult or even impossible for its owner to view legitimate messages. The spam problem has gotten so bad that it is commonplace for users to abandon email accounts that are overrun with spam rather than try to fight the problem. Spam is also the delivery medium of choice for both phishers and virus attackers. So just how bad is the problem in terms of numbers? Tens of billions of spam messages are sent every day.
Email Safeguards
Protecting email users and their systems from attackers is a 24/7 job that requires the use of multiple security tools:
Client Security: Virtually all major email clients now offer security settings, anti-spam tools, phishing filters and other features that are designed to snare and isolate dangerous messages before they can inflict harm. Email users should investigate all of these features and use them as their first line of defense.
Firewall: A firewall can bolster email security by filtering out malware-laden attachments and other types of unwanted material that don't meet pre-configured rules.
Encryption: Rendering messages indecipherable to unauthorized recipients is a popular way of protecting outbound emails. Encryption software isn't perfect, however, since even the best products consume both processor speed and storage space. Users can also lose or forget passwords. Encryption can be handled by the firewall or additional software.
Anti-Virus Tools: Leading anti-virus products and services generally do a good job of spotting and removing viruses, worms and Trojan horses from incoming email messages.
Spam Filters: A good spam filter can differentiate between legitimate email and spam, freeing a user's inbox from mounds of digital debris. A drawback to this technology is that a poor spam filter, or one that has not been properly tuned, will remove a certain number of legitimate emails from a user's view while letting some spam pass through untouched. Improved spam-recognition technologies are making spam filters more accurate — most vendors now promise 99 percent-plus accuracy rates — but even the best spam filter will incorrectly categorize at least some emails.
Education: One primary email-defense tool is education. Users who are aware of email threats are less likely to open potentially virus-infected attachments, click phishing links or perform other risky actions.
Email threats will continue to exist for as long as there are people and organizations that thrive on the misery they inflict upon others. Therefore, the practices and tools that constitute email security are likely to exist for as long as email itself.