Some companies lull themselves into a false sense of security upon installing a firewall. This is a wise step to protect their intranet, but it is not enough: firewalls prevent network access by unauthorized users, but they do not check the content of mail being sent and received by those authorized to use the system, for instance. More targeted measures are needed to counteract this and other security loopholes in a corporate network.
Information leaks
Organizations often fail to acknowledge that there is a greater risk of crucial data being stolen from within the company rather than from outside.
Various studies have shown how employees use email to send out confidential corporate information. Be it because they are disgruntled and revengeful, or because they fail to realize the potentially harmful impact of such a practice, employees use email to share sensitive data that was officially intended to remain in-house.
FBI statistics, for example, reveal that among Fortune 500 companies, most data thefts in 1998 were by internal users. Again, research results carried in PC Week in March 1999 report that, out of 800 workers surveyed, 21-31% admitted to sending confidential information - like financial or product data - to recipients outside the company by email. Ten per cent of those surveyed disclosed that they had received email containing company-confidential information.
Malicious or offensive content
Emails carrying sensitive information, or unsolicited mail messages sent out by corporate users are not the only problem a company has to tackle with regard to employees' email use. Emails sent by staff containing racist, sexist or other offensive material could prove equally troublesome, not to mention embarrassing - and expensive!
This factor hit the headlines during the much-publicized antitrust case against Microsoft Corp., when the US government presented as evidence the contents of emails written by top Microsoft executives describing plans to topple competitors. On a similar note, Chevron recently had to pay $2.2 million to settle a lawsuit resulting from an email message bearing sexist contents.
Under British law, employers are held responsible for emails written by employees in the course of their employment, whether or not the employer consented to the mail. The insurance company Norwich Union was asked to pay $450,000 in an out-of-court settlement as a result of emailed comments relating to competition.
Besides, offensive emails can cause considerable damage to the work environment simply by generating an unpleasant, hostile or unprofessional atmosphere.
Viruses
Viruses are a major email security hazard that companies simply cannot afford to ignore. Over 11,000 different computer viruses exist to date and some 300 new ones are created each month. Their effects range from negligible to bothersome to destructive.
The extent of the problem is so great that today many companies have even begun to prohibit the use of email attachments, as this is where viruses are often embedded. Unless forewarned, users are generally unaware that they have received a virus until they open the infected attachment. By this time, it is too late: the virus is activated and starts to take over, completely infecting the hard drive and the messaging network.
The danger of viruses transmitted through macros, another common form of virus transmission, is that they allow the user to continue working and sharing documents. This way, the virus spreads faster, infecting more and more users. One such macro virus, known as Melissa, reared its ugly head on March 26, 1999. Melissa forced organizations the world over - among them Microsoft and Intel - to suspend all email transactions. This may well have been an effective response to the new viral onslaught, when timely action was taken - but it also signified incalculable productivity loss, despite stemming data loss. As a result, Melissa left a huge dent in corporate coffers: "It is responsible for millions of dollars worth of damage", an April 1999 issue of InfoWorld reported.
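The attachment and macro risks described above are typically handled by a content check at the mail gateway. The following is an added example, not part of the original article: it parses a message and assigns a verdict per attachment. The extension lists, verdict names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy lists for this sketch; tune them to your own environment.
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs", ".js"}
MACRO_CAPABLE_EXT = {".doc", ".dot", ".xls", ".ppt", ".docm", ".xlsm", ".pptm"}
SEVERITY = {"allow": 0, "quarantine": 1, "block": 2}


def classify_attachment(filename):
    """Return 'block', 'quarantine' or 'allow' based on the final extension."""
    # Trailing dots/spaces are ignored by Windows, so strip them first;
    # only the last extension counts, which catches names like a.txt.vbs.
    name = filename.lower().rstrip(". ")
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    if ext in EXECUTABLE_EXT:
        return "block"
    if ext in MACRO_CAPABLE_EXT:
        return "quarantine"
    return "allow"


def scan_message(raw_bytes):
    """Walk every MIME part and return (overall_verdict, per-file findings)."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = [
        (part.get_filename(), classify_attachment(part.get_filename()))
        for part in msg.walk()
        if part.get_filename()
    ]
    overall = max((v for _, v in findings), key=SEVERITY.get, default="allow")
    return overall, findings


def build_sample():
    """Constructed test message: one Word document, one disguised script."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Figures attached.")
    msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                       subtype="msword", filename="figures.doc")
    msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="notes.txt.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```

Filename checks are only a coarse first layer, since a sender controls the name; a gateway would pair them with content scanning of the attachment itself.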
Other fiercely destructive viruses followed fast on Melissa's trail, such as the Chernobyl (CIH) virus and the Explore Worm, both of which wipe out files, resulting in data loss. Again, companies like Microsoft, Intel, Boeing and Forrester Research were reported in the press as having shut down their mail servers when hit by the Explore Worm outbreak in June 1999. And, as if all this were not enough, anti-virus researchers predict that more damaging email viruses are yet to come.
Spam
About 90 per cent of email users receive spam - or unsolicited commercial mail - at least once a week, a survey conducted by the Gartner Group shows. The research results, issued in June 1999, revealed that almost half those surveyed were spammed six or more times a week. The study surveyed 13,000 email users.
Although the U.S. Congress and state legislatures are seeking to ban spam, and the Federal Trade Commission sues spammers whose junk mail deceives consumers, unwanted mail is on the increase.
As well as consuming bandwidth and slowing down email systems, spam is a frustrating time-waster, forcing employees to sift through and delete mounds of junk mail. It also proves irritating and offensive to recipients who feel their privacy has been invaded.
However, there is a third aspect to spam: it constitutes a security hazard.
Spammers can use a corporate mail server to send out their unsolicited messages, often bringing trouble upon the unwitting organization. Virgin Net recently underwent such an experience when one of its subscribers apparently used its network to send out 250,000 junk messages. As a result of this individual's actions, Virgin Net was put onto the Real-time Blackhole List (RBL), an undesirable listing which leads other ISPs to reject mail coming from that company.
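How a blackhole listing turns into rejected mail, as an added example that is not part of the original article: a receiving server looks up the connecting address in a DNS-based blocklist and refuses the session if it is listed. The zone name, the addresses, the stand-in resolver and the accept-and-log choice on lookup failure are assumptions made here so the example runs offline.

```python
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: reversed IPv4 octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises on bad input
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_status(ip, zone, resolve=socket.gethostbyname):
    """Return 'listed', 'not_listed' or 'unknown' for one connecting address."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror as exc:
        # "Name does not exist" means the address is not on the list; any other
        # resolver failure is kept separate so an outage is not read as clean.
        return "not_listed" if exc.errno == socket.EAI_NONAME else "unknown"
    # Blocklists answer with an address in 127.0.0.0/8 for listed hosts.
    return "listed" if answer.startswith("127.") else "unknown"


def smtp_decision(ip, zone, resolve=socket.gethostbyname):
    """Map the lookup result to what the receiving server does with the session."""
    status = dnsbl_status(ip, zone, resolve)
    if status == "listed":
        return "reject"
    return "accept" if status == "not_listed" else "accept-and-log"


# Constructed stand-in for DNS; zone and addresses are placeholders
# taken from documentation ranges, not a real blocklist.
ZONE = "dnsbl.example.invalid"
FAKE_DNS = {"10.2.0.192." + ZONE: "127.0.0.2"}


def fake_resolve(name):
    """Answer from FAKE_DNS, simulate a timeout for names starting '99.'."""
    if name in FAKE_DNS:
        return FAKE_DNS[name]
    if name.startswith("99."):
        raise socket.gaierror(socket.EAI_AGAIN, "temporary failure (constructed)")
    raise socket.gaierror(socket.EAI_NONAME, "name not known (constructed)")


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.99"):
        print(ip, smtp_decision(ip, ZONE, fake_resolve))
```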
