Maximizing Email Security ROI: Part II - Stop Viruses Before They Stop You
Written by CipherTrust
Employees are storing more and more confidential, mission-critical information on personal workstations and internal networks every day. Financial and employee records, trade secrets and internal emails are all at risk should a malicious virus choose to corrupt or destroy them.
Should any or all of this information be attacked by a virus or worm, documents stored on user machines and email servers risk destruction or corruption, rendering days or weeks' worth of work useless. While some of the work may be recoverable, help desk resource utilization and third-party forensic experts will add to the total cost of the attack.
Reputation and Credibility Erosion
Falling victim to a virus attack will likely result in lost confidence from business partners and customers and affect your enterprise’s perceived trustworthiness in the marketplace. According to Gartner, “Enterprises that spread viruses, worms, spam and denial-of-service attacks will find not only that malicious software can hinder their profitability, but also that other businesses will disconnect from them if they are considered to be risky.” While an attack may not be your fault, it is most certainly your problem.
Stay a Step Ahead of the Enemy
Fully understanding the risks posed by viruses and worms is only the beginning of your battle against them. To learn how to confront the numerous dangers to your enterprise network, read CipherTrust’s FREE whitepaper, “Next-Generation Virus Defense: An Overview of IronMail Zero-Day Virus Protection.”
Part III of this series will consider the issues involved in determining ROI for email policy enforcement as it relates to regulatory compliance, asset/IP protection, liability and reputation.
CipherTrust is the leader in anti-spam and email security. Learn more by downloading our free whitepaper, “Next-Generation Virus Defense: An Overview of IronMail Zero-Day Virus Protection” or by visiting www.ciphertrust.com.
Corporate email policies lower unnecessary legal and security risks.
Written by Anti Spam League
The role of email in Sarbanes-Oxley compliance cannot be overstated. The Sarbanes-Oxley Act of 2002 and associated rules adopted by the Securities and Exchange Commission (SEC) require certain businesses to report on the effectiveness of their internal controls over financial reporting. Effective internal controls ensure information integrity by mandating confidentiality, privacy, availability, controlled access, monitoring and reporting of corporate or customer financial information. Companies that must comply with Sarbanes-Oxley include U.S. public companies, foreign filers in U.S. markets and privately held companies with public debt. U.S. companies with a market cap greater than $75M and on an accelerated (2004) filing deadline are required to comply for fiscal years ending on or after Nov. 15, 2004. All others are required to comply for fiscal years ending on or after April 15, 2005.
Because the bulk of information in most corporations is created, stored, transmitted and maintained electronically, IT departments are responsible for ensuring that sound practices, including corporate-wide information security policies and enforced implementation of those policies, are in place for employees at all levels. Information security policies should govern the following items:
• Network security
• Access controls
• Authentication
• Encryption
• Logging
• Monitoring and alerting
• Pre-planning coordinated incident response
• Forensics
Most of us would agree that today email is the primary internal and external communication tool for corporations. Unfortunately, it is also one of the most exposed areas of a technology infrastructure. Email systems are critical to ensuring effective internal control over financial reporting, encryption of external messages and active policy enforcement, all essential elements of compliance. Companies must install a solution that actively enforces policy, stops offending mail both inbound and outbound and halts threats before internal controls are compromised, as opposed to passively noting violations as they occur.
An effective email security solution must address all aspects of controlling access to electronically stored company financial information. Given the wide functionality of email, ensuring appropriate information access control for all of these points requires:
• A capable policy enforcement mechanism to set rules in accordance with each company’s systems of internal controls;
• Encryption capabilities to ensure privacy and confidentiality through secure and authenticated transport and delivery of email messages;
• Secure remote access to enable remote access for authorized users while preventing access from unauthorized users;
• Anti-spam and anti-phishing technology to prevent malicious code from entering a machine and to prevent private information from being provided to unauthorized parties.
On a final note, some clear guidelines for a good and effective email policy include the following points:
1) Emails should comply with the proper RFC protocols for email,
2) Employees should not attempt to obscure content or messages in emails,
3) Companies should post privacy policies where they can be read and understood, prior to submission of a request,
4) Employees should not send email to unverified or nonexistent email addresses,
5) Companies should offer users opportunities to opt out of programs.
Given that developments in email and the Internet are changing so rapidly, it is essential to review the email policy at least once every quarter. Keep an eye on new developments in email and Internet law so that you are aware of any new regulations and opportunities. When you release new updates, it is preferable to have each user sign as acknowledgment of their receipt of the policy.
With all of this said, if you want to reduce electronic risks in the workplace you must take the initiative. Electronic disasters can ruin businesses, sink careers, send stock prices plummeting, and generate public relations nightmares. Do not wait for a disaster to strike; prevention is always your best defense. Visit www.AntiSpamLeague.org and they will help you develop and implement written email usage and privacy policies that clearly reflect your organization's expected standards of electronic behavior, along with privacy and monitoring policies.
The purpose of the Anti SPAM League is to help consumers and business owners reduce the amount of SPAM they receive. In addition, our Anti SPAM organization believes that educating site owners in the area of SPAM prevention and ways to successfully and responsibly market their sites, is key in making a difference.