This is the last of a five-part series on Maximizing Email Security ROI.
Remember your childhood fears? As soon as the lights went out, the monsters under your bed began plotting ways to get you. Somehow, though, you always managed to outsmart them and make it through the night. Then one night you grew up, and the monsters went away for good.
Well, they're back. And they've unionized.
International rings of hackers, many backed by funds from organized crime groups, are the new monsters hiding under your bed, only now they'll attack in broad daylight. They've realized that there's money to be made by breaking into your network, lots of money, and they want their "fair share." They have advanced degrees, financial motivation and plenty of time to figure out ways around software-based e-mail intrusion "solutions" (yes, even the really, really expensive one you just installed, sorry).
Once hackers have discovered a way into your network, all bets are off. They have access to any information residing on your servers, including your customer database, employee personnel files, bank account numbers and proprietary product information. They can run denial-of-service attacks to take down mail servers and disrupt your work environment. They can hijack your servers and use them as "spam cannons," sending millions of fraudulent e-mails purporting to be from your company. In short, they can do whatever they want.
This week's newsletter will identify the specific dangers posed by network intrusions and explain how keeping these new monsters from stealing the digital lifeblood of your enterprise can ensure that your investment in network security is handsomely rewarded.
Determining E-mail Security ROI
When attempting to extract meaningful hard-cost data to evaluate e-mail security ROI, damages can be broken into two categories: Ongoing or Catastrophic. Ongoing costs tend to occur continually and increase in scale. For instance, a 10% increase in spam volume will result in 10% higher costs. Catastrophic costs, on the other hand, are "one-and-done" losses that are intermittent but categorically high when they occur. An example of a catastrophic cost would be a single security breach that allowed the theft of proprietary intellectual property, causing millions of dollars in losses. In general, failure to prevent e-mail intrusions will result in expenditures that qualify as catastrophic.
Liability
Last week's IronMail Insider discussed the costs associated with allowing inappropriate material to cross the enterprise gateway or pass between workstations. The lawsuits resulting from companies failing to enforce e-mail policy and being held responsible for messages crossing their networks all resulted in catastrophic costs to the enterprise.
As with policy enforcement (and encryption, the topic of next week's newsletter), intrusion prevention is paramount to a company's efforts to comply with legislation regarding customer, financial and patient information security. Federal legislation such as HIPAA, Sarbanes-Oxley and GLBA provides for steep financial penalties for corporations that fail to take the necessary steps to ensure information security (up to $250,000 per incident). In addition, the potential for arrests and criminal charges against company officers, and costly lawsuits from customers and patients, should provide all the incentive necessary for companies to do everything possible to protect classified information.