Maximizing Email Security ROI: Part II - Stop Viruses Before They Stop You
Written by CipherTrust
This is the second of a five-part series on Maximizing Email Security ROI.
Across the spectrum of information security risks, even casual users understand the danger posed by viruses and worms. Network administrators have even more reason to fear a virus attack, since a successful one can cripple a corporate network for days. The lasting damage, however, is much harder to determine with precision, because the residual financial impact of an infection extends long after the attack itself is over. Lost employee productivity, consumption of IT and Help Desk resources and the potential for lost data can all multiply the hard costs of a virus attack on an enterprise.
The recent proliferation of fast-spreading worms such as Sasser, which appeared at the end of April 2004, spread around the world within hours and is estimated to have caused $3.5 billion in damages, has once again brought virus protection to the forefront for network administrators and CIOs. Sasser is often described as a "zero-day" attack, but the LSASS vulnerability it exploited had been patched in MS04-011 about two weeks before the worm appeared, and it propagated directly over the network rather than by email; the email-borne worms of the same months, such as MyDoom and Netsky, are the cases an email gateway can actually stop. Quantifying the risk posed by viruses and worms to CEOs and CFOs in order to justify expenditure on network security, however, can be a real challenge. This week, the second installment in The IronMail Insider's five-part series on maximizing email security ROI sheds some light on how to calculate the potential loss from a virus attack, and more importantly, how to explain that potential to the controller of the corporate purse strings.
Lost Employee Productivity
Now that email is the undisputed primary communication method for most organizations, loss of email due to an attack can severely affect enterprise operations. Beyond the immediate expense of restoring the network, an attack on your enterprise email system also results directly in lost work hours for every employee for as long as the network remains inoperable. In addition, the time end users spend contacting the help desk, waiting for infected workstations and servers to be cleaned, and installing patches and updates will weigh on the company's bottom line until the last workstation has been cleaned and the last user has returned to productivity.
Consumption of IT and Help Desk Resources
The bandwidth consumed by a spreading virus or worm slows the network to a crawl or shuts it down entirely, and infected workstations frequently lock up under the processing load of the virus itself. After the attack, Help Desk staff spend days or weeks cleaning individual workstations, repairing servers and applying patches in the hope of avoiding the next attack, when they should be available to end users for more routine issues.
Attacks that take down entire networks cause far higher levels of lost productivity than those that take down only individual workstations. According to the Computer Virus Prevalence Survey, in 2003 almost a third of businesses worldwide had suffered a virus "disaster", defined as 25 or more computers infected by a single virus in the same incident, at an average cost of almost $100,000 to clean up each time. More than three quarters suffered outages that caused a loss of productivity, and two thirds indicated that a major effect of an attack was to make a PC inaccessible.
Corporate email policies lower unnecessary legal and security risks.
Written by Anti Spam League
What comes to mind when you think about your email? Email makes almost instant communication with your co-workers possible without leaving your desk, or a quick note to a family member who lives far away, but it also has a very annoying downside: junk mail. Since the introduction of the Internet, email has been one of its primary uses. The fact that it is a fast, cheap and easy means of communication makes email a great business tool. But email usage also carries a series of threats for employers. Email threats such as confidentiality breaches, legal liability, lost productivity and damage to reputation cost organizations millions of dollars each year.

In the majority of cases, companies are held responsible for all information transmitted on or from their systems. As a result, inappropriate emails can result in multi-million dollar penalties in addition to other costs. For example, a Federal Communications Commission (FCC) employee unintentionally sent a dirty joke entitled 'Nuns in Heaven' to 6,000 journalists and government officials on the agency's group email list. This employee's lapse in judgment and electronic mistake resulted in negative publicity and national embarrassment for the FCC. In the US, Chevron settled a case filed by four female employees for $2.2 million. The employees alleged that sexually harassing emails sent through the company's email system created a threatening work environment. One of the sexually offensive messages was a joke sheet titled '25 reasons why beer is better than women'. A company can also be liable if one of its employees sends an email containing a virus.

Confidentiality breaches can be accidental, for instance when an employee selects the wrong contact name in the 'To:' field, or intentional, as in the case where an employee uses a corporate email account to send confidential information to one of the company's competitors. In the latter case, both the employee and the recipient could be charged with trade secret theft.
Nonetheless, whether it happens by mistake or on purpose, the result of a loss of confidential data is the same. Lost productivity due to inappropriate use of a firm's email system is a growing area of concern. A recent survey revealed that 86 per cent of workers used their company email to send and receive personal emails. Given how hard it has become to keep people's personal lives outside the workday, companies struggle to find effective ways of balancing employee freedom and corporate protection.

In addition to personal emails, unwanted spam messages are a significant time waster. Spam and personal abuse of email also waste valuable bandwidth on a corporation's email system. A Gartner Group study of 13,000 email users found that 90 percent receive spam at least once a week, and almost 50 percent get spammed more than six times a week. Personal emails cause network congestion since they are not only unnecessary but tend to be mailed to a large list of recipients and often carry large attachments such as mp3, executable or video files that users do not compress.

A single anti-spam technique on its own has not proven effective at stopping spam. Combining spam blockers with other spam control technologies such as Sender ID Framework (SIDF), SPF, Bayesian filters, blacklists, whitelists, anomaly detection and spam signatures has proven much more effective: each layer catches mail the others miss, and a sender who evades one check still has to evade the rest. There are also organizations such as Anti SPAM League.org that give Internet users a chance to report the individuals and companies responsible for spamming. You can become a member for free and learn how to control the spam problem by visiting their website at www.antispamleague.org. For more details on how to deal with spam, read the article 'How Can I Stop It? - The Challenging Task of Controlling Spam'.

How can a company protect itself from these threats? The first step in securing your organization is to create an email usage policy.
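The paragraph above names SPF, blacklists, whitelists and Bayesian filters as layers that work better in combination than any one filter does. The Python below is an added example, not code from the Anti Spam League or from any product this page mentions: it strings those layers together over constructed messages, with a dictionary (FAKE_DNS_TXT) standing in for DNS TXT lookups, a toy training corpus, hypothetical domains and IP addresses from the documentation ranges. The ordering it shows is the part that matters for security: a whitelist keyed on the From: domain alone is a spoofing bypass, so it is only honoured when SPF also passes, and the blacklist still catches a sender whose own SPF record (`+all`) would pass anything.

```python
"""Layered inbound-mail scoring: allow/block lists, a simplified SPF check and a
naive Bayes text classifier combined into one verdict. Every input (the lists,
the stand-in DNS table, the training corpus, the sample messages) is constructed."""
import math
import re
from collections import Counter

BLOCKLIST = {"bulk-offers.example"}  # constructed, hypothetical domains
ALLOWLIST = {"partner.example"}
FAKE_DNS_TXT = {  # constructed stand-in for DNS TXT lookups of SPF records
    "partner.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "shop.example": "v=spf1 ip4:198.51.100.10 ~all",
    "bulk-offers.example": "v=spf1 +all",  # permissive record: SPF alone proves nothing
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def ip_in_cidr(ip: str, cidr: str) -> bool:
    """True if the dotted-quad ip lies inside cidr ('a.b.c.d' or 'a.b.c.d/n')."""
    def as_int(addr: str) -> int:
        return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")
    net, _, bits = cidr.partition("/")
    mask = (0xFFFFFFFF << (32 - (int(bits) if bits else 32))) & 0xFFFFFFFF
    return as_int(ip) & mask == as_int(net) & mask

def spf_check(domain: str, client_ip: str) -> str:
    """Simplified SPF: only ip4: mechanisms and 'all' (no a:, mx:, include:,
    redirect= or the 10-lookup limit). Returns pass/fail/softfail/neutral/none."""
    record = FAKE_DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech == "all" or (mech.startswith("ip4:") and ip_in_cidr(client_ip, mech[4:])):
            return RESULT[qualifier]
    return "none"

TOKEN = re.compile(r"[a-z]+")

def tokens(text: str) -> list:
    return TOKEN.findall(text.lower())

class NaiveBayes:
    """Word-frequency naive Bayes with add-one smoothing and equal priors."""
    def __init__(self, spam: list, ham: list):
        self.spam = Counter(t for m in spam for t in tokens(m))
        self.ham = Counter(t for m in ham for t in tokens(m))
        self.n_spam, self.n_ham = sum(self.spam.values()), sum(self.ham.values())
        self.vocab = len(set(self.spam) | set(self.ham))

    def spam_probability(self, text: str) -> float:
        log_odds = 0.0
        for t in tokens(text):
            p_spam = (self.spam[t] + 1) / (self.n_spam + self.vocab)
            p_ham = (self.ham[t] + 1) / (self.n_ham + self.vocab)
            log_odds += math.log(p_spam / p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))

# Constructed toy corpus; a real filter trains on thousands of messages.
SPAM_TRAIN = ["free money act now click here win prize",
              "cheap meds free shipping click now",
              "win a free prize claim your money today"]
HAM_TRAIN = ["meeting agenda attached for tomorrow",
             "please review the quarterly report draft",
             "lunch tomorrow after the project meeting"]

def classify(msg: dict, nb: NaiveBayes, threshold: float = 0.9) -> tuple:
    """Return (action, reason). Cheap, decisive layers run first, text scoring last.
    The allowlist only short-circuits when SPF also passes: an allowlist keyed on
    the From: domain alone is bypassed by anyone who spoofs that domain."""
    domain = msg["from"].rsplit("@", 1)[1].lower()
    spf = spf_check(domain, msg["client_ip"])
    if domain in ALLOWLIST and spf == "pass":
        return "deliver", "allowlist+spf-pass"
    if domain in BLOCKLIST:
        return "reject", "blocklist"
    if spf == "fail":
        return "reject", "spf-fail"
    p = nb.spam_probability(msg["body"])
    if spf == "softfail":
        p = min(1.0, p + 0.2)  # hypothetical penalty for an SPF softfail
    return ("quarantine" if p >= threshold else "deliver"), f"bayes={p:.2f}"

def make_msg(sender: str, client_ip: str, body: str) -> dict:
    return {"from": sender, "client_ip": client_ip, "body": body}

SAMPLES = {  # constructed sample messages; IPs from the documentation ranges
    "partner_ok": make_msg("alice@partner.example", "192.0.2.44", "quarterly report draft attached"),
    "partner_spoof": make_msg("alice@partner.example", "203.0.113.5", "click here to win free money"),
    "shop_promo": make_msg("promo@shop.example", "203.0.113.9", "free prize win money click now"),
    "shop_ok": make_msg("bob@shop.example", "198.51.100.10", "meeting agenda for tomorrow attached"),
    "bulk": make_msg("deals@bulk-offers.example", "203.0.113.7", "meeting agenda for tomorrow attached"),
}

def score_samples() -> dict:
    """Run every constructed sample through the layered filter."""
    nb = NaiveBayes(SPAM_TRAIN, HAM_TRAIN)
    return {name: classify(m, nb) for name, m in SAMPLES.items()}
```

Calling `score_samples()` delivers the genuine partner mail, rejects the spoofed partner mail on SPF before any content is looked at, rejects the blacklisted sender even though its own SPF record would pass it, quarantines the promotional mail whose SPF softfail and wording both point the same way, and delivers the ordinary shop message. The SPF evaluator is deliberately partial (no `include:`, `a:`, `mx:` or lookup limit); use a real library for production, but the layering logic is the point.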
Every company needs to establish a policy regarding the use of and access to company email systems, and then tell all employees what that policy is. After you have created your email policy you must make sure it is actually enforced. This can be done by providing regular training and by monitoring employees' email with some type of email security software. The email policy should be made available and easily accessible to all employees and should be included in employee handbooks and on company intranets. It is best to include the email policy, or a short statement summarizing it, in employment contracts. In this way the employee acknowledges in writing that he or she is aware of the email policy and of the obligation to adhere to it.
What are some of the benefits of having a clear and effective email policy? First, it helps prevent email threats, since it makes your staff aware of corporate rules and guidelines. Second, it can help stop misconduct at an early stage by asking employees to come forward as soon as they receive an offensive email. Keeping incidents to a minimum can help avoid legal liability. For example, in the case of Morgan Stanley, a US investment bank that faced an employee court case, the court ruled that a single email communication, a racist joke in this case, cannot create a hostile work environment and dismissed the case against the bank. Third, if an incident does occur, an email policy can minimize the corporation's liability for the employee's actions. Previous cases have shown that the existence of an email policy can demonstrate that the company has taken steps to prevent inappropriate use of its email system, and the company can therefore be freed of liability. Fourth, if you are going to use email filtering software to check the contents of your employees' emails, you must have an email policy that states this clearly. Some employees may argue that by monitoring their emails, companies are violating their privacy rights. However, court cases have shown that if the employer has warned employees beforehand that their email might be monitored, the employer has a right to do so. People usually respond better when they know where they stand and what is expected of them.

The recent spike in the volume of spam traveling across the Internet, combined with the phishing and virus attacks that frequently accompany these messages, has forced corporations to reconsider how they determine which messages will be allowed into their network. For years, companies have addressed their email security needs through a mixture of third-party software solutions, each designed to address a specific area of vulnerability. Today, however, this approach appears to be ineffective.
New threats adapt to even the latest security technology, helping hackers and spammers stay a step ahead of most stand-alone protective measures. System administrators remain in a reactive mode, waiting for the next attack and hoping their mixed bag of security software is up to the test.