Every now and then a study comes along in IT that makes you wonder if the public will ever listen to security alert messages, as some of these studies yield results that quite literally make you want to throw your hands up in frustration. A case in point is the recently released study by the Message Anti-Abuse Working Group (MAAWG) entitled “A Look at Consumers’ Awareness of Email Security and Practices.” However, it is the report’s subtitle, “Of Course, I Never Reply to Spam – Except Sometimes,” that gets to the heart of the matter and frustrates me, as it shows that email users do understand the risks of spam yet still click on the message.
This report provided some interesting insight that reveals how pervasive email usage is in corporations and more importantly how users view email:
- 98% had both work and home email addresses
- The 24-54 age group is more likely to access email at work than at home
- The most important email function as identified by users was email from friends and family
- 1 in 6 people surveyed admitted to clicking on spam
After reading through these statistics (especially the last one) it became clear that even with all of the education and security alerts around email, current email usage policies coupled with virus and spam controls are not enough. Users continue to engage in unsafe email behavior and since most users rightly or wrongly view their work email address as their primary email address, the risks that email misuse presents to organizations are extensive.
Throughout my IT career I have seen the rise of anti-virus software and, more recently, anti-spam solutions aimed at the enterprise. For the most part organizations now see the risk/reward of installing these types of products, but both the effectiveness of the solutions and the risks of not implementing the right ones vary widely from company to company.
This study highlights some of these risks which include:
- What attachments are being sent or received? What are the chances that trade secrets or attachments with confidential or proprietary information are being sent from the company without its knowledge or permission?
- Are users using email outside established policy, thereby putting your company at risk? The most important function of email for users according to this survey is communicating with friends and family. There is no problem with that, but how comfortable are organizations with the knowledge that their employees are using their email system solely for work purposes? Further, are the emails being sent and received in violation of policy and do they, in a worst-case scenario, present a legal risk to the organization?
- Is a large volume of email being sent from a specific user? Can you identify a rapid acceleration of email being sent from a specific user? This type of email velocity could point to a compromised PC being used as a “bot”.
These risks beg the question “What else is going on?” as there are undoubtedly other risks to which companies are unknowingly exposed that are not being taken into consideration in this study. Statistics like these scream out the obvious: Companies need to take control of their email. To do so companies need tools to ensure their employees do not expose them to unnecessary risks.
New technologies now mitigate some of these risks. Products such as Estorian’s LookingGlass alleviate the risks outlined above by fully indexing incoming and outgoing emails and their attachments. In so doing, LookingGlass provides companies the assurance that all emails their employees send and receive adhere to existing policies in real time and, if they do not, are blocked and alerts are generated.
These notifications warn when a policy has been violated and send the information to the individuals responsible for taking action, such as HR or an internal security team. Email analytics features included in LookingGlass can track email by user, hour, day and beyond, which provides insight into items such as the number of emails sent and received. This can provide important quantitative information on email velocity and identify a small problem before it becomes a big one.
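The email-velocity check described in the risk list and in the analytics paragraph above, as an added example that is not part of the original article and is not LookingGlass code. It assumes a constructed outbound-mail log format and hypothetical `factor` and `floor` thresholds, and flags a sender whose hourly volume jumps well above that sender's own earlier hours.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median
import re

# Constructed log format (an assumption): "<ISO timestamp> from=<sender> nrcpt=<n>"
LINE_RE = re.compile(r"^(\S+) from=<([^>]+)> nrcpt=(\d+)$")

def hourly_volume(lines):
    """Return {sender: {hour_start: recipients addressed in that hour}}."""
    volume = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse rather than guessing
        ts = datetime.fromisoformat(m.group(1))
        hour = ts.replace(minute=0, second=0, microsecond=0)
        volume[m.group(2).lower()][hour] += int(m.group(3))
    return volume

def velocity_alerts(lines, factor=5, floor=50):
    """Flag (sender, hour, count, baseline) where an hour's volume is at least
    `floor` and at least `factor` times the median of that sender's earlier
    active hours. A sender with no history has baseline 0, so `floor` decides."""
    alerts = []
    for sender, hours in sorted(hourly_volume(lines).items()):
        seen = []
        for hour in sorted(hours):
            count = hours[hour]
            baseline = median(seen) if seen else 0
            if count >= floor and count >= factor * baseline:
                alerts.append((sender, hour, count, baseline))
            seen.append(count)
    return alerts

def sample_log():
    """Constructed sample: alice is steady; bob's volume jumps in the fourth hour."""
    start = datetime(2010, 3, 15, 9, 0, 0)
    lines = []
    for h, (alice_n, bob_n) in enumerate([(4, 3), (5, 2), (3, 4), (4, 120)]):
        for sender, n in (("alice@example.com", alice_n), ("bob@example.com", bob_n)):
            for i in range(n):
                ts = start + timedelta(hours=h, seconds=20 * i)
                lines.append(f"{ts.isoformat()} from=<{sender}> nrcpt=1")
    return lines

if __name__ == "__main__":
    for sender, hour, count, baseline in velocity_alerts(sample_log()):
        print(f"{sender} {hour:%Y-%m-%d %H}:00 sent={count} baseline={baseline}")
```

Comparing each sender against their own history keeps a naturally busy mailbox from alerting every hour, while the absolute `floor` keeps a quiet user who sends ten messages instead of two from being flagged.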
The MAAWG study highlighted that employees do not always differentiate between home and work email. Because of this, organizations need some means of enforcing email policies to deter employees from jeopardizing the company through ill-advised email behavior. Taking control of email requires tools that proactively monitor the information contained in emails so that organizations are protected from the potentially abusive or dangerous content that is shared and sent in them. Products such as Estorian LookingGlass provide a level of control that anti-spam, anti-virus and even other email management products still lack.