Beware the post impressionists

Organisations that ignore their responsibilities to manage email traffic securely face not only possible legal action, but the loss of a highly valuable asset. James Middleton reports

For a long time now, enterprise IT managers have been holding off a flood of spam, while all the time keeping their eyes open for spyware, viruses and trojans sneaking in through the back door. Email security is still at the forefront of many IT managers' minds, with a recent global security survey by professional services firm Deloitte Touche Tohmatsu (DTT) finding that around 26 per cent of global enterprises in the financial services sector had experienced information security attacks from external sources during 2005, compared to 23 per cent in 2004.

But while anti-virus software is now estimated to be used by 98 per cent of firms, virtual private networks by 79 per cent, and content filtering and monitoring by 76 per cent, DTT found that the incremental growth in attacks is primarily driven by the increasing danger from phishing and pharming, which essentially make use of misleading emails and false websites to trick information out of users.

More worryingly, the study found that internal infosec attacks are outgrowing external attacks, with 35 per cent of respondents encountering attacks from inside their organisation within the past 12 months, up from 14 per cent in 2004.

To some extent, IT managers are on the right track in terms of addressing email security. DTT believes the shift from external to internal attacks and human-based exploits is due to the improved use of IT security software and appliances such as those outlined above. But it advises that strong authentication, good training and increased awareness can play a significant role in narrowing the security gap. "With threats such as identity theft and phishing on the rise, organisations should be implementing ID management, encompassing access, vulnerability, patch and security event management," says the report, with augmentations provided by increased security training and awareness.

But a major concern is that training and awareness are being shunted to the bottom of enterprises' security initiatives list. In fact, new security training and awareness measurements implemented in the past 12 months have declined from 77 per cent in 2004 to 65 per cent this year.

Regulatory compliance is another growing concern. In an age when the pressure to meet information security demands is intensified by the need for compliance, failure to implement security training and awareness strategies is akin to signing an economic death warrant. As the role of information in companies grows more critical, so do the challenges involved in managing it, particularly when you consider the consequences of not complying with regulations such as Sarbanes-Oxley, the Data Protection Act and the EU's 8th Directive.

Ernst & Young recently noted in its eighth annual Global Information Security Survey that around 66 per cent of global companies, government agencies and non-profit organisations cite compliance with regulations as the primary driver behind information security, surpassing even the traditional threats of worms and viruses. However, a surprisingly low number of enterprises are thought to actually have even the most basic form of email management system in place.

While it might be tempting to think that regulatory compliance only affects a few industries such as the financial services sector, the truth is that it more likely affects most industries and companies.

Another issue is how to securely archive your data. With companies now expected to hold onto emails for considerable periods of time, as well as being able to retrieve certain data from these archives at the drop of a hat, Ernst & Young argues that organisations are actually missing out on the rare investment opportunities that compliance offers to promote information security as an integral part of their business.

"Compliance is proving to be more of a distraction than a catalyst for information security to become strategically aligned within organisations," warns Edwin Bennett, global director of Ernst & Young's Technology and Security Risk Services. "One might assume that with the attention information security is receiving due to regulatory compliance, organisations' infosec postures are improving and infosec as a function is becoming more integral to their strategic initiatives. Unfortunately, this is not happening on a consistent basis. The gap continues to widen between the growing risks brought on by rapid changes in the global business environment and what infosec is doing to address those risks."

With proper organisational alignment and execution, adds Bennett, information security can make significant contributions to the organisation's strategic initiatives and overall risk management.

But isn't security about management, not technology? For the NHS messaging system NHSnet, one of the largest self-contained email networks in the world, security and risk management is paramount. It requires 29,000 GPs, 575 trusts and over 1.2 million NHS staff to communicate via email, protected from inbound threats such as spam, viruses, worms and trojans, while ensuring that all outbound communications remain compliant with NHSnet email policy.

To this end, the UK health service asked CipherTrust to deliver a package of its specially configured IronMail appliances and TrustedSource servers to integrate with NHSnet to address the email security challenges faced by the industry. The package is specifically designed for the differing needs of NHS trusts from inbound-only email protection to total encryption of all messages.

Adrian Louth, managing director of Visus, a CipherTrust reseller and health sector specialist, adds: "Email security is a major challenge for the health sector. In particular, outbound email needs added safeguards such as encryption due to the sensitive nature of the information contained in patients' medical records."

From this point of view, the industry is heading in the right direction, with companies seeking out email security products that combine multiple email security and management functions.

According to research group In-Stat, the email security market is poised for strong growth over the next few years. It is predicted to reach £2 billion by 2009, with 66 per cent of companies around the world purchasing email security and management products over the next two years. Appliances such as those used by the NHS are expected to overtake software as the preferred delivery model for email security solutions.

And such investment is crucial. In the increasingly digitally connected world, one of the primary functions of email management software is to capture and analyse all incoming and outgoing mail in context, and flag up questionable communications.

In this area, research group Forrester notes that while many security offerings are limited by their crude detection capabilities based on keywords and phrases, these implementations are still well suited to enforcing simple policies around inappropriate dialogue or blatant disclosures of privileged information.

However, attempts to provide more subtle detection are ineffective, and Forrester predicts the emergence of a new breed of information leak prevention products to address this – monitoring, measuring and protecting these information assets, identifying structured information like database records and personal information, as well as more unstructured information like important fragments of a sensitive document and spreadsheets. Moreover, as with encryption implementations, although digital certificate technologies such as PKI have grown, and will continue to grow exponentially, they will do so behind the scenes, becoming essential, but invisible.

On a different note, with enterprises ever fearful about what they can and cannot delete, leaving them with a sizeable amount of information residing in their systems, what is being done to maximise the value that can be derived from all this data? At present, very little.

Although awareness about infosec has risen as a critical issue at board level and among executive management, the people at the top continue to focus information security activities on operational and tactical issues, such as those outlined above, at the expense of addressing more strategic concerns.

A growing consideration in this area is the implementation of email or Information Lifecycle Management (ILM), as an initiative for aligning your IT infrastructure and business software applications with the needs and demands of your enterprise. US vendor EMC, with its background in archiving technology, defines ILM as a method of enabling your company to get the most value from information at every point in its lifecycle, at the lowest total cost of ownership. In a nutshell, this means storing the right amount of information in the right place for the right amount of time, based on the volume of that data.

At this point, it should be made clear that while many vendors can promise varying degrees of ILM, ILM itself is a strategy, not a product, and as such it delivers policy-based, application-specific strategies based on the vendor's definition. Such initiatives are currently being championed by the likes of EMC, AXS-One, IBM, Hummingbird, OpenText, Interwoven and FileNet, as well as the traditional security companies such as Symantec.

What we are looking at here are tools for securely archiving multiple servers into a single email repository for easier access, while reducing the time it takes to shift data around and creating smaller backup times and system restores in the event of failure.

For those organisations that already use email management software or similar integrated security appliances, there might already be an option available to implement an additional software module, which could be cheaper and easier to maintain than implementing an entirely new system. Companies which do not already use management software should be looking at options depending on why, and how often, they need to access archived data.

When implemented effectively, ILM can address many goals, such as higher availability of data, lower total cost of ownership, and reduced backup and restore times, while also reacting to the increasing demands of regulatory compliance. As analyst firm Kahn Consulting puts it: "The ability to properly classify information is at the heart of any ILM strategy. Only by knowing what data is, and why it is valuable to the organisation, can good decisions be made about where and how it should be stored."

Copyright © SC Magazine, US edition