After 40 years, email security still elusive, experts say
According to the survey, conducted by secure messaging provider VaporSteam Inc., nearly three-fourths of respondents from large companies say they've violated compliance rules via email.
By George V. Hulme
April 29, 2011 — CSO —
It has been 40 years this fall since email was invented. Despite its age, however, it remains difficult to secure, a survey released this week reveals.
According to the survey, conducted by secure messaging provider VaporSteam Inc., nearly three-fourths of respondents from large companies reported that they've violated compliance rules via email. About a third of those surveyed said they did so intentionally.
While this won't surprise security professionals, it is a reminder of how difficult it is to secure even the most widely used applications, and it raises the question of why we can't make email more secure without killing its functionality. "Because people use technology," says Scott Crawford, managing research director, Enterprise Management Associates. "And email is simply copying and communicating text from one relay to another. But that simplicity hides a paradox: messaging, collaboration, social -- all these technologies are designed to enable people to express themselves. The more constraint we put on them, the more difficult it can be to use technology to communicate," he says.
Mike Rothman, an analyst at security research firm Securosis and former executive at secure email vendor CipherTrust, isn't surprised by the lackadaisical approach to email security by users. "As soon as they start monitoring outbound communications they start seeing everything that's being sent," he says. "They'll see social security numbers, account numbers, and other forms of controlled information. It opens their eyes and that's when they investigate."
"Most of the time the employees are just trying to do the right thing, emailing files to their home to get work done over the weekend. Most of it isn't malicious," Rothman says.
Experts agree there's no easy email security fix on the way, whether through training or technical controls. "The answer is not more training and education," says John Pescatore, security analyst at Gartner. "20 years of that has not gotten us very far. More monitoring, via Database Activity Monitoring and Data Leak Prevention (DLP) is definitely needed," he says. "Monitoring to detect those conditions is important for both near term security and for figuring out what IT processes need to change so that users can get their jobs done without using email insecurely."
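As an added illustration of the kind of outbound monitoring Rothman and Pescatore describe (example code written for this page, not from the article, the survey, or any vendor named in it), the script below parses a constructed outbound message, decodes every MIME part including the attachment, and flags Social Security numbers and account numbers. Rather than matching bare digit patterns, it applies the SSA issuance rules to SSN candidates and a Luhn check to account-number candidates, which is what separates a usable DLP rule from one that drowns the security team in false positives. The message contents, addresses and numbers are all invented for the example.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Hypothetical outbound message, constructed here for the example: a plausible
# SSN and an impossible one in the body, plus a Luhn-valid account number and a
# random 16-digit order id in a CSV attachment. None of this is real data.
def build_sample() -> bytes:
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "alice.home@example.net"
    msg["Subject"] = "weekend work"
    msg.set_content(
        "Taking the customer list home for the weekend.\n"
        "Jane's SSN is 219-09-9999; the placeholder 000-12-3456 is not a real one.\n"
    )
    msg.add_attachment(
        "name,account,order\nBob,4539148803436467,1234567890123456\n",
        subtype="csv",
        filename="accounts.csv",
    )
    return msg.as_bytes()

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
ACCOUNT_RE = re.compile(r"\b\d{13,19}\b")

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment cards and many account numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan_text(location: str, text: str) -> list[tuple[str, str, str]]:
    """Return (location, kind, masked value) for each validated hit in text."""
    findings = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append((location, "ssn", "***-**-" + m.group(3)))
    for m in ACCOUNT_RE.finditer(text):
        number = m.group(0)
        if luhn_ok(number):
            findings.append((location, "account", "*" * (len(number) - 4) + number[-4:]))
    return findings

def scan_message(raw: bytes) -> list[tuple[str, str, str]]:
    """Walk every MIME leaf, undo its transfer encoding, and scan the decoded text."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        text = payload.decode(charset, errors="replace")
        findings.extend(scan_text(part.get_filename() or "body", text))
    return findings

if __name__ == "__main__":
    for location, kind, masked in scan_message(build_sample()):
        print(f"{location}: {kind} {masked}")
```

Run as-is, it reports the SSN in the body and the account number in accounts.csv, and ignores the 000-prefixed SSN and the non-Luhn order id. A production rule would also need to unpack archives and office documents and handle text rendered inside images, which plain MIME decoding does not reach; that gap is part of why Rothman's "pretty okay to pretty not okay" range exists.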
"Technical controls, like DLP and web content filtering work from pretty okay to pretty not okay, depending on the technology, your goals, and the type of data you are trying to secure," says Rothman. "Every company has to evaluate the risk and the cost with lowering it, and how disruptive monitoring and DLP would be to workflow," he says.