by No Analyst or Consultant

The 2006 Messaging Security Benchmark Report: Strategies for Securing Corporate Communications

Oct 06, 2006, 7 mins

The results reveal that while most IT organizations still view messaging security as an inbound threat centered on preventing spam, malware, and viruses from entering corporate networks through email, best-in-class companies are also addressing the risk of outbound information leaks. Best-in-class companies also understand that messaging is reaching beyond email to encompass instant messenger (IM) communications, as well as web-based messaging, and are proactively implementing solutions that embrace these mediums while bringing them under the protective cover of corporate security policy and control.

Under increasing pressure to meet regulatory and policy requirements, and with an increased sensitivity to and understanding of the impact of confidential data leaks, IT organizations should take a new look at their messaging security plans and understand the gaps that might be present and the risks these gaps represent to their company's operation and financial health. In addition, IT organizations have the opportunity to harness the power of messaging mediums other than email, such as IM, in a way that improves operational efficiency for their organizations while addressing the very real risk that these mediums currently represent.

Though most IT organizations have made investments to control the inbound threat of spam and virus-laden emails, many have not addressed the equally important risk of inadvertent or intentional outbound data leaks. Many are still struggling to adapt current solutions to constantly changing risks, and lack an understanding of the security requirements needed to implement effective outbound messaging security. The biggest challenge most organizations face is in the area of training. The number one challenge faced by companies is ensuring staff compliance with policies and procedures, which is often ignored through ignorance or the perceived need for business expedience. The chief information security officer for a large medical company reported that shortly after implementing a messaging security tool, senior-level management followed up regarding how the tool was being used and how the policies set by the tool were being enforced for end users. The ability to effectively monitor the productivity of the software was key in this customer's messaging solution choice.

A variety of solutions exist to ensure effective security of both inbound and outbound messages. Mature technologies exist to block inbound email spam and message-based malware. The technology to monitor and control the contents of outbound communications has grown out of its infancy and now offers a broad range of products to effectively control and protect the outbound flow of sensitive data. Message encryption technology allows companies to protect sensitive contents during the delivery process and actually acts as a business enabler, allowing the secure transmission of sensitive data, such as account information and patient data, which could not normally be trusted to open messaging systems. To better understand the effectiveness of messaging solutions, Aberdeen Group surveyed more than 116 companies to determine the degree to which IT organizations are leveraging processes and messaging security products to improve the efficiency of their organizations and the integrity of their messaging.

Key Business Value Findings

Our research unsurprisingly shows that 90% of the surveyed companies considered email to be business critical to their organization. Interestingly, while only 7% considered IM to be business critical, 73% allowed its use. Since the vast majority of IM traffic goes through services outside corporate control, such as AOL, MSN and Yahoo, this means that a great deal of IM communication is going on without any corporate control. Similarly, 20% considered web-based messaging to be business critical, and 90% allowed its use. Employees are generally educated enough in current corporate policies to understand that their corporate email may be monitored, and companies often encourage employees to use personal email accounts for personal message traffic. If an employee is planning illicit activity, are they more likely to use their IT-monitored email system or one that is outside the control of the company? Common sense would lead us to believe employees with improper intentions would make a conscious effort to circumvent company-controlled messaging systems.

From a risk perspective, 91% consider viruses and malware, and 86% consider spam, to be a medium or high threat. Interestingly, 72% consider the external interception of confidential data to be a medium or high threat, though only 25% have implemented messaging encryption solutions to mitigate the threat. Eighty percent are concerned with the loss of confidential data by insiders, while only 43% have implemented outbound message security solutions. In fairness, 25% plan on implementing encryption solutions within the next 12 months, and 16% plan on implementing integrated inbound/outbound security solutions.

Fifty-seven percent indicate that compliance is a component in their messaging security strategy, with HR policy, federal privacy, and SOX requirements being the top three drivers in their strategy. On the flip side, the majority of respondents (on average 55%) don't know the actual annual financial risk that a compliance failure might represent. Although some companies do not have the resources available to conduct a formal assessment of the financial risk of non-compliance, other companies found such an analysis to be unnecessary because compliance is not a question; it is a necessity. "We didn't bother with formally trying to figure out the impact of a regulatory violation as part of our planning because we believe that proactively protecting health care information is a necessary requirement," said Ken Patterson, Chief Information Security Officer for Harvard Pilgrim Health Care.

Implications and Analysis

Spam and virus outbreaks are very visible security breaches that in the best case generate unneeded help desk calls and in the worst case openly disrupt the operation of an organization. The increased help desk load is a cost that is easily calculated within IT. As a result, IT departments have focused on minimizing the impact of these threats, armed with ROI arguments that are fairly easy to compute. The cost of the loss of confidential data or of a compliance violation is often harder to calculate and generally must involve cross-functional discussion. A senior manager/technologist who provides data management solutions for clinical trials and drug safety indicated that his company outsourced the analysis of data loss and compliance violations because the resources were unavailable within his organization. After quantifying the risk of noncompliance, his organization determined that a compliance failure would cost millions. For the companies that knew the cost of a compliance failure, the costs can be significant.

Messaging security solutions can have a beneficial impact on day-to-day operations while improving an organization's security posture. By implementing automated security solutions, 15% of respondents were able to reduce security staffing requirements, 15% reduced messaging operations staffing, and 12% reduced capital requirements related to messaging services.

Recommendations for Action

Companies need to review their messaging security plans to ensure that their processes and technologies address not only the traditional inbound threat, but also outbound data leak risks and the protection of sensitive data in transit against interception.

If necessary, the process of updating the security policy should:

  1. Create clear security-related policies and practices and ensure they are understood by all staff (not just IT).
  2. Quantify risks. Cross-functional teams should be assembled (including IT, Finance, and HR at a minimum) to calculate at least a reasonable estimate of the impact and cost of a security or compliance failure. This exercise will assist in ranking the priority of the risks that must be addressed, as well as provide the basis for justifying the acquisition of new technology if required.
  3. Analyze the coverage of current solutions to identify gaps in coverage.
  4. Select and leverage automated solutions to enforce security policies on an ongoing basis.

When considering solutions to address risk, organizations should take the opportunity to use security technology as a business enabler. Rather than blocking IM, embrace and control it and make use of the power of quick communication to tie teams closer together. Leverage encryption solutions to improve process workflow and enable secure communications with partners and customers. Messaging security solutions, if properly leveraged, enable companies to actually improve the bottom line while providing stronger protection of corporate systems and sensitive data.

To download the complete version of this benchmark report from Aberdeen Group, visit our Web site.