Best practices for email security

Former Secretary of State Hillary Clinton’s use of a private email server to conduct State Department business has left IT pros dumbfounded. They thought the days of executives acting autonomously were over and that governance within organizations was sound enough to prevent these actions.

“When you’re doing official business for an organization, you should use an official account,” says John Pescatore, director of emerging security trends at the SANS Institute. Otherwise, organizations cannot follow regulatory and compliance mandates, protect intellectual property or maintain proper records.

But Pescatore acknowledges that progress still has to be made in the email best practices arena to ease the burden on users and IT. For instance, mandating that someone use two devices – the issue Clinton cited as reason to circumvent State Department policy – is antiquated thanks to software that supports secure access to multiple accounts on a single device. “IT no longer can say ‘this can’t be done’,” Pescatore says. “There has to be a compromise and then a recommendation from IT.”

+ ALSO ON NETWORK WORLD: Top security tools in the fight against cybercrime +

At the same time, hacks like the one at Sony Corp. have organizations on edge about email security. Craig Gormé, information security manager at academic health center University of Florida Health, says organizations must adapt their policies and practices to the changing threat landscape. “We used to be concerned about malware and anti-virus coming through email, but tools have solved that. Now the biggest threat is phishing,” he says, adding that best practices must reflect this evolution.

Here are some ways to update your email best practices.

1. Re-evaluate the role of email in your organization.

“Companies understand that security is important, yet they still do email in an insecure way,” says Seth Robinson, senior director of technology analysis at CompTIA.

He recommends studying how your organization uses email and ensuring that it matches your risk tolerance. “What do you need to accomplish with email?” Robinson says to consider and then protect the entire system, including application, server and connection, accordingly. He adds that many organizations built their email infrastructure long ago and have not reviewed their vulnerabilities since.

Seth Robinson, senior director of technology analysis at CompTIA

Mandates like HIPAA have forced Gormé’s organization to revisit email guidelines, especially when it comes to those that include personal health information (PHI). “Users can only send emails with PHI internally. They cannot send it to outside email addresses and we prohibit the use of third-party email systems,” he says.

If they need to send communications with PHI, then they must find another more secure method such as encrypted messages or secure file transfer. Another option, Gormé says, is to deploy automated policy-based encryption, which scans all email for medical record numbers, Social Security numbers or other personally identifiable information. If it is found, the data is held for inspection or re-routed to an encrypted pathway.

Duke Prestridge, CIO of Community One Bank in North Carolina, says his institution has had to be very clear with users: “Corporate email is just that – corporate email. It’s not to be used for personal use.”

He credits regulatory oversight for his ability to keep a tight rein on email and to keep users from litigious situations. “FINRA standards dictate that we have to manage all email and save it for seven years,” he says. The organization itself, though, has to determine how to deal with the influx of embedded video and attachments. “We need more policies around how to handle them,” he says.

2. Revisit governance.

As he grapples with federal and financial industry mandates, Prestridge says he is glad that his bank’s executives have his back. “Email policies have to have teeth in them,” he says, and the only way to do that is with proper governance, enforcement and solid backing from business leaders.

Like many of his peers, Prestridge believes Clinton’s situation could have stemmed from the CIO not having adequate support to uphold email policies. “When we first established our corporate standards based on regulatory guidelines we got pushback, but not since then,” he says. Executives fully endorse his position as CIO and as a risk manager. “As things change risk-wise with public breaches like those at Target and Home Depot, the position of CIO must be elevated and given the authority needed to protect the organization,” Prestridge says.

Peter Firstbrook, vice president at research firm Gartner, says a finely tuned governance body could help broker a tricky situation like when an executive uses rogue resources. A cross-functional body (with representatives from departments such as legal, IT and human resources) could explain the compliance risk of using non-compliant resources to the executive while encouraging IT to help find a secure workaround.

Pescatore says governance bodies also can help ensure that if an organization switches to cloud-based email, incident response processes are tested regularly. If a server is on-premises and something bad happens, IT can turn it off quickly. Organizations must understand and test the equivalent process in the cloud, he says.

3. Make acceptable use policies usable.

Governance bodies also can ensure that acceptable use policies are updated to address mobility, the cloud, social networking and other essential topics.

“We have found that organizations don’t have thorough acceptable use policies and that they don’t train users well enough on them or remind them enough about them,” says Michael Osterman, president of Osterman Research.

Gormé believes acceptable use policies should be refreshed annually and should become more user friendly. “Customers need to clearly understand what and what not to do and more importantly why,” he says.

For instance, many acceptable use policies are presented blandly on a Web site or on paper. In the future, he would like to see them shared in ways that users communicate, such as text.

Also, he feels users should be made to take a quiz to show their understanding of the policy. That, he feels, would help IT fill the gaps in user knowledge.

To Prestridge, it’s important for users to understand the delta from previous acceptable use policies. “We need to explain the business reason and risk of why they can’t do certain things with email anymore,” he says.

For instance, users might not fully understand that when they forward an email, they might be forwarding an entire thread that includes sensitive or confidential information. By pointing it out as an example in an acceptable use policy, users might comprehend the risk and avoid doing it.

4. Consider educated users your best weapon against phishers.

Hand in hand with acceptable use policies should be education about phishing, according to Osterman. “People are still very gullible and don’t think hard enough about the content they receive,” he says.

While technology such as data loss prevention (DLP) can help detect phishing attempts, users need to be the first line of defense, according to Osterman. “The integration of email and social file sharing is opening up possibilities for bad things to happen,” he says.

Educating users also helps you plug more security holes with less budget. “Organizations sometimes feel training is too expensive, but avoiding one average-size phishing incident every five years puts you ahead of the game cost-wise,” SANS’ Pescatore says.

5. Personal email and corporate email can coexist… on the same device.

Like Clinton and the State Department, Prestridge and his bank faced the multiple device issue. Users did not want to carry two smartphones or tablets but Prestridge didn’t want personal and private email accounts to co-mingle insecurely either.

Rather than saying no and risking data leakage, Prestridge deployed Good Technology’s container service on users’ personal devices. He did away with corporate Blackberrys and the Blackberry Enterprise Server and reallocated that money to subsidizing users for a portion of their iPhone and Android devices as well as supplying the Good application.

To access corporate data, users must download the Good app onto their mobile device. Good ensures that personal email accounts are apart from corporate accounts and that users are not able to copy or forward corporate data. Good keeps a record of user activity so if data is leaked or stolen, IT can backtrack to find it.

Also if the device is lost or stolen, it can quickly be located and/or scrubbed.

“Users still have full functionality of their devices without compromising data security,” Prestridge says.

While Prestridge has addressed email security and compliance for now, he knows email best practices will change again in the near future as technology evolves.

Take unified communications. He wants to see what regulators will require for voicemail integrated with email systems. Would financial institutions have to save them similarly as traditional email? If so, best practices would be needed for that realm as well.

Gormé is expecting two-factor authentication, such as having a code sent to your phone, to be a best practice for email systems soon, especially in the healthcare arena. “I see us getting away from passwords and more into tokens and the like,” he says.

There are many instances, Firstbrook says, where a best practice could be not to use email at all. For example, if a board wants to discuss the latest financials or executives and the CFO have to work with a rival company on a purchase, then email is just not a secure option. Instead, users should go out of band to a private portal or a confidential platform that erases data as soon as the session ends and does not allow for copying or forwarding.

Firstbrook also says, “but then again, you could just pick up the phone.”

Gittlen is a freelance writer. She can be reached at sgittlen@verizon.net.