E-mail systems evolve


23 May 2005

Most business people would be surprised to learn that e-mail is actually nearly as old as fax. The world’s first recognised e-mailing was in 1971 when a senior scientist sent a message (QWERTYUIOP) to all users on ARPANET, the US military precursor of the Internet. But it was of course only in the 90’s that the Internet gained anything like general use. It remained largely the preserve of the groves of academe, government agencies and large corporations until the arrival of the World Wide Web.

It has been the Web, with its colourful graphics capability, that has driven universal Internet usage and e-mail. E-mail is now so much a part of people’s daily business lives that we all take it for granted. Yet has anybody come across an in-company training programme on the use of e-mail?

Does your own organisation have a written e-mail manual and policy guide? Everyone knows about – or hears about – the dangers of viruses, worms and other security threats related to e-mail. But do they really grasp the ways in which the attacks can be delivered and how essential it is to take precautions? As for spam, a nuisance for individuals has developed into a resource-grabbing monster for larger organisations.

 

Vital communication tool

The basic and most important point is that e-mail has rapidly developed into one of the most important communications media today – and for many purposes and organisations it is the primary channel. Yet perhaps because it is so easy to set up and use initially, many organisations have given comparatively little attention to the ongoing management and even development of e-mail other than to implement anti-virus and to a lesser extent spam filtering solutions.

Today we have e-mail as the core element of unified messaging systems that can combine fax and even voice messages (sent as e-mail attachments) with the newer Instant Messaging (IM) and/or mobile text messaging (SMS). That messaging function is becoming more complex even as it becomes more essential to all organisations. It requires management of the technical aspects as a service to users in the organisation. Using e-mail when away from base, for example, is now standard for all but the permanently desk-bound. But it also requires serious attention to the business administration, from the now well publicised dangers of inappropriate e-mail conduct and content – and possible lawsuits – to the growing requirements of regulated industries and professions for the retention of e-mail in an auditable manner.

 

Corporate challenges

When you look objectively at the corporate use of e-mail today there are three distinct challenges or areas to be concerned about, according to IBM’s Stuart McRae, IBM Workplace Strategist, Lotus Business Transformation: “Security is clearly top of most people’s list because of the well known threats of viruses, worms, spyware etc. which are mostly carried by e-mail. Spam is now figuring because it wastes resources and reduces productivity. Compliance in every sense is now recognised as important – we have to do business appropriately and minimise any legal risks whatever the sector.” What is common to all of these, he points out, is identity: when we are sure of who is who at each end of an email transaction we have solved most of the problems of managing it.

The trouble is that in general Internet e-mail usage we do not yet have really good ways of managing identity. “Within an organisation there are good systems – single sign-on using strong authentication is user-friendly and then either the Microsoft solutions or the Lotus Notes and Domino architecture from ourselves will give consistent management of all of the messaging. But outside of the organisation and especially with internet e-mail and Instant Messaging you no longer have that enterprise identity infrastructure to trust. There are no universal solutions.” He points out that almost all of the problems stem from the basic fact that we have grown to use email – and IM recently – to perform useful tasks for which they were never intended i.e. carrying file attachments.

Better ways of doing such things are available, like using email simply to point to document libraries or other files to which authorized people then gain access using some secure channel. “But email is easy, universal and processes have grown up around it. So changing user habits is a challenge.”

 

E-mail extended

The point about e-mail being stretched to do things never intended is echoed by Conor Flynn, Technical Director of RITS Information Security, who believes many organisations are not approaching it seriously enough: “They will tell you how mission-critical e-mail is to their operations – but then you see that the resources allocated to this essential business tool are modest, even grudging.” He also believes that we are barely getting to grips with the spam epidemic. “Anti-virus and content monitoring now have mature products to deal with problems but spam protection is still at the toddler stage. Both managed e-mail services and the best of the software tools will take out perhaps 60 to 70% of spam, particularly working from black lists of known relay addresses. But service providers and internal IT people are terrified of false positives – because rejecting even one genuine and important message could be so critical. The other side of that, of course, is that tighter management control of filters could raise the barriers higher with minimal error. But so far the consensus everywhere is to take a level of spam as inevitable rather than risk mistakes – with the resultant waste of resources daily.”

 

 

Case in point  

Irish Life & Permanent is a major Irish financial services organisation that went in search of a robust e-mail security option earlier this year. It selected Tumbleweed’s Email Firewall, a product which defends e-mail infrastructures by providing proactive comprehensive anti-spam, anti-virus, anti-phishing and anti-hacker protection at the gateway. “We have already seen an increase in functionality, reliability and spam capture rates,” says Martin Farrelly, Group IT Manager of Information Security and Network Services. “Tumbleweed also introduces a robust architecture which results in significantly lower hardware requirements, a fact which was equally welcome.” The Tumbleweed products are distributed in Ireland by Kerna Communications, which points out that the product is also a service as systems automatically update their recognition database three times daily.

“Everything in or out over the Internet is a threat. They may not put it like that but I reckon that’s their mantra,” says David Keating, Security Manager of Data Solutions, talking about SurfControl. This is one of the longest established Internet security vendors and to date is believed by most in the industry to be the only complete solution to managing Internet risk. “The key point is that it protects everything, e-mail, IM and even peer-to-peer and works on every platform. Instant Messaging, for example, can be downright dangerous because it was designed with firewalls in mind. In order to be user-friendly it works on the basis that the sender has given permission and finds its way through the firewall using a return path even when the ports are nominally protected. Of course there are ways to block such behaviour in a corporate scenario.” David Keating’s point is that many organisations are not yet taking the threat seriously enough. An IM can carry a file attachment and therefore a dangerous payload just like e-mail.

“A lot of the risks of IM stem from the fact that it is relatively new and sexy and the disciplines have not been put in place – nor have the tools to control it,” says Mark Smith, Solutions Architect with HP Services. “IM can be a very useful tool in business. Either the Lotus Notes or the Microsoft versions are great for collaboration within an enterprise – and complement phone and e-mail within an integrated security infrastructure. But web IM like MSN Messenger, Yahoo and so on is a real threat if users are using it on corporate machines, desktop or laptop. A virus can latch on to your ‘buddy list’ and spread literally in an instant.” Too many organisations have not yet grasped the dangers of IM and configured their security to cope, Mark Smith suggests, and even fewer have assessed their risks and published policies for acceptable IM use.

 

Mobile etiquette

Acceptable laptop use is an important element in managing e-mail and communications, David Keating was keen to emphasise, and difficult to enforce. “A laptop is a corporate asset just like the desktop PC, but people treat them in many ways as personal and use them for web browsing at home, personal e-mail and IM and so on. Which is fine, but they should then be prepared to have their machines checked and managed from a security point of view just as an office PC would be. Good security tools will scan user machines for everything every time at the point of log-on.” Like others we spoke to, he reckons that perhaps 90% of e-mail use on the move these days involves logging on to the office network over the Internet by VPN. “This should be a secure solution, since the e-mail in essence always travels through the corporate server and security system. Where you need to be extra vigilant is when the same machine is used for web e-mail and IM, because malware could slip past precisely because the laptop – or rather its owner – is trusted by the network once logged on.”

 

Managed e-mail in VHI

An increasingly common answer to the rising threat level is to choose a managed e-mail service. EuroKom, originally a UCD campus technology company even before the dot.com days, has been offering managed e-mail for over 20 years. “We have over 60,000 e-mail users in a range of major organisations from Aer Rianta and government departments to Glanbia and Superquinn,” says technical director Tom Wade. “Last month our system blocked over three million spam messages and 1.2 million e-mails with virus attachments. That is a measure of how bad it has become.” One of its customers is VHI, where Paul Stobie is Operations Manager of IT Services: “It takes a lot of the pain out of anti-virus and spam control – in fact it combines with our own systems to give us the belt and braces security we are comfortable with! We do an independent security audit at least annually and so far the systems have rejected all of the nasties thrown at them in tests.” But he points out that firm security policies back up the technology. There are many file types VHI will simply not accept via e-mail, even including .Zip compressed files. “Even when we are expecting them, say of medical scans or reports, we check that they are from the trusted source then download them manually from the EuroKom server.” On the other hand, VHI encourages e-mail from its members so there is a sophisticated routing and heading/content management system to ensure that emails to info@vhi.ie or other generic addresses within the VHI are properly acknowledged and dealt with by the appropriate department.   

 

Plethora of services

There is a growing choice of managed e-mail services, including Eircom.net managed e-mail aimed at smaller businesses using its Internet access, TopSec Technology (formerly Systemhouse), Netsource and Commtech. Justin Owens, Commtech managing director, believes that for many organisations the appliance approach to anti-virus scanning is a clean, technically efficient solution: “These are black boxes as far as the user is concerned, they pull down their own updates, will not allow relaying and are independent of patches for applications or operating systems, for example.” Commtech also offers a managed e-mail service through its product resellers that retails at EUR 24 per user or e-mail address per year: “In essence everything is flushed through our systems. Marginal e-mails are quarantined and the clients sent a list of senders and headings once a day. A simple Web check and if any legit messages have been trapped you just click to download and the system knows better next time!”

 

Compliancy issues for e-mail

A major and growing driver of best practice e-mail management is the need in many regulated sectors to retain all e-mail traffic in a secure, auditable and tamper-proof way for minimum periods – up to seven years in some instances, much to the delight of the data storage vendors. Financial services post-Enron and following the Sarbanes-Oxley diktats are probably top of the list, Pharmachem Industries under the watchful gaze of the US FDA are on it and we cannot forget e-government and all of that citizen e-services traffic plus the Freedom of Information Act. But in point of fact there are many other instances where e-mail retention is essential in order to prove who said/did what and when if any dispute arises later. That could be in a supply chain, for example, and it certainly applies in construction project management where a range of professionals and sub-contractors are collaborating. E-mail retention could even in many circumstances come under the general heading of Directors’ responsibilities – and liabilities. “The important thing for management is to ascertain exactly what the compliance parameters are – and for all of the organization’s activities,” advises Shaun Fothergill, Security and IT Strategist in Computer Associates. “That would go hand in glove with your email and IM risk assessment.” You have actually assessed your risks, haven’t you?

 

Email is simple – really!

But although Internet e-mail is a multi-million user communications tool today, the technology behind the scenes is still tied to the systems and standards that go right back to the origins of the internet. In fact business e-mail requires some understanding of the underlying systems in order to use it properly and safely. For a start, all internet e-mail is fundamentally text-based. It uses and recognises only the character set devised for telex and then computer use – the American Standard Code for Information Interchange (ASCII). It also works through a network of servers throughout the world, as everybody knows. What is less well understood is that these all run on the Unix operating system or its young grand-nephew Linux, which are also exclusively text-based for inter-computer communications.

So practically all of what you see on your screen every day is actually totally irrelevant to e-mail – including the way your messages are shown. The typeface comes from the operating system, for example, and the screen layout – addresses, headings, folders, colours and so on – from whatever e-mail program you are using. All that passes through the network, Internet or private, is a string of letters, numbers and punctuation marks plus a few special characters to indicate end of line, paragraph, etc. That is why an e-mail message in itself cannot carry a virus. There is quite simply no computer code involved. Viruses come through attachments and some new forms of e-mail that exchange formatted documents between consenting (i.e. similarly equipped) computers.
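To make the text-only transport concrete, the following added example (not part of the original article or any vendor's product) builds a message with two attachments, confirms that what goes on the wire is pure 7-bit ASCII, and then applies a gateway-style file-type policy of the kind VHI describes above. The addresses, filenames and blocked-extension list are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed policy list for illustration: extensions the gateway refuses outright.
BLOCKED_EXTENSIONS = {".zip", ".exe", ".scr", ".pif"}


def build_sample() -> bytes:
    """Build a constructed message: a text body plus two binary attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"   # constructed address
    msg["To"] = "info@example.com"       # constructed address
    msg["Subject"] = "Scan results"
    msg.set_content("Report attached.")
    # Binary payloads are base64-encoded by the library before sending.
    msg.add_attachment(b"PK\x03\x04 constructed bytes \xff\xfe",
                       maintype="application", subtype="zip",
                       filename="scans.ZIP")
    msg.add_attachment(b"%PDF-1.4 constructed",
                       maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_bytes()


def is_plain_ascii(raw: bytes) -> bool:
    """True when every byte of the serialised message is 7-bit ASCII."""
    return all(b < 0x80 for b in raw)


def screen_attachments(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, verdict) for each attachment in a raw message.

    The check uses the declared filename only, compared case-insensitively;
    it does not inspect the decoded content.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        verdict = "reject" if ext in BLOCKED_EXTENSIONS else "accept"
        results.append((name, verdict))
    return results


if __name__ == "__main__":
    raw = build_sample()
    print("wire format is ASCII:", is_plain_ascii(raw))
    for name, verdict in screen_attachments(raw):
        print(f"{verdict:7} {name}")
```

Because the verdict rests on the declared filename alone, a renamed file passes this check, which is why gateways pair it with content scanning.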

The other fundamental thing about Internet e-mail is the addressing system. We all understand that somewhere out there is a giant Post Office that sorts and routes our e-mail – and we collect from our designated box. But the postal analogy and user-friendly web e-mail addresses and domains (joe@joesplace.ie) conceal the rigorously numerical system of Internet Protocol (IP) devised nearly three decades ago to give every connected machine a numeric address. So an e-mail to scope.ie is actually going to something like 123.321.456.654. If there is more than one e-mail address for that domain, some local system has to sort the incoming mail. This rigidly numerical system also explains why even a single letter wrong in an e-mail address means the message simply disappears into cyberspace – there is no sensible human postman to interpret what you might have meant. More importantly, there is no automatic ‘return to sender’ system to let you know when you have goofed. We have all had messages ‘bounce’ from time to time, but the trouble is inconsistency. Most large organisations have ‘catch all’ e-mail handling for their domains, so most incoming e-mails will get through and it will then depend on the internal system to deal with miscellaneous and mis-addressed e-mails. So a core problem with Internet e-mail is that it is not point-to-point so there is no universal system to confirm that a message has been received.

Most e-mail programs have the facility to request a confirmation of receipt of a particular message, but that is still at the recipient’s discretion. Where there are legal or business implications, such as an order or indeed a cancellation, you can reasonably ask but you can’t expect confirmation of routine correspondence.


TechCentral.ie