After 40 years, email security still elusive, experts say

By George V. Hulme, CSO |  Security, email security

It's been precisely 40 years this fall since email was invented. Despite its age, however, securing it remains elusive, a survey released this week reveals.

According to the survey, conducted by secure messaging provider VaporStream Inc., nearly three-fourths of respondents from large companies reported that they've violated compliance rules via email. About a third of those surveyed said they did so intentionally.

While this won't surprise security professionals, it is a reminder of how difficult it is to secure even the most widely used applications, and it raises the question of why we can't make email more secure without killing its functionality. "Because people use technology," says Scott Crawford, managing research director, Enterprise Management Associates. "And email is simply copying and communicating text from one relay to another. But that simplicity hides a paradox: messaging, collaboration, social -- all these technologies are designed to enable people to express themselves. The more constraint we put on them, the more difficult it can be to use technology to communicate," he says.

Mike Rothman, an analyst at security research firm Securosis and former executive at secure email vendor CipherTrust, isn't surprised by the lackadaisical approach to email security by users. "As soon as they start monitoring outbound communications they start seeing everything that's being sent," he says. "They'll see social security numbers, account numbers, and other forms of controlled information. It opens their eyes and that's when they investigate."

"Most of the time the employees are just trying to do the right thing, emailing files to their home to get work done over the weekend. Most of it isn't malicious," Rothman says.

Experts agree there's no easy email security fix on the way, whether through training or technology. "The answer is not more training and education," says John Pescatore, security analyst at Gartner. "20 years of that has not gotten us very far. More monitoring, via Database Activity Monitoring and Data Leak Prevention (DLP) is definitely needed," he says. "Monitoring to detect those conditions is important for both near term security and for figuring out what IT processes need to change so that users can get their jobs done without using email insecurely."

Originally published on CSO.