April 29, 2011, 11:34 AM — It's been precisely 40 years this fall since email was invented. Despite it's age, however, it remains elusive to secure, a survey released this week reveals.
According to the survey, conducted by secure messaging provider VaporSteam Inc., nearly three-fourths of respondents from large companies, reported that they've violated compliance rules via email. About a third of those surveyed said they did so intentionally.
While this won't surprise security professionals, it is a reminder how difficult it is to secure even the most widely used applications, and begs the question of why we can't make it more secure without killing its functionality? "Because people use technology," says Scott Crawford, managing research director, Enterprise Management Associates. "And email is simply copying and communicating text from one relay to another. But that simplicity hides a paradox: messaging, collaboration, social -- all these technologies are designed to enable people to express themselves. The more constraint we put on them, the more difficult it can be to use technology to communicate," he says.
Mike Rothman, an analyst at security research firm Securosis and former executive at secure email vendor CipherTrust, isn't surprised by the lackadaisical approach to email security by users. "As soon as they start monitoring outbound communications they start seeing everything that's being sent," he says. "They'll see social security numbers, account numbers, and other forms of controlled information. It opens their eyes and that's when they investigate."
"Most of the time the employees are just trying to do the right thing, emailing files to their home to get work done over the weekend. Most of it isn't malicious," Rothman says.
Experts agree there's no easy security email fix on the way: whether training or technical. "The answer is not more training and education, says John Pescatore, security analyst at Gartner. "20 years of that has not gotten us very far. More monitoring, via Database Activity Monitoring and Data Leak Prevention (DLP) is definitely needed," he says. "Monitoring to detect those conditions is important for both near term security and for figuring out what IT processes need to change so that users can get their jobs done without using email insecurely."