It’s that time of year, GonzoGoblins, when we carve the pumpkins, make sure our dental plan is current, don our favorite guise and embark into the night yelling those favorite words – Trick or Treat! Ah yes, Halloween, the night when the gremlins surface and, if you are a parent, you spend most of the evening examining your children’s “loot” for anything suspicious. I am always reminded of the urban legends about razor blades or needles being pushed into fruit or some ’60s throwbacks dipping their goodies into a vat of LSD. Still, nowadays you can’t be too careful. You never really know what is inside that pretty wrapper until you open it up and take that first bite. Yes, it is a conundrum, but no child should be denied the opportunity to enjoy a festive night of trick or treating.
Email has become, at least in my warped mind, a parallel to trick or treating. The email box has become the “loot” bag, and all day long “tricks or treats” are being dropped into it. Just as no parent should deny his or her child the opportunity to trick or treat, no organization today would consider switching off its email or Internet access.
According to The Radicati Group there are about 686 million email users worldwide, with over 1.2 billion active email accounts. Worldwide email traffic per day totals about 141 billion messages, and 64 percent of the messages are tricks, not treats. The average end-user generates and receives about 84 emails per day, which require about 10 megabytes of storage daily. Radicati forecasts that by 2008, emails will require around 15.8 MB of space daily. Another research group, IDC, claims that in the United States alone, 35 billion email messages are generated every business day.
Okay, so we all like to send and receive emails. I will be the first to admit that I would get worried if I didn’t meet my quota of 84 emails a day. However, the proliferation of email usage brings with it the inevitable increase in risks.
The Dark Side of Email
And if the dam breaks open many years too soon
And if there is no room upon the hill
And if your head explodes with dark forebodings too
I’ll see you on the dark side of the moon.
–Roger Waters, Brain Damage
According to Clearswift, there are four primary threats email can bring to an organization:
Friends, I don’t think I need to remind anyone of the hell we are going through complying with Sarbanes-Oxley, the Gramm-Leach-Bliley Act (GLBA), NYSE Regulations, SEC and NASD Rules and Regulations, and the numerous other government regulations that have been thrust our way the past few years. Yet how many of us have looked closely at how some of the aforementioned affect our daily email communication?
Sarbanes-Oxley’s Impact on Email Security
The Sarbanes-Oxley Act of 2002, affectionately known as SOX, took effect in June 2004 and requires CEOs, CFOs, independent auditors and audit committees to certify the accuracy, confidentiality, privacy and integrity of financial statements – not to mention the internal controls and procedures for financial reporting. The two sections most relevant to email security are these:
What this means is that we are required to ensure that sensitive information remains secure. The easy answer would be end-user encryption; however, as with all government regulations, there is a catch. Encryption is usually implemented by installing an application on the end-user’s desktop that automatically encrypts and decrypts all incoming and outgoing messages. Okay, so let’s just buy some software, slap it on every desktop in the bank, and problem solved. Not so fast. Here is the catch:
SOX prevents organizations from installing end-user encryption techniques because if end-users encrypt their emails, the contents of the emails cannot be filtered for inappropriate information or trade secrets as they move through the email servers. Therefore, emails should be sent to the server as clear-text (i.e. not encrypted). Only when the content has been cleared for release by the organization’s governance policies, which are installed on a centralized server, should the message be encrypted.
Gramm-Leach-Bliley Act’s Impact on Email Security
The GLBA was signed by Bubba Clinton in 1999 and made fully effective on July 1, 2001. The core regulatory requirement of the GLBA is to ensure the security, integrity and confidentiality of customer nonpublic personal financial information (NPI). More specifically:
There are two fundamental requirements that must be met when transferring NPI. In other words, organizations that email customers or third parties must do the following:
Are they serious?
Let me break it down this way. Financial institutions are faced with the need to protect confidential data; comply with numerous government regulations; keep the network up, running, and secure; and, by the way, operate on a budget.
Is it just me or has our government ingested too much candy dipped in LSD? Come on, who is going to pay for all of this compliance? Sadly, we already know the answer, and every day the pain grows.
Say we don’t comply. What is the worst that could happen?
Let’s see – in 2004, a federal court sanctioned Philip Morris $2.75 million for deleting senior executives’ emails. In 2005, UBS Warburg was fined $29.3 million for its failure to preserve email evidence. JPMorgan reached a $2.1 million settlement with the SEC in February of this year for its failure to retain company email. GonzoBankers, I think the message is clear – crystal clear.
Email Best Practices
Banks that are committed to complying with government regulations (which I know includes everyone reading this), preventing accidental and/or intentional email abuse, and reducing the risk of litigation and all the other potential email disasters are encouraged to adopt some internal best practices. The ePolicy Institute recommends that the following best practices be applied to email risk management:
I realize these may sound too simple, but aren’t best practices usually that way – the basics?
Gonzos, we must begin treating email as a business record. For financial institutions the failure to retain email according to regulatory guidelines can – and frequently does – lead to multi-million dollar fines, criminal charges, civil lawsuits, and, last but not least, damaging publicity. Organizations that treat email lightly should stop. This is not an IT-only problem, friends. Ultimately it comes down to process, procedures, and their enforcement.
A word of caution to IT shops that have locked down their email systems so tightly that end-users refuse to use the bank-wide standard email application. If those same end-users have Internet access, I will bet you my Halloween candy they are using their personal Yahoo or Google email accounts to send and receive information via their browsers. Guess what? Your security just became its own worst nightmare.
Gonzo ghouls and goblins, the intent here is not to get you to turn off your email. After all, what kind of parent prevents a child from experiencing Halloween? Everyone deserves to go trick or treating. The key is being prepared for the unforeseen gremlins that truly go bump in the night.
See you Monday night, and you better have some good candy.
-tj