How to Avoid 5 Common Email Management Mistakes

Email managers have a lot at stake.

By Susan Perschke, Network World

Email managers have a lot at stake. After all, the volume of global electronic messages sent via email dwarfs all other forms of electronic communication, including social networking. Since the inception of electronic mail, which, according to some Internet historians, can be traced to a small mainframe app called 'MAILBOX' from the mid-1960s, human-to-human messages have been created, transmitted and stored in electronic format. But early email administrators could hardly have envisioned the complexity of current email infrastructure and the concomitant maze of technical, security, business and regulatory challenges.

Here are five common mistakes made by email managers, and how to avoid them by developing and implementing your own action plan.

Mistake 1: Pigeonholing email as just an IT function
Business managers know they have a working mail server and trusted individuals to maintain it. Box checked -- or is it? The mail administrator on the IT side is charged with keeping the mail server operational, performing backups, patching servers, supporting users and all the other technical and security details that attach to mail server administration.

But these functions represent just one of the many elements necessary to achieve fully effective email management.

Corporate espionage is on the rise. According to a recent report by the U.S. Office of the National Counterintelligence Executive, "The pace of foreign economic collection and industrial espionage activities against major U.S. corporations and U.S. government agencies is accelerating." Email has been identified as a primary means of leaking corporate secrets.

In a relatively small number of cases, security breaches are intentionally committed by individuals with malicious intent, but devastating security leaks can also occur quite innocently in organizations where policies, procedures and defense mechanisms are weak or non-existent.

Despite the fact that high-profile data thefts are made public almost daily, research shows that many email managers do not have adequate measures in place to protect against "exfiltration" of sensitive data. In a recent eMedia survey commissioned by Mimecast, a staggering 94% of network managers said they had no mechanisms in place to prevent confidential information leaving their network. Clearly there is a greater need for vigilance.

E-mail management mistakes
As it pertains to email, Data Loss Prevention (DLP) can be accomplished by inspecting and analyzing outbound email traffic (data in motion) through a variety of hardware and software-based technology solutions, combined with non-technology-based DLP policies. Several DLP solutions are built to extend common firewall platforms. A good DLP solution can also address regulatory compliance as an added bonus.

The take-away here is two-pronged -- setting and maintaining corporate-wide data loss prevention policies and deploying DLP mechanisms -- is a must.

Action Plan
1. Email policy administration should have buy-in from top management and be enforced at all levels.
2. Research, then implement appropriate company-wide DLP.
3. Create and enforce "acceptable-use" policies. For example, spell out whether users can check their personal email using work computers and whether they can use their work email for personal online business.
4. Educate employees and make sure they understand that compliance with e-mail policies is mandatory.

Another area of email management that frequently falls outside the purview of the IT department is regulatory compliance and data retention. There are a number of regulatory requirements that can affect email policymaking (view chart at networkworld.com).

For instance, health organizations may need to establish point-to-point email security to meet Health Insurance Portability and Accountability Act (HIPAA) requirements. Failure to adequately address policy and regulatory issues can subject an organization to fines or administrative penalties, and weak or non-existent email policies may expose the company's intellectual property or sensitive customer data to undue risks.

Action Plan:
1. Know the compliance and data retention requirements applicable to your organization's size and industry
2. Set up secure, point-to-point email connections where indicated
3. Appoint a compliance officer to act as a liaison between management and IT to ensure compliance with corporate policies and regulatory requirements.

Mistake 2: Complacency with regard to spam and phishing
Fifteen years ago a single individual dubbed the 'Spam King,' easily made $20,000 per day in what is still considered by many to be the world's largest spam operation. Robert Soloway, who was eventually jailed for violating anti-spam laws, freely admits that making money on spam these days is a losing business proposition.

Indeed, technology advances, coupled with more aggressive anti-spam legislation, have made significant inroads in the battle to control spam and phishing, but the fight is far from over. A random daily sampling from mail preprocessor MailArmory in April 2012 still reported spam as comprising 87.2% of its preprocessed email traffic. But the preprocessed spam mercifully no longer lands in the user's email account. The captured messages can be reviewed and released from the MailArmory server, or simply ignored, in which case the suspect emails will be deleted.

On another anti-spam, anti-phishing front, industry titans including Google, Microsoft, PayPal, Bank of America and Facebook, just to name a few, recently collaborated to support DMARC (Domain-based Message Authentication, Reporting & Conformance).

The new DMARC specification is a promising step in the right direction that uses existing technology such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to combat spam and phishing messages. In short it provides a way for email senders to inform receivers that their emails are protected by SPF/DKIM and the receivers can in turn authenticate messages based on whether a message is aligned with what the receiver knows about the sender. If this standard becomes widely implemented it should make it more difficult for third-party spammers to spoof messages and have them delivered to end users.

Agari, an early developer and provider of DMARC services, currently processes more than 1.5 billion messages per day using DMARC. Agari CEO and Founder Patrick Peterson says that clear text messaging, which is how the vast majority of email is still transmitted, is "profoundly insecure." However, in the grand scheme of things, it actually poses a much smaller risk than alternative attack methodologies currently in use, such as advanced persistent threats (APT).

End-to-end email secured communication via SSL or TLS, the putative solution to clear-text transmission, is fraught with practical snares. "It takes two to tango," says Peterson, who noted that less than one-tenth of one percent of emails are currently transmitted over secure channels. Peterson says end-to-end is primarily used by governmental agencies and healthcare providers, who are required by law to secure their communications.

Another method for fighting spam/phishing is hardware-based. David Cahill, information security officer at Irish mortgage lender EBS, says his company needed to centrally manage email security for more than 1,100 employees and chose an appliance partly because of the ease of migrating it into the company's existing email infrastructure and also the product's centralized management framework.

Regardless of the technology used to combat spam/phishing, it is still nearly impossible to prevent at least some spam from arriving at the user's in-box. Phishing emails have reached such a degree of sophistication that in some cases they can deliver malware just by being opened, even without the recipient clicking on anything in the contents.

Action plan:
1. Reduce spam and phishing messages by implementing preprocessing technologies suitable for your organization.
2. Make sure your email policy clearly advises employees on what steps to take when encountering suspicious emails.

Mistake 3: Failing to consider business critical factors when trusting email to the cloud
Many cloud providers can help companies offload the resource-intensive job of email management. But organizations need to fully understand the impact.

Technically, the steps can be straightforward. It only takes moments to redirect MX records. But approached too hastily, the expediency of the cloud may have a downside. There are other important considerations email managers need to take into account before trusting such a vital business function to a third party.

Action Plan:
1. Understand your cloud provider's service-level agreement (SLA) and make sure both your organization and the provider have a Plan B in case of a service outage.
2. Make sure the host provides reliable backups and that you have adequate access/control to data needed to meet your organization's data retention and regulatory compliance requirements.
3. Ensure that the host has adequate safeguards in place to ensure DLP
4. Perform the necessary due diligence to be able to place full trust and confidence in the provider
5. Get legal advice to analyze impact on trade secrets or other confidential intellectual property when email is entrusted to third party

Mistake 4: Not protecting failover servers
Most email administrators are cognizant of the core requirements for operating a fault-tolerant mail server, including the need for one or more 'failover' servers. Specified with secondary DNS MX records, a failover server is designated to handle email traffic in the event the primary server fails, until the primary server is brought back online. Unfortunately, in some organizations the backup servers may not be up to par with the primary email server in terms of security features and outbound policy enforcement.

Given the seemingly interminable number of steps required to configure and secure a highly-available email server, ongoing maintenance, etc., it is easy to understand why the seldom-used backup server may not command the same attention to detail as the primary email server. However, hackers and spammers also understand this weakness, and may use it to bypass the main email server altogether, carrying out their exploits instead on more easily-compromised backup servers. These 'end-run' attacks may also evade detection if the backup mail servers are not actively monitored.

Action Plan:
1. Make sure your secondary mail servers are as secure and up to date as your primary; patch and update them as if they were production servers
2. Set up monitoring devices to automatically recognize and monitor the failover server when it is brought online without manual intervention

Note: In what is becoming a more commonplace practice, to reduce the risks of vulnerable backup servers, some email providers do not use "hot secondaries," but instead utilize offline mail servers that can be promoted in the case of failure of the primary. This reduces the attack surface, but requires a rapid response if the main email host goes down.

Mistake 5: Failure to plan for IPv6
At this point, virtually no one actively involved in IT can credibly claim not to have seen the buzz about IPv6.

Even if your organization doesn't contemplate migrating to IPv6 for web hosting and email, IPv6 migrations are happening everywhere and at some point in the near future your ISP will probably become IPv6 capable. This fact alone means your IPv4-only infrastructure could be found wanting, and may provide spammers and hackers the perfect route to the heart of your email server and beyond.

Action Plan:
1. Develop a plan for IPv6 in general and IPv6 impact on email specifically.
2. Update outmoded IPv4-only routers and switches that cannot perform deep-packet inspection of IPv6 traffic.
3. Be aware that reverse lookups might become obsolete because of the immense number (in the quintillions) of IPv6 addresses; research changes needed to combat spam through blacklisting and reputation services.

Original appearance at networkworld.com