How to Avoid 5 Common Email Management Mistakes
By Susan Perschke, Network World
Email managers have a lot at stake. After all, the volume of global electronic messages sent via email dwarfs all other forms of electronic communication, including social networking. Since the inception of electronic mail, which, according to some Internet historians, can be traced to a small mainframe app called 'MAILBOX' from the mid-1960s, human-to-human messages have been created, transmitted and stored in electronic format. But early email administrators could hardly have envisioned the complexity of current email infrastructure and the concomitant maze of technical, security, business and regulatory challenges.
Here are five common mistakes made by email managers, and how to avoid them by developing and implementing your own action plan.
Mistake 1: Pigeonholing email as just an IT function
But these functions represent just one of the many elements necessary to achieve fully effective email management.
Corporate espionage is on the rise. According to a recent report by the U.S. Office of the National Counterintelligence Executive, "The pace of foreign economic collection and industrial espionage activities against major U.S. corporations and U.S. government agencies is accelerating." Email has been identified as a primary means of leaking corporate secrets.
In a relatively small number of cases, security breaches are intentionally committed by individuals with malicious intent, but devastating security leaks can also occur quite innocently in organizations where policies, procedures and defense mechanisms are weak or non-existent.
Despite the fact that high-profile data thefts are made public almost daily, research shows that many email managers do not have adequate measures in place to protect against "exfiltration" of sensitive data. In a recent eMedia survey commissioned by Mimecast, a staggering 94% of network managers said they had no mechanisms in place to prevent confidential information leaving their network. Clearly there is a greater need for vigilance.
The take-away here is two-pronged: setting and maintaining corporate-wide data loss prevention (DLP) policies, and deploying DLP mechanisms. Both are a must.
Another area of email management that frequently falls outside the purview of the IT department is regulatory compliance and data retention. There are a number of regulatory requirements that can affect email policymaking (view chart at networkworld.com).
For instance, health organizations may need to establish point-to-point email security to meet Health Insurance Portability and Accountability Act (HIPAA) requirements. Failure to adequately address policy and regulatory issues can subject an organization to fines or administrative penalties, and weak or non-existent email policies may expose the company's intellectual property or sensitive customer data to undue risks.
Mistake 2: Complacency with regard to spam and phishing
Indeed, technology advances, coupled with more aggressive anti-spam legislation, have made significant inroads in the battle to control spam and phishing, but the fight is far from over. A random daily sampling from mail preprocessor MailArmory in April 2012 still reported spam as comprising 87.2% of its preprocessed email traffic. But the preprocessed spam mercifully no longer lands in the user's email account. The captured messages can be reviewed and released from the MailArmory server, or simply ignored, in which case the suspect emails will be deleted.
On another anti-spam, anti-phishing front, industry titans including Google, Microsoft, PayPal, Bank of America and Facebook, just to name a few, recently collaborated to support DMARC (Domain-based Message Authentication, Reporting & Conformance).
The new DMARC specification is a promising step in the right direction that uses existing technology such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to combat spam and phishing messages. In short, it provides a way for email senders to inform receivers that their emails are protected by SPF/DKIM, and the receivers can in turn authenticate messages based on whether a message is aligned with what the receiver knows about the sender. If this standard becomes widely implemented, it should make it more difficult for third-party spammers to spoof messages and have them delivered to end users.
Agari, an early developer and provider of DMARC services, currently processes more than 1.5 billion messages per day using DMARC. Agari CEO and Founder Patrick Peterson says that clear text messaging, which is how the vast majority of email is still transmitted, is "profoundly insecure." However, in the grand scheme of things, it actually poses a much smaller risk than alternative attack methodologies currently in use, such as advanced persistent threats (APT).
End-to-end secured email communication via SSL or TLS, the putative solution to clear-text transmission, is fraught with practical snares. "It takes two to tango," says Peterson, who noted that less than one-tenth of one percent of emails are currently transmitted over secure channels. Peterson says end-to-end is primarily used by governmental agencies and healthcare providers, who are required by law to secure their communications.
Another method for fighting spam/phishing is hardware-based. David Cahill, information security officer at Irish mortgage lender EBS, says his company needed to centrally manage email security for more than 1,100 employees and chose an appliance partly because of the ease of migrating it into the company's existing email infrastructure and also the product's centralized management framework.
Regardless of the technology used to combat spam/phishing, it is still nearly impossible to prevent at least some spam from arriving at the user's in-box. Phishing emails have reached such a degree of sophistication that in some cases they can deliver malware just by being opened, even without the recipient clicking on anything in the contents.
Mistake 3: Failing to consider business critical factors when trusting email to the cloud
Technically, the steps can be straightforward. It only takes moments to redirect MX records. But approached too hastily, the expediency of the cloud may have a downside. There are other important considerations email managers need to take into account before trusting such a vital business function to a third party.
Mistake 4: Not protecting failover servers
Given the seemingly interminable number of steps required to configure and secure a highly-available email server, ongoing maintenance, etc., it is easy to understand why the seldom-used backup server may not command the same attention to detail as the primary email server. However, hackers and spammers also understand this weakness, and may use it to bypass the main email server altogether, carrying out their exploits instead on more easily-compromised backup servers. These 'end-run' attacks may also evade detection if the backup mail servers are not actively monitored.
Note: In what is becoming a more commonplace practice, to reduce the risks of vulnerable backup servers, some email providers do not use "hot secondaries," but instead utilize offline mail servers that can be promoted in the case of failure of the primary. This reduces the attack surface, but requires a rapid response if the main email host goes down.
Mistake 5: Failure to plan for IPv6
Even if your organization doesn't contemplate migrating to IPv6 for web hosting and email, IPv6 migrations are happening everywhere and at some point in the near future your ISP will probably become IPv6 capable. This fact alone means your IPv4-only infrastructure could be found wanting, and may provide spammers and hackers the perfect route to the heart of your email server and beyond.
Original appearance at networkworld.com