GonzoBanker Blog

Email: Trick or Treat? - Gonzobanker

Written by Gonzo Guest Writer | Oct 28, 2005 7:51:49 PM


by Tripp Johnson


It’s that time of year, GonzoGoblins, when we carve the pumpkins, make sure our dental plan is current, don our favorite guise and embark into the night yelling those favorite words – Trick or Treat!  Ah yes, Halloween, the night when the gremlins surface and, if you are a parent, you spend most of the evening examining your children’s “loot” for anything suspicious.  I am always reminded of the urban legends about razor blades or needles being pushed into fruit or some ’60s throwbacks dipping their goodies into a vat of LSD.  Still, nowadays you can’t be too careful. You never really know what is inside that pretty wrapper until you open it up and take that first bite.  Yes, it is a conundrum, but no child should be denied the opportunity to enjoy a festive night of trick or treating.

Email has become, at least in my warped mind, a parallel to trick or treating.  The email box has become the “loot” bag, and all day long “tricks or treats” are being dropped into it.  Just as no parent should deny his or her child the opportunity to trick or treat, no organization today would consider switching off its email or Internet access. 

According to The Radicati Group there are about 686 million email users worldwide, with over 1.2 billion active email accounts.  Worldwide email traffic per day totals about 141 billion messages, and 64 percent of the messages are tricks, not treats.  The average end-user generates and receives about 84 emails per day, which require about 10 megabytes of storage daily.  Radicati forecasts that by 2008, emails will require around 15.8 MB of space daily.  Another research group, IDC, claims that in the United States alone, 35 billion email messages are generated every business day.

Okay, so we all like to send and receive emails.  I will be the first to admit that I would get worried if I didn’t meet my quota of 84 emails a day. However, the proliferation of email usage brings with it the inevitable increase in risks. 

The Dark Side of Email
And if the dam breaks open many years too soon
And if there is no room upon the hill
And if your head explodes with dark forebodings too
I’ll see you on the dark side of the moon. 
–Roger Waters, “Brain Damage”

According to Clearswift, there are four primary threats email can bring to an organization:

  1. Corporate threats – these relate primarily to the loss of intellectual property and confidential information.
  2. Social threats – any email activity that, while not necessarily illegal, is damaging to the company.
  3. Digital threats – we have been hearing about these for a while and every organization’s infrastructure faces this danger.  To jog your memory, the major threats are:
    a. Spam – that unsolicited information about Viagra that you swear you didn’t request
    b. Worms – not the kind you fish with
    c. Trojans – nope, not the latex kind or the device used in Troy
    d. Spyware – only good if your business card reads 007
    e. Phishing – no images of Andy Griffith and Opie here
    f. Denial-of-Service – okay, this might be a new one for some, so let me briefly explain.  DoS attacks are where the corporate email server and/or Web site are overwhelmed by email volumes, forcing them to be shut down.  (We seem to get that a lot here at Gonzo HQ. I wonder why.)
  4. Legal threats – this is where the rubber meets the road, GonzoBankers.  This threat has two very broad categories:
    a. Offensive content – recently several high-profile executives have been taking early retirement following the exposure of inappropriate emails sent to subordinates.
    b. Compliance – this pertains to how companies are now more accountable for how information is stored, used, and distributed.  Yep, this includes emails – all 141 billion sent every day.

Friends, I don’t think I need to remind anyone of the hell we are going through complying with Sarbanes-Oxley, the Gramm-Leach-Bliley Act (GLBA), NYSE Regulations, SEC and NASD Rules and Regulations, and the numerous other government regulations that have been thrust our way the past few years. Yet how many of us have looked closely at how some of the aforementioned affect our daily email communication?

Sarbanes-Oxley’s Impact on Email Security
The Sarbanes-Oxley Act of 2002, affectionately known as SOX, took effect in June 2004 and requires CEOs, CFOs, independent auditors and audit committees to certify the accuracy, confidentiality, privacy and integrity of financial statements – not to mention the internal controls and procedures for financial reporting.  The two sections most relevant to email security are these:

  • Section 404 deals with internal controls, and requires organizations to implement controls over the release of information to individuals or organizations outside the company’s network.
  • Section 802 addresses records management, and how long and in what manner documents (yes, emails are considered documents) should be retained.

What this means is that we are required to ensure that sensitive information remains secure.  The easy answer would be end-user encryption; however, as with all government regulations, there is a catch.  Encryption is usually implemented by installing an application on the end-user’s desktop that automatically encrypts and decrypts all incoming and outgoing messages.  Okay, so let’s just buy some software, slap it on every desktop in the bank, and problem solved.  Not so fast.  Here is the catch:

SOX prevents organizations from installing end-user encryption techniques because if end-users encrypt their emails, the contents of the emails cannot be filtered for inappropriate information or trade secrets as they move through the email servers.  Therefore, emails should be sent to the server as clear-text (i.e. not encrypted).  Only when the content has been cleared for release by the organization’s governance policies, which are installed on a centralized server, should the message be encrypted.

Gramm-Leach-Bliley Act’s Impact on Email Security
The GLBA was signed by Bubba Clinton in 1999 and made fully effective on July 1, 2001.  The core regulatory requirement of the GLBA is to ensure the security, integrity and confidentiality of customer Nonpublic Personal Financial Information (NPI).  More specifically, institutions must:

  • Protect against any anticipated threats or hazards to the security or integrity of NPI
  • Protect against unauthorized access to or use of NPI that could result in substantial harm or inconvenience

There are two fundamental requirements that must be complied with in the transfer of NPI. In other words, organizations that email customers or third parties must do the following:

  • Ensure the receiver of NPI is contractually obligated to protect the information to the same standards as required by the sender.  An organization that sends NPI to another bank or third party vendor must make sure the other party’s standards match the organization’s standards.
  • Ensure the appropriate technical and procedural measures are taken to make certain that NPI is disclosed only to an Authorized Receiver, using an authenticated and encrypted method during transmission.

Are they serious?
Let me break it down this way. Financial institutions are faced with the need to protect confidential data; comply with numerous government regulations; keep the network up, running, and secure; and, by the way, operate on a budget.

Is it just me or has our government ingested too much candy dipped in LSD?  Come on, who is going to pay for all of this compliance?  Sadly, we already know the answer, and every day the pain grows. 

Say we don’t comply. What is the worst that could happen?

Let’s see – in 2004, a federal court sanctioned Philip Morris $2.75 million for deleting senior executives’ emails.  In 2005, UBS Warburg was fined $29.3 million for its failure to preserve email evidence.  JPMorgan reached a $2.1 million settlement with the SEC in February of this year for its failure to retain company email.  GonzoBankers, I think the message is clear – crystal clear.

Email Best Practices
Banks that are committed to complying with government regulations (which I know includes everyone reading this), preventing accidental and/or intentional email abuse, and reducing the risk of litigation and all the other potential email disasters are encouraged to adopt some internal best practices. The ePolicy Institute recommends that the following best practices be applied to email risk management:

  1. Establish comprehensive, clearly written email rules, policies, and procedures for email usage, content, and retention.  When developing written email policies, keep in mind regulatory compliance, litigation concerns, security challenges, productivity issues, and business needs.
  2. Email policies should be clearly written and easy for employees to access, understand, and adhere to. 
  3. Update written email policies annually to ensure compliance with any new regulations.
  4. Distribute a hard copy of the written email policy to all employees.  Mandate that each employee sign and date a copy.
  5. Educate employees by supporting written email rules and policies with company-wide training.  Make sure employees comprehend that email policy compliance is mandatory, not optional.
  6. Enforce your company’s written email rules and policies with a combination of disciplinary action and content security software. By installing policy-based content security software that works in conjunction with the email policy, management can block banned or inappropriate content from ever leaving or entering the email system, at the same time monitoring employees’ overall online activity.
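The SOX passage above (inspect mail in clear text at a central server, encrypt only after policy clears it for release) and best practice 6 (policy-based content security software that blocks banned content before it leaves the system) describe the same gateway pipeline. The following is an added illustration written for this page, not code from GonzoBanker, the ePolicy Institute, or any vendor product. It assumes a hypothetical outbound gateway function `inspect()` that sees each message in the clear, applies constructed detection patterns (an SSN shape, an account-number phrase, a couple of banned phrases), decides between RELEASE, ENCRYPT_AND_RELEASE and QUARANTINE, and writes a retention record for every message regardless of the decision. The domain `example-bank.test`, the sample messages and the patterns are all constructed for the example; a real deployment would use a vendor ruleset and hand ENCRYPT_AND_RELEASE messages to the gateway’s encryption stage.

```python
"""Toy outbound-mail policy gateway: inspect in the clear, then decide.

Added example for illustration only; patterns, domain and sample messages
are constructed, not taken from any real bank or product.
"""
import hashlib
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "example-bank.test"  # constructed domain for the bank itself

# Constructed detection patterns; a real gateway would use a maintained ruleset.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ACCOUNT_RE = re.compile(
    r"\baccount\s*(?:#|number|no\.?)?\s*:?\s*\d{10,16}\b", re.IGNORECASE
)
BANNED_PHRASES = ("insider tip", "shred this")


def external_recipients(msg):
    """Return recipient addresses (To/Cc) that lie outside INTERNAL_DOMAIN."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    suffix = "@" + INTERNAL_DOMAIN
    return [addr for _, addr in pairs if addr and not addr.lower().endswith(suffix)]


def inspect(raw_message):
    """Classify one clear-text outbound message before any encryption happens.

    Returns the gateway action, the policy reasons, whether the message leaves
    the network, and a retention record kept no matter which action is taken.
    Single-part text messages only; MIME walking is out of scope for this toy.
    """
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    lowered = (msg.get("Subject", "") + "\n" + body).lower()

    reasons = []
    if any(phrase in lowered for phrase in BANNED_PHRASES):
        reasons.append("banned phrase")
    if SSN_RE.search(body):
        reasons.append("SSN pattern")
    if ACCOUNT_RE.search(body):
        reasons.append("account number pattern")

    npi_found = any(r.endswith("pattern") for r in reasons)
    leaves_network = bool(external_recipients(msg))

    if "banned phrase" in reasons:
        action = "QUARANTINE"           # hold for compliance review, do not send
    elif npi_found and leaves_network:
        action = "ENCRYPT_AND_RELEASE"  # cleared by policy; encrypt at the gateway
    else:
        action = "RELEASE"              # internal traffic or no sensitive content

    # Retention record (Section 802 flavour): every message is archived,
    # including the ones the gateway refuses to send.
    record = {
        "message_id": msg.get("Message-ID"),
        "date": msg.get("Date"),
        "sha256": hashlib.sha256(raw_message.encode("utf-8")).hexdigest(),
        "action": action,
    }
    return {"action": action, "reasons": reasons,
            "external": leaves_network, "retention": record}


# Constructed sample messages (not real customer data).
SAMPLE_NPI_EXTERNAL = """\
From: teller@example-bank.test
To: Ops Desk <ops@vendor.test>
Subject: Wire confirmation
Message-ID: <1@example-bank.test>
Date: Fri, 28 Oct 2005 19:51:49 -0500

Customer account number 1234567890 verified, SSN 123-45-6789 on file.
"""

SAMPLE_NPI_INTERNAL = """\
From: teller@example-bank.test
To: branch-manager@example-bank.test
Subject: Same customer, internal note
Message-ID: <2@example-bank.test>
Date: Fri, 28 Oct 2005 19:52:10 -0500

SSN 123-45-6789 matches the signature card.
"""

SAMPLE_BANNED = """\
From: analyst@example-bank.test
To: friend@webmail.test
Subject: heads up
Message-ID: <3@example-bank.test>
Date: Fri, 28 Oct 2005 19:53:00 -0500

Got an insider tip on the merger, shred this after reading.
"""

SAMPLE_CLEAN = """\
From: marketing@example-bank.test
To: customer@home.test
Subject: Branch hours this Halloween
Message-ID: <4@example-bank.test>
Date: Fri, 28 Oct 2005 19:54:00 -0500

We close at 5 pm on Monday. Bring the kids by for candy.
"""


def run_samples():
    """Map each sample to the action the gateway would take."""
    return {name: inspect(raw)["action"] for name, raw in (
        ("npi_external", SAMPLE_NPI_EXTERNAL),
        ("npi_internal", SAMPLE_NPI_INTERNAL),
        ("banned", SAMPLE_BANNED),
        ("clean", SAMPLE_CLEAN),
    )}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name:13s} -> {action}")
```

The point of the ordering is the one the SOX section makes: the policy decision can only be taken while the gateway can still read the message, so encryption is the last step and is applied only to mail that has already been cleared. The retention record is written for quarantined mail too, since a message the gateway refused to send is still a business record.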

I realize these may sound too simple, but aren’t best practices usually that way – the basics?

Gonzos, we must begin treating email as a business record.  For financial institutions the failure to retain email according to regulatory guidelines can – and frequently does – lead to multi-million dollar fines, criminal charges, civil lawsuits, and, last but not least, damaging publicity.  Organizations that treat email lightly should stop.  This is not an IT-only problem, friends. Ultimately it comes down to process, procedures, and their enforcement.

A word of caution to IT shops that have locked down their email systems so tightly end-users refuse to use the bank-wide standard email application. If those same end-users have Internet access, I will bet you my Halloween candy they are using their personal Yahoo or Google email accounts to send and receive information via their browsers. Guess what? Your security just became its own worst nightmare.

Gonzo ghouls and goblins, the intent here is not to get you to turn off your email.  After all, what type of parent prevents their child from experiencing Halloween?  Everyone deserves to go trick or treating.  The key is being prepared for the unforeseen gremlins that truly go bump in the night.

See you Monday night, and you better have some good candy.
-tj