E-Mail Can Jeopardize Company Security


George V. Hulme, Contributor

August 13, 2004


Jolly Technologies, a California software maker, reported earlier this month that an employee at its recently launched research-and-development center in Mumbai, India, stole portions of its source code and proprietary design documents. The insider allegedly used her free Yahoo E-mail account to upload and send the files from the research facility, according to a company statement. Last year, the Office of the Comptroller of the Currency fined two former banking employees of Grand Valley National Bank for violating privacy provisions of the Gramm-Leach-Bliley Act by E-mailing confidential loan files to an unauthorized third party.

E-mail-based virus attacks might threaten business operations, and managing spam can drain productivity, but inappropriate employee use of E-mail can place intellectual property at risk and potentially open businesses to lawsuits.

While a majority of companies provide their personnel with guidelines on the appropriate use of E-mail, few actually monitor the content of E-mail communications. And this poses a security risk.

How big of a risk? The Computer Security Institute/FBI 2003 Computer Crime and Security Survey found that of 488 companies surveyed, 77% suspect a disgruntled employee as the source of a security breach. It also reveals that one in five sites suffered some type of theft of proprietary information. Losses attributed to the theft of intellectual property cost U.S. businesses an estimated $70 million last year.

As more employees and companies are fined or face other penalties for violating regulations such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act, expect to see increased use of enterprise digital-rights-management software and E-mail monitoring. Companies also likely will lock down the capabilities to copy information to recordable DVDs, CDs, and USB storage devices as cases such as Jolly Technologies' surface.

What's the best deterrent against the loss of intellectual property? Share your recommendations with us at the address below.

George V. Hulme
Senior Editor
[email protected]

Message Screening

Is the content of your company's outbound E-mail messages monitored?

Despite the possible threat that E-mail poses to intellectual property, companies generally lack safeguards to ensure against loss. Less than a quarter of the 3,171 U.S. companies in InformationWeek Research's 2004 Global Information Security Survey monitor the content of their companies' outbound E-mail messages. This constitutes a weakness in companies' security practices.

Policy Coverage

Is appropriate use of E-mail and the Web part of your company's security policy?

Although outbound E-mails are generally going unmonitored, this doesn't mean that companies aren't recognizing the potential risk that E-mail poses to company confidentiality. Three-quarters of sites in InformationWeek Research's 2004 Global Information Security Survey cover the appropriate use of E-mail in their security policies. By comparison, only 55% include appropriate use of the Web.

Company Guidelines

Does your company have in place customer data-privacy safeguards that inform employees of privacy and behavior standards?

Security policies aren't the only way companies are ensuring that proprietary information remains safe. The Federal Trade Commission released a survey in September reporting that 27.3 million Americans were victims of identity theft in the last five years--4.6% of the U.S. population. To ensure the protection of customer privacy, three-quarters of sites in InformationWeek Research's security survey say they provide employees with company privacy and behavior standards.

Who's To Blame?

Whom do you suspect as the source of security breaches in the past year?

Disgruntled employees aren't the only threat to business operations. Former employees also pose a threat to computer-based operations. According to our information-security study, companies have had their share of security problems caused by employees. Of 1,115 U.S. sites reporting a security breach in the past year, 30% suspect unauthorized employees as being behind the incident, 17% suspect authorized workers, and 15% former employees.


About the Author(s)

George V. Hulme

Contributor

An award-winning writer and journalist, George Hulme has written about business, technology, and IT security topics for more than 20 years. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com.
