Laying down the law

While organisations would never go out of their way to expose their corporate secrets or leave their network open to viruses, many are doing just that. By failing to put technology in place that proactively manages these threats and by neglecting to establish and share formal IT usage policies with staff, your network - and your information - are more vulnerable that you would expect.

Hacking, phishing and spam methods have become increasingly sophisticated ways of collecting confidential information; of fraudulently obtaining account details or employee information; or simply as a way of spreading computer viruses and causing general business disruption. With the rise of instant messaging and spyware, the potential for system abuse is extending daily.

And it’s not just outside threats that need to be watched. Research by the Radichi Group (2006) has shown that six percent of workers admit e-mailing confidential company information when they shouldn’t. While figures from the American Management Association (AMA) and The ePolicy Institute in 2004 showed that 50% of workplace instant messenger users send or receive risky content including attachments, jokes, gossip, confidential info and porn. In terms of the impact on business productivity and efficiency, analysts Gartner found that non-work related web access activity accounts for 30-40 percent of productivity loss.

While employee behaviour poses a huge risk, there's also the minefield of compliance legislation to contend with. Post-Enron, WorldCom and other corporate accounting scandals, resulting legislation - such as Sarbanes-Oxley, Basel II and the International Accounting Standards - has quickly come into force to prevent organisational corruption and to establish good business practices. This includes making organisations legally liable for inappropriate e-mail content and internet abuse.

While the rules and regulations are firmly in place, compliant behaviour is still lacking from many quarters, with Gartner revealing that some 27 percent of Fortune 500 organisations have been sued due to the contents of an e-mail, and JP Morgan has already been pilloried in 2006 for failing to retrieve e-mail evidence relating to a court case. A separate poll also uncovered that 30 percent of organisations have dismissed staff due to inappropriate internet use. A study released by AMR Research predicts the cost of compliance over the next five years will reach the US$80 billion mark.

With a cocktail of financial losses, threat of prosecution, loss of productivity and intellectual property (including annual reports, financial reporting and product development), and fast-evaporating client and consumer trust, Internet abuse should be appearing on board room agendas without hesitation.

“Regulations, intellectual property protection, and brand preservation are all key issues that are driving organisations to take a closer look at their security policies and procedures,” confirms Ed Macnair, CEO of security software firm Marshal. “Smart financial services organisations are creating comprehensive security plans that give their stakeholders specific guidelines and support tools that vastly improve the protection of information assets and trade secrets. One of the more effective methods for turning employees from your weakest link into a frontline of defence is to apply technology solutions to security and productivity problems that combine and leverage both operational and security benefits.

“Spam is a perfect example,’ Macnair adds. “Many organisations deploy anti-spam solutions at the point where e-mail enters the network gateway. By using anti-spam security tools, an organisation can enhance its protection through effective e-mail filtering, while increasing overall productivity and minimising vulnerability to malicious viruses.”

Marshal Law

Marshal’s content solutions are designed to take a proactive approach to identifying e-mail and web vulnerabilities. The company has been building world class content security solutions for ten years and, as one of the top three vendors, currently protects over 19,000 international enterprises from Internet and email threats.
Marshal has been a trusted partner for organisations in the financial services sector for ten years. Currently, 72% of the world’s largest banks by assets use Marshal’s content security solutions, including four of the five largest commercial banks in the UK. On a European level, more than 60% of the European Fortune top 50 companies are Marshal customers.

Marshal’s solutions allow organisations to access information quickly and safely, providing an extra layer of security by checking the origin and destination of information before it enters or leaves a company network. Moreover, by monitoring e-mails, instant messages, web content and internet sites to protect confidential corporate data, executives can actually improve employee productivity, avoid prosecution and protect their organisation's reputation.

With the tools in place, the role of improving your policies and involving your people should not be overlooked. One critical method for strengthening content security is the Internet Acceptable Use Policy (AUP).

“Many organisations have impotent AUPs – policies that are printed on paper and filed away in a binder that sits on a shelf and never enforced,” Macnair explains.

“Organisations can take a more proactive approach to content security by leveraging anti-spam tools and solutions in order to operationalise their AUPs. By setting the proper requirements, they can use that tool to ensure employees are (1) aware of the policies, (2) educated on their rights with regards to privacy and (3) regularly trained in correct email usage, messaging and handling.”

In addition, organisations can use anti-spam filtering content at the mail gateway to monitor AUP compliance. Because e-mail has become such a popular channel for business communications, message traffic scanning has quickly become recognised as a necessary component of network protection and enforcement of the AUPs. Without it, there is an increased risk of employees accepting a virus, breaking privacy laws or infringing on the customer’s right to privacy.