While he was on vacation, Anthony De Fezakas received a number of e-mail messages regarding clients being pursued by a law firm and strategies for landing the business — not unusual for a lawyer.
De Fezakas, though, is a lawyer for a rival law firm. His contact information had been mistakenly added to the firm’s e-mail distribution list, and he was receiving a competitor’s sensitive information.
De Fezakas called the firm and alerted them to the error as soon as he recognized it, but the company had already exposed itself to considerable competitive risk. It’s an object lesson in the potential harm of e-mail management errors, and the ease with which they can occur.
De Fezakas, an associate counsel for Miller Thomson LLP in Toronto in the area of intellectual property, has decided neither he nor his clients will be victims of an e-mail fiasco — he’s turned to encryption software from Toronto-based E-Witness Inc.
“Everyone’s so e-mail-happy these days, and it really concerned me when I was getting draft patent applications over the Internet from clients expecting me to reply to them over the Internet,” says De Fezakas.
“This is sensitive client data that you don’t want to end up in the wrong hands, and that could conceivably happen.”
De Fezakas and his firm are piloting E-Witness’s StrongPost secure Web e-mail system, which allows users to send S/MIME-encoded e-mail that can be encrypted and digitally signed. StrongPost, now integrated into Miller Thomson’s existing e-mail system, encrypts both e-mail messages and their attachments.
Ray Wagner, a Nashville, Tenn.-based research director in information security strategies at Gartner Inc., said that with the introduction of regulatory directives in the U.S. and Canada, organizations are being forced to tighten messaging security, but have few options.
“We just don’t have a great way to do it right now, and it seems unlikely that we’re going to have a great way without an international registration system to manage the identities of all people using e-mail, and that’s not likely to be anytime soon,” Wagner says.
Available technologies include browser-based applications such as S/MIME digital certificates, which work fine as long as you have control over all identities, Wagner says.
Wagner notes that it is not always a simple task to “share a secret” or a decryption key with every client. He gives the example of the challenges an insurance company with thousands of customers would face trying to set up and manage individual digital certificates. “This could become difficult and expensive,” he says.
George Johnson started using a different kind of e-mail security product at Murphy Oil as a precautionary measure. The manager of special projects says the Calgary-based oil and gas company recognized that sending e-mail containing confidential field information was risky, so the company selected a product called RightsEnforcer by RightsMarket.
RightsEnforcer allows users to track and control e-mail by setting up rules for how its recipient can handle it. For example, a sender can decide that its recipient can view an e-mail and its attachments, but not print, forward or copy and paste text from it.
“We’re moving documents to an electronic environment that have been traditionally routed on paper, and the safeguards just aren’t there. We’re using this for documents that we don’t feel comfortable having floating around all over the place,” Johnson says.
He says the company chose this type of product because there’s more to e-mail security than just encryption.
Another strategy to secure e-mail messaging is a staging approach. E-mail sent outside of an organization is kept on a Web server. The recipient receives a message to check for e-mail on the server, and the session is secured through Secure Sockets Layer (SSL). SSL, an open standard technology developed by Netscape Communications for electronic commerce, uses public key encryption to prevent electronic eavesdropping on messages and transactions. The message is encoded using a private key; recipients with the appropriate public key can restore the message to an unencoded, readable state.
“Again, it’s an issue of a shared secret with that person” logging onto the Web site, Wagner says.
According to Wagner, the issue of e-mail security is more easily solved within smaller organizations, where the industry is seeing a fair amount of uptake.
Larger organizations are leaning towards controls for the spread of viruses and spam.
“Outbound systems are using e-mail filtering these days, scanning for things like intellectual property leakage, confidential information and things totally separate from secured e-mail,” Wagner says.
“It seemed that e-mail was relatively secure because the technology was obscure, but in a world where anyone can download tools to scan e-mail traffic, it turns out that it’s not as secure as we thought,” Wagner says.
A recent Gartner Research report, “E-mail in 2003: The Risk Level Rises,” predicts that by 2005, the average e-mail message will be “systematically scanned at least twice in its travels.”
According to the report, senders and recipients of e-mail must understand that information in an e-mail is about as private as a business discussion in a restaurant.
“Like the telephone a century ago, e-mail is a new medium for human interaction and conversation that we must learn to manage,” says the report. “The rising risks we see in e-mail do not constitute a new threat, just a new medium for exploitation.
“The biggest difference between e-mail and previous communications media types is that it is being monitored, inspected and recorded. Enterprises can no longer be complacent regarding the management of their e-mail data.”
As new communications media like instant messaging continue to emerge, they will have to be dealt with, too, according to Gartner.