
Email is absolutely vital to the way that most modern employees work. Consider the following from recent Osterman Research surveys of corporate email users:
However, threats directed against messaging users are becoming more sophisticated and more severe. For example, spam today represents between 81 percent and 90 percent of the 130 billion emails sent across the Internet each day. Zombies send more than 80 percent of spam and phishing messages and more than 350,000 zombies are activated every 24 hours. Malicious code attacks directed against instant messaging systems – used heavily in the financial services industry – are increasing rapidly.
The bottom line is that users in the financial services industry have an absolutely critical set of communication and information tools upon which they depend heavily, but these capabilities are being hit by a flood of increasingly sophisticated and malicious attacks. This results in the need for greater efforts directed at threat remediation by anyone who uses email, instant messaging or other communication or collaboration technologies.
Key trends
There are several key trends that organizations in the financial services industry need to address over the next 12 to 18 months:
Data loss prevention
Data loss prevention (DLP) systems will be a growing market in 2008 and 2009 as most organizations will actively seek to prevent the loss of sensitive information through inadvertent or malicious behavior on the part of their users. Because financial institutions transmit and store a great deal of sensitive information, including account numbers, records of financial transactions and the like, DLP will be a critical technology for deployment over the next 12 to 18 months.
Phishing is becoming more of a problem
Phishing can cause enormous problems for businesses in all industries, but perhaps nowhere more so than in the financial services industry. Phishers have targeted financial services firms, in particular, seeking access to customer accounts, leaving email as a much less effective tool for legitimate communication by these organizations.
Phishing is becoming more targeted, spoofing businesses that have smaller customer bases (e.g., local banks) to increase the effectiveness of the social engineering tricks used. Phishing will also continue to expand beyond online banks to include more retailers, online gaming and other online sources that process confidential account information.
Email storage is a continuing issue
Email storage growth continues to confound messaging architects. Over the past two-plus years, Osterman Research surveys of IT decision makers have consistently found that email storage growth is the leading problem, cited by three out of five decision makers as a serious or very serious problem.
Techniques to remediate the problems include the use of archiving that will automatically offload content from users’ mailboxes into less expensive archival storage, and attachment management systems that move attachments to dedicated transmission and storage facilities. Both techniques can reduce the amount of storage on ‘live’ servers by 80 percent or more while leaving this information readily accessible to end-users.
Reputation analysis will be critical
Traditional content filtering will not be enough to keep up with spam growth. Spammers are using image-based spam, PDF spam, calendar spam, spam in Microsoft Excel files and other techniques to avoid content filters. Blocking these messages by leveraging conventional content-filtering technologies takes an enormous toll on anti-spam server or appliance CPU cycles.
At the same time, content-filtering systems need to be smarter in what they block. Since last year, false positives have increased significantly. Organizations are looking at a number of defensive technologies, such as reputation-based systems, to compete with spammers’ increasing sophistication. Few companies expect to purchase a reputation service outright. Instead, most expect the technology to be integrated with some other device, such as a messaging security appliance, standard perimeter mail server software, or a hosted/managed offering.
Hybrid solutions will become more important
Hybrid solutions, in which on-premise security solutions are supplemented with an “in-the-cloud” solution as a sort of pre-filter, will become much more popular. This will be due, in large part, to the fact that sudden spikes in spam volumes can overwhelm on-premise capabilities, resulting in message delivery problems or system crashes, more IT time required to address these problems, and additions to the on-premise infrastructure of appliances or servers.
Integrated management will become increasingly important
There is a strong interest in a capability that pulls together all security functions, although there is some disagreement over whether this should be performed by a single appliance or different vendors’ solutions integrated through a common console. Whatever the approach, this uber security device should include reputation and encryption services. Nearly one-half of respondents in a recent Osterman Research survey would prefer to have all email security capabilities integrated into a common platform.
What should you allow to be used in your organization?
Organizations have some reasonably strong thoughts about legitimate and illegitimate applications. Most organizations give the thumbs up to Web conferencing, chat tools, consumer-grade Webmail and even consumer-grade instant messaging clients as legitimate applications for use in the enterprise. However, decision makers are more negative on peer-to-peer file sharing (nearly three-quarters consider this to be illegitimate in a workplace context) and Skype (mentioned by three out of five decision makers as an illegitimate application).
Risks posed by instant messaging
Instant messaging is widely used in the financial services industry because of its ubiquity, the real-time nature of communications and its low cost. However, many organizations continue to downplay instant messaging’s security risks, with respondents ranking spam over instant messaging (SpIM) as the least of the 44 threats about which we inquired in a recent survey. Nevertheless, Osterman Research has found that 90 percent of organizations have consumer-grade instant messaging somewhere on their premises. What’s more, SpIM threats continue to grow: Akonix, for example, noted that in April 2008 there was a 162 percent increase in SpIM compared to the month before. According to our research, the use of instant messaging security is expected to grow by 15 percent next year.
Instant messaging exploits, which often are blended threats, take the form of either “social engineering” techniques that direct victims to an infected Web site, or viruses, spyware or other malicious content delivered directly to the instant messaging client via a downloaded file. Instant messaging threats are particularly insidious, since the opt-in nature of instant messaging contact lists motivates recipients to trust that messages they receive are from valid senders whom they have previously authorized to send them content.
SaaS and hosted services
SaaS and hosted services are increasing in popularity and offer another option for organizations to implement a variety of threat-protection capabilities. The primary advantages of this model are that no investments in infrastructure are required, up-front costs are minimal, ongoing costs are predictable, and all management and upgrades of the system are provided by the SaaS or hosted service.
Archiving is critical
While not a messaging security issue per se, the North American market for messaging archiving technologies has traditionally been focused heavily on the financial services industry, most notably among broker-dealers, but more recently among hedge fund managers, investment advisors and the like. Because communications with customers – whether by email or instant messaging – must be preserved according to SEC, FINRA and NYSE requirements, archiving will continue to be a critical consideration in the planning for messaging system managers in the financial services space.
Summary
Messaging security is difficult to manage because of the growing number and sophistication of threats and attacks directed against users of email, instant messaging and other electronic communication tools. However, because of the importance of these tools to financial services institutions of all types, security must be the most important priority for these organizations as they seek to protect the integrity of their communications with customers, business partners and others.
Michael Osterman is President of Osterman Research.