With e-mail remaining the most pervasive means of communication in the financial services industry, organizations are under increased scrutiny to protect both themselves and their customers from fraudulent and improper behavior.
The e-mail security market will see strong growth through 2010, driven by organizations' ongoing need to secure their networks against an ever-increasing multitude of e-mail threats. According to a recent report released by The Radicati Group, a new class of comprehensive security solutions is emerging to offer increased functionality, such as encryption, archiving, compliance, support for instant messaging and much more. The study also finds that many organizations are layering two, three, and even four or more security solutions for added protection. According to the study, worldwide revenue in the market is expected to grow from nearly US$3.5 billion in 2006 to over US$6 billion in 2010.
In addition, e-mail archiving solutions offer interactive, efficient, cost-effective long-term storage of e-mail. They help organizations manage storage space effectively – in 2006 a typical corporate user is estimated to contribute about 3.8GB of electronic data per year to be stored and managed. Archiving solutions also help supervise the content of messages sent and received by employees, and enable organizations to comply with regulations such as the Sarbanes-Oxley Act. Revenues for e-mail archiving vendors are expected to approach US$796 million in 2006, and grow to almost US$7.8 billion by 2010. The message is clear: managing e-mail security and storage will continue to be a huge focus for financial institutions for the foreseeable future.
The Radicati Group is one of the most successful market research firms in the computer and telecommunications industry today. Started in 1993 with an initial focus on messaging and collaboration, the company has expanded today to cover all aspects of security, e-mail archiving, regulatory compliance, wireless technologies, web services, identity management, instant messaging, unified communications, voice over IP and more. Here, FST speaks to Sara Radicati, founder, President and CEO of the Palo Alto, California-based firm, to get her thoughts on where the message security and archiving industry is headed and what the implications of that are for the financial services industry.
FST. What are the key trends you’re seeing in the e-mail security space right now?
SR. The main trend we’re seeing is organizations are very concerned about e-mail security. They are more concerned than ever about different kinds of security threats. They realize that it’s more than just anti-spam and anti-virus, and that there are a variety of things that they could worry about – including compliance and content security overall, and so on.
FST. Most experts now recommend taking a proactive approach to security, but that doesn’t mean that the ability to react to the changing threat environment is redundant. What types of solutions are available to enable financial institutions to be both proactive and reactive in their approach to security threats?
SR. There is a wide range of products available, and over the past couple of years we’ve seen more products begin to bundle a broader set of functionality that encompasses anti-virus, anti-spam, archiving, compliance and a variety of other things, so certainly we’re seeing organizations pay more attention to these types of broader products and solutions. In general, it’s also important for organizations to provide a great deal of user education, because we find through our studies that a lot of users are still behaving inappropriately on the Internet and leaving their e-mail addresses where they shouldn’t be and basically not paying attention to good, proper Internet behavior.
FST. Do you think a lot of companies right now are embracing user education or do you think that it still needs greater attention?
SR. Well, no, we think from what we see in our research that companies tend to forget user education completely. They sort of assume that users know things and very often they don’t. Also, the malicious people out there that are trying to capture user addresses and so on are getting smarter about finding ways to lure unsuspecting users into leaving their e-mail addresses behind and so on in ways that can be utilized.
FST. With regulatory pressures increasing all the time, the security and availability of electronic messages has never been more important. What role does e-mail security play in a financial institution’s broader compliance and risk management strategies?
SR. Basically there’s no financial institution out there that can afford to be without some form of compliance and policy management solution. It’s very important especially for financial institutions to protect all of the information of their customers and to ensure that the communications that take place between their employees and the outside world are secure and well-protected, so it’s very important in particular for financial institutions to have products and solutions in place that assist with monitoring the information that’s being exchanged both inside and outside the organization as well as sometimes just within the organization.
FST. Can you talk about some of the examples of how compliance violations happen within the organization or how sometimes users commit those infractions unknowingly?
SR. I think users within the organization tend to get a little more relaxed sometimes and maybe they will inadvertently pass customer confidential information around in e-mails and so on and basically that needs to be caught early or stopped or protected somehow.
FST. When evaluating an e-mail security solution, what criteria should financial institutions consider?
SR. I think the main criterion is they need to look at the level of experience of the vendor and basically how long they’ve been around, how well they cover the market, because essentially we’re dealing with a set of security threats that continue to evolve and change in nature, and so you really want to get into a partnership with a vendor that has the technology capability to evolve with the threats and with the market needs, so that’s probably the main criterion. Other criteria are probably finding a vendor that understands different types of security threats and basically has a strong, broad solution that can address multiple threats in a cohesive manner. And then looking at the whole management and administration of the product, basically it’s very important to find products that are easily managed at a fairly low cost in terms of day-to-day operational management of the product.
FST. Do you have any implementation tips not related specifically to the solution you’re adopting but more towards organizational behavior when adopting an e-mail security solution?
SR. Yeah, I think I would go back to user education is very important and I think user education has to be an ongoing process with a refresh every three or four months because threats evolve that quickly. Also, it’s important for the IT staff to be well-educated; it’s important again because the threats do change so quickly and there’s so much overlap between the technologies that may be getting deployed, it becomes important for the IT administrators to have the time to come up to speed on all the latest technologies and trends and approaches.
FST. What responsibility does the financial institution have to its customers in terms of ensuring the security of their e-mail communications? What are the consequences of not addressing this responsibility through the implementation of an effective e-mail security and archiving program?
SR. From a legal standpoint, financial organizations have a huge responsibility because they’re really being held accountable for all of the private confidential customer information that they’re given, so it’s very important that financial institutions protect that information. Basically there are all kinds of legislation today that impose penalties of various kinds if that level of trust is broken somehow. In terms of the consequences, we’re talking about lawsuits that may involve financial damage as well as potential jail terms for executives in financial institutions that weren’t properly guarding customer information.
FST. On the note of archiving, why is it particularly important for a financial institution to have a comprehensive e-mail archiving program in place?
SR. Because basically more than other types of organizations, financial institutions have to be able to go back and prove or disprove various transactions that took place and also it’s very important for them as a way to defend themselves against possibly frivolous lawsuits and so on at various points. So it’s very important for financial institutions to obtain a full snapshot of past activity for as long as possible as a way of protecting against potential lawsuits.
FST. Beyond the simple storage and record-keeping aspects, what are some of the wider business benefits of implementing an e-mail archiving solution?
SR. It becomes very useful for organizations to look back and analyze the trends of what types of transactions took place, how those transactions were handled and so on because it does give them a good sense of their business and basically what the orientation of their business is and how well customer inquiries are being handled for instance and what types of customer inquiries are coming in and alternative things like that. It can become an exceptionally useful tool in understanding how their business is going and how it’s evolving.
FST. Over the last 18 months, instant messaging has emerged as an increasingly popular form of business communication. What security and/or compliance issues does IM present to financial institutions?
SR. IM has become increasingly popular with financial institutions because of its real-time nature, but at the same time the major risk that IM presents is because of its casual nature; it gives people the false impression that they can say anything, and we’ve noted very often that there’s a tendency to say or communicate things via IM that they wouldn’t typically put in an e-mail or put in a written formal letter. So it comes back to education and monitoring of IM communications to ensure that employees don’t inadvertently get so casual in their use of IM that they start leaking confidential information or making statements that are inappropriate, and so on.
FST. What can financial institutions do to address this risk?
SR. Again it comes down to user education and it will take some time – probably another couple of years – before users begin to understand that IM is just like any other form of e-mail or other form of written communication. So there’s an education piece, but then there are also a number of excellent products out there that do monitoring of IM communications and that enable organizations to more clearly understand whether their employees are making mistakes in their IM communications or communicating things that they shouldn’t.
FST. Are there any particular best practices that should be employed to help the IT department meet the growing challenges presented by message archiving, search and retrieval?
SR. No, I think that’s very specific to each particular organization and usually what particular vertical industry they’re in. It comes down to organizations doing a careful analysis of their needs and the trends of the types of information that they’ll be archiving so that they’ll design the most efficient policies for managing their archival information.
FST. Finally, how do you see the sector developing over the next 18 months?
SR. Well, we see a lot of new products coming into this market and probably a lot more of what we would call ‘full suite’ solutions that encompass a very broad range of functionality from security to archiving to compliance to content management security and so on. Basically, we expect to see a much broader set of products and we also expect to see more legislation that will clarify various aspects of what needs to be protected and how.