Should you, as an individual, have a policy around email security? What is email security anyway?
In this interview with Paul Herbka from South Seas Corporation (policy and email security solutions review company based out of Colorado), we go in depth in a discussion of email security, and why it’s important for any individual or business to seriously consider what their policy is for email security.
He also goes into a review of email security products and services.
You can listen to the interview, and/or read the transcript below, for free. (Paul even offers you a discount if you mention this interview when you call him.)
Download the interview about what Email Security is in MP3 Format
The following is a presentation of IdentityTheftSecrets.com.
Identity Theft Secrets: This is Jonathan Kraft and welcome back to Identity Theft Secrets. I’m here again today with Paul Herbka who does a whole bunch of things in the security protection industry. He works with a company, out of Colorado, called South Seas Corporation that does a bunch of different compliance issues and helps companies with their security issues. He’s also the President of the Information Systems Security Association, the Denver chapter; Vice President of South Seas Corporation; a Certified Identity Theft Risk Management Specialist (CITRMS); and he has a whole other bunch of things that he’s done in this arena. He’s spoken at a few different conferences. Paul, how are you doing today?
Paul (email security expert): I’m doing well thanks. How are you today?
Identity Theft Secrets: I’m doing awesome! Thank you for taking a few more minutes with us today to talk about email security. I think what’s interesting — people have heard a lot about worms and viruses and trojans and malware and all this stuff and most people don’t even know what it is that is coming at their computer through their email. But most people now today also have installed some sort of protection, or they think they’ve installed some sort of protection, on their computer. Why should people still be concerned about email security?
Paul (email security expert): Well, there are really lots of reasons but probably the top two reasons would be: because on the inbound traffic, you can get all those bad viruses from the trojans and other things that then let people “own” your machine and then get your information out of it. The second reason would be because people can accidentally send stuff out not knowing it’s confidential or that it’s proprietary information or maybe they think it’s ok with who they’re sending it to and don’t realize that other people can find that information out on email, that it’s not secure, depending on how you have your email set up. So probably those would be the two biggest reasons – you can boil it down to: you can lose information whether it’s on the inbound, people getting access or control. Or on the outbound, people getting information because it’s being sent, whether it’s accidentally or on purpose, or just they didn’t realize that email wasn’t secure.
I know I’ve had conversations with people and they say, “well, I sent that to my friends over email – but no one can see that right?” (Laughs) For you and I, people that are in the world of security — we laugh. But of course, that’s open to the world! Anyone can see it, anywhere in the world — it’s on the worldwide web. That’s the stream that it follows! So, depending on how they have their email set up; if people are using Yahoo or Hotmail or whatever. So then that’s an interesting question; but yes, the biggest reason is because you’re responsible for your people’s information, whether it’s your customers or your employees, or both. And that’s an easy way, a door that just opens and swings all day long, so it’s an easy way to lose information.
Identity Theft Secrets: Sure, that definitely makes sense. Well and you’re talking about from a company perspective, like if you have employees or something, and they’re sending out your customer information or your employee information, that could be a pretty serious security threat to your company on an ongoing basis, right?
Paul (email security expert): Absolutely and in fact there are a ton of compliance laws that now make it more than just a security issue and make it more of a business issue – a business risk; because there are now fines and notification laws and other actions and responsibilities that you have to do if that information gets out. So say for example, if someone emails a spreadsheet — they were supposed to send some information on a customer to someone and they just send the whole spreadsheet. Well now, that information can be out there and even if that other person on the other end didn’t get it, someone may have caught it in the interim and it can be a problem.
The other thing is that the FBI has done a lot of studies and they find that over 70% of breaches are actually internal jobs. And they split it out into different percentages; some of them are malicious, some are just people who didn’t realize what they were sending and other times people just didn’t realize they were sending this stuff to someone who didn’t have an official obligation or an official capacity to have that information and they just sent it, not knowing — just thinking they were being a good citizen or doing their job as a corporate employee. So you see a lot of that and really email seems to be one of the easiest ways – and again it happens both on the inbound and outbound but it’s different.
So I thought I’d take just a minute and talk about some of the inbound issues versus the outbound and then go from there. Is that ok?
Identity Theft Secrets: Sure! What are the top issues that people in this arena are facing? If I own the company, or even if I’m just at my home computer, what are the top issues that I should be aware of?
Paul (email security expert): Sure! So the first one is – everybody is deciding if they want to go green and they want to spend less on gas and so what they’re doing is they are saying, “hey, let’s do webinars and let’s do this free web conferencing and web access and a whole bunch of different company products where they’re doing webinars or web information,” and that’s great! And you say, well, what does that have to do with email? Well, when you set those up, most of those say “open up ActiveX, install ActiveX” and you do that. Also for emails, a lot of people like the color and interactive emails that are more flashy and more fun to read and cooler to print out, less DOS-looking, so they want the XML, HTML etc. Well, by adding all those things to the computer, now when I read email, I can open up an attachment and it may just be a simple picture but there may be some malware attached to that picture, whether it’s a virus or a trojan or something that’s going to be used to either do a rootkit or take over that computer, make it part of a botnet. So there’s a lot more things that it can do and now, because of the cool abilities within ActiveX and Java and all these other new technologies – now you don’t even need as much work being done from the end-user – they don’t have to open something and run an application – they just have to open the email and look at the picture. In some cases, they just have to open the email and then it runs it for them. In other cases, depending on what ActiveX or whatnot you have in place, you just need to get the email and then depending on how you’re doing your email reading, it could actually activate some of those ActiveX or different controls and run malware as well. So it’s become a world where everything is more powerful and does things behind the scenes — which is great — until you put it in the wrong hands and now it becomes an easier tool to hack into your company. So that’s on the inbound side.
On the outbound side, it’s really a lot of people not realizing, “oops, this is confidential information,” because they deal with it all day long. So people become desensitized to “This is Confidential” or “This is Proprietary Information,” etc., and as much as you tell them about it and talk about it and put it on there, if you put it on all your documents, eventually they say, “oh that’s on everything, I’m just going to send it anyway.” They’re just trying to help speed up the process and make more business and make things happen quicker. So they think they’re doing something good, but they’re actually giving away something that they shouldn’t.
Identity Theft Secrets: Right – so how do you fix that?
Paul (email security expert): Well, one of the easiest fixes, which is unpopular with the end-users, but popular in the tech field, is just to turn off all those cool applications and applets and things, such as ActiveX and Java and HTML email and things like that. Unfortunately, many times the owners of the company are the end-user that likes the “pretty,” that likes the other stuff and says, “no, we’re going to enable that because I like getting my emails with all the pretty pictures and who it’s from and the logos and all that. I don’t want to just look at boring black and white.” So that’s one challenge to that solution.
So some other solutions that are out there are solutions that will actually filter email and filter out attachments, filter out web content that they’re looking at and really help with that. The other option is to get some kind of a solution that actually does encryption so that as you’re doing things, it’s encrypted and you’re only working with secure people. Now the challenges: that’s only if you’re in a world where you’re not getting emails from a lot of unknown people, that you have known people that you’re going to work with and you can kind of set up that encryption. Or number two, it’s really good for outbound stuff but it’s very hard for the inbound stuff. So typically what we find is that you need to find something that does filtering on the inbound stuff — that looks at the email and will cut up/strip off all the negative applications and there are some that actually bring them in and run them in a virtual world – like a little VPN environment and see if it has that code in it and if it does, it doesn’t allow it in and if it doesn’t, then they allow it through.
So those are the types of solutions that I think people are going to start moving to because they allow the end-user to have the pretty, cool-looking applications that are self-automated while still getting the security for the corporation. So that’s the trend I see happening really in the inbound email protection or email scanning. And most of the top competitors are adding those things, they’ve got the anti-virus, anti-spyware, anti-spamware, you name it and anti-this, that and the other thing and they’re adding the suites, but they keep finding that their solution still isn’t complete enough because the bad guys find one other way to attach it or sneak it in or hide it under the radar. So I think we’ll continue to see those being developed.
On the outbound, there are several things you can do and the number of products is probably smaller as far as what can fix things on the outbound and what can really scan for that. In particular, there’s a product out there called Vontu DLP8 and what it does, Vontu was actually bought a little while ago by Symantec, so most people have heard of Symantec, and what it does is it actually does scanning and it’s pretty cool because it will do, really it works with data at rest, it works with endpoint protection, it works with network data and it actually does a full enforcement so that it will actually look at things going out anywhere from email, instant messaging, web traffic, secure web traffic, HTTPS, etc., and it will actually look for that and stop things. One of the neat things that it does – especially in today’s world of compliance, is that it will look specifically for things such as social security numbers or credit card numbers or whatever specific things that you put together. It actually does something called a “fingerprint” of that information. So let’s say that you have internal documents that are Confidential or Proprietary Information, it will say, “hey, anytime this document is trying to be sent out, don’t let it.” And the cool thing is you can actually set it for your own policies, so you can say, “hey, let it, but make the end-user pick, here’s why I can let it out, here’s the justification, I’m sending it to a business partner under an NDA or I’m sending it to a customer and it’s their own information or I’m sending it to an approved partner or whatever.” That’s one option.
Identity Theft Secrets: Can I ask you a quick question about that?
Paul (email security expert): Oh absolutely!
Identity Theft Secrets: How much time do you figure that adds in for the end-user, I mean for the company? Because obviously, if every email you’re sending or every third email you’re sending has a little box that pops up and says, “this is potentially a harmful email to send, why can you send this?” And obviously they check that box – it’s fine, it’s good. But, that adds in time into the workday which ends up costing an employer more. How much time do you figure that adds in and how do you factor in that added cost factor?
Paul (email security expert): That’s a great question, great question! So, first and foremost, it only does that, it only has that pop-up for things that contain the credit cards or social security numbers, etc. So, hopefully, the number of emails that have that stuff in it are few and far between. Unless you’re with a credit processing company and then you may say, “I’m going to turn that rule off and I’m just going to log everything. So I won’t ask, I’ll just notify and log or I’ll just log it, but I’ll go ahead and send it anyway.” Or, depending if that’s not the type of information that normally should be going out, maybe you just have them block it no matter what and when the pop-up comes and says, “hey, you’re trying to send out information you shouldn’t be” and that works.
So yes, that’s a great question – you really need to justify, do I have that on for everyone or do I not have it on? So it depends upon how much of that type of information you’re sending out. Now if you’re the approver for home loans and you’re always sending that information out, then clearly you’re not going to want to pick the option where they have to justify live unless you need that for auditing and logging and then you may want it because it makes them more aware – they’ve got to say exactly why they’re sending it and think about, is this only for the customer that I’m sending it to or is this a partner that is truly under an NDA. So while I say it could add to the cost, the other calculation you need to see is how many millions of dollars are we going to lose in business in customer name, or name recognition or brand quality and/or in fines and notification fees if we do have a breach. So there are always two sides to the coin; one is what is it going to cost us proactively and then what is it going to cost us reactively? And the proactive costs are always less expensive than the reactive costs.
Identity Theft Secrets: Sure, that makes sense.
Paul (email security expert): So that would be how I look at that and justify that and figure out which solution works there. It’s funny because you’re seeing now, at least I’m seeing the trend of many DLP products, whether it’s data leakage prevention, or data loss prevention products out there and they all do different levels of things. And really I think the best one that I’ve seen is Vontu, it’s the most complete, it’s the most granular and yet it’s very flexible in that you can set it to be granular or not based on your needs for those departments or those people.
Identity Theft Secrets: When you say “granular” – what do you mean?
Paul (email security expert): When I say granular I mean I can actually say, “look for any numbers, ‘x’ number of numbers, dash ‘x’ number of numbers, dash ‘x’ number of numbers or any strings of nine digits.” I can look for any variance; I can get as granular as I want to look for …
Identity Theft Secrets: So you just mean really detailed, that it can get …
Paul (email security expert): Yes, very detailed exactly. Very granular in what it can filter and what it can look for and then also granular or detailed in the actions I can do. So the other really cool action that is important about that product is that it allows you to do logging, right? So it’s one thing to be able to say, look this employee was sending out bad information and it’s another thing to be able to log it so that either when you fire them or when you sue them for sending out all your information, or you get sued for that breach, that you can then turn it around and point it to that person because you have the data and the logging of that data to show where the breach happened and it wasn’t your company being lackadaisical about security, it was just a bad employee.
Identity Theft Secrets: So basically this is all about CYA.
Paul (email security expert): Oh, one hundred percent! In the business world unfortunately, I think most security comes down to CYA. First and foremost hopefully it comes down to — this is the right thing to do to protect our data, our customer’s data and our own employee’s data. But on the business level, it’s definitely a CYA and an insurance policy against if it does happen, how do we minimize our risk, our exposure and our fines?
Identity Theft Secrets: So talking about fines – I know that government likes to get involved in all of this to try and regulate it, to try and help people and a lot of times in the process, they create rules which penalize the people who are being most penalized anyway, a lot of times that comes back to the business owner or the individual. Are there any recent compliance changes in this arena as far as email security is concerned that people need to be aware of?
Paul (email security expert): Well, I think the biggest one is that they’re now starting to say, “it doesn’t matter what size of business you are, we’re going to come after you if you lose your customer’s data; and we don’t care if it’s a thousand names or a hundred names of customers from a small Mom and Pop shop or it’s a hundred names or a thousand names from a large IBM-type company.” They’re really trying to crack down and make the businesses pay and so a lot of the issues out there come down to that.
The other thing is in the payment card industry arena, they’ve added some more information and laws that say, “hey, we’re going to track this and we’re going to make sure that you’re compliant. And not only are you compliant but now all of the business partners or sub-contractors you use have to be compliant as well.” So that trend is now waning and the ripple effect is now coming down to the small Mom and Pop shops, the small one-man contractors, five-person contractor shops. Whereas before, they didn’t have to be compliant, but the big company that they were a sub-contractor to did. Well now, they’re coming down to the rules saying, “Nope, everyone along the chain has to be compliant and therefore we’re going to make you do audits as well. We’re going to make sure you prove your compliance.” And email is one of the easiest links to show that someone is not compliant on and is one of the most widely used. I don’t know anyone who doesn’t use email. I take that back, I know one person who doesn’t use email, but that person is retired and is happy …
Identity Theft Secrets: Living in Fiji!
Paul (email security expert): …and is happy not to be using it. For the majority of us out there, email is a way of life and it’s a requirement and so you just need to make sure that it’s secure.
Identity Theft Secrets: Obviously you guys offer some solutions, or as a company, you come in and do offer some solutions to people as well. I know you partner with a lot of people; you’ve mentioned Vontu a couple of times here in the conversation. If people wanted to get a hold of you for help with their email security, what would be the best way for them to go about doing that?
Paul (email security expert): I think the best way to do that is if they send a gold bullion cube to me directly and then I will be very responsive on the help and support for them.
Identity Theft Secrets: Gold bullion cube?! How much gold is in a gold bullion cube?
Paul (email security expert): Well, it depends, if it’s a one-ounce one or a hundred-ounce one …
Identity Theft Secrets: Right! A hundred ounces will get you quicker results!
Paul (email security expert): That’s right, that’s right! No, to be serious though, customer service is very important; we don’t care if you’re a large customer or a small customer. Our business is built on references and it’s built on good customer service and a good reputation. So you don’t have to send the gold; if you do, I’ll keep it and will cheerfully accept it!
But the easiest way would probably be through our 800 number, that number is 1-866-794-1655, 1-866-794-1655 or they can call me directly at 303-798-7588 or even easier, they can use email which we just discussed everyone uses, most everyone uses. My email address is pherbka@SouthSeasCorp.com.
Identity Theft Secrets: And you mentioned in a previous interview, I’m sorry to interrupt you there, but you mentioned in a previous interview we did actually, that if people mentioned, when they are a new customer of yours, that you would give them a discount if they heard about it through this interview.
Paul (email security expert): Absolutely and we will give them a discount – it will be somewhere between 2 and 5% depending on the product or the solution that they pick. But I’ll guarantee them 2% discount and up to 5% discount on any of the solutions they have just for mentioning that they saw it here on your network.
Identity Theft Secrets: Great! Well, thank you very much and obviously you are a wealth of knowledge — appreciate you taking a few minutes to talk with us today about email security.
Paul (email security expert): Thank you and have a great day!