Electronic Dilemma

THE EMAIL EXPLOSION POSES TRICKY CHALLENGES TO CEOs

November 1 2004 by Chief Executive


 

Philip J. Kaplan, the dot-com generation’s Michael Moore, is one person you don’t want reading your email.

Kaplan, author of the best-selling book F’d Companies, runs a Web site that posts emails about layoffs, outsourcing moves and other gossip tidbits that weren’t supposed to travel beyond the corporate walls. During the dot-com implosion, layoff victims and disgruntled employees forwarded hundreds of emails to Kaplan to post. Today, his site contains an even broader mix of confidential memos from across all industries.

In the digital age, it’s difficult to stop the free flow of information among employees, consultants, competitors and rumor hunters. Aware of the risks, more than 40 percent of large companies now employ staff to monitor outbound messages, and 75 percent say it will be either “important” or “very important” to reduce the financial and legal risks associated with outbound mail over the next 12 months, according to Forrester Research in Framingham, Mass.

Still, at most companies manually monitoring every outbound (or inbound) message isn’t a viable option. The average corporate inbox processes more than 10 megabytes of email per day, according to the Radicati Group, a research firm in Palo Alto, Calif. That figure is expected to top 42 megabytes per day in 2005, due to the growing wave of spam and multimedia attachments. Overall, email volume is growing 35 to 40 percent annually, estimates Osterman Research of Black Diamond, Wash.

Making matters worse, Uncle Sam insists that businesses somehow tackle the issue€¦quot;quickly. Under various government mandates such as the Gramm-Leach-Bliley Act, Sarbanes-Oxley and the Heath Insurance Portability and Accountability Act, companies must ensure the privacy of their digital communications and also retain business-oriented messages for designated periods of time, typically three years or more. Companies that don’t properly manage their digital assets can wind up paying steep fines.

As a result, CEOs need a secure messaging system that both protects information and makes it easily auditable and retrievable. Moreover, the email security solution needs to be easy to use, offering functions such as strong end-to-end encryption, mutual authentication and robust auditing features. One of the key technical issues is whether to embrace Secure/Multipurpose Internet Mail Extensions, an email security standard that requires a corporate email server to issue a “digital certificate” to each user. Users must have a “private key” to open messages.

At least one company has found a secure email solution, based on our company’s product. UST, a $1.6 billion tobacco, wine and spirits company based in Greenwich, Conn., needed a single, secure messaging system that extended internally to all employees and externally to partners, customers and business associates.

Rather than forcing UST to scrap its existing email infrastructure, our secure email gateway and client software were layered onto existing messaging systems. “We wanted internal users to be able to use their own standard email system,” says Paul Lourd, director of information technology at UST. “And we needed security to be transparent to users, with no action or extra steps required.”

Of course, not everyone is going to buy Sigaba’s product, but I think there are some principles that should shape the technology architecture. Standards-based security should separate encryption or “key” services from authentication services, and policy management should automate auditing and reporting for end-to-end messaging security. The architecture should also enable messaging workflow and content filtering (for spam, viruses, etc.).

Moreover, these emerging systems should be added to an organization’s existing messaging system; they shouldn’t force it to be ripped out. And all systems should be simple for users, requiring no extra steps to get access to their email.

Over the next few years, analysts expect customers to flock to federated authentication because it can establish “networks of trust” between businesses, customers, partners and other third parties. Looking ahead, federated authentication€¦quot;based on standards such as the Liberty Alliance€¦quot;will make it easier and easier to establish such networks of trust. Ultimately, the free flow of information will be protected from the hidden costs.

Robert Cook is chairman and chief executive officer of Sigaba, a privately held company in San Mateo, Calif.