Could it be that the proliferation of e-mail is fostering a dangerous shift in corporate mentality? We look at how new technologies are inadvertently beginning to undermine the true value of corporate information.
A report published by Jupiter Research suggests that 49.5% of chief executives considered the sensitivity of their company's data to be 'low'. In a world where the threat of information security breaches is an everyday consideration, this is either a representation of gross naivety or total negligence.

The reality is that, by opening up networks and building knowledge-based infrastructures that empower employees to access a wider portfolio of company information, organisations have inadvertently opened the floodgates for mismanaged data – and fostered a climate of undervalued information.

Technologies such as e-mail pose a potentially dangerous shift in corporate mentality. A shift that is seeing the sensitivity of corporate data increasingly undermined through an ability to circulate information with a degree of immediacy unthinkable just a few short years ago.

Sensitive company documents – once upon a time physically filed, marked as being 'confidential' and sealed in an envelope when sent to an external party – are now easily accessible from a corporate network by large numbers of employees. Employees who have the means at their disposal to routinely circulate that information around the world without giving the matter a second thought.

The management of data
While a great deal of attention is given to the security of data passing the perimeter of an enterprise, many organisations have been unsuccessful in managing the data itself. The growing volume of material held within the average company is now so large that, although freely available through company Intranets and directories, its level of confidentiality is often left uncategorised. It is this unchallenged availability – and the ease with which data can be circulated by an employee with an e-mail connection – that is presenting a security risk so far largely unnoticed.

In most cases, the circulation of sensitive data – perhaps a sales forecast – is not conducted maliciously. Instead, it's carried out by the growing army of employees to whom e-mail is second nature. Employees who perhaps don't assign as much importance to a piece of data as their contemporaries would have done ten years ago.

For centuries, technology has been the root cause of change in business practices. The telephone, facsimilie machine and PC are all typical modern day examples of how, once accepted as mainstream, technology can lead us along a new path of increased profitability, efficiency and communication.

In the majority of cases, such changes are welcomed. This is certainly the case with e-mail, a technology adopted with such speed and ferocity that to anyone aged under 21 it seems hard to imagine life without it.

The problem is compounded by the rise in information security breaches, with many organisations reacting to such occurrences by battening down the hatches and ring fencing corporate software networks with the latest software solutions. Yet despite these measures, many organisations continue to offer themselves up as easy prey by not giving a second thought to the unclassified material attached to their e-mails.

Of course, the suggestion is not to restrict e-mail access across an enterprise. After all, the advent of electronic communication certainly offers more benefits than pitfalls. Not only have once mundane work processes been simplified, but employees have a far wider perspective of understanding thanks to the availability of data that would once have been locked away in a filing cabinet. Knowledge workers must be allowed to search, retrieve and manage both data and e-mail within a secure yet collaborative environment.

e-mail as a business tool
Many e-mail solution vendors have been slow to recognise the growing demands placed on e-mail as a business tool, undoubtedly fertilising the trend towards free information flow whatever the cost. It should be remembered that e-mail was never intended to be used as a tool for high value communication. Only when it became a viable mass-market technology did it begin to flourish in industries where the confidentiality of information is critical.

While a great deal of attention is given to the security of data passing the perimeter of an enterprise, many organisations have been unsuccessful in managing the data itself. The growing volume of material held within the average company is now so large

Efforts to secure data circulated by e-mail have largely been pooled around encryption technologies, yet the problem lies further down the chain – at the root source of unmanaged company information.

The way in which organisations are conducting business highlights the need to automatically classify e-mail content in its native form from within a corporate directory – based on defined rules of usage unique to each organisation. Wrapping low level data (such as company telephone lists or staff memos) in security mechanisms achieves nothing other than restricting use and accessibility.

One sector that has long understood the importance of classifying information is the military. Using security labelling technology, electronic communications are 'tagged' before dispatch. Usually applied within the default e-mail client, the labels allow the sender to quickly assign a level of confidentiality suitable to a particular item of mail and its content. The label then automatically applies the appropriate level of security for the level of confidentiality selected.

A message of the highest confidentiality will therefore be subject to digital signing, data encryption and any other mechanism in place to guarantee the integrity of the data. Depending on its content, a staff memo may well pass through the gateway untouched.

Security labelling is now being applied within the corporate environment, with a new generation of software adopting a more pragmatic approach by managing e-mail on the boundary between the organisation and the outside world. This approach offers the benefit of configurable policy setting at a server level, allowing the definition and management of e-mail policies from a corporate perspective regardless of desktop set-up.

The responsibility of applying security is thus removed from the user and passed back to the organisation.

Breaches in confidentiality
It seems it isn't just the information that's undervalued, but also the resulting effects of mismanaged data and the possibility of a breach in confidentiality. Online IT resource centre TechRepublic conducted a survey in January last year in which nearly 2000 respondents were questioned about Internet and e-mail usage. Surprisingly, only 18% of those questioned considered the leakage of confidential company information as 'extremely serious'.

Employees actually cited the accessing of pornographic content via the Web as being far more important and more of a threat. Unbelievably, just 9% of those people surveyed felt the problem of company data misuse was 'serious' (less than half of those that cited the serious nature of downloading unauthorised files such as MP3s).

End users are the weakest link
The age-old adage that the user is the weakest link in any electronic network still holds true. Organisations really must begin to look internally at how employees are trained to use information, and create an understanding that corporate data is an asset and not a by-product of modern business.

There is now a strong argument that responsibility for security and confidentiality of information must be moved away from the user and managed centrally (without restricting access, of course).

Source

SMT

Postscript

Humphrey Browning is head of technical consultancy at Nexor