Busting the Myth of Email Encryption Complexity. Companies looking for a simpler, more efficient way to encrypt their sensitive data.




WHITE PAPER: EMAIL ENCRYPTION

Busting the Myth of Email Encryption Complexity

Who should read this paper

Companies looking for a simpler, more efficient way to encrypt their sensitive data.

Contents

Executive Summary
The Value of Data
Data Loss Hurts
Rules and Regulations
Policy Led Security
Why Don't Companies Use Encryption?
The Symantec.cloud Solution
More Information

Executive Summary

Barely a month goes by without a big data protection story in the media. But where is the real threat and what can you do to protect your business? How do you protect data at rest and data in transit? If encryption is so important, why isn't everyone using it? Is there a simpler, more efficient way to encrypt your data? This white paper aims to answer these questions.

Every day, around 294 billion emails fly around the internet. [1] Around three-quarters are spam, [2] leaving 75 billion legitimate personal and business emails. Only a tiny fraction of these are encrypted. The rest are like postcards: anyone can read them between sender and recipient. In addition, email gives every employee a way to send company secrets instantly to virtually anyone in the world. Data at rest in your organization is equally under threat from espionage, hacktivism, spyware and insider negligence or wrongdoing.

The Value of Data

According to Dale Zabriskie, Principal Technologist at Symantec, 75 percent of a company's intellectual property can be found in emails, presentations and spreadsheets. This information is often stored and emailed without regard to its potential value and the risk of public disclosure, and usually without effective encryption.

As if losing data to hackers and thieves wasn't embarrassing enough, the fallout from a data breach is highly toxic. Share prices fall, reputations are ruined and organizations suffer. With all these risks, regulations and problems, it seems extraordinary that companies are not encrypting their data and correspondence as a matter of course.

Data Loss Hurts

Recently, data loss stories have hit the front pages. It's a pressing issue for businesses and governments. Some recent examples underline the dangers:

Hacktivism - WikiLeaks' release of hundreds of thousands of unencrypted but confidential US government documents should have alerted all CIOs to the threat posed by data leaks. Unfortunately, the message fell on deaf ears. Months later, the Anonymous and LulzSec hacktivist networks got into the computers of strategy consulting firm Booz Allen Hamilton [3] and security consultancy HBGary. [4]

Identity theft - When Sony's PlayStation Network was breached, as many as 77 million PlayStation users saw their personal information stolen by hackers. [5] The BBC reports that the information was stolen from an outdated database, highlighting the need to protect data throughout its life and as it moves from one system to another.

Accidental loss - In 2007, HMRC lost two CDs in transit, containing personal details about 25 million people. [6] This highlights several problems. First, the need for a secure way to transmit data from one place to another. Sending those records by unencrypted email is just as risky as sending them by unencrypted CD. Second, it shows that employees will usually find a way to circumvent any security protocols or rules unless they can be implemented automatically. While the HMRC story is noteworthy, it is repeated thousands of times every day on a smaller scale.

[1] http://email.about.com/od/emailtrivia/f/emails_per_day.htm
[2] Symantec.cloud MessageLabs May 2011 Intelligence report
[3] http://www.boozallen.com/media-center/press-releases/48399320/49321746
[4] http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars
[5] http://www.bbc.co.uk/news/technology-13256817
[6] http://news.bbc.co.uk/1/hi/7103566.stm

Spyware - Symantec has a global network that manages email and related malware detection and prevention services for client companies. In its April 2011 intelligence report, Symantec reported it was stopping an average of 85 targeted attacks per day. Further, it found that 1 in every 242 emails contained a phishing attack, and 1 in every 169 emails contained malware of some kind. [7]

Espionage - UK Defense Secretary Liam Fox told businesspeople recently that the Ministry of Defense had blocked more than 1,000 attacks on its systems in 2010. [8] This was twice the number of attacks the year before. This comes on top of MI5's warnings about the threats to UK businesses from Chinese hackers. [9] No one knows how many attacks get through. Detica, a security consultancy, estimates that the British Aerospace and defense sector loses $2.6 billion a year to espionage and theft of intellectual property. This is almost as much as it spends on R&D. [10]

Rules and Regulations

Several data protection laws are already in place in the US, including the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Gramm-Leach-Bliley Act (GLBA) of 1999. Numerous states have also enacted laws to protect personally identifiable information.

HIPAA mandates severe civil and criminal penalties for noncompliance, such as fines of up to $25,000 for multiple violations of a single standard in one calendar year and as much as $250,000 and ten years' imprisonment for the misuse of health information.

Another important data-security regulation is the GLBA, which covers financial institutions. This standard requires that financial firms develop, implement and maintain administrative and technical safeguards to protect the security of customer information. Financial activities protected by GLBA include loan transactions, financial advisory services, tax planning or preparation services, credit counseling services and check cashing services. As with HIPAA, noncompliance with GLBA brings severe penalties, including civil action brought by the U.S. Attorney General and fines to financial institutions of up to $100,000.

To address data breaches on the state level, Massachusetts and Nevada have established their own encryption laws. The Massachusetts mandate (201 CMR 17.00), which went into effect on March 1, 2010, requires that any organization in Massachusetts or elsewhere that owns, licenses, stores or maintains personal information about a Massachusetts resident follows a set of information-security requirements. Penalties for noncompliance include a $5,000 fine for each violation. [11]

The Nevada law (Senate Bill 227) requires all Nevada businesses to use encryption when data-storage devices containing personal customer data are moved beyond the physical or logical controls of the business. Penalties for noncompliance are undefined, but the law authorizes the state Attorney General to bring action to stop continuing or impending violations. [12]

Currently, legislators in California, Michigan, Wisconsin and Washington are working on pending encryption laws for those states.

Policy Led Security

Every company needs policies that set out how staff can access, use, store, transmit and email company information. A high-level information policy can drive and shape staff policies, training, and technical decisions when it comes to encrypting data at rest and in transit.

[7] Symantec Intelligence Report, April 2011
[8] http://www.mod.uk/DefenceInternet/AboutDefence/People/Speeches/SofS/20110607CyberTheWarOfTheInvisibleEnemy.htm
[9] http://www.pcpro.co.uk/news/143649/mi5-warns-of-cyber-threat-from-china
[10] http://www.mod.uk/DefenceInternet/AboutDefence/People/Speeches/SofS/20110607CyberTheWarOfTheInvisibleEnemy.htm
[11] http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
[12] http://www.leg.state.nv.us/75th2009/Bills/SB/SB227_EN.pdf

The Center for the Protection of the National Infrastructure (CPNI) in the UK offers the following general security advice. [13] Companies, it says, need constantly to ask themselves:

- Who would want access to our information and how could they acquire it?
- How could they benefit from its use?
- Can they sell it, amend it or even prevent staff or customers from accessing it?
- How damaging would the loss of data be?
- What would be the effect on our operations?

CPNI suggests the following principles should be central to any decisions:

1. It is not possible to protect everything, so one must prioritize what to protect.
2. The measures should be proportionate to the threat.
3. The cost should not exceed the value of the asset being protected.

Finally it notes, "Security is more cost-effective when incorporated into longer-term planning."

The first step is to classify data, in particular email. As Zabriskie says, "When you classify information, then you're also able to encrypt the right information at the right time and in the right place."

Why Don't Companies Use Encryption?

There is a perception, cultivated by Hollywood and law enforcement agencies, that encryption is impossibly complicated and only for use by people with really important secrets. Inside this myth, there is a grain of truth. The mathematics that underpins modern cryptography is complex, but tools have evolved that make it easy, even completely transparent, to use while maintaining security against unauthorized access.

For example, voice conversations on Skype are encrypted and no one notices. Online stores use SSL encryption to protect credit card data and very few people notice. Most electronic banking transactions use encryption and many now use crypto devices for login authentication, and no one notices.

However, managing your own in-house encryption environment can be complex and potentially expensive. You have to secure it against hackers and accidents. You will need to manage the keys used to encrypt and decrypt messages as well as develop trusted relationships with those with whom you exchange encrypted correspondence. And you need to have robust enrollment, updating, and end-of-service procedures for the people with access to keys and encrypted information.

The Symantec.cloud Solution

We've seen that there is a clear and present threat to businesses from data loss, whether it is the result of accidents or deliberate attack. The consequences are severe and increased by regulations. It's clear that classifying your data accordingly is essential, as are policies and processes that protect it.

[13] http://www.cpni.gov.uk/advice/infosec/

An essential part of any data protection plan is encryption. However, we've seen that it can be difficult, expensive and time-consuming to use. Fortunately, there is an alternative: using cloud-based, managed encryption systems.

Many companies already outsource much of their email system. When so much email carries spam and malicious content, running an email service is a costly overhead most companies sensibly prefer to leave to specialists such as Symantec.cloud. The same approach helps companies protect against data loss, and Symantec.cloud has several services that can help:

Boundary encryption - Symantec's Email Boundary Encryption.cloud allows clients to set up secure private email networks that link up with their nominated partners. Every part of every email sent or received via these networks is fully and securely encrypted. As with Skype and mobile phone calls, both sender and recipient remain unaware that their messages are encrypted, unless you tell them. The service works seamlessly with leading email servers such as Microsoft Exchange, Lotus Domino and Sendmail. And of course, it works with other Symantec.cloud services such as Email Security.cloud to scan all incoming and outgoing encrypted email for viruses, spam and other inappropriate content, thus preserving the integrity of both your IT systems and your information.

Policy-based encryption - This lets you encrypt sensitive data using flexible rules to decide what emails should be encrypted; for example, based on sender, recipient, words or attachments. Recipients can read encrypted emails easily and send encrypted replies without installing special software on their PC or smartphone.

Content control - Symantec Email Content Control.cloud reduces the risk of data loss over email by scanning outgoing emails and attachments for keywords, phrases, URL lists or particular wildcards (e.g. credit card numbers). Emails of concern can be tagged, redirected, or blocked and deleted.

Spyware prevention - Keeping your computers safe from spyware and intrusion is an essential part of data loss prevention. Our cloud-based Email, Web, and endpoint solutions do exactly this. The Symantec Web Security.cloud service blocks spyware coming in via web browsers and Symantec Email Security.cloud blocks malware, including targeted attacks, coming in via email. Because they are cloud-based services, they can block threats before they reach your network and provide advanced malware filtering such as Link Following, which inspects web links embedded in emails.

Although these services are in the cloud, you still retain complete control over the security policies you wish to enforce via a web-based console.

When combined with sensible security policies, employee training and information classification, Symantec.cloud can help you keep your critical data away from prying eyes and protect it from accidental leaks. Easy-to-implement email encryption adds a further level of protection that protects a vital channel of communication. In a world where leaked emails, spyware and data theft can cost companies millions, it pays to have comprehensive protection.

For more information please visit our website at www.symanteccloud.com or contact us at CLD_Info@symantec.com

More Information

AMERICAS

UNITED STATES: 512 Seventh Avenue, 6th Floor, New York, NY 10018, USA. Toll-free +1 866 460 0000
CANADA: 170 University Avenue, Toronto, ON M5H 3B3, Canada. Toll-free: 1 866 460 0000

EUROPE

HEADQUARTERS: 1270 Lansdowne Court, Gloucester Business Park, Gloucester, GL3 4AB, United Kingdom. Tel +44 (0) 1452 627 627, Fax +44 (0) 1452 627 628, Freephone 0800 917 7733
LONDON: 3rd Floor, 40 Whitfield Street, London, W1T 2RH, United Kingdom. Tel +44 (0) 203 009 6500, Fax +44 (0) 203 009 6552, Support +44 (0) 1452 627 766
NETHERLANDS: WTC Amsterdam, Zuidplein 36/H-Tower, NL-1077 XV Amsterdam, Netherlands. Tel +31 (0) 20 799 7929, Fax +31 (0) 20 799 7801
BELGIUM/LUXEMBOURG: Symantec Belgium, Astrid Business Center, Is. Meyskensstraat 224, 1780 Wemmel, Belgium. Tel: +32 2 531 11 40, Fax: +32 531 11 41
DACH: Humboldtstrasse 6, Gewerbegebiet Dornach, 85609 Aschheim, Deutschland. Tel +49 (0) 89 94320 120, Support: +44 (0)870 850 3014
NORDICS: St. Kongensgade 128, 1264 Copenhagen K, Danmark. Tel +45 33 32 37 18, Fax +45 33 32 37 06, Support +44 (0)870 850 3014

ASIA PACIFIC

HONG KONG: Room 3006, Central Plaza, 18 Harbour Road, Tower II, Wanchai, Hong Kong. Main: +852 2528 6206, Fax: +852 2526 2646, Support: + 852 6902 1130
AUSTRALIA: Level 13, 207 Kent Street, Sydney NSW 2000. Main: +61 2 8220 7000, Fax: +61 2 8220 7075, Support: 1 800 088 099
SINGAPORE: 6 Temasek Boulevard, #11-01 Suntec Tower 4, Singapore 038986. Main: +65 6333 6366, Fax: +65 6235 8885, Support: 800 120 4415
JAPAN: Akasaka Intercity, 1-11-44 Akasaka, Minato-ku, Tokyo 107-0052. Main: + 81 3 5114 4540, Fax: + 81 3 5114 4020, Support: + 852 6902 1130

About Symantec.cloud

More than 31,000 organizations ranging from small businesses to the Fortune 500 across 100 countries use Symantec.cloud to administer, monitor, and protect their information resources more effectively. Organizations can choose from 14 preintegrated applications to help secure and manage their business even as new technologies and devices are introduced and traditional boundaries of the workplace disappear. Services are delivered on a highly scalable, reliable and energy-efficient global infrastructure built on fourteen datacenters around the globe. A division within Symantec Corporation, Symantec.cloud offers customers the ability to work more productively in a connected world.

For specific country offices and contact numbers, please visit our website.

Symantec.cloud North America, 512 7th Ave., 6th Floor, New York, NY 10018, USA. 1 (646) 519 8100, 1 (866) 460 0000. www.symanteccloud.com

Symantec helps organizations secure and manage their information-driven world with managed services, exchange spam filter, managed security services, and email antivirus.

Copyright 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 8/2011 21207734