Companies Concerned About Data Leaks, E-mail Security
Thursday, September 17, 2009
Companies are increasingly concerned about data leaks caused by employee misuse of e-mails, blogs, social networks and text messages. We speak with two experts about what companies are looking for and how the recession is affecting data leaks.
MAUREEN CAVANAUGH (Host): I'm Maureen Cavanaugh. You're listening to These Days on KPBS. Not long ago, e-mail was a new-fangled, cutting-edge communication tool. Your parents probably didn't use it, and your boss took pride in saying he or she didn't know how the darn thing worked. Now, e-mailing is one of the standard ways people contact each other, in both business and social life. Unfortunately, security and legal issues surrounding e-mail communication are still in the process of catching up with the times. Do you know what's safe to say in an e-mail, so that you don't risk your job, or your business, or your personal information? As a business owner, are you required to store your e-mail, for how long and at what level of security? And is there any such thing as a private e-mail? Joining me to talk about e-mail security are my guests. Keith Crosley is director of Market Development at Proofpoint, Incorporated. Keith, welcome to These Days.
KEITH CROSLEY (Director of Market Development, Proofpoint, Inc.): Thanks, Maureen.
CAVANAUGH: And I'd like to welcome back a frequent guest to These Days, Murray Jennex, information systems professor at San Diego State University. Hello, Murray.
MURRAY JENNEX (Information Systems Professor, San Diego State University): Good morning, Maureen.
CAVANAUGH: And we'd also like to invite our listeners to join the conversation. Do you know if your company reads your e-mails? Do you think they should? Do you have a question about what kind of information is safe to send by e-mail? You can call us with your questions and your comments. The number is 1-888-895-5727, 1-888-895-KPBS. Keith, let me start out by asking you, what does your company, Proofpoint, do?
CROSLEY: Right. So Proofpoint really helps companies put policy around e-mail. So on the inbound side that means preventing spam and viruses from entering corporate inboxes. But then also on the outbound side, making sure that there's not proprietary, confidential or otherwise protected information being sent inappropriately in outbound e-mail. We also help companies archive their e-mail. As you mentioned, companies sometimes do need to retain e-mail and it's commonly a subject in court cases. So being able to retrieve and store e-mail is a very important issue today.
CAVANAUGH: Now your company recently did a survey about e-mail security. What did you find out?
CROSLEY: Yeah, so this is the sixth year, actually, that we surveyed large enterprises about their concerns about outbound e-mail, and a few interesting things. You know, you talked about do you know if your company reads your e-mail? Well, it turns out that more than a third of U.S. companies, it's actually close to 40%, say that they employ staff that reads or otherwise analyzes the contents of outbound e-mail. We also found that more than a third of companies say that their business was impacted by the exposure or – of sensitive or embarrassing information in the last 12 months. A third said that they'd been impacted by improper exposure or theft of customer information, and a similar number said they'd been impacted by the improper exposure or theft of intellectual property. So you can see that there's a lot of reasons for companies to be worried about what's going out of the company in outbound e-mail, and it gets employees in trouble. Nearly a third of companies that we surveyed said they'd terminated an employee for violating e-mail policies in just the past 12 months.
CAVANAUGH: Now, Keith, when we talk about data leaks…
CAVANAUGH: …what kind of information are we talking about?
CROSLEY: Right, well, there's – there are really, I would say, three key areas here. So one is things like the personal identity and financial information that belongs to your customers, right? So your name and your credit card number that might be stored at an online retailer. And then there are things like the company's intellectual property. You know, confidential information like internal memos, product plans, even things like the employee roster are confidential information that could cause a company big problems if it fell into the wrong hands. And then thirdly, there are – there's protected healthcare information. I think everybody who's been to a doctor in the past five years is familiar with the HIPAA regulations that protect patient privacy, right? This is also a big issue especially in the healthcare and pharma industries but the HIPAA regulations actually today actually apply to a huge number of different types of companies that you wouldn't even expect.
CAVANAUGH: Wow. I – Murray, I'd like to get you into the conversation. How dangerous are – can e-mails be to companies?
JENNEX: Well, they can be extremely dangerous because many comp – well, employees many times can say things that the company doesn’t really – they're not aware of what they're saying. And there's been several cases where employees have e-mailed out, just before leaving the company, critical information that they wanted to keep and use in their new job and, you know, that can be very damaging from a competitive advantage standpoint.
CAVANAUGH: And also, is it possible that if people – if companies have a security system in place, you know, you put your credit card information when you want to buy something and that's all secure and everything but then people take that information and put it in an e-mail and then anybody can get it. Is that – Does that happen?
JENNEX: Well, sort of. I mean, you can still have confidential e-mail where you've encrypted the e-mail message…
JENNEX: …and only the people who receive it can open it up. But, again, if you're using a company e-mail and they have their own encryption system, they're going to have the key. So to assume that you've encrypted a company e-mail and that it won't be read by anybody in the company is…
JENNEX: …probably a big mistake.
CAVANAUGH: Now, Keith and Murray, I want to ask you both about the people – the companies that are hiring people to monitor the content of…
CAVANAUGH: …outbound e-mail. Keith, what specifically are they looking for?
CROSLEY: Right, well there are even – there's a few different reasons that you would do that. You know, in a highly regulated industry, you know, whether you're trying to comply with credit card security standards or, you know, in a, say, a financial services type of environment like a broker dealer, is there are actually people that are employed that actually have to read every single inbound and outbound e-mail. Now in the…
CAVANAUGH: All right.
CROSLEY: …in the broader landscape, that's not the case but when somebody who's tasked with reading e-mail is reading it, what they're looking for are things like confidential information, they're looking for financial information about customers, and they're looking for healthcare information. They might also be looking for content, you know, that's either adult, obscene or potentially offensive that could be creating a hostile work environment.
CAVANAUGH: And, Murray, I wonder, is it common to catch malicious activity when a company does put in a monitoring system?
JENNEX: Oh, absolutely, and even if it's not people and it's just automatic. The last issue about the hostile work environment, this is probably one of the more common things that have gotten companies in trouble. Many companies that I know of have been sued by employees for a hostile work environment, and when these employees subpoena the e-mail system, many times the companies just settled because it's too dangerous to go in and start looking at e-mail because they didn't know what was in there.
CAVANAUGH: Oh, I see.
CROSLEY: Yeah, there are two classic cases there actually, so Chevron had a sexual harassment lawsuit case that involved e-mail. It was settled for $2.2 million. And then Morgan Stanley settled a $60 million lawsuit that was filed over racist jokes being sent through e-mail.
CAVANAUGH: We are taking your calls, 1-888-895-5727. We're talking about e-mail security. My guess – guests, that is, are Keith Crosley. He's director of Market Development at Proofpoint, Incorporated. And Murray Jennex is information systems professor at SDSU. That number once again is 1-888-895-5727. Helen is calling us from north county. Good morning, Helen, and welcome to These Days.
HELEN (Caller, North County): Good morning. I'd like to ask a question about wireless security when you're picking up a e-mail on WiFi connections whether it's in a public setting or you're like on an AT&T U-verse system which goes to your pole versus these net cards and netbooks that they're now kind of pushing in the cell phone stores. They claim that those are much more secure, quote, unquote, because of some encryption that would be like more on a cell phone versus taking just like an air card or a wireless.
CAVANAUGH: Now, Helen, you've talked a lot about things that I don't know we all know about. So, Keith or Murray, could you take that and also give us a little bit of a tutorial about exactly what Helen's talking about?
CROSLEY: Sure, well, I think we both can comment on that. So, you know, if you take your laptop to Starbucks, right, and you're using somebody's wireless network and, you know, you access your e-mail system and you're just going to download your e-mail, right? That's the situation she was talking about.
CROSLEY: And the – Her question is are these kind of WiFi networks, are they secure at all? And then, too, are they less secure than another method of doing it, which is to actually have a cell phone technology card that is commonly in a netbook or you might actually have a card that goes into your laptop that actually uses the cellular network to communicate with the internet. The quick answer on this is that public WiFi networks can be snooped. They can be snooped very easily. On a lot of these, your data is at risk of being accessed by somebody else and there are people out there that do this. The cell phone technology is more secure. I couldn't tell you scientifically how much more secure but the data is encrypted and you're not sharing this kind of open network with everybody else. And, Murray, correct me if I'm wrong and grade my work.
JENNEX: Well, you're absolutely correct in what you've said. The cell phone, in particular, if you have a digital cell phone, that is encrypted. If you're using the old analog cell phone and trying to download stuff, that's not, and that can be looked at. I think from the standpoint of the cell phone you're probably much safer. Public network's a very common hacker approach to getting into people's computers. And just because your personal computer is kept secure doesn't mean that it won't get looked at because you're going across their server and their server will be open. And everywhere e-mail goes, any time it gets on any server, it can be opened and looked at.
CAVANAUGH: Right, Murray, I know that that's one of your pet peeves about people who are using their computers in a public place like a Starbucks or another coffee shop and they don't realize that their basically leaving themselves wide open.
JENNEX: And I know of many cases where people have read e-mail and posted them and, you know, it's not just in the U.S. This is another thing that we should keep in mind is that if we're doing any kind of international work, the standards outside the U.S. can be even less and your e-mail can be even more open. I, personally, had my e-mail read by the Ukrainian government when I was doing a job for them back in Kiev and it was posted in the paper.
CAVANAUGH: Well, okay, let that be a lesson to us all when we're in Ukraine. Let me ask you both, Keith, let me start with you.
CAVANAUGH: What are the types of e-mails that could get employees into trouble?
CROSLEY: Right, well, I think there are many different types, I mean, you know, that could get employees into trouble. I – Let me just share kind of the golden rule of e-mail, right? As we were just discussing, e-mail is essentially like a postcard unless it's encrypted, right? It could be read at many different points along the chain. And we know statistically and we know from just our experience working in e-mail security, that someone else besides the recipient you think your e-mail is going to inside your company is probably going to look at your e-mail at some point. So don't put anything into e-mail that you wouldn't want the whole world to see, right? This is a tough rule to live by but it's something that one should keep in mind before sending certain types of personal information over e-mail. So things that an employee could get in trouble for are, you know, like we said before, things that contain offensive contents, right. That can pose a very huge risk to the corporation. You also wouldn't want to share other people's personal information in e-mail, so whether that's your customers', you know, names and social security numbers and credit card numbers, or private healthcare information if you work in a healthcare related company. I would also say don't put your own personal information in e-mail, right? That gets you into trouble in other ways, right. Someone else could easily access that and, you know, as we've seen, these kinds of leaks of personal information can lead to identity theft and a whole host of other problems.
CAVANAUGH: Well, you know, as I listen to you, both of you, I'm ticking off in my head, I've probably done everything that you've mentioned wrong. I mean, I've probably put personal information and I've probably said things I shouldn't and I – I've probably sent all of these things out all the time. And I would imagine, Murray, that I am not alone.
JENNEX: No, I think it's a fairly common practice. I think many people perceive e-mail as being private and it really isn't. Another issue to keep in mind is just because you delete the e-mail you sent doesn't mean it's gone away. It's on the server, the e-mail server itself, and many times these e-mails don't go away until every single copy has been deleted and that's a very difficult task. Another issue that comes up is at holiday time. A lot of people send e-mails on Christmas or Halloween with all the fancy pictures and stuff and video, and these actually impact the networks so then companies start looking to see who's passing off these e-mails and spreading them around the network and that can get you in trouble.
CAVANAUGH: Oh, dear. Now even on your home computer then, Murray, there's really no such thing as a private e-mail?
JENNEX: No, not really because even if I send it to – Say, I send you an e-mail. It's going to go across the SDSU server, it's going to go across a public server. And everywhere it goes, a copy is created at least for momentarily purposes. I don’t – Usually, these are destroyed but you don't really have control over that and they can be saved. Plus, if I'm using my own SDSU e-mail account, the SDSU e-mail server keeps a copy and even though I delete it, they still have it.
CAVANAUGH: I see. Now, Keith, what about individuals, should we be archiving our e-mails? Why would we do that? And why is it a bad idea if we shouldn't be doing it?
CROSLEY: Right, well, you know, there's no simple answer to whether people should or should not archive e-mail. This is still an area where I think individuals and companies, which are, you know, the types of organizations that I deal with, should or should not retain e-mail and, if so, for how long. Our general advice at Proofpoint is that you should be retaining e-mail and you should be doing it in a way that makes it easy to search, right. So rather than just archiving e-mail off to tapes to put it into, you know, a more robust system, right, that has – that's searchable. And here's why. Lawsuits happen. So one of the things we found in our survey is out of these 220 large companies that we surveyed this year, nearly a quarter said that employee e-mail had been subpoenaed in the past 12 months. So e-mail is such a rich source of information, it's the de facto filing system for a company, it's where people discuss plans and what they're going to do and all this, you know, everything, right, technology, plans. All of that stuff is evidence and everybody understands that now so when a company gets sued, employee e-mail gets attached to that lawsuit. And if you – if you're retaining your e-mail and you can search it quickly, you can actually figure out, well, one, you can comply with the rules of civil procedure, right, that govern court cases. You can ensure that you've retained information that's relevant to the case and you can ensure that it's not going to be destroyed. But, two, it gives you time to actually analyze the merits of the lawsuit, right, so should we fight or should we settle? And if you don't have the evidence, the thing is, is that somebody else is going to have it because, like Murray said, e-mail basically never goes away.
CROSLEY: It's pretty much impossible to lose an e-mail, so somebody else has got it.
CAVANAUGH: Yeah, right.
CROSLEY: So if the opposing counsel wants to get that e-mail, they can find a way to get it. And if you don't have it, well, then, you know, you can't fully understand the merits of the case, so that, I think, is one of the central issues. There are other regulatory concerns in certain industries where it is mandated that a company would need to retain e-mail for a certain period but this is still a kind of vague area.
CAVANAUGH: Murray, it seems to me that even though e-mail, as I said in the beginning, is so ubiquitous, people really haven't gotten the idea that this is almost like you – remember how people used to say this goes on your permanent record? This is a permanent record. Do you think that there's a disconnect there between how people are using this technology and its ramifications?
JENNEX: I think there really is. And I think – I mean, I understand the need to retain e-mail. I'm not sure it's a good idea to retain it. I've never heard of anything good happening to a company by keeping e-mail. But on the other hand, knowing that what's there is important. What I really think needs to happen is that companies need to probably start looking at e-mail and having like a two-tier system, one for formal communications where it's very controlled, very rigid and those – that's retained, and one for the informal communication that is just discarded. Because I don't think employees understand. It's like using the phone, you know, it's just a standard communication tool. You will say all sorts of informal things that have no bearing on your work. And then another thing is, I'm like most people, I – the only e-mail I really like to retain are e-mails that make me look good.
CAVANAUGH: I'm glad you said it. Let's take a call. Allison is calling from Tierra Santa. Good morning, Allison, and welcome to These Days.
ALLISON (Caller, Tierra Santa): Good morning. I was calling with a question. I have always assumed that every single stroke I have made on my computer, whether I am offline or online, sending e-mail, receiving e-mail, drafting it offline, or every stroke I make on my phone, whether it's receiving e-mail, sending a text, calling a number, is forever a permanent record somewhere on some server in some universe. And I just wanted to know if that is true because that's what I've told my children.
CROSLEY: So that's not entirely true so, certainly, the issue of a sent e-mail, right, there's – that's actually probably – It probably does exist somewhere, if not forever at least for a long period of time. When you're actually typing, unless you're infected with some sort of virus or somebody has, for some reason, installed a key logging application—that would be an application that actually keeps track of keystrokes—on your machine, there's not some sort of record about that. But as a security professional, I appreciate your level of paranoia.
CAVANAUGH: Murray, though, you know, you see in like CSI where they confiscate the computer of the suspect and they can find everything that the person ever accessed. Is that really true?
JENNEX: To a point. Computer memory is pretty nonvolatile, the hard drives, and with very sophisticated software, you can retrieve stuff that has been deleted unless it's been written over many times. And so it's a yes and no thing. I mean, they can get the recent stuff but not stuff you've done a year or two ago. That's probably gone and won't be retrieved at all. And if they get any of it, it's just going to be bits and pieces of it. So from that standpoint, I don't really think that when you look at somebody taking your computer and getting things, unless it's recently deleted or just put on there, they're not going to get it.
CAVANAUGH: Okay. All right, thank you, Allison, for that phone call. Let's go to Christine calling from north county. Good morning, Christine. Welcome to These Days.
CHRISTINE (Caller, North County): Good morning. I was calling because – regarding people getting fired for e-mails. I know that my husband had to fire someone not too long ago because she had taken a picture on her cell phone and sent it through picture mail and sent it by mistake to other people at the company and not to the person she had anticipated for that person to receive it. And he had to fire her, and I think that the argument was that picture now really was an e-mail and I think that people don't really realize the difference of that and are taking risks because this has happened a couple of times with him, he's had to fire people regarding that. And so I just wanted to point that out, that it wasn't just regular e-mail that people are getting fired over.
CAVANAUGH: Well, thank you for that. And is this – Keith, is this an example of just hitting the dreaded send button and then realizing that you've done something awful?
CROSLEY: Yeah, I do think it's that case. And it also – You know, this points to kind of the broader issue which is, you know, most of the kinds of data leaks and exposures of intellectual property, most of the incidents that happen are actually inadvertent, right. They're not really the case of a rogue employee, you know, trying to steal something. It's really people just making mistakes or just trying to do their job and they don't understand the rules, right. This is a slightly different case where I'm guessing this was sort of a racy photo that got sent. You know, and of course the personal embarrassment is huge and I think one could argue whether that's actually a firing offense or not but, you know, as Murray pointed out, right, I mean, this kind of material in a company's IT systems can get them in trouble. And so you can make a strong argument for firing. You do have to be really careful, I think, with what you send and how you send it.
CAVANAUGH: Keith, I'm wondering, for those organizations that are required to archive their e-mail for legal reasons, I'm thinking of government institutions and…
CAVANAUGH: …and organizations like that, are there ways that have been developed in order to do that in a secure and a reasonable way?
CROSLEY: There are, actually. And, you know, as I sort of touched on before, there – you know, these systems range anywhere from just kind of, you know, taking back-up tapes of the e-mail system to more advanced technologies and this is one of the areas that Proofpoint works in. So, you know, we can actually take a company's e-mail and we connect directly to the e-mail server itself, right, take copies of all the messages. They get sent by an encrypted link to our storage facilities where they're also stored in encrypted form. So you've got the e-mail, it's completely secure both when it's at rest and when it's in transmission. And then the other thing that system does, is it can apply all the policies that you need. So, for example, if your policy says, hey, you know, we only retain e-mail for, say, five years, right. It can make sure that e-mail gets deleted that's older than five years. But then it will preserve e-mails that are subject to a legal hold. So you have some sort of legal action and you search for the e-mails, you find them very easily. You say, hey, these thousand e-mails cannot be deleted until this legal matter is closed whether or not, you know, they're out of age, right.
CROSLEY: So there are technologies for that. Proofpoint's one company that makes them. There are many others out there. But it can be done.
CAVANAUGH: And, Murray, I'm wondering, for the rest of us in our own little worlds, are there any tips that we can use to keep our e-mails just a little bit more secure?
JENNEX: Well, I'm not sure there's a lot that we can do to keep them secure. I think the person that called in and said that she just assumed everybody looked at it is probably the safest thing to do. And…
JENNEX: …because even with people who have to keep archives and you delete after a certain period of time, there are things that you can do to get around that. Like you can still block copy an e-mail into Word and keep it as a Word document, so it doesn't necessarily go away even if you have the tools in place.
JENNEX: If somebody wants to keep something, they'll find a way. And that's the worry I look at, and it's not just e-mail, it's instant messaging, it's all the other stuff that we're doing, that all these communications leave traces. So, again, I think it's making sure that we don't say stuff that we don't want other people to hear.
CAVANAUGH: So 'til further notice, paranoia makes sense.
JENNEX: Yeah, I mean, it's – well, it's like on a phone. The old party line, if…
CAVANAUGH: Yeah. Yes.
JENNEX: I mean, would you say stuff on a party line when you're not really sure who's listening?
JENNEX: And e-mail's kind of like that even on a secure system. Now there are very secure systems where the e-mails are more secure and that's fine, but I don't think most common people have that. And I'm not really advocating that we go out and encrypt every e-mail that we ever send because that's a very ponderous task.
CAVANAUGH: We will have to leave it there, gentlemen. We've run out of time, so I want to thank my guests so much. Keith Crosley is Director of Market Development at Proofpoint, Incorporated. Keith, thank you.
CROSLEY: You're welcome, Maureen. Thank you.
CAVANAUGH: And thanks so much once again, Murray Jennex, information systems professor at SDSU.
JENNEX: Well, thank you, Maureen, and nice meeting you, Keith, and good conversation.
CAVANAUGH: Thank you. You've – And if you want to add something to the conversation, I want to remind you, you can post your comment online at KPBS.org/TheseDays. Now, coming up, we'll talk about a new exhibition that reveals the threats to Baja California's beautiful environment. That's coming up in just a few moments here on KPBS.