For most enterprises it is not enough to make sure their own email platform is secure. If their suppliers are not equally secure, they can be as vulnerable to criminal hackers and data leaks from human error as the weakest link in their supply chain.
The combination of a chain of usually small- to medium-size suppliers, the expansion of cloud-based email services and the Bring Your Own Device (BYOD) trend among workers has created what Richard Parris, writing for BCW, calls a "complex melting pot of security challenges surrounding the secure transfer of sensitive data via email."
[ Prevent corporate data leaks with Roger Grimes' "Data Loss Prevention Deep Dive" PDF expert guide, only from InfoWorld. | Understand how to both manage and benefit from the consumerization of IT with InfoWorld's "Consumerization Digital Spotlight" PDF special report. | Subscribe to InfoWorld's Consumerization of IT newsletter today. ]
By now, the advantages and risks of BYOD have been well documented. While it promotes convenience, collaboration and mobile productivity among employees, it is vulnerable to malicious applications, theft and simple carelessness -- employees storing corporate data in public cloud services that are not secure, so they can access it anytime.
Companies are increasingly aware of those risks. In May, IBM famously issued a new set of BYOD policies that, among other things, forbid employees to use a competitor's cloud service (no more Dropbox, no more Carbonite, iCloud, etc.), to forward corporate email to private accounts, to transmit unencrypted data, or to use Apple's personal assistant, Siri, due to fears that confidential information might be forwarded to Apple.
[See also: BYOD Security Concerns - Does IT Protest Too Much?]
Jeanette Horan, IBM's chief information officer, told MIT's Technology Review that there was, "a tremendous lack of awareness [among employees] as to what constitutes a risk," including forwarding internal corporate emails to webmail inboxes, exposing sensitive company information to possible security breaches.
Many companies also require remote wiping capability on employee devices in case they are lost or stolen, plus communication encryption software. They also require employees not to use a single password for multiple sites, and some are forbidding passwords of a single word.
But Parris, who formerly held technical and sales management positions at Boeing Computer Services and founded Intercede, argues that securing email also requires identity management -- a system that creates a digital identity for employees and other third parties connected to an enterprise, which will then track, "who is sending which email and information to whom, when and protecting it in transit and at rest."
