Though it makes far fewer headlines, spam is a huge problem for financial institutions. Besides the fact that financial organizations are likely targets for phishing attacks, employees continue to be targeted by email scams aiming to compromise personal information and your organization's defenses.
Email also cuts both ways, since one of the most prevalent places for data leakage is outbound email. These violations are usually not intentional, but the effect is all the same if private customer data is sent out of the organization via email. And don't forget that it's hard to find a grumpier employee than one who can't access email for any length of time.
Buying vs. building
We all are resource constrained (regardless of the size of organization), which means we've got to make hard decisions about what makes sense for us to do and what is better left to others. A few years ago, your options were either software or an appliance run by the organization. Now with the advent of mature managed services, there is a clear alternative to customer-premise based offerings.
Managed email security services (don't mind the unfortunate acronym MESS) potentially deliver the core value propositions of other managed services: less operational overhead and the ability to scale without requiring more equipment. But that doesn't mean outsourcing email security is right for everyone.
The reality is that both options can work fine for a financial institution, so a lot of the decision rests on whether you have the resources to actually manage the environment and scale the equipment in times of stress. Many mid-sized financial firms will likely end up outsourcing their email security because they have a lot of other things to spend their time on. Let's play this out and look at how to integrate an email security service into your existing architecture.
We shouldn't get the cart ahead of the horse, so the first thing is to pick a vendor, which nowadays rests mostly on price and comfort within their management interface. Other selection criteria will include the ability to filter outbound mail and the quarantine function (which gives employees the ability to check for false positives).
Run some real mail traffic for a test group through the service provider during the selection process. You can't really judge effectiveness any other way and it will also allow you to get familiar with the environment.
The first step of the implementation is to set up the rest of your users. Most vendors offer utilities that make this reasonably painless. However, this is going to be the area that requires most of your attention over time, since any moves, adds and/or changes in your employee base will need to be reflected in the service provider's network.
Once your users are set up, migrate your email traffic through the service provider's mail network. This involves redirecting your MX record to the service provider. It takes maybe 12 hours for the information to propagate through the Internet and you are good to go.
You need to watch the environment like a hawk for the first few weeks. Check for adequate throughput and most importantly, minimize false positives and negatives. You don't want your users to get bombarded with unsolicited messages because the service provider's detection engine is adjusting to your traffic.
Make sure you have the instrumentation to enforce the service levels. That means scrutinizing the reports and holding your service provider's feet to the fire to make sure they are holding up their end of the bargain.
Finally, if you are using outbound filtering services, you should test these by putting together a dummy file of fake social security and account numbers meant to trigger a compliance violation. Then send it through the service provider to make sure it flags the message as a problem.
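The dummy file described above can be generated rather than typed by hand. The following Python script is an added example, not part of the original article; the CSV layout, the 10-digit account number format and the output file name are assumptions, and the structural SSN check is included on the assumption that the provider's filter validates number structure and not just the digit pattern.

```python
import random
import re

SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def ssn_is_plausible(ssn: str) -> bool:
    """True if the value passes SSA structural rules: area is not 000, 666
    or 900-999, group is not 00, serial is not 0000."""
    m = SSN_RE.match(ssn)
    if not m:
        return False
    area, group, serial = (int(part) for part in m.groups())
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


def fake_ssn(rng: random.Random) -> str:
    """Random, fabricated SSN-shaped value that passes the structural check."""
    while True:
        ssn = f"{rng.randint(1, 899):03d}-{rng.randint(1, 99):02d}-{rng.randint(1, 9999):04d}"
        if ssn_is_plausible(ssn):  # only area 666 is ever rejected here
            return ssn


def fake_account(rng: random.Random, digits: int = 10) -> str:
    """Fabricated account number; the 10-digit format is an assumption."""
    return str(rng.randint(1, 9)) + "".join(str(rng.randint(0, 9)) for _ in range(digits - 1))


def build_test_file(rows: int = 25, seed: int = 2024) -> str:
    """Return CSV text of fabricated records; a fixed seed makes the file
    reproducible so the same test can be re-sent after a policy change."""
    rng = random.Random(seed)
    lines = ["DLP TEST FILE - FABRICATED DATA", "name,ssn,account_number"]
    for i in range(1, rows + 1):
        lines.append(f"Test Customer {i:03d},{fake_ssn(rng)},{fake_account(rng)}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # File name is an assumption; attach the file to a message sent outbound
    # through the provider and confirm the message is flagged.
    with open("dlp_test_records.csv", "w", encoding="utf-8") as fh:
        fh.write(build_test_file())
    print("wrote dlp_test_records.csv")
```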
Once you've got your email security under control, you may also want to look at an emerging services alternative for email archiving. In the financial business, it's a requirement to be able to keep messages for a length of time, which is very storage intensive. Once you are comfortable having someone else handle your email security, message archiving could be a logical next step.
About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.