Security of customer financial information, particularly data in motion such as e-mail, is a top priority for financial executives. This is in part due to privacy legislation such as the Gramm-Leach-Bliley Act, which provides for civil and criminal penalties for failing to secure customers’ financial data, and in part due to an overall heightened concern about national security. Organizations everywhere are coming to realize that their very viability may be at risk unless they take a new approach to securing communications.

Security naturally involves data protection, and that encompasses both data at rest (stored in databases and Web servers) and data in motion (typically e-mail). The issues related to protecting stored data are well known, but little attention has been paid to protecting data in motion. This is unwise, because in many organizations sensitive information is constantly being sent beyond the organization’s boundaries. E-mail is the dominant means of transmitting information, whether financial, legal or other. Yet, with the click of a button, sensitive information is sent every day over open networks, in the clear.

Today, a comprehensive approach to securing data in motion can be accomplished in five steps:

* Recognize that security is a business process that must be managed.
* Declare e-mail a strategic asset and protect it.
* Implement a data retention policy.
* Define and enforce content management policies.
* Educate your users.

1. Recognize security as a critical business process.

Security is an important business process for which priorities must be set, strategy and processes established, and effectiveness measured. In light of today’s globalization, deregulation, outsourcing, e-mail and Internet challenges, security must embrace both greater openness and efficiency, while dealing with an abundance of new vulnerabilities.
Business processes need to be managed to be effective and, in the case of security, the best person to handle the job is the Corporate Security Officer (CSO). Only by dealing with security at the top executive level can it be given the attention, budget and oversight required to keep pace with today’s threats.

2. Declare e-mail a strategic asset; protect it as such.

A company with 1,000 employees will spend nearly $4 million a year on e-mail, according to a Tally Systems survey. It stands to reason that such data in motion should be protected at least as well as stored data is protected today. Most organizations have formal policies for controlling access to key applications, databases and information. E-mail is no less important, so it should be defined as a “strategic corporate commodity” to acknowledge the importance of protecting it.

There are simple, strong solutions available today to ensure the privacy and confidentiality of data in motion. A well-architected secure e-mail solution protects sensitive communication from end to end and provides strong assurance that corporate policies are being enforced. A secure e-mail solution should:

* Encrypt all messages automatically (or at least all sensitive messages), from sender to recipient;
* Use strong, current encryption algorithms and key lengths;
* Employ equally strong authentication, so that only the intended recipients can decrypt and read a message;
* Perform content integrity checks to ensure the message received is identical to the message sent;
* Provide controls and assurances, such as end-to-end tracking;
* Maintain audit trails that can be used to verify receipt and support non-repudiation;
* Make security transportable rather than tied to a specific computer, so that employees can send and receive secure e-mail from Internet kiosks and wireless LANs.

Note that encryption alone provides neither integrity nor non-repudiation; those two properties depend on the sender digitally signing each message with a key that only the sender holds, and on the recipient (or gateway) verifying that signature.

3. Implement a data retention policy.

E-mail communications often play a major role in legal affairs.
E-mail messages are accepted as proof of agreements and business decisions; because of this, corporations are increasingly looking at data retention as a means of legal protection and regulatory compliance. Corporations are coming to realize that data retention policies must be implemented to address the reality of enterprise e-mail, and that such policies should set reasonable standards and guidelines for employees to follow. While policies might call for the destruction of drafts and preliminary versions of documents, the line separating a “draft” from a “final document” can be unclear; likewise, 30- or 60-day policies under which older e-mail is automatically deleted are difficult to enforce, and copies can always exist outside the organization. Data retention policies should therefore define terms like “draft,” call for carefully crafted distribution lists, and educate employees about how to comply.

4. Define and enforce content management policies.

Ensure that all e-mail leaving or entering the company is filtered. Offensive, harmful, derogatory or sensitive content should trigger actions such as quarantining, encrypting or diverting the message. Similarly, scan all e-mail for viruses, malicious code and spam. If the e-mail security system allows it, send alerts and keep audit logs of any suspicious activity for later review and, potentially, as evidence.

E-mail risks have been known for years, yet even today many organizations ignore the potential liability and fail to set or enforce policies. Risks include abuse by insiders; one example is the premature leak of a company’s quarterly earnings, which can easily result in a class action lawsuit. Alternatively, e-mail carrying sensitive or offensive material may prove troublesome, embarrassing and costly.
This issue arose during the antitrust case against Microsoft Corp., when the US government entered into evidence e-mail written by top executives describing plans to attack competitors.

5. Educate your users.

Employees play a key role in securing data in motion. Because of this, organizations should include e-mail security training in their employee education and awareness programs. Just as employees have been trained to choose strong passwords and not to open attachments from unknown senders, they should learn what is permissible with e-mail, where liabilities exist, and what they must do to protect organizational assets and reputation. Companies should draft policies for Internet and e-mail usage and ensure employees receive updated copies at least twice a year. This might include defining e-mail usage rules, educating users about e-mail legal liabilities, prohibiting or limiting personal e-mail, monitoring adherence to the guidelines, filtering outgoing and incoming e-mail for unwanted or unusual content, and ensuring that e-mail is archived according to document retention policies.

A Final Word on Securing Data in Motion

Organizations can make securing data in motion easy and largely transparent to end users. Policy-based encryption can be set to occur automatically; other solutions combine this with end-user input, such as a prompt asking “Is this a confidential message?” However, given the simplicity of available secure messaging products, it is just as easy for a corporation to secure all e-mail, so that there are no further questions about which e-mails should be protected, or whether an earlier decision was correct. Encryption, content filtering and virus and spam scanning can be performed at the corporate gateway, while executives and members of sensitive corporate departments can further extend security to the desktop within a corporate wired or wireless LAN, or to wireless devices. Keep in mind that gateway-level encryption protects a message only between gateways; it is still readable on the internal network and at the desktop unless protection is extended there.
When it’s so easy, why would organizations take the chance of sending sensitive information “in the clear” ever again?
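The gateway filter described in step 4 and in the final section, as an added example that is not part of the original article or of any product it describes: a policy-based outbound classifier in Python that parses each message with the standard library, matches the subject and plain-text body against a rule table, decides between deliver, encrypt, divert and quarantine, and emits one JSON audit line per message carrying a hash of the message as it was inspected. The rule table, the internal domain example.com, the rule names and all sample messages are constructed for illustration; the “encrypt” action is only a decision here, and the encryption itself would be performed by the secure e-mail system the article calls for.

```python
"""Policy-based outbound e-mail filter (added example, not code from the article).

All rules, the internal domain and the sample messages are constructed for
illustration; a real gateway would load its rule table from the corporate
content policy and hand "encrypt" decisions to the secure e-mail system."""
import email
import hashlib
import json
import re
from dataclasses import asdict, dataclass
from email import policy as email_policy
from email.utils import getaddresses
from typing import Optional

INTERNAL_DOMAIN = "example.com"  # assumed corporate domain (constructed)

# Constructed content rules: (name, pattern, action). The first match decides.
RULES = [
    # Unreleased results must not leave the company (the earnings-leak scenario).
    ("earnings-leak", re.compile(r"\b(quarterly|q[1-4])\s+(earnings|results)\b", re.I), "quarantine"),
    # Privileged legal material is routed to counsel's review queue instead of outbound.
    ("privileged", re.compile(r"attorney[- ]client privileged", re.I), "divert"),
    # 16-digit card-style numbers may leave only inside an encrypted message.
    ("card-number", re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"), "encrypt"),
    # Offensive language is held for HR review.
    ("offensive", re.compile(r"\b(idiot|moron)\b", re.I), "quarantine"),
]


@dataclass
class Verdict:
    message_id: str
    action: str            # "deliver", "encrypt", "divert" or "quarantine"
    rule: Optional[str]    # rule that fired, or None when nothing matched
    external: bool         # at least one recipient outside INTERNAL_DOMAIN
    sha256: str            # hash of the raw message as inspected (audit trail)


def _recipients(msg):
    """All To/Cc addresses, lower-cased, ignoring display names."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def _inspectable_text(msg):
    """Subject plus the first text/plain body part; attachments are not scanned here."""
    parts = [str(msg.get("Subject", ""))]
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        parts.append(body.get_content())
    return "\n".join(parts)


def classify(raw: bytes, internal_domain: str = INTERNAL_DOMAIN) -> Verdict:
    """Parse one raw RFC 5322 message and return the gateway's decision for it."""
    msg = email.message_from_bytes(raw, policy=email_policy.default)
    rcpts = _recipients(msg)
    external = any(not r.endswith("@" + internal_domain) for r in rcpts)
    text = _inspectable_text(msg)
    action, rule = "deliver", None
    for name, pattern, rule_action in RULES:
        if pattern.search(text):
            action, rule = rule_action, name
            break
    return Verdict(
        message_id=str(msg.get("Message-ID", "<missing>")),
        action=action,
        rule=rule,
        external=external,
        sha256=hashlib.sha256(raw).hexdigest(),
    )


def audit_record(verdict: Verdict) -> str:
    """One JSON line per inspected message, kept for later review and as evidence."""
    return json.dumps(asdict(verdict), sort_keys=True)


# Constructed sample traffic (not real messages).
SAMPLES = {
    "earnings": b"From: cfo@example.com\nTo: analyst@outside-bank.test\nMessage-ID: <1@example.com>\nSubject: draft numbers\n\nHere are the quarterly earnings, two days before the release.\n",
    "card": b"From: support@example.com\nTo: billing@example.com\nMessage-ID: <2@example.com>\nSubject: refund\n\nCustomer card 4111 1111 1111 1111 needs a refund of $40.\n",
    "privileged": b"From: counsel@example.com\nTo: Board <board@example.com>\nCc: outside@lawfirm.test\nMessage-ID: <3@example.com>\nSubject: litigation hold\n\nThis note is attorney-client privileged. Do not forward.\n",
    "memo": b"From: pm@example.com\nTo: vendor@partner.test\nMessage-ID: <4@example.com>\nSubject: slides\n\nBringing the deck to Thursday's meeting.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, audit_record(classify(raw)))
```

Rule order is the policy: the earnings rule sits above the card-number rule so that a message containing both is quarantined rather than merely encrypted. Because the audit line hashes the raw message as inspected, a later dispute about what actually left the company can be settled against the archived copy, which is the evidentiary use step 4 has in mind.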