Whitepaper - Protecting Business Critical Services, E-Mail

8/7/2019 Whitepaper - Protecting Business Critical Services, E-Mail

http://slidepdf.com/reader/full/whitepaper-protecting-business-critical-services-e-mail 1/12

Protecting Business Critical Services – Email

1 | http://www.gfi.com/hosted-email-security

Written by Richard Tubb ( [email protected] ) for GFI MAX

Author’s BioRichard Tubb has worked in the IT industry for over 15 years, working at large corporationssuch as Ernst & Young and the NHS, as well as being the owner of two award winningManaged Service Providers (MSPs) providing outsourced IT solutions to Small and MediumSized Businesses.

A popular speaker at events within the global IT community, Richard’s blog “Tubblog – The

Ramblings of an IT Consultant” ( www.tubblog.co.uk ) has twice been nominated for theComputer Weekly Blog Awards in the “IT Consultant” category, and he was nominated byhis peers for inclusion on both the “MSP Mentor 250” and “SMB Nation Magazine 150” 2010lists.

Richard now works as an Independent Consultant, helping IT companies to feel more incontrol and grow their businesses. You can find him on Twitter at www.twitter.com/tubblog oremail him at [email protected] .





Overview of White PaperEmail is the single most important service to businesses today. The average user spends anhour and 47 minutes per day using email [American Management Association].

With the advent of mobile devices, email is no longer tied to the office but is read, respondedto and sent everywhere, all the time. As well as constantly checking email at work, mostpeople check email whilst at home, whilst travelling, and even whilst on holiday.

As many as 1/3 rd of people aged 18-34 now check their email when they first wake-up, evenbefore they visit the bathroom [Facebook Survey].

Ask most people which business service they couldn’t live without, and they’ll answer email.

The rise of social networking has added to the number of emails sent and received, and withlarge amounts of multimedia content becoming the norm, the size of email messages hasdramatically increased.

From a security perspective, the threat of spam, viruses and malware is here to stay.Companies that aren’t protected against these threats run a serious gauntlet of issues, not

least of which being the danger of an uncaught virus wreaking havoc on a network.Additionally, if a company's email system is compromised and used to send outbound spamor viruses, the organization can find itself “blacklisted” and unable to send legitimate email topartners, suppliers and clients.

Government and industry regulations now require many companies to retain their electroniccommunications in a verifiable manner. And organizations that have been involved inlitigation are only too aware of the burden of electronic discovery, and the importance ofbeing able to conclusively demonstrate the content of historical email communications.

Additionally, due to the importance of email, many organizations and people now activelyseek to retain their email messages indefinitely. With the huge growth in storage capacity on

computers and corporate networks, people are less likely to delete email that might containvaluable information, and more likely to retain messages for future reference.

Together, these factors have led to new challenges for businesses managing email.Security threats are ever-present. Users are spending more time searching for informationstored within old emails. Continuous access to emails is required, all the time. Even shortoutages of email services can leave users unproductive, and with no external emailcommunication, business opportunities may be lost.

As a result, organizations are increasingly looking to protect themselves by making sureemail is online, archived and fully protected 24 hours a day, 7 days a week.





This Whitepaper looks at the challenges of managing email for businesses, and the optionsthat are available to organizations looking to deploy solutions to protect their email. Theauthor concludes that a Cloud-based Email Security, Continuity, and Archive solution is thebest option currently available.

How important is email?One of the earliest services available on the Internet, electronic mail (email) was originally

conceived for sending text based messages between users. Over time, email became the“killer app” of the Internet – with the ability for users of any technical ability to easily sendmessages with any contents and any manner of file attachments.

Most users view their email client software - most commonly Microsoft Outlook but withmany other alternatives also available - not only as a tool for sending and receiving email,but also as their “trusted source” for keeping track of documents, presentations andspreadsheets, and requests for appointments. Email client software is also frequently usedfor managing to-do lists and tasks, for keeping information about contacts, and for makingnotes. For many people, no other software is used as frequently.

Outside of general correspondence, messages from customer relationship management(CRM) systems, telephone voicemail systems, external supply-chain systems, transactionprocessing, e-commerce and other business critical systems all rely on email fornotifications.

The explosion in popularity of social networking has created yet another reason for emailcommunications, since people now receive frequent updates from both friends and businesscontacts through email.

In summary, email has become the de-facto standard for communication within virtually allorganizations and is widely relied on.

How much is email used?Email is the single most used application for the business user. In research , 26% of anindividual’s time was spent checking, reading and sending emails [ Radicati Group] . That’swell over 2 hours a day – more time than is spent on the telephone or using socialnetworking combined.

15% of Americans claim to be addicted to email [AOL Survey]. Certainly, research showsthat 62% of people admit to regularly checking work email over the weekend whilst at home,and 50% of people confess to checking email whilst on holiday, 78% of this checking beingthrough mobile devices (AOL Survey).





The number of emails sent worldwide is 294 billion messages per day, and some 90 trillionemail messages per year. The typical business user sends 43 emails per day, and receives130 [Radicati Group].

Disturbingly, 90% of these billions of emails sent are spam and viruses [Nucleus Research].For companies not protecting themselves against these threats, there is a very high chancethey’ll suffer damage in one way or another.

How much storage does email require?The average size of an email is now 75KB [About.com]. Whilst the majority of emailmessages are still short and text based in nature, many messages contain images andformatting information in addition to mere text. Newsletters and other marketing emailstypically contain both text and HTML versions of their contents, along with inline images,increasing the size of the average email message as they grow in prevalence.

People also frequently use email to send a wide variety of file types. Even though moreefficient and more secure alternative methods are available to transfer files, the convenienceof simply attaching files to an email message has made email the most popular method forsending large documents. With email attachments reaching as much as 10 or 20 MB in size,significant capacity is required to both transmit and store the associated messages.

These figures relate to legitimate emails and do not consider the 90% of emails that arespam and viruses, further adding to the amount of processing power and storage capacityrequired to manage email communications.

Why is there a need for email security?While most individuals consider spam emails a nuisance, for businesses it is a much greaterconcern.

With 90% of all emails being spam and viruses, research shows that without any protectionin place, lost employee productivity from dealing with spam will cost businesses a minimumof £538 per worker per year [Nucleus Research].

There is the added risk that if a virus is received by email, and infects an employee’scomputer, then it may cause loss of data and at least loss of productivity. Further, the viruswill try to replicate itself – often sending messages to the contents of a user’s address book,or by trying to connect to other devices on the network. Frequently a virus or other malwareon an infected workstation will be used to send out spam from an organization's networkwithout their being aware of the activity.





Quite apart from the damage done to an organization’s reputation when suppliers, clientsand prospective clients receive spam messages from a business in this way, the businessitself can end up being “blacklisted”. This occurs when an email server is identified as asource of spam messages (including those generated by a virus-infected PC), with the effectthat other email servers will subsequently reject legitimate messages from that server andthat organization. The process of getting removed from an email blacklist is extremely timeconsuming and difficult; often the reputation of that mail server or domain will be harmed fora long time.

Many organizations now deploy spam and virus filtering on their email servers. Whilst thishas the benefit of reducing the levels of junk mail that end users see in their inboxes, theemail message is still being sent through the company's network, received by the emailserver, and processed as any other message before it is classified as spam. This may havethe effect of slowing down the processing of legitimate email, and that spam message istypically also stored on the company's email server along with legitimate email. If acompany is retaining emails for legal or regulatory compliance, this can add massiveoverhead to storage requirements.

Why is there a need to archive and backup email?Many countries now place legal or regulatory requirements on email. Organizations that areheavily regulated, such as those in the financial or legal industry, must archive all inboundand outbound emails.

Quite apart from the requirements to archive email for legal or regulatory compliance, themajority of users now use email as a storage system - deleting few messages, and insteadattempting to keep their emails for potential future reference.

Given the growing quantity of emails received each day and the increasing size of anaverage email message, this requirement to retain old emails can put a significant strain onstorage systems. For many businesses, the storage requirement for email backup no longergrows annually, but quarterly. Whilst the cost of storage space has fallen considerably, thecontinuous need to backup systems, and to monitor and regularly verify the backupprocedure, is an on-going load for the IT department.

Additionally, there is a significant distinction between backup and archive. A backupprovides a point in time snapshot of the data on the customer's mail server. If there is aproblem with an organization’s mail server, the email data may be recovered from thebackup. However, if a user wants to retrieve a message that was deleted, or if anorganization is trying to locate messages that are no longer part of their message store, abackup will not help. Furthermore, a backup is not verifiable evidence of emailcommunications in the event of litigation or other disputes - only an archive solution thatprovides verifiable evidence of the date and contents of a given message will satisfy thoserequirements.





Last but not least, a backup does not facilitate a search for historical messages. Nor domost mail servers include this functionality. Technologies enabling swift searching of largeamounts of data are ever improving, but without this technology in place specifically for anemail system, individuals and organizations are left spending considerable time searchingfor old emails.

In cases where the IT department does not offer a comprehensive solution to email archivingand backup to their users, the users themselves often make their own arrangements. Thismight be by way of storing emails locally on their computers or laptops, in an uncoordinatedfashion completely separate from any centralized email system. These methods of backupare unreliable and insecure, with the number of laptops reported stolen or lost growing daily,including many high-profile cases reported in the press. Furthermore, for legal or regulatorycompliance, these individual backups scattered throughout an organization create alogistical nightmare. Without a centralized repository for the message storage, it can beextremely difficult to find relevant messages, particularly when a local backup is lost or anemployee leaves a company.

In short, organizations need both a backup solution that can help to restore data after thefailure of a mail server, and an archive solution that provides a verifiable record of emailcommunications as well as a centralized and reliable means to access and search historicalmessages, including those that were subsequently deleted from the mail store.

What happens when email is unavailable?Modern email systems are considered reliable, although 26% of Small and Medium SizedBusinesses still suffer almost 30 minutes of unplanned downtime each month, and half ofthose organizations reported unplanned downtime of 2 hours+ each month. [OstermanResearch Group]

This is quite apart from planned downtime - where email services are unavailable due tonecessary upgrades, patches and security fixes.

With 26% of a typical worker's day being spent working on email, any unplanned downtimecan have a significant impact on productivity. Workers suffer with being unable to find theinformation they require readily; find lack of email a significant roadblock to externalcommunication with suppliers and clients; and indicate that they spend as much timecatching up on email when service is restored as passed during the outage itself.

The effect of any email outages on an internal IT department can be considerable. Due tothe critical nature of email systems, staff in the IT department will be compelled to drop whatthey are doing and work on the emergency at hand. Other work is delayed, and IT staff mayspend whole days absorbed by responding to the after-effects of an outage, even after emailservices are restored.





Where email is unavailable for extended periods, the costs are multiplied. It is notuncommon to see a 100% loss in productivity if a department or entire organization is senthome due to unplanned email downtime. Such is the reliance upon email systems in modernbusiness.

Mobile workers are also significantly impacted by even short periods of email downtime.With email replacing telephone as the primary means of communication, mobile workers canbe severely disrupted when email is not available. This can particularly affect people whowork during short windows of opportunity for communication, such as in between meetings.

The impact of downtime on a business’s reputation can be significant. The most commonworry for businesses during an email outage is that the downtime may impactcommunications with prospects or pending orders. When suppliers or clients receive a“bounced” email message as a result of an email outage, it undermines confidence in abusiness. When a prospective client receives the same “bounced” response, they oftenwon’t re-send the email at all. Even if no bounce messages created, a delay in receiving animportant email can result in lost business.

When email is unavailable, many workers look to alternative methods of communication.This can include sending faxes, and using personal web-mail systems such as Hotmail andGmail. Sensitive information sent outside the corporate email system via these mediums can

be insecure. In October 2009, 21 million people and businesses using the Hotmail servicewere warned their data was potentially at risk after passwords to the system were acquiredillegally. Faxes can very easily be read by unintended recipients, making it a very poorsystem for sending sensitive information. And comparably few people have ready access toa fax machine.

Additional, all messages sent by these methods will bypass the organization’s archive andretention policies, creating a compliance issue for companies subject to regulation.

Clearly, an email outage can have far reaching effects – in lost productivity, harmedcommunications with customers and prospects, potential security ramifications, and in therisk of lost business.

Understanding how to protect your business emailThe first step to protecting your organizations email services is to answer the followingquestions.

What are email outages currently costing your business?The cost of an employee being unproductive during an email outage is a “soft” cost. That isto say, because the business is not actually writing a check for this cost, it is tempting to





ignore it when calculating costs. As we’ve discussed, there is a real and significant cost to abusiness of employees being unable to access email.

Do you have a Disaster Recovery plan?Some businesses have a Disaster Recovery (DR) plan that includes how the business willcope if struck by a natural disaster, fire, theft or loss of building. These plans should includeIT systems such as email and how a company will cope without these services.

If you have a Disaster Recovery plan, consider how you would cope as a business without

email, and incorporate contingency plans into your DR plan.If your business does not have a Disaster Recovery plan, creating a strategy for tacklingemail continuity can be both the first and a significant step towards creating your own DRplan.

What are the Regulatory and Legal RequirementsSeek more information of the regulatory and legal requirements that are placed upon yourbusiness, dependent upon its location and the nature of the business. Often, this will dictatethe requirements and scope of any system that you need to implement for email retention.

Do you need an agile Email solution?

When considering an email security and continuity plan, consider “future proofing” it. If yourbusiness were to grow, could your email grow with it? Even replacing a single email servercan be a time consuming migration, causing downtime and loss of services. Would an emailcontinuity platform help alleviate any of these migration pains?

If your organization were to acquire or merge with another organization, could your emailsystem quickly be adapted to this purpose?

Can you ensure the organizational knowledge in email is retained?60% of critical information within a company is contained within email [Radicati]. Yet manycompanies do not have the ability to easily search through this knowledge, particularly after

employees have left the organization.Additionally, the time an active employee spends searching for information within emailshould be considered. How much more productive would an employee realistically be if theycould find the information they wanted from email quickly and easily.

When determining a Return-on-Investment (ROI) on any system or process that preventsemail downtime and provides archive solutions, it is prudent to include these costs.





What is your solution for email security, and is it integrated with your solution forcontinuity and archive?Almost all companies have some form of spam and virus detection. However, such solutionsare often hardware or software point solutions that are separate from any solutions for emailcontinuity or email archive. Using different, non-integrated solutions for spam and virusprotection, a backup system for email continuity, and an email archive solution, can greatlyincrease the initial investment necessary along with the ongoing management time andcosts compared to a single integrated solution. The difference is magnified whenconsidering the learning curve, time and costs for employees of learning to use two or three

different systems instead of one.

Potential SolutionsGiven the factors discussed in this document, an email management solution fororganizations should encompass three different elements:

1) Email security - to provide robust, comprehensive defense against email borne spam,viruses, and other threats

2) Email continuity - to provide organizations with continued access to their email in theevent that their own infrastructure is off-line

3) Email archive - to provide organizations with reliable, secure storage of all of theirhistorical communications, for subsequent search and retrieval

The options for meeting these goals can broadly be split into three categories.

Software SolutionsTypically installed on the same server that is used for email services, or on another serverthat is locally connected to the main email server, a software solution can at first glanceappear to be the least expensive approach, especially if older server hardware can be

repurposed.This solution does suffer from the fact it is hosted inside the company’s premises, if not onthe mail server itself. This means that spam and virus emails will be downloaded to theserver before being processed, potentially slowing down the process of legitimate email andadding storage overhead. It is also a single point of failure, susceptible to any problems withthe server running the anti-spam/antivirus software. FAs an archive solution, a softwareapproach is also less than ideal, as the archived messages will typically be stored in thesame datacenter or server closet as the primary mail server - meaning that a fire,earthquake, flood, or other local issue could impact the archive along with the primary mailserver.





A software solution can also be the most expensive solution to manage on a longer-termbasis, as IT staff in-house need to maintain and monitor the underlying hardware as well asmake ongoing configuration changes to the software itself.

Last but not least, a software solution cannot provide continuity in the event that primary mailserver is off-line. And a software solution for spam and virus protection will typically not beintegrated with a solution for email archiving.

Appliance Solutions

An appliance solution typically consists of a pre-built set of hardware running specializedsoftware, specifically for the purposes of filtering and/or archiving email data.

Appliances can be deployed to a wide variety of sites, as they are not directly tied to a mailserver or operating system. They may also be easier to manage than a software solution.

An appliance solution can be an expensive option, requiring an initial capital investment tocover both the software and hardware inherent in an appliance. Additionally, an appliancewill need to be replaced every few years, requiring time and expertise, as well as periodicadditional capital investments.

An appliance, like a software solution, will also have limited capacity and may not grow with

the needs of an organization’s storage requirements. Also similar to a software solution, theappliance represents a single point of failure.

Appliances may also suffer from being stored on the same site as the businesses primaryemail service. In the event of a disaster involving fire, theft or loss of building – the appliancemay suffer the same fate as the email server.

Appliance solutions also may provide email security but not continuity or archive capabilities.Indeed, an appliance has limited capabilities as a continuity solution, as it will be susceptibleto the same network issues as the mail server itself.

Cloud Based Services

Cloud-based services, also known as Software-As-A-Service (SAAS) solutions, are hostedin the Internet (or “Cloud”). They benefit from being easy to deploy, and can be easilyaccessed from any location. Good solutions are engineered to have multiple points ofredundancy so that they will be always available on a 24x7x365 basis.

A SAAS email security solution filters email for spam and viruses in the cloud, and deliversonly legitimate emails to a business’s email server. This reduces an organization'sbandwidth requirements as well as the processing requirements of its mail server.

Cloud-based email security solutions can provide integrated continuity. In the event of anissue with an organization’s email server, users can be re-directed to the Cloud-basedservice where they can from any location continue to send and receive email. This reduces





the urgency to restore the on-premise solution, and makes migrations or changes thatrequire downtime much more manageable.

Cloud-based solutions also benefit from being a secure and trusted environment for sendingoutbound emails. By delivering outbound messages through the cloud service, anorganization can avoid being blacklisted, as outgoing emails are checked for spam andviruses, and would not be permitted past the 3rd party host – which stakes its reputation,and those of all its clients, on maintaining a healthy environment.

As an archive solution, a cloud-based solution offers geographic redundancy for themessage storage, providing greater reliability compared to an on-site hardware or softwaresolution.

A cloud-based solution also automatically scales to meet a customer's requirements,whether that is to provide additional protection in the event of a large spam run or denial ofservice attack, or to provide additional storage space for a growing email archive.

Generally, cloud solutions are the easiest and fastest solution to deploy – with minimaltraining required, no hardware or software to install or configure, and a 3rd party providingthe infrastructure and assisting with deployment.

Cloud-based services also benefit from being an Operating Expenditure (OPEX) as opposedto a Capital Expenditure (CAPEX), meaning little or no up-front investment and predictableon-going costs with no risk of obsolescence.

Last but not least, a cloud-based solution can provide a single integrated answer for emailsecurity, email continuity, and email archive - saving money and time for both administratorsand end users.

Longer term, cloud-based solutions may appear more expensive than on-premise solutions,due to their ongoing monthly costs. However, those costs include all the infrastructurenecessary to provide reliable and seamlessly scalable services, which has the result ofreducing other expenses for the business - namely those for network bandwidth, IT staff

time, hardware and software costs, and of course the on-going periodic costs in maintainingand upgrading on-premise hardware and software over time.

ConclusionThe author of this White Paper concludes that a Cloud-based, integrated email security,continuity, and archive solution is the best solution for the majority of businesses. A Cloud-based solution is ultimately the fastest and easiest to deploy, provides the most effectivecontinuity options, offers the potential to grow with the business, and reduces both the timeand cost of on-going maintenance requirements.

WP 0 0 0 5 -v 1 .0 -E N





© 2011. GFI Software. All rights reserved. All product and company names herein may be trademarks of their respectiveowners.

Documents

Whitepaper - Protecting Business Critical Services, E-Mail