Nearly four in ten companies have staff whose main job is to monitor the outgoing email of colleagues, according to US data security research. More than a third of the companies surveyed hired staff to perform only that monitoring function. Email security company Proofpoint interviewed email chiefs at 220 companies which …
Leaking by company email?
Surely there are better ways. Even the dumbest of industrial spies would surely leak by something like GMail instead. With an SSL connection they can't track that at all. Use a flash drive? Or burn it to a CD? Upload it to an FTP site? Transfer over SSH? Even if these companies lock down their access, there's almost always glaring holes such as the use of proxies or remote desktop or SSH tunnelling.
AC because I don't want my company thinking I've thought about this too much!
See the privacy tension?
On the one hand the employees want their privacy in outgoing emails, on the other hand, the employers want their private company info kept private.
Both agree privacy is a good thing, the tension is over whose privacy is more important.
Which is why privacy is a fundamental right and every new privacy violation needs to be justified... really justified, not some bogus stats and a bunch of straw man arguments.
..actually not. I assume they can/will/do monitor everything I do on work equipment. It's a bit safer than using an internet cafe or library but the main difference is that the snoopers are slightly less likely to be malicious.
How many staff *really* need to send external email?
So, you're sitting at your desk in the chicken-farm. Along with all the other drones: in long lines, each with the company approved PC, phone, chair and pen. What part of your job requires you to send emails to your personal email address / your friends / other companies (who aren't on the approved supplier list)? You may even ask: what part of your job involves surfing, using facebook, linkedin (I didn't know that was still going), twatter etc. - not that you could send much confidential info in each twot, but I digress.
Maybe, rather than employ staff to oversee, censor and inform on all these dubious activities, why not save some headcount, increase productivity and cut virus infections AT A STROKE by axeing internet access. Let's face it, most orders are sent without any human intervention, most emails get ignored or misinterpreted and the only real way to get high quality information is face-to-face: with phone calls a very poor second - maybe even third choice, after posting pieces of paper.
Not that this would have any effect on leaks of real information. That would still get left on trains, smuggled out on thumb-drives, stolen on unsecured laptops and slipped off the MD's tongue after the 4th G&T at the golf club.
All you'd really do (apart from massively increasing your staff productivity) would be forcing them to invent other excuses about why the business is doing badly. Most organisations don't actually have any secrets worth a damn, anyway.
....is watching the watchers?
If you want to access sensitive info, probably the best role to have.
4 in 10?
Surely you mean 2 in 5, or am I the only person that this really bugs? Must be the half decent edukashun i gotted.
technology or wholesale snooping?
The article reads as if all these companies have whole swathes of staff reading every email that enters or leaves the company to see if it contains sensitive data or not (and checking all the latest gossip of course!). Is it not more likely that they have implemented one of the various flavours of DLP technology into their email platform which will automatically check through emails and flag those that match certain patterns for further investigation?
Platforms that can see if a number in an email is actually a credit card or account number rather than just a sequence of numbers for something else completely?
Although this may also be a cause for concern, it's not nearly so much of one as reading every message regardless. Also, the use of such technology would mean a much smaller number of staff looking into and investigating such incidents.
This comes across to me as more scaremongering than a real cause for concern. Surely companies have a duty to protect their assets against leakage and while the staff may expect some privacy, technologies such as these are unlikely to impinge upon that too much as it's not random sampling, it's targeted at emails which meet certain criteria.
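The pattern check described in the comment above, as an added example that is not part of the original thread or any vendor's product: it finds digit runs that look like card numbers in outgoing mail and uses the Luhn checksum to tell them apart from other 16-digit sequences. The function names, message IDs and sample outbox are hypothetical; the two flagged numbers are published test card numbers, not real accounts.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan_message(msg_id: str, body: str) -> list[dict]:
    """Return one finding per Luhn-valid candidate, masked for the reviewer."""
    findings = []
    for m in CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append({
                "msg_id": msg_id,
                "offset": m.start(),
                # Never copy the full number into the alert queue.
                "masked": "*" * (len(digits) - 4) + digits[-4:],
            })
    return findings

# Constructed sample outbox (hypothetical messages).
SAMPLE_OUTBOX = {
    "m1": "Hi, the customer's card is 4111 1111 1111 1111, exp 01/30.",
    "m2": "Order ref 1234 5678 9012 3456 has shipped.",   # fails Luhn
    "m3": "Lunch at 12? Call me on 020 7946 0958.",       # too short
    "m4": "PAN 5555-5555-5555-4444 attached as requested.",
}

def flag_outbox(outbox: dict) -> list[dict]:
    """Scan every message; only flagged ones reach a human reviewer."""
    return [f for mid, body in outbox.items() for f in scan_message(mid, body)]

if __name__ == "__main__":
    for finding in flag_outbox(SAMPLE_OUTBOX):
        print(finding)
```

Only the flagged messages go to a reviewer, and the alert carries a masked value rather than the number itself.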
You'd have to be an idiot
...to send anything personal or incriminating through company mail servers. Not that there's a shortage of idiots.
What stops people from sending things through encrypted web-based personal mail accounts? Not much I think. Most companies don't block gmail and the like. If someone on the inside has a great desire to steal information, and puts half a brain towards the effort, there's not much that can be done about it unless everything is patrolled, no one can even print to printers, and employees are searched every time they leave work. Even if you fire someone, they've still stolen the information you're trying to protect. And likely are much more disposed to do something with it.
Yawn - Another misguided marketing stunt posing as news
Really, folks should be immune to security companies creating fud to sell their products, these companies need to find better ways to market.
What do they expect?
It comes down to whether you are loyal to the company you work for and how they treat you. If an employee is involved and motivated in their projects, and can see a reward, they'll take care to protect themselves and the company's information. Treat them like a drone, undervalue them, give them useless ineffectual leaders and don't be surprised as to how they behave. Mind you for the last 40 years when the going gets tough, employees are shed like toxic waste. I've witnessed people with 25+ years service being escorted off the premises, without even a chance to say goodbye to their colleagues, the new guys don't think your knowledge is worth retaining. I blame accountants, somehow these slimeballs end up as company MDs, which usually spells its end. A long slow death of short term expediences.
Not as bad as...
The corporate-wide automated bi-annual email deletions which erase all emails older than 6 months from all laptops and servers.
@What do they expect
Can I add lawyers to that?
In summary, IMHO the reason most companies go to rats eventually is because they end up being run by accountants and lawyers. It's all bottom line, measurable benefits and covering oneself against litigation. If you can't measure it, or you can't accurately measure its impact on the bottom line, it simply doesn't exist. So that'll be leadership, morale, knowledge-based decision making.... you name it. All replaced by perception, marketing, year-on-year growth, legal coverage, and the idea that if you can manage one team, you can manage any team in any field.
crikey.. that's a large market for someone who can write an app to filter emails / content for specific key words..
humm.. thinking cap on..
Glad someone is
After fucking me around on promised compensation and lying about bonuses I pretty much stopped reading most of my e-mail because I no longer feel like doing it. Good thing someone still cares enough to read all that crap. It sure as hell isn't me.
And let me guess: the managerial caste is exempt!
Dan 10 hit the nail on the head very well, but left out that managers are treated as God's anointed, incapable of sin, hence exempt from security measures. The very group who are most clueless about IT and often responsible for the biggest leaks.
It seems that things have reached the point where only ass-kissers and brown-nosers are promoted into the management ranks: can't have anyone capable of independent thought on the team as they might rock the boat.
It really must take a special kind of dunce to transmit stolen data through the networks of the very entity from which it has just been stolen.
Such an act would be like helping yourself to the hardware and then making your escape in a vehicle from the company motor pool!
Watch the movie!
Land of the free home of the *CENSORED*
I like to send e-mails with subjects such as "Re: Stolen Documents" or "Re: Confidential Company Accounts". People give blood pressure a bad name but without it you'd be dead.
This is as anal as it gets. Somebody needs to worry about making a profit and not preventing a loss. If anyone wants to know why companies have lost their way. This should be a guidepost.
SSL won't fix it
If the company controls the egress points of the network and controls the systems on the internal network a simple proxy that breaks SSL (MITM) would fix that.
It would terminate the SSL connection on itself, read the contents, re-encrypt the traffic, and send it on its merry way.
Any company that has to deal with US Banking Regulations would be foolish *not* to do this. They have to account for every single communication with every single customer, regardless of medium. This means recording all phone calls, all emails, and all web traffic.
I also doubt a person manually sifts through all the data. That would require a Herculean effort. I imagine a combination of data-loss prevention software, proxy servers, and intrusion prevention would do most of the heavy lifting.
It's been happening for years. Now it's just easier for businesses that have paranoia as the reason instead of regulation to afford it.