Get Serious About Email

This is an excellent article from Mark Hall that challenges CIOs to get serious about email security. His ideas are radical and absolutely necessary.

When CIOs start using encrypted communications services that permit only messages to and from whitelisted sources, that’s when IT management will be seen as serious about securing business information. Until then, IT executives are merely pretending to defend their companies and their people.

First, jettison the snail-mail mentality that believes electronic messages should be treated exactly like communications handled by various nations’ post offices, which endeavor to deliver all letters and packages to any address on their countless mail routes… But e-mail, instant messages, text messages and the like aren’t the same. Just because someone gets your Internet address, there’s no earthly reason to assume that person has the right to deliver something to your PC in-box without your approval…

Second, IT should encrypt all messages going out of the company and accept only encrypted communications from sources that it subscribes to, using a publish-and-subscribe model between the organization and outsiders.

Third, you will need to plan for transition problems. Companies and people with whom you now communicate in clear text freely over the Internet will complain about having to subscribe to your whitelist and add encryption tools to their organizations. You’ll need to tell people that effective security is now part of the cost of doing business with your company…

The big win will be in security. Think about it: If all your communications are encrypted, and you manage the keys and only those on your whitelist can get through, malware will wither and die. That’s serious security.
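The accept-only-encrypted-mail-from-subscribed-senders rule described above, as an added example in Python that is not from the article: the whitelist and the sample messages are constructed, and the check assumes the sender identity has already been authenticated upstream, since a From header alone is forgeable.

```python
"""Inbound gateway policy: accept only encrypted mail from subscribed senders."""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed whitelist: outside organisations that have subscribed to our channel.
SUBSCRIBED_DOMAINS = {"partner.example", "supplier.example"}

def is_encrypted(msg: Message) -> bool:
    """True only when the outermost MIME part is an encryption envelope:
    OpenPGP/MIME (RFC 3156) or S/MIME enveloped-data (RFC 8551).
    Plaintext carrying an encrypted attachment deliberately fails."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        return str(msg.get_param("protocol", "")).lower() == "application/pgp-encrypted"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return str(msg.get_param("smime-type", "")).lower() == "enveloped-data"
    return False

def sender_domain(msg: Message) -> str:
    # Assumption: the From address was authenticated upstream (e.g. DKIM);
    # on its own the header is forgeable and must not be the only gate.
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def gateway_decision(raw: str):
    """Return (accepted, reason) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    if domain not in SUBSCRIBED_DOMAINS:
        return False, f"sender domain {domain!r} is not on the whitelist"
    if not is_encrypted(msg):
        return False, "message is not an encrypted MIME envelope"
    return True, "accepted"

# Constructed samples: a PGP/MIME envelope and the same sender in the clear.
PGP_SAMPLE = (
    "From: alice@partner.example\nTo: bob@ourcorp.example\nMIME-Version: 1.0\n"
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\n\n'
    "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    "--b1\nContent-Type: application/octet-stream\n\n<ciphertext placeholder>\n--b1--\n"
)
PLAIN_SAMPLE = "From: alice@partner.example\nContent-Type: text/plain\n\nSent in the clear.\n"

if __name__ == "__main__":
    for name, sample in (("pgp", PGP_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, gateway_decision(sample))
```

The gate inspects only the sender and the outer MIME structure; it never decrypts, so content filtering of whitelisted traffic still has to happen after decryption at the endpoint.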

