This blog is now hosted at

Monday, August 20, 2007

Lack of email controls considered harmful

The Treasury Inspector General for Tax Administration performed an audit of the Internal Revenue Service. In summary, the IRS has improved greatly, but employee noncompliance is still leaving Personally Identifiable Information (PII) at risk.

analysis and link to the report after the jump.

Full report here.

Employees have also shown they are susceptible to social engineering techniques that hackers could use to gain access to their systems, and they continue to ignore IRS policies on the use of email, which increases potential security vulnerabilities.

Now, maybe I'm biased (and who are we kidding: of course I am!), but this again points to the need for centralized, server based controls on email. How long would employees continue to "ignore IRS policies on the use of email" when they receive an email each time stating that they are in violation of the Acceptable Use Policy, and that their email has been logged?

Our SenderConfirmTM even allows the user to make the final judgment on whether an email should actually be sent. This is a powerful influence on behavior, nonetheless.

One of the core benefits of this approach is that you don't actually have to add any human infrastructure-- it isn't necessary to actually hand analyze the mail: the threat of it alone is enough to change user behavior. I believe that this coincides with the "broken windows" theory; allowing users to make "little violations" leads to a lack of vigilance ending in a breach, but the blocking the "turnstile hopper" promotes an increased level of security.

No comments: