18 Jan 2002
This week, Alyn Hockey, vice president of research at Baltimore Technologies' MIMEsweeper group, explains how the web can pose a major threat to email security if not guarded against, leaving organisations vulnerable to legal liability and loss of confidentiality.
Whether your organisation is planning or implementing email security to protect it from viruses and loss of confidential information, it's wise to bear Achilles in mind.
Remember him? He was the greatest Greek warrior of the Trojan War, and his mother dipped him in the river Styx at birth to make him immortal. Except she missed a bit where she was holding him. Although he grew into a seemingly invincible warrior, he died through a wound to his heel.
Organisations may think that they and their corporate information - 60 per cent of which resides on their network - are impervious to attack because they employ some form of email security.
However, they may have a potential Achilles heel too, making them vulnerable to loss of confidentiality and legal liability, not to mention loss of productivity. And that Achilles heel is the web - the backdoor to the network - putting organisations at just as much risk as from email security threats.
Although the web has spawned a whole new business marketplace and a global information resource, it also provides an undetectable means of transferring sensitive information, viruses and offensive material. Left unchecked, this can damage business and network integrity through loss of trade secrets, network paralysis and being frog-marched to the law courts.
Web-based email systems such as Hotmail and Yahoo can also be used to send attachments containing information or data across the internet via HTTP and FTP. As the information is sent via these protocols, it bypasses the company's email network (usually based on SMTP) and the network's email security systems.
Another concern about the web is that it can provide a doorway for hidden 'mail-tos' and 'cyberwoozles' to enter the company network and siphon off valuable data. Without the right safeguards, your customer databases, sales and marketing plans and employee phone lists can slip right out through the web undetected.
Not only does this information make fascinating reading for your competitors, it also exposes your organisation to legal liability. Under the Data Protection Act, recently ratified in support of European Union legislation, individuals can sue companies which do not adequately protect information about them. It doesn't matter if the information was sent by an employee with a vendetta or captured by malicious code; your company is liable.
As well as the risk of losing valuable information via the web, there is the danger of content inadvertently being brought into the company through web downloads and web-based email. That content could be viruses or bandwidth-hogging files that paralyse the network, or the kind of offensive material - such as porn or racist jokes - that could ultimately lead to litigation and damage to reputation.
Organisations must establish a web-based usage policy to complement their email policy, defining what is and is not acceptable content in web pages, web downloads and uploads, including web-based email. Once established, the organisation should educate its employees on the policy and gain their buy-in to it. The risks involved should be explained, including the need to protect individual employees and the organisation.
Then you need to enforce the policy. As a basic solution, there are technologies that can restrict access to websites (URLs) but these URL blockers are not enough.
A better option is the use of web-based content management systems which not only restrict web access as appropriate in line with your web policy, but proactively analyse and monitor the contents of web transfers and websites that may not be blocked. The best solutions will be 'bi-directional' which means that security checks are applied to downloads from, and uploads to, the web.
Once a web-based content management system is integrated with antivirus software, your organisation will have taken the best possible steps to ensure that it still reaps the benefits of the web while guarding against the threats that the medium poses, thereby avoiding the same fate as Achilles.