Some people are still waiting for the next killer app to emerge. But in my view, email is the killer app and has been for the past several years. Email has opened up easy communication for people both inside and outside an organization. It's a fast and convenient transport and distribution mechanism for vital information and enables an organization to operate smoothly. For many companies, email is a mission-critical component: If email is down, the business suffers—sometimes drastically.
How Times Change
Unlike spreadsheets, the killer app of the 1990s, email opens the doors of the organization to the outside world, thus introducing a new element of risk to the business. Certainly viruses can corrupt spreadsheets, but such corruption occurs relatively rarely. And because only a handful of people share spreadsheets, the potential infection rate is low.
In comparison, the chances of receiving a compromised email message are high. At the height of the MyDoom virus, my small server received upwards of 40 infected messages per day. The strategic importance of email to business and the high likelihood of end users encountering email-borne viruses underscores the importance of securing email as a company asset.
Lines of Defense
To cope with the threats to email, you need several lines of defense. An organization's initial point of contact with incoming messages is typically the email server. So, the first line of defense is server-based antivirus software. And that goes for small businesses as much as large ones. With fewer systems—and typically a smaller network infrastructure and fewer safeguards in place—small businesses are likely to suffer more extensive damage from email viruses than are enterprises. Although virus scanners are reactive products, antivirus vendors can usually provide protection before most viruses reach your system.
On a related note, I strongly recommend against configuring scanning software to automatically reply to the sender when the software encounters a virus. Such a simple-minded solution might have worked several years ago. But nowadays, almost all return addresses are spoofed, and this approach instead contributes to the problem by sending out reams of warning messages—which are essentially spam—to spoofed addresses.
The second line of defense is server-based antispam software. Bill Gates's statements about stopping spam in 2 years notwithstanding, the spam problem will get worse in the foreseeable future. Can your business afford the waste of time and resources—or even employee lawsuits that target a hostile work environment?
The third line of defense is on the desktop. If your organization uses direct ISP-based POP accounts, invest in desktop antivirus and antispam solutions. And whether you use server-based email or direct desktop mail access, implement a patching strategy to ensure that your desktops have the latest security fixes.
The Importance of Education
Addressing the email problem on the systems is vital, but user education is every bit as important. The actual cause of the rapid spread of MyDoom and MyDoomA wasn't that the viruses' author used a malevolent new coding practice. Rather, that email epidemic was caused by hundreds of users opening infected email attachments.
Blocking attachments isn't the solution to this problem—many companies don't have that option. The best solution to users opening suspect documents is education. Just as human resources educates employees about company policies, IT must educate them on safe email practices. All employees should know better than to open email from unknown senders. Likewise, all employees should know that opening a spam message, and especially clicking a link in the message—even a link that says "remove me from this mailing list"—only invites more spam.
Email must be protected like the vital company resource it is. To achieve that goal, companies need to use both technological and human solutions. What strategies are you using to protect today's killer app? I'd like to hear your success and horror stories about how you deal with email-borne threats.