Managing the enterprise information network

News

posted 7 Apr 2005

Poor e-mail security threatens the UK’s financial sector

The UK’s financial sector information systems are among the most vulnerable in the world, according to an ex-CIO at Visa. Security experts, speaking at a recent web seminar, ‘Taking Control of Enterprise Security’, warned that poor e-mail security and the lack of a clear and co-ordinated approach to security lie at the heart of most corporate security failures.

Paul Stamp, security analyst at Forrester Research, says its research shows that four out of the top five security concerns for CIOs have major e-mail-related components.

Yet e-mail security is still failing, with an overload of e-mail point solutions leading to high costs and a lack of co-ordination between the administration of different e-mail policies.

John Chaplin, a partner at consultancy CC Associates, spent several years as CIO during his 17 years at Visa. “In the financial sector there are enormous risks to the security environment as people’s security environments have become much more diffuse. The UK has one of the weakest security environments, particularly in the financial sector,” he says.

Chaplin believes enterprises are still failing to address the basics of e-mail security and are allowing their systems and policies to become overcomplicated. “The quickest way to get a CEO’s attention is to take his e-mail down. E-mail is mission critical, but the basics still go wrong. Most organisations will have to pull their e-mail system down every month.”

The most effective tool in the CIO’s toolkit is not a technical solution, argue the experts; it is their imagination, used to conjure up potential threats from hackers as intelligent and well resourced as their IT team, and to evoke worst-case scenarios to motivate development. There is no crystal ball, but perhaps the hardest foreseeable threat to deal with is that posed by the disaffected employee. As CIO, Chaplin was involved in formulating policies to prevent disaffected employees from accessing IT systems and business applications. But he advises caution: “If you think you have someone who is a potential problem, if you restrict access you can put the company in the wrong.”

The expert panel recommended that CIOs facing the challenge of winning funding for additional e-mail security measures try to find the money to implement the technology needed to at least audit the system. The number of confidentiality breaches that are revealed is likely to provide the business case for more funding for security. Additionally, CIOs must argue beyond the business case and force CEOs to consider the effects of reputation damage if steps are not taken to control e-mail privacy and security.

Copyright ©1994-2005 Ark Group Ltd All rights reserved. No part of this site or the publications described herein
may be reproduced in any form without the permission of Ark Conferences Ltd, Registered in England, No. 2931372.