Two prominent examples of bonded programs are IronPort’s Bonded Sender Program and and Habeas’ Sender Warranted Email programs. These programs allow email marketers to secure bonds to certify that their email adheres to guidelines on basis of privacy, mailing practices and issue resolution. ISPs and other mail servers can then query Bonded Sender when scanning incoming messages and handle them accordingly. However, this “pay-to-play” model is fundamentally flawed, as it gives spammers ability to simply “buy” their way onto list by securing a bond as a legitimate sender, regardless of whether they’re actually legitimate or not. While cost of bond may be prohibitive to some senders, benefits far outweigh costs to most spammers, as only way bond will be debited is if Bonded Sender receives complaints about a specific account sending spam. And really, when was last time you or anyone you know reported receiving spam? Would you even know where to report it? In reality, spammers are paying IronPort for right to clog your inbox.

TrustedSource is CipherTrust’s adaptive, real-time email reputation system that provides information on email sender behavior. Who sends spam? Who polices their outbound email well? TrustedSource knows. By constantly observing and analyzing email traffic across Internet, CipherTrust identifies "good guys.” TrustedSource provides constant updates on sender status to improve spam-fighting accuracy and allows IronMail, secure email gateway, to achieve highest level of accuracy in determining good email from bad.

TrustedSource servers provide data to IronMail by contributing negative values to IronMail’s Spam Profiler (SP) algorithm for messages sent from senders that are deemed reputable. Every message that passes through IronMail is checked against TrustedSource list and based on reply, IronMail will make a decision about whether to reduce overall SP spam score for that message and improve its chances of not being classified as spam.

What constitutes “good behavior” Spammer behavior changes constantly so no definitive answer is available. However, following practices are considered “best practices” for email senders:

• Comply with proper RFC protocols for email.
• Do not attempt to obscure content or messages in emails.
• Do not send email to unverified or nonexistent email addresses.
• Post privacy policies where they can be read and understood, prior to submission of a request.
• Offer opportunities for users to opt-out of programs.

As complexity increases, so does probability that not all e-mail containing PHI will be encrypted. Doctors, who are always pressed for time, may not take extra few minutes required to encrypt an e-mail. The clerk handling outbound messages for a nurse may not understand which information requires encryption and which does not. Furthermore, many healthcare administration workers have not been trained on identification of PHI and subsequent proper handling.

The uncertainties and potential liabilities have led some organizations to go so far as to outlaw all PHI in e-mail. Instead of solving problem, however, these decisions generally force employees to find alternative, and usually insecure, methods of transmitting PHI via e-mail in order to accomplish their jobs. This leaves organizations vulnerable to lawsuits based, at best, on non-compliance with HIPAA and, at worst, exposed PHI. The liability is tremendous – leading many insurance providers to be extremely hesitant to provide coverage in IT space unless sound security practices and compliance can be proven.

The same problems arise with client-based encryption technologies that require user to be trained or to take extra time to accomplish his or her task. The effect is an increase in likelihood that PHI will be transmitted through an insecure channel as rushed or untrained employees break policies set up to protect information.

Another issue faced by organizations is a lack of technological standards. Some organizations may be employing technologies such as S/MIME or PGP encryption, while others utilize secure connection technologies such as TLS or HTTPS. The effect is that any two organizations, each complying with HIPAA regulations in their own way, may be unable to communicate electronically due to a lack of standardization within industry.

The solution to each of these issues is to move encryption responsibility from individual user to a specialized server, and to utilize a system that can select from a number of encryption technologies depending on recipient’s technological capabilities. The server should be capable of applying encryption policies based on heuristics determined by security officer, administrator, or business rules. Individual users should be able to specify that a message be encrypted, but encryption should automatically be applied where appropriate regardless of user involvement.

Beyond encryption issues, CE's need to maintain system integrity, and availability of information. At all times, network should not be at risk of downtime due to hacking attempts, Denial of Service (DOS) attacks, spam attacks, phishing, social engineering, or viruses.

E-mail Security Issues for Graham-Leach-Bliley Act

The Graham-Leach-Bliley Act (GLBA) was signed by Bill Clinton in 1999 and made fully effective on July 1, 2001. GLBA requires financial institutions, partners and contractors to protect consumer’s private financial information. It is similar in purpose to HIPAA regulations governing use and transmission of information in healthcare industry. It also imposes many of same challenges on financial industry as those faced by healthcare industry.

As with organizations affected by HIPAA and Sarbanes-Oxley regulations, financial institutions are faced with need to protect confidential data, comply with regulations, keep network operational and secure, and operate on a budget. The consequences of a failure to perform in any of these areas could result in imprisonment of company officers and fines. It could also have devastating effects on business itself – potentially causing existing and potential customers to lose faith in company’s ability to service their financial needs.

As with healthcare organizations and corporate entities, need to establish centralized policy-based governance over transmission, encryption, and archival of sensitive information requires a secure server-based solution. The solution should be capable of interfacing with all of an organization’s business partners regardless of partner’s technological capabilities, and it should be transparent to user in order to maximize efficiency and utility of e-mail and encourage adoption of acceptable means of corporate communication.

Conclusion

The trend is clearly in direction of more complex security regulations and an increasing concern by consumers and investors over an organization’s ability to protect privileged information. Fortunately, this increasing awareness of general public and government agencies has coincided with a rapid development of technologies required to meet these demands. CipherTrust has led e-mail security industry in developing comprehensive solutions to e-mail borne threats such as spam, hackers, phishing, DOS attacks and more.

CipherTrust’s IronMail provides first true balance of security and usability that will enable businesses to protect confidentiality and integrity of information as required while ensuring that employees can continue to use e-mail easily as a central communication medium. IronMail enables e-mail security governance with ease, solving a problem that has plagued industry for 15 years.

Others merely claim it. IronMail does it. We invite you to try it. Click here to schedule a FREE online demonstration of IronMail.

CipherTrust manufactures leading Enterprise E-mail Security appliance, IronMail. To learn more about how IronMail can help your organization filter spam, block attacks, and prevent fraud, download our white paper, "Controlling Spam: The IronMail Way."

Stay up to date on all E-mail security issues by signing up for IronMail Insider Newsletter.