Internet Newsletter for Lawyers
Statistics from the British Chambers of Commerce suggest that over half the
employees sampled in a survey had used their employer's systems to send
email jokes and other inappropriate material; another 10% admitted that they
had downloaded pirate software at work; 4% of workers had sent confidential
information by email; and 20% admitted to responding to spam email whilst at
work.
Whilst it is good risk management to implement policies for use of email and the
Internet, law firms work with confidential client information all the time and they
have to assume that they can trust staff; internal security breaches should be
less of a problem. However, the problems from external sources - and
particularly email - are still there.
The solution could be "managed email" and we chose the service provided by
Kent-based Email Systems Ltd,
www.emailsystems.com. I am a director of
Cappuccino Systems Ltd,
www.cappuccino.uk.net, an IT company established
to provide practical and common sense IT advice to law firms from experienced
lawyers and IT professionals, and we were so impressed with the managed
email system that Cappuccino now resells it. Although my firm obviously uses
the Cappuccino service, the general concepts of managed email described in
this article could apply to other providers as well.
Our firm's network runs Windows Small Business Server 2003 which has
Microsoft Exchange running as the mail server. We now use strong passwords
to log onto the system (mine has 15 characters of mixed upper and lower case
and other characters), and a number of our critical applications require
passwords to log on. It is perhaps worth mentioning that SBS 2003 is, in its
default setup, more secure than previous versions.
We have a software firewall and connect to the Internet using a 1Mbps ADSL
link. Until recently all our email was directed straight to the server, so the
machine had to deal with everything from legitimate email to virus-laden spam.
Although the volume of unwanted email was not huge, it was taking time and
resource to deal with it, and the fact that we were receiving it at all indicated
a potential weakness. Managed email was the solution. We changed
a couple of records in the database at our ISP and on our server and had all
incoming and outgoing email diverted via the "managed email" filtering service.
This managed email solution does more than just prevent viruses and spam
hitting our system. It means that, should someone attempt a denial of service
attack by trying to flood our system with email, the filtering service absorbs
the flood rather than our server. It also saves us from potential embarrassment
should we be infected through other routes, because outgoing mail is scanned
for viruses as well. Our server is effectively insulated from the Internet as far
as email is concerned. In fact, unless a firm hosts its own website, SMTP mail
is likely to be the only unencrypted incoming traffic, so this simple step
insulates you from public access, provided the server is then set to accept
SMTP connections only from the filtering service and not from the Internet at
large. We obviously have remote access to our systems using Outlook Web Access
(much improved from the NT version!) and VPNs, but such access is password
protected and encrypted.
There was a short initial problem when we found that some (less than 0.5%) of
the email we did want was not getting through, and some we did not want was
getting through. That was just a simple case of making some rules to deal with
specific addresses, and informing legitimate senders that their system was using
invalid settings (one of the tests for unwanted email involves checking that the
return-path in the mail is valid for the sender; if there is no valid address then the
sender verification fails and the email is blocked).
In addition to the filtering, we have a complete log (rolling for 28 days) of every
email that is sent or received by our domain, similar to the logs that fax
machines keep. This allows easy troubleshooting of non-delivery problems. We
can also have all valid email archived on the remote system for anything up to
10 years, providing a secondary layer of data security. There is also the comfort
that if our server is unavailable for a period, then Email Systems can hold our
mail for up to 28 days, and even redirect it elsewhere.
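As an added illustration, and not code from this article or from Email Systems Ltd, the following Python sketch models the checks described in the two paragraphs above: sender verification against the Return-Path, the rules for specific addresses that were added to correct the early false positives and false negatives, and a rolling 28-day log of every decision. The sample messages, the MX_TABLE that stands in for a DNS lookup, and the PolicyFilter class with its method names are all constructed for this example; a real service resolves MX records live and, in practice, exempts the empty (null) bounce sender rather than rejecting it.

```python
"""Toy inbound mail policy filter: an added example, not Email Systems' code.

Models three of the checks the article describes:
  * sender verification: the Return-Path must carry a usable address whose
    domain is deliverable (here: listed in a constructed MX table that stands
    in for a real DNS MX lookup);
  * per-address rules: explicit allow/block entries that override the
    verification result, the "rules for specific addresses" the author added
    after the first false positives and false negatives;
  * a rolling log of every decision, pruned to the last 28 days.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed stand-in for DNS: domains that have a deliverable MX record.
# A real filter would resolve MX records live instead of consulting a table.
MX_TABLE = {"example.com", "client.example", "schneiderpage.com"}

LOG_RETENTION = timedelta(days=28)  # the article's 28-day rolling log


@dataclass
class PolicyFilter:
    allow: set = field(default_factory=set)  # addresses always accepted
    block: set = field(default_factory=set)  # addresses always rejected
    log: list = field(default_factory=list)  # (time, sender, decision, reason)

    def verify_sender(self, return_path: str) -> tuple:
        """Sender verification: a parsable bounce address on a domain with MX.

        The article's rule ("no valid address, so verification fails") is
        modelled literally, so the null sender <> is rejected here; real
        deployments usually exempt it because bounces legitimately use it.
        """
        _, addr = parseaddr(return_path)
        if not addr:
            return False, "empty or unparsable Return-Path"
        local, sep, domain = addr.rpartition("@")
        if not sep or not local or "." not in domain:
            return False, "malformed address %r" % addr
        if domain.lower() not in MX_TABLE:
            return False, "no MX record for %r" % domain
        return True, "return-path verified"

    def decide(self, raw_message: str, now: Optional[datetime] = None) -> str:
        """Return ACCEPT or REJECT for one message and log the reason."""
        msg = message_from_string(raw_message)
        _, sender = parseaddr(msg.get("From", ""))
        if sender in self.block:
            decision, reason = "REJECT", "address on block list"
        elif sender in self.allow:
            decision, reason = "ACCEPT", "address on allow list"
        else:
            ok, reason = self.verify_sender(msg.get("Return-Path", ""))
            decision = "ACCEPT" if ok else "REJECT"
        self._record(sender, decision, reason, now or datetime.now(timezone.utc))
        return decision

    def _record(self, sender, decision, reason, now):
        """Append to the log and drop entries older than the retention window."""
        self.log.append((now, sender, decision, reason))
        cutoff = now - LOG_RETENTION
        self.log = [entry for entry in self.log if entry[0] >= cutoff]


# Constructed sample messages; only the headers matter to the filter.
GOOD = ("Return-Path: <alice@client.example>\n"
        "From: Alice <alice@client.example>\n"
        "Subject: Completion statement\n\nPlease find attached.\n")
BAD_RETURN_PATH = ("Return-Path: <bounce@no-such-host.invalid>\n"
                   "From: Offers <offers@no-such-host.invalid>\n"
                   "Subject: Cheap software\n\nBuy now.\n")
NULL_SENDER = ("Return-Path: <>\n"
               "From: Newsletter <news@example.com>\n"
               "Subject: This month's issue\n\nContents follow.\n")

if __name__ == "__main__":
    # The allow entry is the kind of per-address rule that fixes a false positive.
    f = PolicyFilter(allow={"news@example.com"})
    for name, raw in [("good", GOOD), ("bad", BAD_RETURN_PATH), ("null", NULL_SENDER)]:
        print(name, f.decide(raw), f.log[-1][3])
```

The block list is consulted before the allow list, so an explicit block always wins; everything not covered by a rule falls through to sender verification, which is the order the article implies (rules were added on top of the service's own tests).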
The email service provides technology to scan email for inappropriate content
as well as spam and viruses, so pornographic content can be prevented from
getting to our system. This may be useful in larger firms, and go some way to
prevent the possible circulation of such material, which has given rise to
harassment claims.
In addition to our worries about email not reaching us, we were also initially
concerned that the receipt of mail might be delayed, that it might be examined
en route, and that it might be stored outside the EU. However, despite millions
of messages passing through the system, the delay is less than 1 second. The
likelihood of our mail being looked at by the service provider is about the same
as that for every server through which email passes, and the fact that there are
so many messages a second going through the system makes it impractical. In
any event we have imposed confidentiality obligations. As to the location of the
data, archived material is stored in the UK, or at worst on a mirror server in
Sweden. (Some providers of this type of service hold data outside the EU, which
might be a concern due to the Data Protection Act.)
Although the use of a managed email system has tackled the most common
route to infection, it has not prevented us from having to use up to date
consumer anti-virus software, because not all viruses are email borne. We use
the Web and we have floppy disks and flash memory keys, as well as digital
cameras and the like. It is possible to prevent these hardware sources from
being used, by removing diskette drives and USB ports or through software
means, but that still leaves the Internet. Also, where users work from home or
a laptop to access the office system, the remote machines may not have been
so well protected.
In concluding, I should say that whilst people have been telling me for years that
the Internet is really not so bad, there are still many villains out there, getting
more sophisticated all the time. However, it is really quite easy and cheap to
take some effective steps to protect yourselves from at least some of the
problems.
Simon Page is a partner in Schneider Page,
www.schneiderpage.com, a small
firm of solicitors with two partners and no staff. He is also a director of Cappuccino,
www.cappuccino.uk.net.
Email simon@schneiderpage.com.
Managed Email – one less worry?
By Simon Page
I attended a lecture recently at which the topic was "e-security – how secure is
your business?" and learned that 70% of security breaches are internal. If that
is true, it means that your staff are the biggest risk to your IT security. This is
quite a frightening thought, and means that the policies and protocols referred
to by Rupert Kendrick in the last edition of this Newsletter are important to put
in place and monitor.
How it Works