Proofpoint: Email Security Blog

Cultural Aspects of Email

March 09, 2010

Email Security Trends: Results from Proofpoint Survey at RSA 2010 - Spear Phishing, Email Encryption, Email Annoyances Exposed

As you might already know, Proofpoint exhibited last week at the RSA Conference 2010 in San Francisco. As part of our exhibit (see photo at left), we conducted an electronic survey about email trends that more than 120 booth visitors kindly took the time to fill out.

Today we announced the results of that survey (see "Proofpoint Reports Findings of Email Security Trends Survey Conducted at RSA Conference 2010" for the full release).

Among the findings:

48% of respondents said their organizations had been the target of a "spear phishing" attack. That is, they were targeted by a phishing email designed specifically to compromise their own email users.

59% of respondents said that their organizations have deployed an email encryption solution. An additional 19% intend to deploy such a solution in the future (most in the next 12 months).

43% of respondents said that effectiveness and accuracy is the most important factor when selecting an email security solution, while 20% said that "ease of administration" was the most important factor. 16% cited cost, 11% cited available deployment method (e.g., SaaS vs. appliance) and 6% cited vendor brand/reputation as the most important decision factor when selecting an email security solution.

Survey respondents were also asked about their top email annoyances. It's probably no surprise that spam and phishing emails that get through the organization's spam filter were the top two annoyances (39% and 27%, respectively). But certain types of legitimate email were most annoying for some of our survey respondents:

  • 15% find legitimate email newsletters/marketing emails that are sent too frequently their top email annoyance.
  • 10% find legitimate emails from coworkers or business contacts "that I just don't have time to answer" as most annoying. (Personally, I would fall into this camp!)
  • 7% find social media notifications and other types of legitimate, but non-essential, emails as most annoying.

You can read our complete press release on the survey here.

RSA 2010 was a great show for us with a lot of customers and more than 1000 interested attendees who dropped by the booth. Thanks to everyone who took the time to stop by our booth! As promised, I do have a few video interviews coming soon to the blog. Stay tuned...


 

March 05, 2010

More from the "Facebook Fired" File: East Stroudsburg University Professor Suspended for "Funny" Facebook Updates

According to a new article out today at Inc. Magazine (see "Would You Suspend an Employee Over a Status Update?"), an associate professor of sociology at East Stroudsburg University (Pennsylvania) has been put on indefinite paid leave for posting Facebook status updates that the university is investigating as potentially threatening.

The posts in question from January and February of this year - which reportedly read "Does anyone know where I can find a very discrete hitman?" and "Had a good day today. DIDN'T want to kill even one student. Now Friday was a different story." - set off alarm bells for university officials. Inc. reports that the university does not have a social media monitoring policy, but a spokesperson said, "Given the climate of security concerns in academia, the university has an obligation to take all threats seriously and act accordingly."

As is common in articles of this type these days, the Inc. story quotes Proofpoint's statistics about social media monitoring and related risks (download a copy of our complete DLP statistics here), saying:

Type "Facebook" and "fired" into any search engine and you'll get an ever-growing list of people who've stuck a foot into the wide-open mouth that is Facebook – and it's cost them dearly. A 2009 study by Proofpoint, an Internet security firm, found that 17 percent of companies report having issues with employees' use of social media, and 8 percent have actually dismissed someone for their behavior on those sites. In the previous year's study, just 4 percent were fired for their social media sins.

March 03, 2010

Thanks for Making Us "Best Corporate Security Blog"!

A giant thank you to all of the Proofpoint Email Security Blog readers who took the time to vote in SC Magazine's blog awards! We've been named "Best Corporate Security Blog" in the SC Magazine Awards 2010!

Been too busy at the RSA Conference to do much blogging yet this week, but look for a few new videos we taped at the show that we'll be posting over the next couple of days.

And if you're at RSA Conference 2010, please take a moment to visit the Proofpoint booth (#1132) and take our email security survey!

March 01, 2010

Visit Proofpoint at RSA Conference 2010, Booth 1132

RSA Conference 2010 exhibits open tonight and we're looking forward to seeing any of you who are attending! Find Proofpoint at booth #1132. When you stop by, please take a moment to take our quick email security survey and we'll give you one of our classic "Defend Email" t-shirts.

Also, we're giving away a $500 Apple gift card to one lucky visitor, so make sure you drop by and get your badge scanned. See you there!

February 24, 2010

Like this Blog? Vote for Us as Best Corporate Security Blog at SC Magazine

From the "It's an Honor Just to be Nominated" category, the Proofpoint Email Security Blog has been nominated by the US editors of SC Magazine as one of the "Best Corporate Security" blogs. The winner will be determined by votes at the SC Magazine site (http://www.scmagazineus.com).

The poll itself is right on the SC Magazine US homepage (see illustration at left) and it only takes a second to vote.

So, if you like this blog, won't you please take a moment to vote for us as "Best Corporate Security Blog"? Just click the graphic at left or this link to visit the SC Magazine site and vote.

All of the blogs nominated in the different categories are really great and it really is an honor to be included in this list. Thanks, SC Magazine!

Polling closes on Friday, February 26th at 11:00 AM ET, so do cast your vote now.


   




February 17, 2010

UK Office of Fair Trading Gets £4.3 Million to Fight Internet and Email Scams, Issues Alert on Employment Scams

In the wake of its recent announcement that online scams are becoming an increasingly common occurrence in the UK, the British Office of Fair Trading has now received £4.3 million to invest in stopping online scams. A CIO article on the story reports that the new enforcement team enabled by the funding will track the Internet fraudsters behind online scams, with an emphasis on scams offering fraudulent tickets for music and sporting events and on the sale of fake goods (which, as you know, are commonly hawked via spam email).

In other OFT news, the agency also issued a warning to Britons about a rise in the number of "work from home" and employment scams. The OFT says that their statistics show that one in four UK adults has at some point in their life been contacted by work from home scammers. These scams are attempts to swindle money by offering so-called profitable business opportunities or start-up advice. Their data also shows that 17 per cent of the adult population has been targeted in the last 12 months, and the incidence of such scams is rising.

"We are seeing an increasing volume of work from home and business opportunities scams," said Heather Clayton, senior director of the Office of Fair Trading's Consumer group. "People who are struggling financially may be particularly vulnerable to these types of scams. Genuine work from home schemes should tell you in writing exactly what you will be expected to do, how much you will be paid and how and when you will be paid."

I've reported on this sort of job scam activity in the US extensively in the past, and have some tips to help keep consumers from being victimized by job scams:

  • Remember, first of all that any offer presented to you that sounds too good to be true usually is—whether it's presented via email, phone or direct mail.
  • Simply do not respond to these sorts of solicitations. In particular, do not click links presented in such emails (they may lead to fraudulent websites that attempt to install malicious software on your personal computer). Note that the latest job scam emails include no links at all; instead they ask job seekers to reply to a generic webmail account (such as a Gmail or Yahoo Mail address).
  • Keep in mind that anyone can place an online ad, send you an email, or post a "lure" in otherwise legitimate online forums.
  • Never pay a company to hire you. If the employment process involves sending the employer money, it's almost definitely a scam.
  • Do not wire money (which is the same as sending cash) to individuals unknown to you or to firms that have supposedly hired you.

 

February 16, 2010

Police Behaving Badly Online: British Ministry of Justice and Metropolitan Police Service Officers Terminated, Disciplined for Social Media, Email Misuse

Quite a bit of coverage today of this story about the frequency of terminations and disciplinary actions against UK officers of the law for violations of their organizations' social media and internet use policies. Our partners at LEWIS Communications in the UK filed Freedom of Information Act requests to uncover this information.

Their investigation found that more than 70 staff at the UK Ministry of Justice and London's Metropolitan Police Service have been fired or disciplined for violations of acceptable use policies for social media, Internet sites and email.

The Ministry of Justice fired four staffers and issued final warnings to another three for failing to adhere to strict policies on usage of social networking sites such as Facebook and Twitter. Another 40 staffers were disciplined for other Internet and email-related offenses.

Scotland Yard disciplined 28 police officers for breaching the Metropolitan Police Service's policies for use of social networking sites. 18 were served written warnings, five were given "words of advice" and four were issued "formal misconduct" charges.

I'm quoted in these stories, noting that the Met and MoJ aren't alone in dealing with these sorts of issues. Regular readers will know that Proofpoint has previously published research about the discipline and termination actions that large companies have taken vis-a-vis violations of social media policies in our annual Outbound Email and Data Loss Prevention in Today's Enterprise report, finding among other things that:

  • 17% of US companies investigated the exposure of confidential, sensitive or private information via a posting to a social networking site (e.g., Facebook, LinkedIn) in the past 12 months.
  • 10% have disciplined an employee for violating social networking policies in the past 12 months. 8% reported terminating an employee for such a violation.
  • 45% are highly concerned about the risk of information leakage via posts to social networking sites.
  • 13% investigated the exposure of confidential, sensitive or private information via an SMS text or Web-based short message service (e.g., Twitter). 41% are highly concerned about the risk of information leakage via Web-based short messaging (e.g., Twitter).
  • 66.8% of US companies responding to our survey reported having a formal acceptable use policy for social networking sites (compare that to 93% of companies that report having a formal acceptable use policy for email).

Scotland Yard has a nine-point guide that advises officers how to behave online. These cover a wide range of topics including personal and operational security, use of copyrighted material, upholding MPS standards and reputation and discrimination/harassment. It's a pretty interesting list, so I've included it below: 

  • While it is a personal decision, for security reasons it is suggested that staff do not disclose their position as an MPS employee or officer. Whatever the decision, one should avoid disclosing personal details which may be used for identity theft, or to identify one's home address or other sensitive details. Do ensure that the privacy settings available on social networking sites are used.
  • Irrespective of whether you disclose your position, you must do nothing which risks bringing the MPS into disrepute or compromising its effectiveness or the security of its operations or assets. To do otherwise might lead to disciplinary and/or legal action, with potentially serious consequences.
  • If disclosing your association with the MPS, staff must consider whether it is appropriate to discuss their role within the MPS, as any information that may compromise police operations or investigations or which breaches the Official Secrets or Data Protection Acts must not be divulged.
  • Staff must not divulge any official MPS information, including information obtained through your work for the MPS, nor expand upon MPS information already available in the public domain.
  • If staff disclose that they work for the MPS, then it must be made absolutely clear that any views expressed do not represent the official position of the MPS but are the views of the individual.
  • Staff must not use any MPS logo or other copyrighted material.
  • Staff may accept payment for their own material produced away from their MPS employment, provided that this has been officially registered and sanctioned as a business interest, and providing the material does not in any way relate to policing. Failure to register and obtain a sanction for a business interest may result in formal disciplinary action being taken.
  • Under no circumstances must staff bring the reputation of the MPS into disrepute by making derogatory comments regarding MPS policies/procedures/operations or any other activities.
  • In accordance with the MPS Equality Policy and SOP, staff must not display offensive images or make offensive comments, or in any way harass, intimidate, bully, victimise or discriminate against others.

You can find more coverage of this story at:

ComputerWeekly: Law Officers Disciplined for Bad Behavior Online
(ComputerWeekly also has the full text of the Metropolitan Police Service's Freedom of Information Request response at http://www.computerweekly.com/blogs/read-all-about-it/2010/02/the-mets-mea-culpa.html)

WebUser: Police, MoJ Staff Disciplined for Web Use

Computerworld: Police Officers Disciplined for Facebook Use

February 02, 2010

Gartner: Social Networking Services to Replace Email by 2014... Sort of... and Other Social Media Predictions

Clever press release out today from our friends at analyst firm Gartner promoting their upcoming "Gartner Portals, Content and Collaboration Summit" with five interesting predictions about social media and social software in the enterprise.

The one that most caught my eye was a prediction that, by 2014, social networking services will replace email as the primary vehicle for interpersonal communications... for 20% of business users. By way of explanation, Gartner notes greater access to social networking services in the enterprise, along with organizational culture and demographic shifts will lead 20% of users to make a social network "the hub of their business communications."

I wouldn't dispute that claim. Gartner goes on to note that over the next few years, most companies will either build out their own internal social networks and/or allow business users access to personal social networking accounts. Social networking, they say, "will prove to be more effective than email for certain business activities such as status updates and expertise location."

Analyst Matt Cain (who covers email, collaboration and related topics at Gartner) says:

"The rigid distinction between email and social networks will erode. Email will take on many social attributes, such as contact brokering while social networks will develop richer email capabilities. While email is already almost fully penetrated in the corporate space, we expect to see steep growth rates for sale of premises- and cloud-based social networking services."

Hard to argue with that. For some related commentary, see some of my earlier posts including:

Amongst Gartner's other predictions for social media:

  • By 2012, over 50 percent of enterprises will use activity streams that include microblogging (i.e., public services like Twitter), but stand-alone enterprise microblogging (i.e., services like Yammer) will have less than 5 percent penetration.
  • Through 2012, over 70 percent of IT-dominated social media initiatives will fail. Gartner says that, "Enterprises will need to develop entirely new skill sets around designing and delivering social media solutions. Until this happens, failure rates will remain high. A dearth of methods, technologies and tools will impede the design and delivery of social media solutions in the near term."
  • Within five years, 70 percent of collaboration and communications applications designed on PCs will be modeled after user experience lessons from smartphone collaboration applications. Gartner explains, "Just as the iPhone impacted user interface design on the desktop, the lessons in the mobile phone collaboration space will dramatically affect PC applications, many of which are derivatives of decades-old platforms based on the PBX or other older collaboration paradigm."
  • Through 2015, only 25 percent of enterprises will routinely utilize social network analysis to improve performance and productivity. This one is really interesting as well. Gartner notes that "social network analysis" may be useful for understanding the interaction patterns and information flows among the people and groups working in an organization (in addition to interactions with business partners and customers). But care must be taken to address issues of privacy and confidentiality regarding how such analyses will be used and communicated. "Establishing the ground rules upfront will encourage more open and honest participation and reduce the resistance to ongoing relationship monitoring," they say.

You can read Gartner's entire press release, "Gartner Reveals Five Social Software Predictions for 2010 and Beyond" at the following URL:

http://www.gartner.com/it/page.jsp?id=1293114


Update: Analyst Mike Osterman (of Osterman Research fame, follow him on Twitter @mosterman) pointed me toward a similar article he wrote for NetworkWorld way back in July 2008! Worth a read as he has reposted it today. See: "What will truly unified communication be like?" Excerpt:

"Instead of having multiple email addresses, instant messaging handles, phone numbers, etc., each of us would have just a single address – either an email address as we have today or a phone number. To support this, we would have a powerful directory system that would be populated with information on all of our various modes of communication – published and unlisted phone numbers, email addresses, instant messaging handles, etc. – as well as detailed information on our preferred methods of communication based on time of day, day of the week, presence status, travel status and, perhaps, even our current mood based on biometric sensors at our desk or on our mobile device."

Interesting stuff from Mike, as always!

January 22, 2010

Free RSA Security Expo Passes, Courtesy of Proofpoint: Use Code EC10PRF

Hard to believe that the RSA Conference 2010 is just a little more than a month away! If you'll be attending RSA Conference 2010 at Moscone Center in San Francisco, please be sure to visit the exhibits and visit Proofpoint at booth #1132.

If you'd like to attend the RSA Conference expo (exhibits), you can get a free exhibits-only pass (which RSA calls an "Expo Pass") courtesy of Proofpoint by using code EC10PRF when you register. We'll be demonstrating our latest email security solutions including our new email encryption solution, Proofpoint Encryption.

To register for your free exhibit pass, please visit the following URL:

https://cm.rsaconference.com/US10/portal/regCode.ww

We hope to see you there! By the way, Proofpoint maintains a list of upcoming live events on the Proofpoint Events Calendar page.

January 14, 2010

Beware of Haiti Earthquake Relief Scams and Easy, Safe, Effective Ways to Help

As always happens after a disaster, scammers come out to take advantage. The situation with Haiti earthquake relief is no different.

Update: 1/19/10: Jon Swartz at USA Today covered this story today in his article, "Computer scammers solicit 'donations' for Haitian relief." In that story, he quotes Proofpoint stats about emails that contain malicious links, which are up several hundred percent in the past few days. He also provides a handy list of safety tips for consumers, including the following:

  • Whitehouse.gov, the United Nations and the Red Cross list legitimate websites for Haiti relief donations.
  • Don't respond to unsolicited e-mail or click on links contained within those messages.
  • Make contributions directly to established organizations.
  • Be wary of claims that 100% of donations will assist victims.
  • Do not give your personal or financial information to anyone soliciting contributions.

All good advice, of course. I can't stress enough that in today's email environment, clicking on links contained in email can be very dangerous. Always visit sites directly from your browser, rather than taking the chance of accidentally clicking on a malicious web link contained in a fraudulent email message.

That story mentions that a common email-based scam encourages recipients to wire relief funds via Western Union and to reply in email with details of their transaction. We've detected these scams at Proofpoint, too, and in addition to emails spoofing the British Red Cross, we've also seen them claiming to be from other charitable organizations including Habitat for Humanity. Never wire funds in this way.
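The Western Union charity scams described here and the job scams covered in the February 17 post above share a few traits that can be checked mechanically: a Reply-To diverted to a free webmail account that does not match the sender's domain, money-transfer language ("Western Union", "processing fee", "reply with your transaction details"), and, in HTML mail, link text that names one host while the href points at another. The Python script below is an added example, not Proofpoint code and not any filter the page describes; the free-webmail set, the phrase list, the two-indicator threshold and the three sample messages are all constructed for illustration. It uses only the standard library.

```python
"""Heuristic scoring of mail for the job-scam and charity-scam traits this page
describes. Added illustration only, not Proofpoint's filtering logic."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumed indicator lists (constructed for this example, not from any vendor filter).
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "aol.com"}
MONEY_PATTERNS = [
    r"\bwestern union\b",
    r"\bprocessing fee\b",
]

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # start collecting the visible text of this anchor
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain_of(header_value):
    """Domain of the first address in a From/Reply-To header ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def host_of(url):
    """Hostname of an http(s) URL, or '' if the string is not one."""
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""

def score_message(raw_message):
    """Return the list of scam indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    reasons = []
    # 1. Reply-To diverted to a free webmail account on a different domain.
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom and reply_dom in FREE_WEBMAIL:
        reasons.append(f"reply-to diverted to free webmail: {reply_dom}")

    # 2. In HTML parts, link text naming one host while the href goes elsewhere.
    body = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        text = (part.get_payload(decode=True) or b"").decode(
            part.get_content_charset() or "utf-8", "replace")
        body.append(text)
        if ctype == "text/html":
            collector = LinkCollector()
            collector.feed(text)
            for href, label in collector.links:
                shown, real = host_of(label), host_of(href)
                if shown and real and shown != real:
                    reasons.append(f"link text shows {shown} but points at {real}")

    # 3. Money-transfer language anywhere in the body (one hit is enough).
    for pattern in MONEY_PATTERNS:
        if re.search(pattern, "\n".join(body), re.I):
            reasons.append(f"money-transfer phrase matched: {pattern}")
            break
    return reasons

def is_suspicious(raw_message, threshold=2):
    """Flag a message when at least `threshold` independent indicators fire."""
    return len(score_message(raw_message)) >= threshold

# Constructed sample messages for illustration (not real captures).
JOB_SCAM = """\
From: "HR Department" <careers@example-recruiting.test>
Reply-To: hiring.manager2010@gmail.com

Congratulations! To complete onboarding, send the $75 processing fee via
Western Union today and reply to this email with the MTCN number.
"""
CHARITY_SCAM = """\
From: "British Red Cross" <donations@redcross.example>
Reply-To: haitirelief2010@yahoo.com
Content-Type: text/html; charset=utf-8

<p>Donate at <a href="http://198.51.100.7/donate">http://www.redcross.example/haiti</a>
or wire funds via Western Union and reply with your transaction details.</p>
"""
LEGIT_NEWSLETTER = """\
From: "Example News" <newsletter@example.com>
Content-Type: text/html; charset=utf-8

<p>This week's stories: <a href="http://www.example.com/news">Read more</a>.</p>
"""
```

Running `score_message(CHARITY_SCAM)` returns three reasons (diverted Reply-To, mismatched link host, "Western Union"), `score_message(JOB_SCAM)` returns two, and the newsletter returns none. Two caveats before using anything like this in production: the link-host check compares hostnames literally, so legitimate mail whose anchor text reads `http://example.com/...` but links to `www.example.com` will trip it, and a plain-text scam that names no money-transfer service and simply asks you to reply will only fire the Reply-To indicator, which is why the threshold, not any single rule, decides.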

Please read on for more links to legitimate sites for donating to Haiti relief.

Here's the rest of my original post on this subject:

Our friends at anti-virus partner F-Secure blogged about a typical scam that's using "poisoned" search results to put malicious links in front of unsuspecting users searching for details on the Haiti earthquake. You can read their post here:

http://www.f-secure.com/weblog/archives/00001855.html

You can be certain that there are similar email-based scams circulating as well.

For safe ways to donate and tips on avoiding scams, see the following excellent article at Lifehacker. Donating in these ways is easy, safe and ensures that your contribution has the maximum positive effect:

Lifehacker: How and Where to Donate to Haiti (and Avoid Scams)

On a personal note: If you are able, I hope that you will join me in contributing what you can to help provide relief for the victims of this disaster. My personal relief charity of choice is the American Red Cross, accepting donations to help victims of the Haiti quake at the following URL. If you're a US taxpayer, 100% of your donation is tax deductible. Please visit:

http://american.redcross.org/supporthaiti


Follow us on Twitter @Proofpoint_Inc