Proofpoint: Security, Compliance and the Cloud

4 posts categorized "SMS/Text"

November 30, 2010

"Smishing" (SMS Phishing) and "Vishing" (Voice Phishing) on the Upswing, FBI Warns

The Federal Bureau of Investigation (FBI) recently issued a warning about phishing attacks carried out via SMS text or cellular voicemail messages. The FBI's announcement notes that these messages provide a phone number to call or a website to log into, which then asks the respondent to provide personal information such as a bank account number, PIN or credit card number in order to restore service or fix a problem. Of course, the site or number in question is fraudulent.

These attacks, dubbed "smishing" (SMS text phishing) and "vishing" (voice phishing), are apparently on the upswing for the same reasons that email-based attacks increase during the holidays.

The FBI announcement gives several examples of recent smishing cases:

  • "Account holders at one particular credit union, after receiving a text about an account problem, called the phone number in the text, gave out their personal information, and had money withdrawn from their bank accounts within 10 minutes of their calls."
  • "Customers at a bank received a text saying they needed to reactivate their ATM card. Some called the phone number in the text and were prompted to provide their ATM card number, PIN, and expiration date. Thousands of fraudulent withdrawals followed."

The FBI offered the following tips to stay safe from these types of cyber threats, which echo some of the same tips Proofpoint gives as our "Seven Simple Rules for Staying Safe Online":

1. Don’t respond to text messages or automated voice messages from unknown or blocked numbers on your mobile phone.

2. Treat your mobile phone like you would your computer: don’t download anything unless you trust the source.

3. When buying online, use a legitimate payment service and always use a credit card because charges can be disputed if you don’t receive what you ordered or find unauthorized charges on your card. Check each seller’s rating and feedback along with the dates the feedback was posted. Be wary of a seller with a 100 percent positive feedback score, with a low number of feedback postings, or with all feedback posted around the same date.

4. Don’t respond to unsolicited e-mails (or texts or phone calls, for that matter) requesting personal information, and never click on links or attachments contained within unsolicited e-mails. If you want to go to a merchant’s website, type their URL directly into your browser’s address bar.

To read the full warning at FBI.gov, see the following link:

FBI.gov: Smishing and Vishing and Other Cyber Scams to Watch Out for this Holiday

August 30, 2010

New Report: Email Still the Number One Source of Data Loss Risks, but Social Media, Mobile Devices an Increasing Concern

Today we released the latest edition of our Outbound Email and Data Loss Prevention in Today's Enterprise report, now in its seventh year. As always, this report contains a huge number of interesting findings. Check out the video preview, above, for just a few of the top findings. This year, IT decision makers from 261 large US enterprises (all with 1000 or more employees) responded to our survey, conducted with the help of Osterman Research.

You can find more highlighted findings about how large enterprises manage data loss risks in our press release. Better yet, download the complete report, by visiting http://www.proofpoint.com/outbound.

I'll be blogging more about this throughout the week, but here are just a few of the most interesting findings:

Proofpoint found that, despite a growing awareness of data loss risks, large enterprises continue to be impacted by data loss at a surprising rate:

  • 36% of respondents said their organization was impacted by the exposure of sensitive or embarrassing information in the past 12 months.
  • 31% of respondents said their organization was impacted by the improper exposure or theft of customer information in the past 12 months.
  • 29% of respondents said their organization was impacted by the improper exposure or theft of intellectual property in the past 12 months.

Enterprise concerns and data loss events from social media continued to rise in the past 12 months:

  • Social Networking Sites (such as Facebook and LinkedIn): 20% of companies investigated the exposure of confidential, sensitive or private information via a post to a social networking site. 7% of companies terminated an employee for social networking policy violations. 20% disciplined an employee for such violations. 53% are highly concerned about the risk of information leakage via social networking sites. 53% explicitly prohibit the use of Facebook, while 31% explicitly prohibit use of LinkedIn.
  • Blog and Message Board Postings: 25% of companies investigated the exposure of confidential, sensitive or private information via a blog or message board posting. 11% of companies terminated an employee for blog or message board posting policy violations. 54% are highly concerned about the risk of information leakage via blogs and message boards.
  • SMS and Web-Based Short Messaging Services (such as Twitter): 17% of companies investigated the exposure of confidential, sensitive or private information via one of these services. 51% are highly concerned about the risk of information leakage. 49% explicitly prohibit the use of Twitter.
  • Media Sharing Sites (e.g., YouTube, Vimeo): 18% of companies investigated the exposure of confidential, sensitive or private information via shared video or audio media. 9% of companies terminated an employee for media sharing/posting policy violations. 21% disciplined an employee for such violations. 52% are highly concerned about the risk of information leakage. 53% explicitly prohibit the use of media-sharing sites.

June 18, 2010

Supreme Court Rules in Text Messaging Privacy Case (City of Ontario, CA vs. Quon): Implications for Enterprise Email and Text Monitoring Policies

Regular readers of this blog know that I've been following the legal proceedings around a text messaging privacy case involving City of Ontario, California police officer Jeff Quon and his employer, the Ontario (California) Police Department. Last year, the 9th Circuit Court sided with several police officers (including Quon) who had sued the department for reading hundreds of personal text messages (many of which were of a sexually explicit nature) that officers had sent and received on department-issued pagers.

The City appealed that ruling to the Supreme Court, which issued its ruling today in City of Ontario v. Quon, U.S. Supreme Court case No. 08-1332. In its ruling, the high court reversed the 9th Circuit Court's finding, ruling that the City's search and audit of Quon's text messages was reasonable. (You can read the full text of the court's decision here: City of Ontario, California, v. Quon (PDF format).)

Business and Legal Reports has a good summary of this case in the article, "Supreme Court Rules on Text Message Privacy Case." And, of course, the court's findings have been reported widely today in other media (for example, this LA Times article).

Though this particular case involved the privacy of text messages and the privacy of government employees that send them, the outcome of this case will have an impact on workplace monitoring policies in all types of industries – not just government – and for all types of electronic communication mediums.

One of the main take-aways from the Supreme Court’s ruling today is that the employer’s policies, and the clarity with which those policies are communicated, are crucial to establishing what sort of “reasonable expectation of privacy” employees should have.

In this particular case, the court found that the City of Ontario’s search and audit of text transcripts was reasonable, not excessively intrusive and had a clearly work-related purpose (the City was trying to determine whether employees’ text messaging limits were too low and should be increased; during this audit, the content of Quon’s personal messages came to light).

The court also found that Quon did not have a reasonable expectation of privacy, in part because Quon had signed the city’s Computer Usage, Internet and Email Policy, which stated that the City “reserves the right to monitor and log all network activity… with or without notice.”

My advice to employers and employees is as follows:

  1. Companies that monitor employees' outbound email and other electronic communications should clearly communicate to them what is being monitored and how. If that includes transmissions to "personal" email accounts via company networks or devices, this should be explicitly stated. If the company feels that employees should not have a reasonable expectation of privacy, this should be clearly communicated in a formal, written policy.
  2. Additionally, as part of their electronic communications policies, companies should discourage employees from using personal accounts to conduct company business.
  3. Employees should be aware that, even in the absence of a formal policy, their employer may be monitoring or auditing their electronic communications. For example, Proofpoint’s own research (http://www.proofpoint.com/outbound) finds that 46% of large US companies perform regular audits of outbound email content.

Of course, employers have many legitimate reasons for monitoring the content of email, web messages and text messages sent from their organizations, not the least of which is concern about compliance with data protection regulations including HIPAA and GLBA.

In our 2009 research on this topic, Proofpoint found that 43% of US companies had investigated a suspected email leak of confidential or proprietary information in the past 12 months and 34% had investigated an email-based violation of privacy or data protection regulations in the past 12 months.

With respect to text messaging, Proofpoint found that 13% of large US companies had investigated the exposure of confidential, sensitive or private information via an SMS text or Web-based short message service (e.g., Twitter). And 41% of those companies said that they are highly concerned about the risk of information leakage via Web-based short messaging.

More such statistics are available in Proofpoint’s 2009 Outbound Email and Data Loss Prevention in Today’s Enterprise report, which is available from http://www.proofpoint.com/outbound. (The 2010 edition of this report will be available in the coming weeks.)

December 15, 2009

Supreme Court to Hear Ontario Police SMS Text Message Privacy Case: Are Personal Text Messages Sent from Employer-supplied Devices Private?

Interesting news out today that the US Supreme Court has agreed to review a ruling by the Ninth Circuit Court of Appeals that sided with several police officers who sued their employer, the Ontario (California) Police Department, for reading hundreds of personal text messages (supposedly some of them were of a sexually explicit nature) that the officers had sent and received on pagers issued to them by the department.

The finding by the 9th Circuit Court was cited in a recent Wall Street Journal article (see my earlier post "Reading Employee Email: Do Workers Have an Expectation of Privacy?") as evidence that courts are increasingly siding with employees in cases of electronic privacy violation.

CRN's ChannelWeb has a really good summary of the Ontario Police Department case that includes a lot of detail. See "Supreme Court to Weigh in on Employee Text Messaging Privacy." Writer Stefanie Hoffman notes that the City of Ontario appealed the ruling to the Supreme Court on the grounds that it's customary for employers to have policies that give them access to electronic communications sent by employees on employer-owned devices.

The Supreme Court is slated to rule on this issue in June 2010 and, should it find for the City of Ontario, it could set a new standard for employee privacy vis-a-vis employer-provided devices.

NetworkWorld also has some good coverage of this case (see "Supreme Court to Rule on Employee Privacy"), noting that the Supreme Court's decision could have repercussions that will impact compliance efforts. Writer Tony Bradley notes:

"Regulatory mandates such as SOX (Sarbanes-Oxley), HIPAA (Health Insurance Portability and Accountability Act), and GLBA (Gramm-Leach-Bliley Act) contain guidelines requiring that companies ensure certain information is protected, and that communications be archived for a certain period of time.

Companies can't meet some of these compliance requirements if the courts uphold an employee's right to privacy while using company equipment."

This tension between employee privacy and regulatory mandates that more-or-less require monitoring of outbound electronic communications is a theme that comes up regularly when I discuss findings from Proofpoint's own research on outbound email monitoring and data loss prevention (download a copy of our 2009 survey findings here).

It would seem that racy text messages are fully in the zeitgeist these days. Between Tiger Woods's travails, media hype around "sexting" and court cases like this one, it's impossible not to be aware of the privacy, policy and cultural issues around electronic messaging.

(Illustration: BlogPulse trend search for "explicit text messages" and "sexting")
A quick check of BlogPulse's trend search (see illustration above) confirms that, indeed, there's a lot more chatter about these topics in recent weeks.

©2012 Proofpoint, Inc.