Proofpoint: Security, Compliance and the Cloud

The holiday season — you know, Black Friday, Cyber Monday and those other ones — is once again upon us.

Here at Proofpoint, we celebrate the season with two fine traditions: An inbound email threats webinar (see the bottom of this post for more details) and a reminder about how to stay safe online during the busy holiday shopping season.

At this time of year, both snail mail and email inboxes start to get full of special offers, catalogs and the like.

As the volume of legitimate email marketing increases, Proofpoint also sees the volume of spam, phishing and other forms of scam email increase as well. The chart below shows the relative volume of "obvious" phishing messages in Proofpoint's spam traps over the last month (click the image for a larger view):

Over the course of 2011 we've seen spear phishing messages revealed to be the exploit at the root of many high-profile data breaches.

In the same way that enterprises and government organizations need to be wary of phishing messages and other types of threats, consumers too need to be especially careful around this time of year.

So, once again, let me reiterate our “Seven Simple Rules” for staying safe online during the holidays (or any time of the year) which explain some of the tactics that scammers use and the important steps consumers can take to protect themselves. Keep these tips in mind this holiday season and share them with your friends, family and email users!

Proofpoint's Seven Simple Rules for Staying Safe Online During the Holidays

1. Be aware: View with suspicion any email with requests for personal identification, financial information, user names or passwords, especially during the busy holiday season when spammers and scammers use the increased volume of legitimate promotional email as “cover” for their attacks. Your bank, online services, government agencies or legitimate online stores are extremely unlikely to ask you for this type of information via email. Consumers should also be suspicious of similar emails that appear to come from an employer or friend. Never send personal financial information such as credit card numbers and Social Security numbers via email. 

2. Don’t click: If you receive a suspicious email, don’t click the links in the email or open file attachments. Never click email links or open attachments from anything but 100% trusted sources. Links embedded in emails may take you to fraudulent sites that look similar or identical to the legitimate “spoofed” site. Instead of clicking, open a browser and type the actual Web address for the site into the address bar. Alternatively, call the company using a phone number you already know.

3. Be secure: When you are shopping online, entering important information such as credit card numbers, or updating personal information, make sure you’re using a secure Web site. If you are on a secure Web server, the Web address will begin with “https://” instead of the usual “http://”. Most Web browsers also show an icon (such as Internet Explorer’s “padlock” icon) to indicate that the page you are viewing is secure. 

4. Don’t fill out email forms: Never fill out forms within an email, especially those asking for personal information. Instead, visit the company’s actual Web site and ensure that the page you are using is secure before entering sensitive information. 

5. Keep an eye on your accounts: Check the accuracy of your credit card and bank statements on a regular basis, especially during the holiday shopping season, when cyber attacks typically increase and busy consumers tend to be less attentive. If you see anything suspicious, contact the financial institution immediately.

6. Get social media savvy: Email isn’t the only attack vector used by spammers and scammers. Social media sites like Facebook, LinkedIn and Twitter are commonly used to deliver the same kinds of scams and malicious links to unsuspecting users. Be wary 0f social media notifications—such as friend requests, security notices and message notifications—that arrive via email. Scammers have spoofed these sorts of messages to deliver links that lead to fraudulent sites or malware. 

7. Make security your first stop: If your holiday includes giving or receiving a new computer (or tablet, netbook, operating system upgrade, etc.) always install a good desktop anti-virus or Internet security solution before doing anything else online. Always make sure that your net-connected computers are protected by such a solution—and that you keep your subscription up to date! Reputable vendors include F-Secure, McAfee and Symantec.

There are also reputable free solutions such as Avast, so a lack of resources doesn't mean you have to go without security. But be extremely wary of Web pop-ups that offer “free security scans” or that inform you that your machine is infected with a virus. Such offers usually lead to fraudulent anti-virus solutions that are actually malicious software.

If you'd like to learn more about the latest phishing threats, and new techniques for stopping them, attend our upcoming live web seminar Don't Get Hooked by the Latest Phishing Attacks (December 14th, 11 a.m. PT/2 p.m. ET). To register, visit the link — or simply fill out the form below:

Our live web seminar series continues this Wednesday, October 12th, 2011 with "Mitigating Security Concerns about Cloud Archiving and eDiscovery."

Resident cloud archiving and eDiscovery expert, Andres Kohn, explores the risks and concerns you should consider when moving archiving and eDiscovery functions to the cloud.

IT departments are moving quickly to the cloud – enabling organizations to operate more quickly and more nimbly, and at a lower cost. However, this trend can raise a new set of concerns over how the organization should manage in-house eDiscovery processes and minimize risks.

As Andres has said on many occiasions, "Not all clouds are created equal..." and, in some cases, cloud computing can make the search, collection, and preservation of ESI more complex, time-consuming, and difficult, with much of the burden falling on the IT department.

During this web seminar, Andres will help answer key questions around these trends, including: How concerned should you be? And how can you minimize these risks while reaping the benefits of cloud computing?

To attend, please visit our registration page or simply complete the mini-form below! We hope to see you there!

Proofpoint's live web seminar series continues next week with a brand new topic, Microsoft Office 365: Meeting Encryption, Privacy and Compliance Requirements, presented at two times (7 AM PT/10 AM ET and again at 11 AM PT / 2 PM ET) on Wednesday, July 20th, 2011.

Pictured at left is special guest Mike Blake, CIO of Hyatt Hotels Corporation, who will be joining us to share how his organization is using Proofpoint to ensure that their Microsoft Office 365 deployment meets a variety of compliance requirements.

This is a rare opportunity to hear first hand about how one of the world's leading organizations is leveraging the cloud to achieve its security and compliance objectives.

If your organization is moving - or thinking about moving - to Microsoft's next-generation hosted email environment, you are not going to want to miss this one!

Come and learn about the compliance and security features built into Office 365 and how those match today's enterprise data protection and privacy requirements. You'll also learn about our newest solution, Proofpoint Compliance for Office 365, and how it enhances Office 365's encryption, data loss prevention, archiving and security capabilities.

As always, registered attendees will receive a link to a replay of the webinar and we'll answer your questions live, during a Q&A session. Follow the link below to register:

 Register for Microsoft Office 365: Meeting Encryption, Privacy and Compliance Requirements »

Our live web seminar series continues on Wednesday, June 15th as Proofpoint email archiving experts present, "Why Relying on Exchange 2010 Alone for Archiving Could Cost You."

Join us to learn about recently introduced email retention and discovery features in Microsoft Exchange 2010, the extent of those features and how they match up with today's enterprise requirements for archiving and eDiscovery.

We'll discuss why those new features may not adequately address the full legal discovery, compliance and mailbox management features your organization requires.

As I've noted here regularly, failure to properly retain email and deploy the necessary technology to enable rapid discovery of electronic records in the case of lawsuits or regulatory actions can end up costing your organization significant time, money and effort.

We'll also discuss best practices for preparing your organization for the most common eDiscovery scenarios, the feature requirements you should consider when evaluating email archiving solutions and recent trends - such as the growing use of social media in the enterprise - that you should factor in when making decisions about your enterpise archiving strategy.

To register, visit our webinar registration page or simply fill out the form below. As always, all registrants will receive a link to the replay of the live webinar, so feel free to register even is you can't make it to the live event.

Proofpoint's live web seminar series continues on Wednesday, May 18th with "Healthcare Privacy 2011: Top 5 Messaging and Collaboration Risks." Proofpoint data loss prevention expert Rami Habal will discuss:

• How hospitals, HMOs and other medical providers can manage email and social media content in compliance with privacy regulations

• How advances in policy-based email encryption can greatly simplify administration, reduce costs and improve usability for both desktop and mobile email recipients

• The impact of regulations—including HIPAA/HITECH—on data privacy and retention policies in the healthcare industry

• Recommendations for taking a proactive approach to archiving email and other communications in the event of litigation or regulatory investigation

• Trends in inbound threats that could compromise your email and messaging infrastructure, and expose private data

• How other leading healthcare organizations have tackled today’s critical messaging and collaboration challenges, while improving patient care.

To register, follow the link above, or simply fill out the form in this blog post.

Proofpoint's live web seminar series continues on Wednesday, April 13th with a brand new email security topic, "Enhancing Security & Compliance for Microsoft Email Environments."

Businesses large and small have moved – or are considering moving – their email infrastructure to a hosted Exchange environment such as Microsoft’s own Business Productivity Online Suite (BPOS) or Office 365 to lower costs and minimize burdens on internal IT staff. However, some are concerned about the security of their data in the cloud, and how to best about enhance their current Microsoft offerings.

In this live webinar, we'll explain how Proofpoint’s SaaS email security and compliance solutions complement and extend all types of hosted Exchange deployments, including Microsoft BPOS and the forthcoming Office 365 suite. As always, webinar registrants will receive a link to a replay of the live event as soon as it's available. And Proofpoint product experts will answer your questions live during a Q&A period at the end of the webinar.

To register, please visit the following link — Enhancing Security & Compliance for Microsoft Email Environments — or simply fill out the form below:

Our live web seminar series continues on Wednesday, March 9th at 11 AM Pacific Time, 2 PM Eastern Time, with "Social Media Risks in the Enterprise: Mitigating Data Loss, Compliance and Discovery Dangers."

We post here about social media risks, policies and trends fairly regularly here (see the social media category), and our annual research on data loss issues shows that social media channels (including Facebook, LinkedIn, Twitter and other sites) are increasingly the source of data breaches (see this post for a video overview of our 2010 findings).

In response, about half of organizations simply prohibit access to popular social media sites. But over the long term, that approach will be less effective as social media becomes more and more ingrained into how companies do business. So our feeling is that companies need to address social media risks in the same way that most of them address email security risks—via a combination of policy and technology.

In addition to data loss and compliance issues, one very new area of concern is the archiving, retention and discovery of social media content. In many cases, social media communications such as corporate tweets, Facebook posts/messages, etc. can be considered business records and could be subject to the same sorts of discovery rules as corporate emails.  (See this recent CIO article for an interesting overview and introduction to this topic, "Why Your Records Retention Policy Should Include Social Media").

Our upcoming webinar will have both Robert Cruz, our director of eDiscovery solutions, and Rami Habal, our director of product management and expert on all things DLP, on hand to talk about the many dimensions of social media risk and how you can apply today's security technologies (including cloud-based security solutions) to address these issues.

To register, visit this link—Social Media Risks in the Enterprise: Mitigating Data Loss, Compliance and Discovery Dangers—or simply fill out the form below:

Proofpoint's senior director of eDiscovery solutions, Robert Cruz, recently presented a web seminar with legal publication InsideCounsel.

In "What are Your Obligations to Retain Email and Other Forms of Electronic Content?", Robert discusses the content retention challenges faced by organizations in the midst of stringent litigation and regulatory compliance demands, and offers practical advice for how to address those challenges.

Topic covered included:

• Key legal, business and regulatory drivers for archiving email and other electronic content
• The impact of regulations—including FINRA, HIPAA and newer or less well known regulations—on your organization’s retention policies
• Recommendations for taking a proactive approach to content retention and litigation hold procedures
• Given the sweeping impact of the Dodd Frank Wall Street Reform Act and introduction of "preventative compliance," what steps can you take to prepare your organization for greater regulatory information access and transparency?
• How organizations in both regulated and previously non-regulated industries are tackling retention challenges

To watch this replay now (no registration required!) visit the following link:

http://webcast.streamlogics.com/audience/index.asp?eventid=52552431 

I wanted to bring two "don't miss" events coming up in the next couple of weeks to your attention:

First, it's exactly one month until the RSA Conference 2011 (February 14-18th, 2011) at Moscone Center in San Francisco. Proofpoint will be exhibiting at booth #728 and we'd love to see you there! If you'd like to attend the RSA Conference 2011 expo (exhibits), you can get a free exhibits-only pass courtesy of Proofpoint by using code EC11PRF when you register at the following URL: 

https://cm.rsaconference.com/US11/portal/regCode.ww

Second, our live web seminar series continues on Wednesday, February 9th as Rami Habal presents "The Path to SaaS: Transitioning Email Security and Compliance Functions to the Cloud."

If you've been thinking about the possibilities of moving various security or compliance functions "to the cloud," you'll definitely want to join us.

Among other things, Rami will discuss the pros and cons of Security-as-a-Service, and the tradeoffs between on-premises, hybrid and SaaS deployment models (as you might already know, Proofpoint offers all three). Learn the top criteria you should use when evaluating the quality and security of cloud-based service providers and what factors you should consider when looking specifically at email security, email archiving/eDiscovery and DLP solutions.

To register, please visit:

http://www.proofpoint.com/id/path-to-saas/index.php?id=6

Thanks to the hundreds of you that tuned in for our first live web seminar of the new year, "2011 Predictions: Top 10 Privacy Issues" where co-presenter Ken Liao and I looked into the crystal ball to expose the cultural, policy, technology and regulatory trends that will dominate privacy discussions this year! My thanks especially for all of the great questions and feedback on the seminar.

If you missed it, or if you'd like to refer back to the web seminar, it's now available as a replay. For those of you who registered for the live event, a direct link to the replay file has been sent to you via email, as usual.

In our presentation, Ken and I shared quite a few links to various privacy-related resources that I promised to share with you here as clickable links, so here they are, by prediction:

Intro: Why Privacy Matters Today

Privacyrights.org's running list of data breaches can be found here:
http://www.privacyrights.org/data-breach

Proofpoint's 2010 research on data loss events was referenced multiple times during the presentation. You can download a copy of our full report, Outbound Email and Data Loss Prevention in Today's Enterprise, 2010 here:
http://www.proofpoint.com/outbound

Prediction 1: Mobility & Location-based Info Becomes a Major Concern

We had a little extra comedy in yesterday's webinar as our slide on this first prediction had mysteriously disappeared. Click the image at left to see the slide we had intended to display!

Predictions 2-4: At Least One Major Social Media Site Will Experience a Serious Breach, Evolution of Social Media Policies, More Organizations will Formalize Acceptable Use Policies

The data/charts in these slides on social media data loss events, social media/web services that large organizations prohibit access to, and acceptable use policy adoption are all from the aforementioned Proofpoint research at http://www.proofpoint.com/outbound.

Prediction 5: Blended Threats Will Continue to Increase

For more on the VBMania outbreak and other recent blended threats, see my blog post about "Blended Threats Old and New." On the topic of spam's holiday vacation and subsequent return, see "Spam Volume Makes a Comeback After Holiday Hiatus."

Prediction 6: New, Stricter Privacy Regulations Will be Adopted Worldwide

Not mentioned in the slide, but here's a good article explaining the European reactions to privacy implications of Google Street View.

Prediction 7: Expect a US National Data Breach Notification Law

Here's the link to the Federal Trade Commission's report on Protecting Consumer Privacy. And here's information on the new White House "Enhancing Online Trust and Privacy" initiative.

Prediction 8: At Least One Enforcement Action Under Massachusetts 201 CMR 17

Links for the State of Massachusetts FAQ on 201 CMR 17, and interesting ThreatPost article about a possible 201 CMR 17 test case in 2011.

Prediction 9: More Organizations Will Encrypt More Data

Find more product information about Proofpoint Encryption here. Also, http://www.proofpoint.com/outbound is referenced again (data on adoption of data loss prevention technologies).

Prediction 10: Increased Adoption of Secure/Managed File Transfer

Statistic about level of concern around FTP as a source of data loss risk is, once again, from http://www.proofpoint.com/outbound. And visit this link for information on the Proofpoint Secure File Transfer solution. 

Q&A Session

In my comments, I mentioned recent email breach of personal information of all GSA personnel.

Thanks again to everyone who joined us for this web seminar. If you missed it and would like to see the replay, please visit:

 http://www.proofpoint.com/id/top10privacy/index.php?id=6