Proofpoint: Security, Compliance and the Cloud

Thanks to the hundreds of you that tuned in for our first live web seminar of the new year, "2011 Predictions: Top 10 Privacy Issues" where co-presenter Ken Liao and I looked into the crystal ball to expose the cultural, policy, technology and regulatory trends that will dominate privacy discussions this year! My thanks especially for all of the great questions and feedback on the seminar.

If you missed it, or if you'd like to refer back to the web seminar, it's now available as a replay. For those of you who registered for the live event, a direct link to the replay file has been sent to you via email, as usual.

In our presentation, Ken and I shared quite a few links to various privacy-related resources that I promised to share with you here as clickable links, so here they are, by prediction:

Intro: Why Privacy Matters Today

Privacyrights.org's running list of data breaches can be found here:
http://www.privacyrights.org/data-breach

Proofpoint's 2010 research on data loss events was referenced multiple times during the presentation. You can download a copy of our full report, Outbound Email and Data Loss Prevention in Today's Enterprise, 2010 here:
http://www.proofpoint.com/outbound

Prediction 1: Mobility & Location-based Info Becomes a Major Concern

We had a little extra comedy in yesterday's webinar as our slide on this first prediction had mysteriously disappeared. Click the image at left to see the slide we had intended to display!

Predictions 2-4: At Least One Major Social Media Site Will Experience a Serious Breach, Evolution of Social Media Policies, More Organizations will Formalize Acceptable Use Policies

The data/charts in these slides on social media data loss events, social media/web services that large organizations prohibit access to, and acceptable use policy adoption are all from the aforementioned Proofpoint research at http://www.proofpoint.com/outbound.

Prediction 5: Blended Threats Will Continue to Increase

For more on the VBMania outbreak and other recent blended threats, see my blog post about "Blended Threats Old and New." On the topic of spam's holiday vacation and subsequent return, see "Spam Volume Makes a Comeback After Holiday Hiatus."

Prediction 6: New, Stricter Privacy Regulations Will be Adopted Worldwide

Not mentioned in the slide, but here's a good article explaining the European reactions to privacy implications of Google Street View.

Prediction 7: Expect a US National Data Breach Notification Law

Here's the link to the Federal Trade Commission's report on Protecting Consumer Privacy. And here's information on the new White House "Enhancing Online Trust and Privacy" initiative.

Prediction 8: At Least One Enforcement Action Under Massachusetts 201 CMR 17

Links for the State of Massachusetts FAQ on 201 CMR 17, and interesting ThreatPost article about a possible 201 CMR 17 test case in 2011.

Prediction 9: More Organizations Will Encrypt More Data

Find more product information about Proofpoint Encryption here. Also, http://www.proofpoint.com/outbound is referenced again (data on adoption of data loss prevention technologies).

Prediction 10: Increased Adoption of Secure/Managed File Transfer

Statistic about level of concern around FTP as a source of data loss risk is, once again, from http://www.proofpoint.com/outbound. And visit this link for information on the Proofpoint Secure File Transfer solution. 

Q&A Session

In my comments, I mentioned recent email breach of personal information of all GSA personnel.

Thanks again to everyone who joined us for this web seminar. If you missed it and would like to see the replay, please visit:

 http://www.proofpoint.com/id/top10privacy/index.php?id=6

Over at Baseline magazine this week, writer Nick Wreden has a good article on "Social Media Policy Development," summarizing that organizations need to develop firmly written, clearly communicated policies around all types of electronic communications, including those conducted via social media channels.

This is still a sometimes-overlooked area of policy development and, if your organization hasn't yet communicated specific policies around keeping confidential (or regulated) information secure over social media channels, I'd suggest you put this on your "to do" list for the new year.

Nick quotes our oft-cited statistics about data loss and social media in large enterprises, noting that our 2009 research found that "34 percent reported that a loss of sensitive information had affected business. The same study found that 13 percent had investigated troublesome Twitter usage, and 15 percent had disciplined employees for unauthorized posting of videos on YouTube and similar sites."

Note that these numbers increased in 2010 (and you can get a copy of our latest report, "Outbound Email and Data Loss Prevention in Today's Enterprise, 2010" at http://www.proofpoint.com/outbound. Our report also shows that, while acceptable use policies for email are almost universally adopted, there are still a substantial number of organizations that do not yet have formal policies in place around the use of social media sites (including blogs, message boards, social networks, short message services like Twitter and media sharing sites like YouTube).

As I always suggest when considering acceptable use policies for email, when creating these sorts of policies for social media, I'd encourage organizations to focus on the data loss and compliance risks associated with social media sites, not just the "time wasted" aspects of same.

Keep in mind that the cost of a single low-performing employee (who, for example, spends too much time at work engaged in non-work-related social media) is completely bounded by that employee's salary (and such problems are fairly easily addressed). However, a single data loss/breach incident can cost hundreds of thousands or even millions of dollars in remediation costs, potential fines, brand damage and lost business.

The article over at Baseline has some other good suggestions around social media policy development and some real-world examples of what enterprises such as EMC, Xerox and Mel-O-Cream are doing to address the risks associated with social media.

Note also that I'll be touching on this topic a bit in our next live web seminar (January 12th), "Top 10 Privacy Issues for 2011." Do join me! You can register here: http://www.proofpoint.com/id/top10privacy/index.php

Hard to believe another year has almost come to a close... Proofpoint's live web seminar series will kick off another terrific year of programming on Wednesday, January 12th, 2011 with:

2011 Predictions: Top 10 Privacy Issues »

I'll be making one of my occasional webinar appearances, discussing the top policy, technology and regulatory trends that will dominate privacy discussions in the coming year with our resident email security and data loss prevention expert, Ken Liao.

In addition to our top 10 privacy predictions for 2010, we'll also be sharing some actionable advice about what organizations should do today, to better protect sensitive information in the coming year.

As regular readers of this blog know, data loss risks are generally on the upswing and your customers and business partners are more concerned than ever about how you handle their private data. I'm sure this will be a lively presentation — touching on diverse topics including social media, email, encryption regulations, acceptable use policies and a lot more — and as always, we'll answer your questions during the live Q&A period. 

Register here (and, as usual, all registered attendees will receive a link to the webinar replay).

I hope you'll join me... In the meantime, have a happy and safe holiday season!

Our live web seminar series continues on Wednesday, December 8th, 2010 with "What are your Obligations to Retain Email and Other Electronic Content?"

Analyst Michael Osterman of Osterman Research will join us to talk about findings from his recent report on the same topic. He'll discuss the business, litigation and regulatory compliance drivers that require organizations of all sizes and every industry to establish retention policies for email and other types of electronic documents.

Mike's report includes a summary of more than 50 regulations that require archiving of digital content. But as Mike notes in his report, there are still some organizations that are resistant to archiving such information.

"Unlike their regulated counterparts, organizations in so-called 'non-regulated' industries tend to believe that their electronic content retention obligations are minimal at best," he writes. "They believe electronic content should be deleted regularly to reduce the risk of liability in the event of a lawsuit or regulatory audit. They fear such content may contain 'smoking guns' that might reveal poor judgment by organizational decision makers or rogue employees... Contrary to what such decision-makers may think, no organization operating in the United States, regardless of size or industry, is immune from the obligation to retain electronic content in accordance with the Federal Rules of Civil Procedure."

Come learn the facts about why archiving email and other digital content is important for every type of organization.

As an added incentive, attendees who take our short survey at the end of the live event will be entered in a random drawing to win a new Apple iPod Nano... Just in time for the holidays!

Register for "What are your Obligations to Retain Email and Other Electronic Content?" here.

While we regularly post notes here about upcoming web seminars, I also wanted to mention that Proofpoint holds regularly-scheduled live online demonstrations of our Proofpoint Enterprise email security and data loss prevention solution.

In fact, the next one is coming up tomorrow, November 18th at 11:00 a.m. PT / 2:00 p.m. ET.  There's still time to register by visiting the following link:

Register for an upcoming Proofpoint Enterprise live demo

Even if you're seeing this post after that time, you can always register for a future demonstration via that page. These demos are a great opportunity to get a comprehensive overview of Proofpoint Enterprise Protection's email security features, Proofpoint Enterprise Privacy's DLP and email encryption features, and to get your questions answered by Proofpoint experts.

For a brief preview of what these demos cover, check out this short video (which you can also find in the left hand column of most pages in the Proofpoint website):

For our friends in the UK and other European countries, Proofpoint is giving a live encore presentation of our popular web seminar, "Email Encryption: Why Now is the Time to Deploy" on Tuesday, November 23rd at 2:00 p.m. GMT (3:00 p.m. CET).

Proofpoint email encryption expert Ken Liao will discuss recent changes in the global regulatory environment and how Proofpoint's SaaS-powered email encryption solution can help. He'll explain how Proofpoint Encryption automatically applies email encryption policies at the gateway, while also enabling easy desktop-to-desktop encryption for secure communication over email.

Ken will also answer your questions during the live question and answer period.

As with all of our web seminars, registrants will be sent a link to a replay of the webinar after the live event.

To register, follow this link: Register for "Email Encryption: Why Now is the Time to Deploy"

Sorry to be like the department store that puts out the Christmas decorations before it's even Halloween, but the holiday season will be upon us before we know it.

And as is traditional this time of year, Proofpoint's live web seminar series takes on the perennial rise in spam, phishing attacks and other forms of email nastiness that occurs during the holidays.

Join us live on Wednesday, November 17th for "Holiday Threats: Why Fruitcake is the Least of Your Worries" as Proofpoint email security expert Steve Eddy discusses some of the latest spam, blended threat and malware distribution techniques and what you can do to protect your organization and email users.

Despite the whimsical title, the topic is very timely and serious. We always see spammers and scammers using the increased volume of valid commercial email during the holidays as a “cover” for their messages, making it easier to deceive people into responding to fraudulent email.

Learn about the latest spam tricks and techniques, the return of some of the "old school" attacks that are making a dangerous comeback, how proper inbound threat protection relates to PCI-DSS compliance and some of the best practices around user education, mail server configuration and gateway email protection that can help keep your organization safe.

Register at the link below. As always, if you can't make it to the live webinar, you'll still receive a link to the replay edition as soon as it's available:

Register for Proofpoint's 2010 Holiday Email Threats Webinar »

(Oh, and Wikipedia has some theories on how fruitcake came to be the subject of holiday ridicule.)

Proofpoint's live web seminar series continues on Wednesday, October 13th as Proofpoint email encryption expert Ken Liao presents, "Email Encryption: Why Now is the Time to Deploy."

Ken will be talking about how email remains one of the most frequent vectors for data loss and exposure of confidential information. In fact, according to our latest research on this subject, more than a third of large enterprises investigated the exposure of confidential information via email in the past year.

He'll explain some of the recent regulatory changes that are driving more and more organizations to deploy email encryption and talk about how today's email encryption solutions, like Proofpoint Encryption, are much easier—and much less costly—to deploy than solutions of years past.

You'll also get to see how Proofpoint Encryption enables policy-based email encryption at the gateway, as well as desktop-to-desktop email encryption.

To register to attend, simply following the link below. As with all of Proofpoint's web seminars, all registered attendees will receive a link to a replay version, even if they can't make it to the live event:

Register for Email Encryption: Why Now is the Time to Deploy »

[Update, November 9, 2010: For more on this topic, read Gartner's 2010 Content-Aware Data Loss Prevention FAQs report, compliments of Proofpoint.]

NetworkWorld's Ellen Messmer has a really interesting article posted yesterday at NetworkWorld, reporting from Gartner's Security & Risk Management Summit (where Proofpoint is exhibiting, booth #27, BTW). In "Too many data-loss prevention tools become sheflware, says analyst", Messmer relates highlights of a presentation by Gartner DLP, security and encryption analyst Eric Ouellet, in which he talks about the challenges that many organizations face when deploying enterprise DLP solutions.

Of particular note, Ouellet discusses how many DLP deployments go awry because there's not enough involvement from business units who actually own responsibility for setting up and enforcing policies. "Organizations underestimate the need for the involvement of non-IT business units," Oullet says.

The whole article is worth a read and it provides an interesting "proof point" for something that we've been noting for quite a while... That multi-channel, enterprise DLP deployments (that involve the deployment of endpoint, network and discovery tools) are often more difficult and costly for organizations than they can really manage.

As an alternative, Proofpoint has long argued for a more pragmatic approach to DLP whereby the biggest risk vectors are addressed first (and, as I've noted many times, email continues one of the most significant channels for data loss - and one of the least controlled).

Rather than belabor that point here, I'd refer interested readers to this replay of an April 2010 web seminar featuring Proofpoint's Ken Liao, where Ken talks presents on precisely this topic:

Register for Brighttalk webinar replay: A Pragmatic Approach to Compliance with Policy-Based Encryption

Back to the NetworkWorld article, analyst Eric Ouellet is also quoted on the issue of "enterprise DLP" versus "channel DLP" (that is, addressing the DLP concerns in a specific protocol/channel, such as email):

... the market has evolved over the last year to include a second track for DLP that Gartner is calling "Single Channel DLP," which often focuses on the sole task of monitoring e-mail and attachments and ensuring e-mail encryption is properly used. "It provides you with enough to get you by," he said. Costs in this "Single Channel DLP" area can be in the $5 range for e-mail monitoring per employee.

The distinction between enterprise and channel DLP is discussed briefly in Gartner's 2010 Magic Quadrant for Secure E-mail Gateways, which also gives some detail on the DLP capabilities of each vendor in the email security market, including Proofpoint. You can view a copy of that magic quadrant, compliments of Proofpoint, by visiting:

http://www.proofpoint.com/magicquadrant

Our live web seminar series continues on Wednesday, May 26th. Join Proofpoint and our new partner Titus Labs to learn about how email classification, email security and email archiving intersect. Find out how these technologies can help your organization better protect sensitive data and comply with an increasingly complex global regulatory environment. 

To register for "End-to-end Email Security: Ensuring Data Privacy and Compliance," please visit the following link:

http://www.proofpoint.com/id/end2end/index.php?id=6

As with all of our web seminars, a replay will be made available to all registrants shortly after the live event.