Inexpensive ways to keep e-mail clean

Technology vendors suggest some low-cost ways small and midsize businesses on a budget can keep e-mail threat-free, and what companies should look out for.

For small and midsize businesses (SMBs) on a budget, implementing e-mail security may be a significant cost, but outsourcing and user education can be two inexpensive ways to keep e-mail clean.

Paul Wood, senior analyst at MessageLabs, said in an interview with ZDNet Asia that outsourcing may help SMBs access quality e-mail security without the capital costs of depreciating hardware assets and manpower.

A subscription model can also be scaled up as the business grows, allowing SMBs to cut back on spending on extra hardware or software licenses which they may purchase in anticipation of more seats--an additional cost, Wood said.

User error is another security hole that can be plugged with education and discretion.

Paul Ducklin, head of technology, Asia-Pacific at Sophos, suggested some ways users can practice safe e-mail behavior: "Don't blindly click on links in e-mail messages, even if they appear to come from a friend, out of a casual curiosity.

"Don't allow yourself to be frightened or intimidated into following instructions given in an e-mail. For example, if your bank account is compromised, your bank will not e-mail you asking you to log in and 'fix' the problem. When in doubt, ignore or delete.

"Don't blindly open unexpected or unsolicited attachments. Even files such as Office documents and PDFs can contain malicious content."

Ong Geok Meng, manager, anti-malware research, Asia-Pacific and Japan, Secure Computing, offered additional tips: do not send HTML e-mail, and do not exchange personal and confidential information.

Wood said "the next biggest risk" users will encounter is social-engineered attacks. These "prey on human networks and vulnerabilities, fueled by the availability of data about potential victims", tricking users into lowering their guard, he said.

Andy Norton, director of product management, IronPort, said e-mail authentication frameworks such as Sender Policy Framework (SPF) and the more recently established standard, DomainKeys Identified Mail (DKIM), are "not expensive and very effective" ways of fighting spam and phishing, as well as protecting outgoing mail.

Wood said: "Encryption has traditionally been viewed as costly and difficult to implement." But he said that allowing a third-party provider to manage this service can take the pain out of implementation.

Last month, Panda Security released a free, cloud-based antivirus product in beta, and expects to keep it free for individual use after it leaves beta testing.

Not everything comes for free
Most vendors ZDNet Asia spoke to were careful to suggest that SMBs should think about some measure of paid service.

AVG provides a free version of its anti-virus software, with an option for extra protection--for a fee. Its spokesperson said it is possible for an SMB to rely solely on a free client, but noted that it may not be adequate for a larger enterprise.

"A free service may provide basic services, which is all that may be required in some cases," but "an enterprise may have special needs" such as remote workers and a wider variety of devices which need securing. A free service may not cover all these endpoints, he said.

Furthermore, paid services invest in improving their products and in continued research and development (R&D), the spokesperson added.

IronPort's Norton said: "With paid-for e-mail security, you pay to protect yourself. With free e-mail security, you pay to clean up the mess."

Norton said paid-for services are distinguished from free services in that the former come with support and "round-the-clock" monitoring. Free services, on the other hand, typically do not respond as quickly to threats, leaving systems vulnerable, he said.

MessageLabs' Wood added that regardless of a company's size, customer safety requirements need to be taken into account. Larger businesses will likely be governed by stricter regulatory requirements, and these are often cascaded down the supply chain to smaller suppliers, he said.

And failure to comply could have a negative impact on a deal. "When asked to complete a response-to-tender document, any potential supplier will be considered in the same way as any other business function, and will be assessed accordingly as a potential conduit for introducing potential risk to the larger organization," said Wood.

Free e-mail services, which are unaccompanied by service level agreements (SLAs), offer users no safeguards or guarantees, Wood explained.