G248


Wall Street Journal

March 26th, 2007

Making Email More Productive - and More Secure

Write On

All emails sent annually world-wide

Email: You can't live with it, and you can't live without it.

For a relatively recent business tool, email certainly plays a big role in the lives of office workers. The average business user sends and receives about 170 messages a day, says Radicati Group, a Palo Alto, Calif., research company, and can spend as much as a quarter of the day sending, reading or deleting email.

This isn't all bad. Dashing off a quick email is a lot more satisfying than playing phone tag with a customer or co-worker. Email devices like Research in Motion's BlackBerry make even off-hours productive (even if they do annoy family and friends).

But this reliance -- some say overreliance -- on email causes grief for IT administrators, office workers and their managers. Storing all those messages -- along with attachments such as spreadsheets and PowerPoint slides -- can quickly clog a company's servers. Finding buried information can be nearly impossible.

Email can also be used to send corporate secrets and confidential customer information, a potential security nightmare. As such, email has become a favorite target for discovery in lawsuits. And then there's spam, which accounts for about 40% of email volume.

In this section, we look at the ways software makers are trying to make email more productive by making it easier to connect directly with other office applications -- in part by recognizing that most users are comfortable in their inbox.

Another article examines the latest in email security, which focuses on technologies that prevent sensitive information from going out -- as big a problem as keeping viruses and spam from coming in.

Finally, we explore better ways to archive and retrieve information locked in email, a topic that has become more important thanks to new federal rules on electronic discovery in lawsuits.

FOR MIKE BUTLER, sending an email involves a few extra steps. First, he must log on to his computer by inserting his personal cryptographic smart card into a special reader and entering his PIN. Then, when he sends an email, he must enter his PIN again, at which point the text is encrypted and the message is sent.

"It's about sharing information in a secure manner," says Mr. Butler, a director in the Defense Manpower Data Center, an agency within the U.S. Department of Defense. "If I send you a secure email, you can be certain that I am Mike Butler and that the message has not been tampered with before it reaches you."

Of course, you'd expect the Pentagon to take security quite seriously. But companies including auto makers and hospitals also are using this smart-card technology to give them greater control over outbound email.

And smart cards are just one of many approaches companies are taking to secure email. Others include filtering content for potentially sensitive information, encrypting the data to foil hackers, and having email recipients log in to secure Web sites or answer preagreed questions to prove they are the intended recipients. It's all a far cry from the days when securing an outbound email meant putting a blanket disclaimer at the bottom stating that it was intended only for the intended recipients.

These more rigorous solutions have gained popularity as companies start to realize that the cost of potential data breaches -- whether it's regulatory fines, damage to reputation or loss of intellectual property -- could far outweigh those of the more-publicized inbound threats like spam and viruses.

A recent study by Aberdeen Group, a Boston-based consulting firm, found that 80% of 116 companies surveyed view loss of confidential information -- either by being intercepted or being sent out by an insider -- as a high or medium threat. Only 43% of companies have a system in place to control outbound email, compared with 79% for inbound email. But 14% are planning to introduce outbound email controls in the coming year, according to the survey, while 16% plan to control both inbound and outbound mail.

"While the predominant focus has traditionally been on inbound threats, the 'best in class' companies are taking a more holistic approach and looking at outbound email solutions as well," says Mounil Patel, a research director at Aberdeen Group and co-author of the study.

One simple and popular solution is to encrypt outbound email. For fees starting at less than $10 a month, Toronto-based Echoworx Corp. provides downloadable software that allows users to encrypt outbound email messages so they are secure against interception and can be read only if the recipient knows the answer to a preagreed security question. The product, called Secure Mail, works with existing email programs like Microsoft Outlook. And email recipients don't need any special software -- they just get directed to a Web site to answer the question.

The smart-card technology used by Mr. Butler at the Pentagon comes from ActivIdentity Corp., of Fremont, Calif. The technology -- whose price starts at $68 per user, with discounts for larger volumes -- can be integrated with existing security systems, so that an employee uses the same ID card in his or her computer as he or she does to enter the building. The advantage, apart from convenience, is that employees are likely to take the smart cards with them when they leave their desks, ensuring that computers are disabled in their absence.

But while encryption solves the problem of data being intercepted in transit, it doesn't stop an employee from attaching critical information to an email and sending it outside an organization. Nor does it address the other ways in which information could leave an organization, such as being sent in an instant message, posted on the Web or downloaded to a portable hard drive.

That's why many companies are now looking to automatically screen all their documents. And a host of small firms, including Vericept Corp., Tablus Inc. and Vontu Inc., are rushing to meet the demand.

Systems have been available for some time that can scan the text of outbound email for basic data like Social Security numbers, credit-card numbers or customer-account details and flag them for the attention of a manager or compliance officer. But that's only part of the problem. Much of a company's most valuable information -- the design of a new product, the formula of a blockbuster drug or discussion of a potential merger -- isn't so easily identifiable. With so many permutations to deal with, the older systems that relied on simple text searches tended either to filter out too many emails, generating large piles of false positives for compliance staff to sift through, or didn't filter enough, which meant sensitive data might slip through the cracks.

The new generation of products takes a different approach. The idea is to identify exactly where all the confidential information within a company is held and to track exactly where it goes within the organization. If anyone tries to send this information out -- either by email, on the Web or by downloading it to a portable device -- an alert will be generated and the transmission can either be blocked, automatically encrypted or quarantined for a certain period of time.

Content Alarm, software made by Tablus of San Mateo, Calif., allows companies to tag sensitive documents with an electronic fingerprint. The document can then be tracked wherever it goes in the organization, and the system can even detect when fragments of that document have been copied and pasted. Since a large company often has thousands of confidential documents, the process works largely automatically: Once the software has established what kind of data the company wants to protect, it can identify documents with a similar format and mark those as confidential, too. The price varies depending on the number of users. For instance, a one-year subscription costs $90,000 for 1,000 users and $240,000 for 10,000 users.
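An added example of how a document fingerprint can still match when only a fragment is copied and pasted. The article does not describe Tablus's method; this sketch swaps in a common technique, hashing overlapping runs of words ("shingles"), and every name, threshold and sample text in it is an assumption constructed for illustration.

```python
import hashlib
import re

K = 5  # words per shingle (assumed; smaller catches shorter fragments but is noisier)

def shingles(text, k=K):
    """Hash every run of k consecutive words, ignoring case and punctuation."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }

class FingerprintIndex:
    def __init__(self):
        self._index = {}  # shingle hash -> names of protected documents

    def register(self, name, text):
        for h in shingles(text):
            self._index.setdefault(h, set()).add(name)

    def match(self, outbound, threshold=3):
        """Return {document: shared shingle count} for documents at or above threshold."""
        counts = {}
        for h in shingles(outbound):
            for name in self._index.get(h, ()):
                counts[name] = counts.get(name, 0) + 1
        return {n: c for n, c in counts.items() if c >= threshold}

# Constructed sample texts.
CONFIDENTIAL = ("Project Falcon launch plan: the new compressor design reduces "
                "energy use by thirty percent and ships to pilot customers in "
                "the fourth quarter.")
LEAK = ("Hi Sam, fyi: The new compressor design reduces energy use by THIRTY "
        "percent. Talk soon.")
BENIGN = "Hi Sam, lunch on Friday? The new cafe by the office is open."

def build_index():
    index = FingerprintIndex()
    index.register("falcon-plan", CONFIDENTIAL)
    return index

if __name__ == "__main__":
    idx = build_index()
    print("leak:", idx.match(LEAK))
    print("benign:", idx.match(BENIGN))
```

Only the short hashes need to be stored in the index, so the matcher never has to hold the protected text itself.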

"First of all, it's about being able to identify and locate your sensitive content," says Anne Bonaparte, CEO of Tablus. "When I ask CEOs if they know where their sensitive information is, most of them just chuckle. It may start out organized, but then you and I collaborate on a spreadsheet, and we send it to someone else to check over, and suddenly you've got information sprawl."

For many companies, adoption of these new technologies is being driven by the need to comply with regulations that require them to show that they are treating confidential customer information securely, says Aberdeen Group's Mr. Patel.

That was certainly the case at Sharp HealthCare, which runs seven hospitals in and around San Diego. The Health Insurance Portability and Accountability Act, or HIPAA, states that any company handling personal health information must have sufficient technology in place to ensure that the information remains confidential. Along with medical records, the company handles a lot of financial data. And it must send that information out to suppliers, insurance companies, government agencies dealing with Medicare and Medicaid, and a host of others.

The responsibility for safeguarding all that data lies with Paul Tobia, Sharp's information-security manager. "The health-care industry is moving toward electronic medical records," he says. "The question is, once that's all electronic, how is that information being transmitted, where is it going and how can it be kept secure?"

To find out, he purchased content-monitoring software from San Francisco-based Vontu. The price of the software starts at $25,000, and is based on the number of users and the products purchased. It has been in place only since November, but Mr. Tobia says it has already highlighted several cases in which the staff needed further training on the right processes, or in which a more secure method of transmitting information needed to be found. "We've always had the policies and procedures in place, and we've always had the training for our employees," he says. "What content monitoring does is to allow us to enforce it."

At online lending company E-Loan Inc., which started using a Vontu system a year and a half ago, the primary driver was reputation. As an online financial business, E-Loan, of Pleasanton, Calif., relies heavily on its customers trusting the technology involved. "To process a mortgage, you have to collect a lot of personal information," says Tess Koleczek, the company's chief privacy officer. "To ease people's fears, you have to make sure you're putting in the best possible methods for transmission of that data."

E-Loan also is motivated by laws like Sarbanes-Oxley and the Gramm-Leach-Bliley Act, which contain similar wording to HIPAA about the need to ensure that information remains secure.

Ms. Koleczek says high-profile cases of data loss also helped focus management attention on the issue. "It can make them realize that if something were to happen, it could cost us so much more than the price of a solution we could put in place right now to prevent that problem -- not to mention all the bad press."

Since installing the Vontu software, E-Loan has discovered several cases where more-secure channels needed to be used for communicating with title companies, notaries or other companies. It also uncovered cases of consumers sending private data, such as credit-card numbers, via email.

Ms. Koleczek says she sees real potential in the ability of the software to monitor portable devices such as BlackBerrys. Indeed, as workers become increasingly mobile and use more gadgets to connect with each other and share information, the number of ways in which data can be lost is multiplying rapidly.

"I don't see it as an email problem," says Vontu CEO Joseph Ansanelli. "I see it as a data problem. Data is everywhere, and it proliferates really easily. The real question for companies is, 'How do you share information securely in a wide-open world?'"