Viruses, spam and phishing may have been big messaging security threats in 2005, but this year expect secure archiving, risk management and layered threat prevention to take center stage.
That's the forecast from San Francisco-based Ferris Research, which last week unveiled its latest report, Top 10 Messaging & Collaboration Issues of 2006.
According to one of the report's authors, Ferris Lead Analyst Richi Jennings, traditionally vexing problems like spam and phishing still exist, but increasingly sophisticated antispam software and its ubiquitous use are mitigating those threats.
"Spam will continue, but people will no longer see it," Jennings said. "And if they can't see it, they can't buy things from spam ads. And if they can't buy, then the spammers don't get paid, since they work on commission. And if they don't get paid, there's no more incentive, and then presto, the spam problem implodes."
But that won't happen overnight. Jennings said it's likely to be another 18-24 months before the spam industry recedes. Phishing may take even longer, he said, but it's only a matter of time before it goes away as well, thanks to improved defenses and an increased willingness among companies exploited as phishing fronts -- eBay, PayPal and major banks, most notably -- to go after phishing outfits.
As a result, Ferris sees other security issues taking the fore. E-mail archiving and retention topped the overall list. Jennings sees it as a security issue
The bottom line, Jennings said, is that organizations can no longer risk losing sensitive information that could in turn result in a regulatory violation. "Regulations like HIPAA have a great deal to say about the security and privacy of heath care information," he said, "so I think it should be very much top-of-mind."
Mobile messaging security is becoming more important as well, but many fail to realize that it's a two-fold issue. In addition to securing mobile data and the devices it resides upon -- "If someone comes across a lost BlackBerry and wants to extract the data," Jennings said, "it can be quite easy to do," -- it's necessary to constantly monitor and evaluate the risk management aspects of mobile messaging.
For instance, Jennings said, mobile messaging requires an organization to "punch through the firewall and expose a service using an additional protocol," but doing so creates another potential point of entry that attackers could exploit.
"It's a classic risk management argument, and it's something some people don't understand well," Jennings said. "They don't understand how to go about making risk management decisions and understanding the implications, particularly the small and medium-size organizations that choose to run all their IT themselves."
Zero-hour exploit control is also an increasingly urgent issue, Jennings said, because several incidents in 2005 proved that attackers can take advantage of vulnerabilities almost immediately with damaging consequences, most notably the Zotob attacks of last summer that caused network outages at CNN, ABC and The New York Times.
Despite the myriad of emerging messaging threats, Jennings said the best way to circumvent any number of them is through a layered defense strategy, such as using a perimeter security product from one vendor, a messaging-specific product from a second vendor and desktop security software from a third. That way, if one vendor's product fails to spot a problem, perhaps another will.
"It's tempting to go with one vendor whom you're familiar with and just buy an all-in-one product," Jennings said, "but for zero-hour exploits and variability among vendors, it's a good idea to have several security layers."
He also recommended always tracking state-of-the-art messaging security products, because better techniques are always emerging. "The bad guys aren't standing still," Jennings said, "so you shouldn't stand still either."