CHICAGO, April 20, 2006 – Like any critical piece of infrastructure, e-mail has its issues. Spammers still clog traffic on the worldwide web, and online con-men are starting to become more sophisticated in their attacks. Any organization maintaining a messaging system must balance its ability to defend against those abuses with reliably delivering an ever-increasing volume of e-mails.
In response to those issues, Microsoft is participating in the second annual Email Authentication Implementation Summit this week in Chicago. The summit is aimed at helping companies and industry organizations find ways to protect their businesses, their brands and their customers from unwanted and malicious e-mails, while at the same time letting legitimate mail do its job.
To get a look inside the agenda at the Email Authentication Summit II, PressPass sat down with Craig Spiezle, director of Microsoft’s Technology and Strategy Group, along with Michael Zaneis, director of Congressional and Public Affairs for the U.S. Chamber of Commerce, and John Curtis, senior security architect for Internet Systems at Bell Canada.
Craig Spiezle, Director, Microsoft Technology Care & Safety Group
PressPass: Participants at the Email Authentication Summit II include businesses of all sizes, as well as industry organizations such as the U.S. Chamber of Commerce and the American Association of Advertising Agencies. Why is such a broad range of interests concerned with this problem?
Zaneis: It really goes to the core of trust and confidence in the way commerce is carried out today. If you think about the fabric that’s holding commerce in general together today, it’s the Internet and e-mail, whether for transactions, proposals, purchases, customer service or something else.
Consumer confidence is one of the greatest assets of any business. Companies spend a lot of time building up that confidence and goodwill in their brand name. It only takes one phishing incident or one breach of security to really have a negative impact.
Spiezle: If you think back to the world where we didn’t rely on e-mail, from a business perspective, it’s hard to imagine how we did it. We didn’t have the immediacy, the flexibility, the ability to tune a message when your first e-mail campaign didn’t resonate, the ability to change an offer on a website based on market demands or pricing. We had quarterly catalogs. We had fax machines and the postal service, and we had to call and confirm whether those things delivered our messages.
The Internet and e-mail have changed all of that, but if we don’t protect those resources, then the agility and productivity and effectiveness of these tools will diminish. That’s why we fight spam, why we fight phishing, why we promote safety-enabling technologies. It’s all about the computing experience. For businesses, that comes down to reliability and efficiency, and, for customers, it’s all about trust.
PressPass: Why should smaller businesses be concerned with this problem? Isn’t it mainly the larger companies that are targeted for e-mail attacks?
Spiezle: If you have a business of any size, and all of a sudden customers are getting e-mails that look like they’re coming from you but aren’t, they’re not going to respond the next time you send them an e-mail. In many cases, the Internet and e-mail may be the exclusive touchpoint they have with customers. If these smaller businesses can’t rely on e-mail or their customers can’t rely on assurance of e-mail from them, their business as they know it will go by the wayside. So, while large enterprises understand what they need to do to protect themselves, their employees and their customers, there are millions of small businesses that need this prescriptive advice.
Another big concern today is a newer, more precise form of attack called “spear phishing.” These people may have a list of bank customers or 401(k) participants, and they send e-mails posed as legitimate requests for information. This is something that a company of any size should be prepared for.
Michael Zaneis, Director, Congressional and Public Affairs, U.S. Chamber of Commerce
Curtis: The biggest effect of this problem for business health isn’t security related, but marketing related. It’s churn. It can cost a business hundreds of dollars per customer acquisition and this investment and business growth is at risk due to spam or phishing.
There is a real risk as more customers “get turned off” of the Internet altogether that the entire e-commerce system loses. It certainly can erode a market pretty quickly. And unfortunately, the effects for a smaller business can also be more devastating. They have fewer resources to regroup after an attack and rebuild their brand.
Businesses large and small are looking for partners that they can trust to manage their security needs so they can focus on their business.
Zaneis: Another issue for the smaller businesses is that, as the large companies put in security measures, one of two things happens. The bad guys either try to get through those, or they go to softer targets. And usually, they go to softer targets because it’s easier for them.
These criminals recognize that larger companies are becoming more and more sophisticated, and often have great security practices, so they are trending toward targeting small businesses. We’ve seen numerous examples, where instead of going after the big companies, they’re going after small retailers because they tend to have less sophisticated security systems. They’re an easier target.
Spiezle: That’s true, and what it amounts to is a competitive advantage for the larger organizations that have taken more comprehensive security measures. So, for smaller businesses, the more of these proactive defensive measures you can take, the more it levels the playing field against those larger competitors.
PressPass: How is the landscape of these attacks changing? What trends are you seeing with regard to improper use of e-mail?
Spiezle: The main change we see with both malicious e-mails and spam is that the sophistication of the attacks is growing by leaps and bounds. The “amateur” or “recreational” spammers left the business a while ago because it became increasingly difficult to make a sufficient return on their investments, due to recent progress in filtering technologies, public policy and law-enforcement threats. Now they’ve left the business to the professionals. These folks are well-funded, they have just as much experience as the legitimate companies, and so the challenges are growing. That’s why the industry needs to be proactive and work together.
Zaneis: They have become more sophisticated, and they are constantly trying to increase the relevance of their offerings to a more targeted audience in an effort to increase the returns on those efforts. A year or two ago, it was just purely a numbers game. Phishers were just throwing a hook in the water with bait, not knowing what they were going to catch, but knowing that, because they’ve put a million hooks out there, they were going to catch something. Today they’re much more skilled.
PressPass: What advice do you have for customers in dealing with these problems?
John Curtis, Senior Security Architect, Internet Systems, Bell Canada
Spiezle: As part of our efforts to help customers in this area, Microsoft is issuing a new white paper this week in conjunction with the U.S. Chamber of Commerce that goes in depth about our own domain defense, what we’ve done and the genesis of that, with a lot of targeted, prescriptive guidance on what companies can do to address these issues. It provides common, no-nonsense steps of what businesses should be doing to protect themselves.
Zaneis: If you look at the title of the white paper we’re presenting with Microsoft at the Email Authentication Summit, it’s prescriptive advice. So any organization looking to protect itself should read that.
And that’s the most important thing we can do, be proactive and continue to invest resources and educate folks about how they can protect themselves. The threats are growing, and the industry needs to continue to be innovative and continue to invest in new technologies, and continue to be vigilant against identity thieves, criminal spammers, the phishing networks, all the vulnerabilities that are out there.
Spiezle: The other message we’re trying to get out there is that e-mail authentication is a foundation for protecting users from a technology standpoint. Sender ID continues to show significant support and promise. A year ago we were at roughly 20 percent adoption, and now we are seeing upward of one third of e-mail worldwide. That represents billions of e-mails, and that’s fantastic. As a result of that, we’re continually able to better detect phishing and spoofing mail as well as help legitimate mail be delivered. And the amount of support that we’ve seen from the industry and business has been phenomenal.
Curtis: Sender ID is simple and a very effective layer in the defense against phishing by providing a baseline of authentication for determining somebody’s reputation, whether or not the IP address connecting to you should be sending mail as the domain that it’s representing. For fraudulent use of domains, it’s quite effective, and companies should definitely be looking at Sender ID.
Overall, customers need to look at their people, process and technology to ensure the integrity of their system is safe and secure.
PressPass: What about the E-mail Authentication Summit? How did that come about?
Spiezle: When we hosted the first summit in July, we didn’t know if we’d get 100 people at the event, but we got 500 and had to shut off registration. And two things occurred. No. 1, it drove a lot of awareness and adoption of authentication technology such as Sender ID, which is a huge part of solving the problem.
But we also found that businesses came back and said they want more information. So, based on demand and requests from the business community, we’ve pulled together this second event. It’s very exciting, this amount of broad, grassroots cooperation, forming a coalition so to speak, with organizations such as the U.S. Chamber of Commerce, the U.S. Council on International Business, the American Association of Advertising Agencies, as well as industry participants. It is really unique. The overall goal of the event of course is to provide and educate these organizations with prescriptive advice and case studies on the business value of e-mail authentication and how Sender ID is providing real results today.