The Corporate Identity Crisis
by Andrew Krcik - VP of Marketing and Product Development at PGP Corporation - Thursday, 15 January 2004.
For internal messaging, companies typically have authority over employees, though rarely over external business partners, and can try to enforce the use of secure messaging. The cost of training end users in secure-messaging techniques and supporting them, often means that such solutions are not fully deployed but reserved for only so-called critical users. Even where security solutions are in place, many users forget or do not bother to use the solution when time constraints or business needs conflict with security policy.

Businesses using secure messaging to protect customer communications often discover that all these problems and their related costs grow exponentially. The corpus of keys changes faster and is far more complex to administer. Unlike employees, customers may have fewer concerns about asking a firm’s IT staff to retrieve or reset a forgotten password, placing a greater burden on support staff. Training large groups of customers to use traditional secure messaging—to recognise digital signatures, decrypt messages, and sign and encrypt their own responses—is also impractical.

What is needed is a secure-messaging solution that requires no action by the end-user. Such a solution would shift the burden of encryption, decryption, and signing and verifying messages—as well as finding and remembering the necessary keys—to an automated system that works invisibly at the network level. For automated secure messaging to be truly effective and used widely, however, it must be based on open standards and must offer some way to set up and maintain secure connections with recipients who do not have secure messaging in place and/or cannot be trained to use a secure-messaging solution.

Solutions must not only be invisible to senders, once recipients have authenticated themselves, the solution must also automate verification and decryption as well as securing and signing any response. To answer this need, systems have now been developed that operate transparently on the network layer and use small-footprint proxies on the recipient end. These systems can provide automated, two-way message security and authentication with no need for user training at either end.

With such systems in place, email and online communications can be transformed from a prime target for cyber criminals into a safe means of communicating with customers and partners while significantly reducing the potential of identity theft.

(1) The U.S. Federal Trade Commission defines “phishing” as follows: “Phishing, also called ‘carding,’ is a high-tech scam that uses spam to deceive consumers into disclosing their credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive information.”

PGP Corporation is exhibiting on Stand 680 at Infosecurity Europe 2004 which is Europe's number one IT Security Exhibition. Now in its 9th year, the show features Europe's most comprehensive FREE education programme, and over 200 exhibitors at the Grand Hall at Olympia from 27th to the 29th April 2004.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Mon, Feb 8th