The safety of numbers: Implementing filters on outgoing email

Derek Schauland recently ran into a support situation involving the filtering of outbound email messages. How much emphasis does your organization put on outbound filtering?

I had an interesting email issue recently at the office. A co-worker was trying to send an email with some attached financial information to an auditor in preparation for upcoming meetings. The information in the attachment was returned by our spam filter because it had a string of numbers in it that matched a pattern similar to that of a Social Security Number.

This problem, of course, was hard to explain to the user, who was just trying to do her job. To a user, it seems odd that we would care about patterns of numbers that weren't actually social security numbers. However, the automation and regular expression editor at Postini doesn't know if a number is or isn't a SSN -- it's simply looking for that pattern.

Reasons to watch outgoing information

Until recently it hadn't occurred to me that we might wish to look for things like this. Who would want to email their social security number anywhere? With all of the talk of identity theft going around, it seemed to be a no brainer to me; however, when Postini introduced an easy way to ensure the safety of these things, I was quick to turn it on.

I feel responsible for the Internet well-being of my users, and it's possible that there are some who aren't properly aware of the risks of transmitting their own personal information via email, even for legitimate purposes. But the real threat for many companies, isn't that their employees are clueless about handling sensitive data, but that there are those who might purposefully try to steal and transmit personally identifying information for their own profit.

Insiders might try to steal credit card numbers, account numbers, or even Social Security Numbers. Preventing these items from getting emailed out by simply configuring a filter to catch them is a first step in security. Obviously, this measure would only prevent the dumbest criminals from trying to steal from the company, but it's a start.

When this new feature was added to the filter, it triggered a discussion about what should be done. When my reasons were given for adding these filters, the consensus was that this was a good idea, if for no other reason than to keep an accidental email from being sent out that contains a customer credit card number or other sensitive information.

Bottom line

Filtering inbound email for spam is a given to help keep employees productive, but helping to keep data secure by preventing certain types of information from being sent out is also a good practice. Taking the time to filter outbound mail and flagging potentially damaging contents might just be the thing that keeps an organization out of the courts.

Does your organization filter outbound email for any reason? How do you do it? Have you run into any problems?