Tag Archives: MessageLabs Ltd.

About 1630 days ago Computer Security

New Tactics in the War on Spam

our beautiful site

It’s depressing but true that most of the e-mail directed to your company is e-mail you don’t want. Overall, about 70 percent of the e-mail most businesses receive is spam, but that percentage can vary widely, depending on how well-known your business is, how available its e-mail addresses are, and how often employees submit their e-mail addresses on other websites. For a visible company with widely available e-mail addresses, the percentage can be much higher — 95 percent or even more. “At one company we worked with 99.7 percent of the e-mail received was spam,” notes Peter Firstbrook, research director at Gartner. Spam overall continues to grow, experts say, driven by a simple economic reality: spamming is a pretty good way to make money. “The spam industry, if you can call it that, has evolved over time,” notes Bill Kasje, vice president of development for spam solution Abaca. “There are now development programs for spammers and people and organizations who specialize in different areas of enabling spam. There are people who control botnets and rent time on their botnets to spammers.” A “botnet” is a group of computers that have been taken over by malware, usually without their owners’ knowledge, and can be set to secretly send out spam or perform other tasks. “Spam exists because it continues to provide real economic benefit to spammers,” Kasje says. Spam-fighting tools have grown more sophisticated as well, with two important weapons now available in the never-ending fight against spam — these should be components of whatever ant-spam solution you choose: Reputation Filter: A reputation filter examines the behavior of a website, automatically blocking those that send spam so that not only e-mail, but even mail connections are blocked; Tarpit: A tarpit slows down an incoming message, forcing the sending server to wait and retry after a few minutes. A legitimate e-mail application will do this, but spam generally won’t, since reaching the largest number of addresses in the shortest time is essential to spammers’ success. When it comes to fighting spam, there used to be three viable options, Firstbrook says: using a hosted anti-spam service, using a gateway device to block spam, or installing spam-blocking software. Though software solutions such as SpamAssassin remain quite popular, the need to constantly maintain the software and update information means software may not be the best approach for a small company, according to Firstbrook. Instead, he recommends either a gateway device that filters all incoming e-mail, or a hosted service, which filters your e-mail at its servers, and passes legitimate messages along. Gateway device The advantage of a gateway is that it may give you better control over spam filtering, and may provide some peace of mind if, for security reasons, you’re uncomfortable having your mail on someone else’s servers. On the other hand, you’re responsible for the hardware, and for providing enough bandwidth to handle ever-growing mail volumes. If you’re considering a gateway device, here are some questions to ask: How frequently do you update? Gateway devices generally come with a connection to the maker’s servers, which automatically download new spam definition lists. You should find out how often these new definitions go out. Spammers often use the window between when a vulnerability is discovered and when that hole is closed to launch as much spam as they can. Real or virtual gateway? These days, virtualization means never having to buy specific hardware, so it might make sense to consider using virtualization to create a virtual email gateway instead. What if I increase bandwidth? Limited bandwidth can act as a tarpit, discouraging spam because access to your system is too slow. Therefore, it’s best to make sure spam is under control before increasing that bandwidth. “I’ve talked to companies that scaled up their bandwidth to help handle spam volume — and their spam percentage immediately went up,” Firstbrook says. Hosted anti-spam service The argument for a hosted anti-spam service is that these services can respond to new spam threats instantly, with no delay while new information downloads to your gateway. They take most of the hassle out of fighting spam because you no longer have to worry about maintaining hardware or increasing bandwidth to handle e-mail. On the negative side, their system may not integrate quite as seamlessly with your e-mail application as a hardware solution would. If you’re interested in using hosted anti-spam, here are some questions to ask the provider: What are your guarantees? Does the provider offer a service level agreement (SLA) or other form of guarantee? If you can get one, an SLA provides added assurance that the service will work, and keep working. Is it customizable? Some services allow you to separately set filtering levels for messages that contain sexual words compared with, say, messages bearing business propositions from Nigeria. Given the particulars of your business, this might be handy: a medical practice, for instance, might not want to aggressively filter out messages mentioning body parts. What if I need other services later? Many anti-spam services have ancillary products such as archiving of (non-spam) e-mails, backup e-mail systems in case you are unable to use your usual e-mail software and other services. Even if you don’t need any of these right now, it’s a good idea to plan for the possibility that you might need them in the future, and negotiate option prices for the possible purchase of ancillary products at the same time as you make your original deal. “If you wait two years after you sign your contract, they’ll be less motivated to offer you a good deal,” Firstbrook says. SIDEBAR: Popular Spam-Fighting Products Here are some popular gateway appliances that fight spam: IronPort, now part of Cisco, provides gateway appliances for large corporations, but its lower-end boxes are both effective and affordable for small businesses. Secure Computing, recently acquired by McAfee, uses multi-layered techniques for added safety. Abaca’s gateway security comes with a 99 percent accuracy guarantee. There are also some hostedanti-spam services: Postini, now owned by Google, offers low-cost and flexible spam solutions for even the smallest of companies, with the ability to scale as your company grows. MessageLabs, recently acquired by Symantec, can both block spam and enforce company policy. The site keeps a monthly tally of spam percentage overall (69.7 percent in October). Microsoft Exchange Hosted Filtering (formerly FrontBridge) blocks both inbound and outbound spam, as well as disaster recovery.

About 1660 days ago Spyware and Malware

A Network Tune Up for Tough Times

our beautiful site

The U.S. economy may be tanking, but Lilli Wiggins is as busy as she’s ever been. Wiggins, the vice president and customer care manager of Gainsville, Fla.-based Computer Network Experts, is taking in more business than ever. Small and mid-sized businesses are flocking to the nine-employee IT solutions company to find ways to make their existing network equipment and systems last longer. “Usually, when equipment gets to a certain age… about four years out, you’re on the edge, and thinking you’ll buy something new. Most people right now, though, are fixing rather than buying new. They’re not throwing anything out,” notes Wiggins, whose best customers are companies with fewer than 50 employees. October’s grim news of the housing market’s collapse sent stocks tumbling around the globe, creating recession woes and a credit crunch that’s making banks leery of lending to any but their best customers. Faced with the prospects of less available capital and fewer sales, businesses big and small are holding off on many major outlays, experts say. In a mid-October report, Cambridge, Mass.-based Forrester Research forecast that computer and communications vendors will “bear the brunt of IT cost-cutting” as companies tighten their belts. How to make your networks last But just how can businesses make their networks last longer? The experts offer these five suggestions: Be proactive.  Smart companies are taking a look at their networks now to make any fixes so that crucial systems don’t fail, says Wiggins. Clean out the hard drive and take care of any basic maintenance. “In this economy, people can’t afford to have a crash,” says Wiggins. Keep malware and spyware up to date.  Yes, it’s basic, but so important, and many companies forget to keep things updated, says Wiggins. For companies lacking the staff or know-how, hosted spyware solutions are offered by MessageLabs, Cisco’s Linksys, and others. Keep close tabs on Internet use.  Hammer down those inter-office and remote-worker policies about Internet use, and make sure employees aren’t downloading freebies onto the network. “There’s a fine line between open-source and free, and people are still downloading things that carry viruses and malware. It’s a quandary for many businesses,” says Wiggins. Schedule a check-up.  Consider bringing in a consultant to independently review your networks and make sure there isn’t something you’ve overlooked in terms of maintenance. Consider upgrades.  Adding memory, adding CPUs, or switches may be a good option for some companies wanting to use what they’ve got for a while longer, notes Jennifer VanDerHorst-Larson, CEO of Minnetonka, Minn.-based Vibrant Technologies, a business-to-business IT reseller that offers technical support. Consider buying them from a reputable reseller: by buying used, companies can save 50-80 percent on quality parts, says Larson. CNE’s Wiggins notes that most of these suggestions “are just common sense.” But in this tough economy, common sense is something few can afford to be without.

About 1660 days ago Wireless Networks

A Network Tune Up for Tough Times

our beautiful site

The U.S. economy may be tanking, but Lilli Wiggins is as busy as she’s ever been. Wiggins, the vice president and customer care manager of Gainsville, Fla.-based Computer Network Experts, is taking in more business than ever. Small and mid-sized businesses are flocking to the nine-employee IT solutions company to find ways to make their existing network equipment and systems last longer. “Usually, when equipment gets to a certain age… about four years out, you’re on the edge, and thinking you’ll buy something new. Most people right now, though, are fixing rather than buying new. They’re not throwing anything out,” notes Wiggins, whose best customers are companies with fewer than 50 employees. October’s grim news of the housing market’s collapse sent stocks tumbling around the globe, creating recession woes and a credit crunch that’s making banks leery of lending to any but their best customers. Faced with the prospects of less available capital and fewer sales, businesses big and small are holding off on many major outlays, experts say. In a mid-October report, Cambridge, Mass.-based Forrester Research forecast that computer and communications vendors will “bear the brunt of IT cost-cutting” as companies tighten their belts. How to make your networks last But just how can businesses make their networks last longer? The experts offer these five suggestions: Be proactive.  Smart companies are taking a look at their networks now to make any fixes so that crucial systems don’t fail, says Wiggins. Clean out the hard drive and take care of any basic maintenance. “In this economy, people can’t afford to have a crash,” says Wiggins. Keep malware and spyware up to date.  Yes, it’s basic, but so important, and many companies forget to keep things updated, says Wiggins. For companies lacking the staff or know-how, hosted spyware solutions are offered by MessageLabs, Cisco’s Linksys, and others. Keep close tabs on Internet use.  Hammer down those inter-office and remote-worker policies about Internet use, and make sure employees aren’t downloading freebies onto the network. “There’s a fine line between open-source and free, and people are still downloading things that carry viruses and malware. It’s a quandary for many businesses,” says Wiggins. Schedule a check-up.  Consider bringing in a consultant to independently review your networks and make sure there isn’t something you’ve overlooked in terms of maintenance. Consider upgrades.  Adding memory, adding CPUs, or switches may be a good option for some companies wanting to use what they’ve got for a while longer, notes Jennifer VanDerHorst-Larson, CEO of Minnetonka, Minn.-based Vibrant Technologies, a business-to-business IT reseller that offers technical support. Consider buying them from a reputable reseller: by buying used, companies can save 50-80 percent on quality parts, says Larson. CNE’s Wiggins notes that most of these suggestions “are just common sense.” But in this tough economy, common sense is something few can afford to be without.

About 1691 days ago E-Commerce

Stem the Flood with E-mail Archiving

our beautiful site

At the average business, the day starts like this: Boot up the computer. Open e-mail. Push the “Send/Receive” button and wait for the flood of messages to pour in. And a flood it is. According to the Radicati Group, a Palo Alto, Calif., technology market researcher, the volume of global e-mail has grown to 210 billion a day and is expected to hit 297 billion by 2010. Radicati predicts that by next year, workers will spend 41 percent of their day handling e-mail. That’s a lot of messages. Once they’re opened and read, what’s a small business supposed to do with them all? In more and more cases, the answer is to keep them. E-mail has become so intrinsic to the way work is done at companies of all sizes, it’s where most business records are stored, says Nancy Flynn, executive director of the ePolicy Institute, a Columbus, Ohio, an electronic communications consultant and author of a book on e-mail policies due out in December. Federal regulations like Sarbanes-Oxley and recent rule changes that make e-mail subject to discovery in the course of a federal lawsuit are also driving companies to archive e-mail, Flynn says. “People incorrectly assume e-mail is only produced as bad evidence,” in a trial, she says. “But it could be evidence you need to save the day.” However, not all messages are created equal. Companies need to come up with policies about what to save, Flynn and other e-mail experts say. Once they’ve sorted that out, they can decide how and where to set up e-mail archives, either on site or through an e-mail archiving service. Creating an e-mail policy According to e-mail experts, a comprehensive e-mail retention policy should include: Which e-mail messages to keep How long they should be stored How they should be purged once they’ve reached their life expectancy How employees should be notified and educated about the policy What types of disciplinary action the company will take if employees break e-mail rules Breaking e-mail rules is no joke. According to a 2007 survey conducted by the ePolicy Institute and the American Management Association, 28 percent of bosses had fired employees for e-mail violations. “We’re seeing more employers put real teeth in these policies,” Flynn says. When it comes to managing e-mail, small businesses have more at stake because they don’t have the deep pockets that a large corporation has to hire a defense team and do records searches should they be sued. “It’s much more cost and time effective for a small business to do the work upfront,” she says. Whether it’s an on-site appliance or hosted service, a small business should make sure the e-mail archive solution they choose: Captures inbound and outbound, internal and external messages and attachments Indexes messages so they can be searched and retrieved with minimum time and trouble Insures the authenticity and completeness of e-mail records in such a way that it complies with regulators and courts Preserves messages in a way that’s secure and tamperproof When deciding whether to bring e-mail archiving in house or go with an outside vendor, companies need to think about how many employees they need to cover, average e-mail volumes, if their company is growing and how much work they want to take on themselves, says Sean Hegarty, messaging senior product manager at Iron Mountain, the information storage company. Once a company’s determined the scope of the needs, they can decide whether they want to take on the task themselves or farm it out to a Web-based -email archiving service, Hegarty says. The former can be capital intensive, while the latter “is more of a gradual predictable cost,” he says. “Five years ago the market was primarily on-site solutions. Now it seems that a lot of adoption is of the outsourcing model.” By all means, don’t let employees save their own messages on an ad hoc basis on their PCs or printed out and stored in file cabinets, ePolicy Institute’s Flynn says. If that happens and the company gets sued, the first thing a computer forensic team does is “look in employees’ inboxes and hard drives for those underground archives,” she says. Sidebar: E-mail Archive Vendors Here’s a list of some e-mail archiving product vendors: ArcMail — Appliance-based e-mail archiving solution. Autonomy — Web-based e-mail archiving and e-discovery, e-mail archive services that are specific to lawsuits. EMC EmailXtender Family — An array of e-mail archiving products, including specialized programs for Microsoft Exchange and IBM Lotus Notes/Domino. Iron Mountain Total Email Management Suite — The long-time storage business offers a Web-based e-mail archive service for Exchange and Lotus Domino servers and acts as an online backup service; includes extras such as virus scanning and phishing protection. Iron Mountain offers a separate e-mail storage service for SEC-regulated businesses. MessageLabs — Provides hosted mailbox management, e-discovery, e-mail compliance and supervision archiving along with encryption, anti-spam, anti-virus and other e-mail services. Dell Message One — Complete Web-based e-mail management service, including archiving. Quest Software Archive Manager — A Microsoft-centric e-mail archiving appliance. Symantec — Offers various e-mail archiving solutions, including Microsoft Exchange archive and recovery service for small and mid-sized businesses and Enterprise Vault automatic mailbox management.

About 1783 days ago Data Security

Can Outsourcing Better Protect Customer Data?

our beautiful site

“Is it inherently insecure to let someone else handle your own security?” mused an October 2007 report by Forrester Research. Not if a reputable firm can do the job better and for fewer greenbacks than you can, experts say. In today’s marketplace, your company must meet a dizzying number of compliance regulations, with acronyms to match, if you store your customers’ personal or financial information.  Everything from the Payment Card Industry Data Security Standard (PCI DSS) to the Gramm-Leach-Bliley Act (GLBA) to Health Insurance Portability and Accountability Act (HIPAA) requirements. High-profile cases of laptops containing such data being stolen have added to the angst. Meanwhile, many smaller businesses just don’t have the manpower to handle these added security concerns. “You might have someone on-site who can put in a firewall or a VPN [virtual private network] gateway, and then forgets about it,” warns Guy Fardone, chief operating officer and general manager with Wayne, Pa.-based Evolve IP, a managed security and compliance services firm. “So no one is looking at it, and no one is updating it…they never inspect it.” As a result, there is no threat detection and the system is at risk, he says. Does this sound familiar? Providers come in several flavors If it does, hiring a managed security services provider (MSSP) may be the solution. They can step in and install and manage firewalls, VPNs, vulnerability management, Web filtering and anti-spam, security intelligence services, and wireless and mobile functions.  According to the Forrester report, there are several types of these providers, including: Managed services specialists, such as Evolve IP, SecureWorks, and Solutionary; Security product or service vendors, including VeriSign, McAfee, MessageLabs, and Google’s Postini, which offer either security services or products; Telcos and managed services providers, such as Verizon Business, AT&T, and Sprint now offer some of these services. Which type of MSSP should you choose? That, experts say, depends on how extensive your needs are. For example, do you need consulting, hardware, and services, or only some of these? Telcos do not provide compliance consulting, “but if requirement number one for PCI [compliance] is that you need a firewall, you can get one through a telco,” notes Doug Barbin, director of product management with Mountain View, Calif.-based VeriSign. VeriSign, which offers a full range of MSS products and services to enterprise customers, currently services the small business market only through telco partners such as AT&T, Barbin says. Other service vendors may cover specific security needs (for example, MessageLabs offers email protection and archiving services) but not a full range of service. A so-called pure-play MSSP, such as SecureWorks or Evolve IP, can provide a wide range security and compliance systems and consulting, notes Evolve IP’s Fardone. The cost can start at $100/month for a managed firewall and run over $1,000/month for a threat detection service, but is still “cheaper than hiring someone,” he says. Choose wisely and get everything in writing The next big question: whom to choose? “Like choosing a doctor, the customer’s lack of specified knowledge in the field makes trust an essential issue,” the Forrester report notes. Many companies tend to rely on word of mouth. Whomever you choose, make sure the service-level agreement (SLA) you draw up with the company is crystal clear and is done with legal help. This IncTechnology article on avoiding security pitfalls with subcontractors can help. Experts recommend that the SLA includes enforcement rights, consequences, and a policy about how sensitive data will be destroyed after use. After all, a good security agreement with the correct firm can save you time, money — and your bottom line.

About 1934 days ago Computer Security

Fight Spam in Six Steps

our beautiful site

No, they haven’t found a cure for spam yet. But until then, it’s still a fight worth fighting. According to a March 2007 survey by Wellesley, Mass.-based Nucleus Research, two out of every three e-mail messages received on the job are unwanted or unsolicited. All that spam costs U.S. businesses $70 billion — or $712 per employee per year in productivity alone, the same study estimated. And that’s not counting the losses due to viruses, worms and Trojans it spreads, or the identity or trade secret theft it can cause. What can a small or mid-sized business do, especially if your IT department is on the smaller side, too? Here are some tips from the experts: Consider a Hosted Service: If you don’t have the staff or the time to fight spam properly, perhaps a hosted service such as Google-owned Postini or MessageLabs is for you, suggests Joe Stewart, senior security researcher with SecureWorks, an information security firm based in Atlanta. Hosted services offer spam blocking, extensive anti-virus coverage, and disaster recovery services for about $100/month for under 100 users. Install a Good Spam Filter: SecureWorks’ Stewart recommends some open-source filters, such as Apache’s SpamAssassin. High Mountain Software’s SpamEaterPro and CA Anti-Spam are among the many vendor-provided options that work well with a number of different email servers. Safeguard Those Addresses: Make sure the workers in your office are not using their work email address to conduct personal business, or for online shopping. Ditto for FaceBook, MySpace, or other social-network sites…spammers often look to these for new addresses. Also, discourage workers from signing up for newsletters with their work email address. Block Sender: Make sure all workers using Outlook and Lotus Notes know to right-click and “block sender” on a piece of spam so that the sender cannot send anything else to that address, notes Mike Song, an email efficiency expert, corporate trainer, and CEO of Guilford, Conn.-based CohesiveKnowledge Solutions Inc. Take Out Website Links: “Be careful how you list worker directories on your corporate website,” warns SecureWorks’ Stewart. If you must list workers’ email addresses, publish them inside Javascript, not as an email link, he suggests. Set a Spam Trap: Consider creating a fake employee profile, complete with bogus title and address, on the website. Monitor what e-mail comes to this “employee,” since it is likely to be spam, suggests Stewart. Use it as a test of how well your anti-spam techniques are working. By trying these steps, your business can have the upper hand in the war against spam. But diligence remains key: “Remember that the spammers actively test the anti-spam software,” notes Stewart. “You can’t just install the software and have the problem go away.” SIDEBAR: Where to Go for Spam-Fighting Help Postini is a hosted solution that screens email for malware and spam and offers back-up and archiving services. It serves about 10 million end users. MessageLabs is a hosted solution that screens email and instant messages for malware, spam and spim. It offers back-up and archiving services. SpamAssassin is an open-source-based spam filter written in Perl. It can be downloaded free from the above website. High Mountain Software’s SpamEaterPro is a widely used spam-fighting software program. The company also offers a hosted spam-fighting product, spameater.net. CA Anti-Spam is another popular anti-spam software product that includes anti-virus, anti-phishing, and other features.

About 2210 days ago Computer Security

Email Recovery Services: For Disasters Large and Small

Businesses these days are completely and utterly dependent on their email systems for communicating not only in-house but with customers and suppliers, as well. In this environment, molasses-paced email, or servers down for hours or more, can hurt the bottom line. Full-blown disasters, such as extended power outages, fires, floods, or other natural disasters, can cripple a small or mid-size business. But disasters both large and small are all possibilities companies have to prepare for — and make sure their email systems can weather the storm. “Email is mission-critical,” Stephanie Balaouras, senior analyst at Forrester Research, says simply. Small- and medium-sized businesses seem to understand the risks. A December 2006 Forrester survey of 2,434 small and mid-sized businesses found upgrading disaster recovery plans to be their second-highest priority. Hosted email solutions With limits on staff and resources, many small and mid-sized businesses are turning to hosted email server solutions to solve their email woes. Providers of these products, which include Sprint, AT&T, XO Communications’ Concentric, MessageLabs, and Postini, check incoming email for spam, viruses and other cyberattackers before allowing it to pass through to the company’s on-premise email server. By using multiple virus scanners, constant monitoring, and customized scanning techniques, providers like MessageLabs can offer much more protection than standard anti-viral software, notes Joe Stewart, senior security expert with SecureWorks, an Atlanta-based information security firm. These services can also ensure that, if a company’s server is down for any reason, its incoming email is queued off-site and held until the server is back up. This ensures no loss of email, but also prevents embarrassing email “bounce-backs” to the sender. Some providers can also offer companies the ability to switch over to webmail in instances where their email is down for days or more, so that employees can access it from other locations in case of an emergency. Nate Gilmore, Concentric’s director of hosting product marketing and sales, says that it’s important for companies to think of email security and email disaster recovery in the same breath. “The first stage of email disaster recovery is prevention,” he says. “Addressing security concerns helps keep your server up and running.” Pricing of these services is relatively affordable. Concentric, for instance, charges $15/month for 80 users of its Perimeter Email Protection service, while AT&T charges $2.75 per user per month for its Secure E-mail Gateway service. Don’t forget that saved email   Companies considering use of a hosted server should be clear on what they do not offer.  Most hosted email server solutions do not include email storage as part of their small- to medium-sized business offerings. Smaller companies may need to look for separate plans offered by telecommunications companies, or specialists such as Iron Mountain, for backup or archival services so they can access back email as well as critical data on the company local area network. Unfortunately, email is perhaps as unreliable now as it’s ever been. But with proper planning, companies can make sure that their email systems can survive through potential disasters — be those natural, such as stormy weather, or man-made, such as a hacker attack.

About 2787 days ago Computer Security

How to Avoid Scammers, Spammer and the Rest of the Bad E-guys

The first e-mail message was sent sometime in the early 1970s by Ray Tomlinson, an English computer engineer working for the Defense Department’s Advanced Research Projects Agency. Nobody remembers what it said: possibly “testing” or “QWERTY.” Tomlinson wasn’t thinking about history; he was just trying to create a quick, informal way for a closed universe of research scientists to communicate with one another. Ease of use was the point, not security. Defense scientists 30 years ago, after all, did not have to worry about armies of malicious nerds with laptops and cable modems. The openness of e-mail, though, the thing that makes it so revolutionary, is also what makes it so vulnerable to viruses, worms, ID theft, denial-of-service attacks, and a host of other threats. Scammers are constantly cooking up new ways to use your e-mail system against you. Phishing attacks, for instance. Your employees or customers get an official-looking e-mail saying there is a problem with, say, their credit card account. Would they please click on the link below, then type in their account or Social Security number? MessageLabs, a security firm that tracks phishing attacks, says the number of phishing e-mails grew to 4.5 million in November 2004 from 337,050 that January. Then there’s spam. The Radicati Group estimates that 45% of all e-mail is spam; other experts think it may be as much as 80%. According to Ferris Research, an e-mail and communications consulting firm, the worldwide cost in lost productivity and resources devoted to fighting spam will be $50 billion in 2005, more than a third of that coming from U.S. companies. It’s not all bad news, though. Anti-spam laws have started to show some teeth. In April, Jeremy Jaynes, who was reportedly sending out 10 million junk e-mails a day, was convicted of felony charges in Virginia and sentenced to nine years in prison. Couldn’t have happened to a nicer guy. As you may have noticed, though, spam, viruses, and the rest haven’t gone away. You still have to protect yourself. Which defense is best for you is a function of how big your business is and how much control you want over your security. Many fixes can help not only with keeping your system safe but also with archiving messages and making sure your system complies with your policies and the law. One solution may not be enough. “You cannot expect to buy a single layer of security protection and sleep at night,” says Sara Radicati, of the Radicati Group. Your choices fall into three main categories. Managed Services Letting somebody else do it is an attractive option if you have a modest (or nonexistent) IT staff. The tradeoff is loss of control: You’re trusting an outsider with a key part of your business. Managed providers offer a range of security services that include spam filtering, virus protection, encryption, mail monitoring for compliance with regulations or company policy, and even archiving. Fees are typically per user, per month or year, and the price generally drops the more licenses you buy. Most vendors offer 30-day free trials. Postini’s Perimeter Manager Small Business Edition (starts at $25 per user per year) includes protection from spam, phishing, and viruses. It also provides defense against directory harvest attacks, in which cyber miscreants try to get your employees’ e-mail addresses by bombarding your server with messages sent to every possible address–jfried@inc.com, johnfried@inc.com, etc.–and seeing which ones bounce back. Perimeter Manager handles only inbound e-mail, however. If you need to keep tabs on internal or outbound mail, too, you can upgrade to Postini’s enterprise edition (starts at $33 per user). SingleFin’s Global Gateway Service includes e-mail, Web, and instant messaging content filtering, as well as archiving ($12 a month, or free for businesses with fewer than 10 users). A light version of the suite, which simply marks spam and forwards it along to you and also filters viruses out, is free for any number of users. MessageLabs offers anti-virus, anti-spam, content, and policy control services. Pricing is based on company size. A business with 250 to 499 employees, for instance, pays a monthly $3.83 per feature per user. Other big players worth checking out in managed services are Frontbridge, Symantec, and McAfee. Appliances Not refrigerators or microwave ovens. These are security hardware systems–literally boxes that contain e-mail watchdog and filtering systems. They are the fastest-growing segment of the security industry, according to the Radicati Group. They are generally easy to install and customize and they leave your own tech people in charge. Appliances are, however, not cheap. IronPort’s C-series comes in four sizes, depending on the number of people in your business. The midline C10 (around $9,000) is designed for companies with up to 1,000 employees and features anti-spam and virus protection, as well as content filtering for policy enforcement and monitoring. CipherTrust’s IronMail appliance (starts at $5,995 for the S-10 model, which is designed for companies with 100 or fewer users) has strong compliance tools. Other companies that make security hardware include Borderware, Barracuda Networks, Mirapoint, and Alladin. Software Security software is plentiful and comparatively cheap. Most security experts, though, say this stuff is most effective when used in combination with an appliance or a managed service. They also warn that given the constant evolution of viruses and other threats you (or your IT staff) may be constantly managing patches and updates. WebRoot’s Spy Sweeper Enterprise ($300 for a one-year subscription with 10 licenses) and PepiMK Software’s SpyBot Search & Destroy (free) will keep your business computers clean of spyware programs, which can steal your data or even turn your computers into spam-generating “zombies.” Symantec’s Norton AntiSpam 2005 ($320 for a 10-user pack) will clean your computer of junk mail; Computer Associates’ Server Protection Suite ($1,055 for five users) offers a range of security tools, including anti-virus, anti-spam, and spyware protection; Clearswift’s MIMEsweeper ($2,628 for 100 licenses) series has a variety of monitoring software solutions; Sophos’ PureMessage Small Business Edition ($2,850 for 100 users) offers protection from viruses and spam; TrendMicro’s NeatSuite for Small and Medium Businesses ($59.34 per user for 25 to 100 users) has anti-virus, anti-spam, and content security.