News Stay informed about the latest enterprise technology news and product updates.

Email security buying decisions

Email security can be a daunting task for SMBs -- how do you go about finding the right product? This tip delves into three approaches to email security and the products available.

There are many ways to protect email, and to send and receive it securely. But for a cash-strapped small and medium-sized business (SMB) with little or no dedicated information security staff, there are three approaches:

  • Software.
  • Hardware or appliance.
  • Outsourcing to a managed security service provider (MSSP). These approaches can be handled with your existing staff, require no new specialized skills or training and are easy to implement. They also don't require someone on staff 24/7, usually a luxury for thin IT departments at SMBs; they can be set up to page someone on call instead of a night crew.

Whichever approach you choose, make sure it protects both inbound and outbound email. You don't want to spend scarce dollars on two solutions for each issue. The inbound risks include junk email, or spam, and email with malware attached. Sometimes the two are intertwined. Besides clogging up network bandwidth and hogging space on email servers, some spam comes with malware. Outbound email has the same two risks. An email server compromised by a malicious attacker can be turned into a relay, spewing out spam and malware-laden email from your network.


On the software side, there are a number of offerings. E-mail Filter from SurfControl PLC can be installed on either Windows 2000 or 2003 Server. Its Message Administrator allows a system administrator to analyze email logs and scout for spam, malware and message content. It can be tuned to block or allow any type of email the administrator sees fit.

GFI MailEssentials for Exchange/SMTP is a similar product that can be installed on mail servers or gateways. The product, from Cary, N.C.-based GFI Software, uses signatures and Bayesian keywords to pick out malicious email and spam. It also can add disclaimers and banners to outbound emails, a plus for businesses in some regulated industries.

Other products include PureMessage from Sophos PLC and Brightmail from Symantec Corp., both leading antivirus vendors. Last month, Trend Micro Inc. debuted Client Server Messaging Security, its own email security product just for SMBs. An advantage of these products is they integrate well with their parent company's antiviral offerings. In addition, PureMessage comes in versions for Windows, Unix and Lotus Domino. Some other software geared to SMBs are Mail Attender from Sherpa Software in Bridgeville, Pa., and Dash from AppMail LLC in San Mateo, Calif.

A drawback of software applications is they require installation on your own hardware and then regular maintenance. This can be time-consuming, especially configuring a server, installing and setting up software, and then testing it to make sure it's compatible with both your email system and network. On the surface, the software route may appear cheaper than a hardware approach. But after considering the investment required in hardware, installation and maintenance, it may end up costing the same.


For hardware, there is a wider variety of choices. All are self-contained appliances or servers that can be installed on your network in tandem with either your email server or gateway. Some are offered by the same companies that provide software, such as SurfControl, Sophos and Symantec.

RiskFilter from SurfControl has a Web-based interface for both management and reporting of email activity, similar to its software counterpart. The product bills itself as quick and easy to install and set up.

The Symantec Mail Security 8200 Series includes easy-to-use appliances that allow centralized management, as well as content filtering and monitoring for malware in both inbound and outbound messages. The products come packaged with Symantec's own Brightmail technology for filtering spam and its own antivirus software. The products are also designed specifically for smaller companies that need something easy to install that requires little maintenance.

IronPort Systems Inc., an appliance vendor acquired in January by Cisco Systems Inc., uses technology from Sophos for the antiviral piece and its own context adaptive scanning engine to block spam. The C10 Email Security Appliance is a smaller version of its product line designed to meet the needs of SMBs.

Other hardware appliances for securing SMB email include MailFoundry's 1150 Email Filtering Appliance and Tumbleweed MailGate Appliance. Prices are negotiated directly with the vendor but expect to pay at least $2,000 for any of these products.

When considering hardware, the same rules apply as for the purchase of any network equipment. Is it compatible with your network? How easy is it to set up, and how much maintenance is required after that? Will it take down your network if it fails, or can it pass through traffic in the event of an outage?

Outsourcing to an MSSP

The third option, using an MSSP, has the fewest SMB-friendly options. MessageLabs Ltd. is an MSSP for corporate messaging. It offers services for protecting the security of both email and IM, but without the installation of hardware or software. MessageLabs is one of the very few players in the MSSP space specializing in email protection. Even fewer still cater to the SMB market. This may be an attractive option for an SMB, since there's no overhead. MessageLabs also offers traditional email protection products.

The answer to your email security needs -- software, hardware appliance or MSSP -- depends on your organization's size, budget, staffing and security needs. But for quick installation, fewer maintenance headaches and a wide range of choices, hardware appliances should be strongly considered by any SMB shopping for an email security tool.

Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He is a Microsoft MVP in security, specializing in Web and application security, and is the author of The Little Black Book of Computer Security, available on He is also the author of the IT Security Guy blog at, and he hosts a regular radio show in Chicago on computer security.

Dig Deeper on Small-business infrastructure and operations

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.