Cyber security needs to start with the humble email.
For enterprises, the capacity for data breaches has multiplied exponentially and is now a key constituent of the business risk register. Everything from cybercriminals targeting central servers for the critical data they hold, to disgruntled employees leaking company is now a data loss threat.
However, the most common cause of data breaches is far more mundane. The standard, seemingly innocuous, email is a wolf in sheep’s clothing when it comes to data protection and is the chief concern for every organisation’s cyber defence efforts.
63% of employees share sensitive data over email frequently, making it a significant risk factor for businesses; even something as simple as accidentally sharing a company document with a customer could result in a headline data breach.
The problem lies with unstructured data, where sensitive information, such as credit card details, finds its way into email and documents. It could come from a customer who sends in their details, or a report run from a database.
It could be obvious in an email or maybe a word document or a hidden column in a spreadsheet. Information flows like water in an organisation and because it does, sometimes the details are overlooked.
This over familiarity and the fact it is regularly communicated both inside and outside the organisations leads to the risk of a data loss incident and with it a potential compliance failure with regulations such as PCI DSS (Payment Card Industry Data Security Standard).
The PCI Compliance Issue
Introduced in 2004, PCI DSS is an information security standard, for organisations that handle credit cards. Designed to protect consumer payment card details and reduce credit card fraud, it is the singular, most far-reaching financial security regulation today and is being introduced to more and more industries around the world.
Compliance with PCI DSS involves an organisation being able to protect card holder details, build and maintain a secure network and implement strong access control measures. Therefore, non-compliance can be as simple as receiving a customer credit card number in error on an uncertified network or replying to a customer email with payment information still included.
These small slip-ups have the ability to cause monumental risk to businesses, incurring fines of up to $100,000 and more significantly, the potential to have credit card processing revoked, which for many retail businesses would stop them in their tracks (until they become compliant).
In a world where email is the primary form of contact for many businesses, with 132 billion emails estimated to be sent every day, the likelihood of mistakes becomes significant. Recent Clearswift research shows that as many as 45% of employees have mistakenly shared emails containing key data with unintended recipients.
However, organisations cannot ban emails as this will create a ban on productivity, instead they need to find solutions which act as a safety net to catch the errors that could cause a breach.
Historically, when an employee unintentionally shares sensitive data via email, it’s been the job of IT and compliance teams to monitor, detect, block and then manually delete the email and with it the critical information it contained.
Traditional Data Loss Prevention (DLP) solutions, take an automated monitoring and blocking approach, leaving the review and deletion of potentially harmful emails to the IT team or those responsible for compliance.
However, this approach is both time consuming and blocks ongoing collaboration which has the potential to grind any business that uses email as a primary form of communication to a halt.
Today’s data protection technologies serve as a first and last line of defence in an organisation’s cyber strategy. In some cases, an adaptive encryption policy is sufficient. This is one where the solution determines the type of encryption required based on the content, the sender and the recipient.
Advanced solutions can automatically use TLS, ad-hoc, PGP, SMIME as well as portal-based encryption. After encryption, it is DLP which will keep your information safe by catching the mistakes.
The next generation of adaptive data loss prevention solutions scan every email entering and leaving an organisation and removes any sensitive data which breaks policy, i.e. it is unauthorised to be read by the recipient.
This approach, rather than the traditional ‘stop and block’ approach ensures that the email will be delivered, even if some data has been removed. Continuous collaboration, with assured information security keeps the business running as well as removing the frustration that traditional solutions create.
It's not just about email. Today we share information through the web as well. An adaptive DLP solution can be applied to web based traffic to ensure that critical information, including PCI, are not uploaded or downloaded to websites or cloud collaboration sites.
Furthermore, historical information held in files on laptops and file servers should also be considered. This information can be scanned for sensitive data and automatically mitigated by moving it to a secure area.
It is important that all employees are trained and made aware of the ways in which their everyday activity could put an organisation at risk, but implementing an adaptive solution which ensures mistakes are caught reduces the potential for human error.
No matter how skilled employees are in security measures, there will always be mistakes, but it is ensuring these mistakes do not put an organisation in unnecessary risk that will be vital to the organisation’s compliance as well as cyber defence efforts.
Dr Guy Bunker is senior vice president of products at Clearswift.
GDPR & PCI: Addressing Email Is The First Step Towards Compliance