It is becoming increasingly difficult to monitor emails coming in and out of an organisation that may potentially pose a threat but the ramifications of an email data leak can be dire. These include fines, reputational damage and there is the possibility that legal action can be taken against the organisation, which makes it understandable that risk and compliance officers would want to take steps to protect against these repercussions.
When we discuss issues of email security, we are touching on issues of preserving email integrity, observing confidentiality and ensuring that availability is constant. In practical terms, people use email to send confidential documents, to process information within a business (such as procurement and finance) and these are all tasks that have a massive impact on productivity if they cannot be performed.
Aside from the productivity aspect, there are now also compliance issues, brought to light by the Protection of Personal Information Act which has us questioning how we should protect our communications, not just for the business, but because of our clients and staff. Although this brings a different twist to the discussion, the objective is still the same and the system must be as secure as possible without compromising productivity.
In order to secure messaging, it's necessary to develop a strategy that focuses on both legislative and security compliance. This requires an organisation to classify and map out the process of email data flow through the business in order to decide how this data can be protected and controlled. So how can the business messaging processes be secured? What steps can be taken to prevent data leaks via email? There are a number of technologies available to do this. Whether the organisation's email is on-premise or hosted in the cloud, it can be filtered through a single point of entry or gateway protective system.
These kinds of systems have the capability to filter email; this is where data leakage policies get applied. This starts with identifying business systems worth protecting, and because not all email content is sensitive, an organisation can opt to categorise people based on criticality to business which can then be managed through creating user groups.
Then, on a policy level, the company needs to identify parameters to look out for, and depending on what that business sector is doing, these can be keywords like 'confidential'. For example, banks may need to protect against the transmission of credit card information, so that would be specified as a data leakage protection measure. This then enforces the policy that forbids employees from emailing this information out, and the email filter will detect the infringement, block it and alert compliance offers to investigate.
From a legislative compliance perspective, the organisation needs to define what personal information is (usually ID numbers, birth dates, medical aid numbers and the like) and the same data protection tools can be used to prevent such information from being incorrectly transmitted. These data leakage protection tools also contain anti-phishing technology to intercept links contained in potentially fraudulent emails. These types of technologies are useful because they protect users from themselves and maintain security integrity in the event that a user violates policy by clicking a link when they should know better.
With people in the mix, the only way to enforce policy is with data leakage prevention tools. There are a number of end-point protection systems that scan emails over and above policy requirements and these come in to play when, for example, an attack or malware spreads from within the organisation. These are important because a business still needs to protect its machines and secure employee devices, as much from the inside as the outside. However, these additional controls are only useful insofar as they are up-to-date.
The last tool in our protective arsenal is email encryption, which speaks to preserving the confidentiality of email. It can be done at a server to server or user to user level. With server to server encryption, there is still the risk that someone within the network could intercept the file, and by doing a mailbox to mailbox encryption, it's possible to protect the content from all possible interception as only the intended recipient will be able to read the message.
This type of security comes with additional complexities such as understanding how to issue and manage security certificates, but like all challenges, these need to be understood.
Security is a specialist topic, so it's advisable for organisations to engage with security professionals in understanding their business requirements and solutions. It's one thing to educate employees about email security, mitigating the risk thereof needs to be done in partnership with an expert.
