Email Encryption - Not an option, now a necessity - Clearswift

White paperEmail encryptionNot an option, now a necessity

Email encryptionNot an option, now a necessityData breaches occur with frightening frequency to organisations the world over. No one sets outto lose data, but as news of sensitive data leaks from public and private sector organisationsalike becomes an all-too-regular occurrence, it’s clear that something needs to change.2Another day, another data breachEnsuring the safety and security of an organisation’s emailand web communications is now a crucial component of anyviable security strategy. Any such strategy should include:• Highly granular, flexible web and email policies• Automated encryption, eliminating the‘human error’ factor• Provision for the safe use of web 2.0technologiesA recent YouGov Trust Index poll conductedin the UK found that only 48% of respondentstrusted the public sector with their privatedata; 28% of those surveyed gave the publicsector a score of 3 or less (out of 7) when itcame to trust levels. Social networking andonline publishing sectors fare no better, as60% of respondents awarded these industriesa trust score of 3 or below. 1 At a time whenenterprises are under increasing pressure toadhere to the frequently competingdemands of compliance, transparency,cost-effectiveness, privacy andcollaboration, data loss incidents are indanger of undermining the reputations andachievements of organisations across all industries.No organisation can function without legitimately gatheringand using sensitive information about the individuals orcompanies they serve. Technology has made a significantcontribution to that process, but has also introduced newrisks. For example, the shared services model that has beenadopted by many public agencies around the world createschallenges, raising issues of appropriate access, secure dataexchange and storage as agencies strive to offer secure,‘single view of the citizen’ service delivery. While thepublic sector bears the brunt of punitive data breach fines,the private sector is by no means immune to the problem ofdata leakage: in fact the private sector accounted for overa third of all reported data breaches in the UK betweenMarch 2011 and February 2012.1 YouGov UK Trust Index 2011The evolving IT security standards landscapeAdherence to clearly defined IT security standards hasbecome the norm. While the specifics vary from region toregion, most share a common thread calling for proactivedata protection policies, positive enforcement, regular riskreviews, end-user education and a capacity to demonstratethat such actions are being taken.The fact that email encryption should be anintegral feature of any DLP strategy is nolonger up for discussion. In many jurisdictions,personal data is required by law to beencrypted; for example:USA: Health Insurance Portability andAccountability Act (HIPAA) – sets nationalstandards for the security of electronicprotected health information. HIPAA mandatesthat all protected health information shouldbe encrypted on public networks and digitallysigned. There are criminal penalties forviolations, with fines of up to $1.5m perincident. Many US states, includingMassachusetts and California, require thatpersonal data of all residents be encrypted,with the latter mandating that all agenciesencrypt personal data on state-ownedportable devices.USA: Sarbanes Oxley Act (SOX) – the SOX is a US federal lawthat sets enhanced standards for all US public companyboards, management and public accounting firms. The billwas established in 2002 in the wake of several high profilecorporate and accounting scandals (think Enron and TycoInternational) to restore public confidence in the nation’ssecurities markets.EU: Data Protection Directive – national governments in all25 member states have adapted the EU’s Data ProtectionDirective into their national laws. Spain and Italy requirethe encryption of all sensitive data shared over publicnetworks; non-compliance is a criminal offence. Germanydoes not prescribe which security method to use, butbreach reporting is mandatory.

White paper Email encryption: Not an option, now a necessity“ A cursory glance at some of themost recent instances of data lossreveals a common thread: humanerror. If it’s a laptop stolen froma car, a CD accidentally thrownout with the rubbish or a mis-sentemail sending private informationto the wrong person”UK: Data Protection Act – the Information Commissioner(ICO) has the power to fine organisations that breach theAct. The ICO has announced that data losses occurring‘where encryption software has not been used to protectthe data’ are likely to result in regulatory action against theorganisation. The largest fine to date was issued to Brightonand Sussex University Hospitals Trust in June 2012 followinga staff and patient data breach: £325,000 for losing highlysensitive personal data.Global: Payment Card Industry Data Security Standard (PCIDSS) – this comprehensive security standard was designed toenable organisations to protect customer account data. Itapplies to any organisation, public or private, large or smallthat’s involved in the storing, processing or transmitting ofcardholder data.In addition to compliance initiatives, IT managers in thepublic sector are required to adhere to state-sanctionedminimum security standards and procedures, such as theUK’s Government Connect Secure Extranet (GCSx) Code ofCompliance (CoCo) or Australia’s Government Informationand Communications Technology Security Manual (ISM),which includes standards governing information securitymanagement, risk management and a code of practice.Australia’s move towards a nationwide e-Health initiativethat will see private health records made available onlineto authorised healthcare professionals is shining anincreasingly strong spotlight on public data security andpending legislation to introduce mandatory data breachnotification.The human factorSome problems can’t be predicted. The reality, however, isthat most security breaches can. A cursory glance at someof the most recent instances of data loss reveals a commonthread: human error. If it’s not USB sticks left in the pub,it’s a laptop stolen from a car, a CD accidentally thrown outwith the rubbish or a mis-sent email sending privateinformation to the wrong person (or people).Despite the presence of the kind of clear standards,procedures and penalties outlined above, policies andtechnologies can only ever be as good as an organisation’scapacity to follow through on them. Recent findings fromthe US Government Accountability Office (GAO) attributed a650% increase in security breach reports to the fact thatfederal agencies had not fully implemented theirinformation security programmes, meaning they had‘limited assurance that controls are in place and operatingas intended to protect their information resources.’According to the GAO, it has, over the past couple of years,made ‘hundreds of recommendations’ to agencies fornecessary action to resolve their information securitydeficiencies. In common with so many other organisations,key weak spots were found to be inadequate training ofemployees with significant responsibilities, failure to ensurethat controls were monitored continuously and failure toensure swift and effective remediation of vulnerabilities.Automated encryption removes the ‘human error’ factor.Clearswift’s SECURE Email Gateway enables organisations tocommunicate with confidence while protecting them fromthe risk of sensitive data loss. Encryption and decryptionare performed automatically and centrally, within flexiblepolicy parameters and without the need for userinteraction, meaning than accidental encounters with the‘reply all’ button don’t have to end with a hefty fine.3

Email encryption: Not an option, now a necessitySecurity in the real worldLocking down or blocking data is no longer a real-worldsolution. Information needs to flow freely betweengovernment agencies, contracted service providers andmembers of the public, and between private enterprisesand their customers. Data loss prevention (DLP), web andemail gateways, flexible policies and strong encryptionform a unified information security solution that, in tandemwith effective education and management policies, allowsusers to interact and share information the way they needto without compromising on security. Ready-made orcustomisable policies that draw on an extensive collectionof managed lists, editable terms and compliancedictionaries, ensure that your data flows only in theintended direction.While many organisations recognise the need to enablepervasive use of email and other evolving communicationschannels, they’re also increasingly concerned about thesecurity risks arising from open communications.Clearswift’s SECURE Email Gateway provides an easy-to-useapproach to secure email communications. The highlygranular, flexible technology enables users to provide theprivacy, authenticity and integrity of communications thatsecure messaging offers, but without the complexity andhigh administration costs of other systems. The beauty ofencryption is that it allows the exchange of sensitive datawithout compromising on security. Even if data isintercepted, encryption makes it unreadable and tamperproof.Running to stand stillEvery organisation has unique information securitychallenges. Many perform under intense scrutiny from thepublic or other stakeholders while being expected to deliverhigh quality services in the face of often conflictingdemands. Information exchange plays a key role in the aimsof twenty-first century governments; without it,e-government strategies have little worth and a ‘single viewof the citizen’ service is close to impossible. As governmentsthe world over change service delivery strategies in stepwith shifting economic and political requirements, increaseduse of third-party providers brings additional risk. And theonus is increasingly on individual departments, localauthorities or agencies to ensure outsourced providers haveappropriate security measures in place.Encryption and flexible web and email policies can enableorganisations around the world to communicate securelywithout compromising communications or losing sight ofeconomic efficiencies. As organisations face the increasedpressures of compliance and best practice when it comes toprotecting sensitive private information, the time forchecking boxes and hoping for the best has long passed. At atime when purse strings are tight, those charged withdelivering data security must increasingly look to solutionsthat unite technology with strong policies and people,striking a balance between compliance, risk and real-worldworking requirements.If you’d like to know more, contact your local Clearswift team:UKinfo@clearswift.com+44 (0)118 903 8903Japaninfo.jp@clearswift.com+81 (3)5777 2248Australiainfo@clearswift.com.au+61 2 9424 1200Rest of Europeinfo.es@clearswift.com+34 91 790 1219Germanyinfo@clearswift.de+49 (0)89 904 05 206United Statesinfo@us.clearswift.com+1 856 359 23604