What does GDPR mean for email security?
The European Union has put into place one of the strictest data protection laws in history. The General Data Protection Regulation (GDPR) takes effect on May 25, 2018. If your business collects any type of information that could profile European citizens, you must comply with GDPR even if you are located outside the EU.
Email security is one area where the GDPR regulations are quite vague. The threats that arrive by email, the data that leaves by email and the storage of email are all critical pieces that need to be properly evaluated.
One of the most important points under this law is that any firm doing business in the EU must meet the standards set out under GDPR or be liable for substantial fines.
The law requires, in part, that companies:
- Obtain EU residents’ consent to store or process their personal data
- Maintain “privacy by design”
- Respond quickly to “right to be forgotten” and “subject access” requests
Personal Data includes:
- Email Address
- IP Address
- Medical Information
- Social Networking Posts
- Banking information
- Anything that can be used to identify someone
Failure to Comply with GDPR
The penalties for non-compliance with GDPR are significant. A firm can be fined €20 million or 4% of its annual worldwide revenue. A fine of this size can have a significant impact on a business of any size. Enterprises will also find themselves dealing with PR crises if they don’t fully comply with these new regulations.
What email security features should be in place for GDPR?
- Data loss prevention (DLP) – A firm also needs to do everything reasonable under GDPR to prevent data loss. DLP stops sensitive data such as driver’s license numbers, credit card numbers and hundreds of other data types from leaving the organization in outbound email. Since users are the weakest link when it comes to data security, having an automated system that enforces your policies on outbound email is invaluable.
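The following is an added example of the kind of outbound policy check a DLP engine performs; it is illustrative code written for this article, not ContentCatcher or Clearnetwork code. It looks for credit card numbers in an outgoing message, uses the Luhn checksum to discard look-alike digit runs such as order numbers, and returns a policy decision (allow, encrypt or block) based on whether the recipient is outside the organization. The thresholds, the organization domain and the sample message are assumptions constructed for the example; the "encrypt" outcome is the decision point that a policy-based automatic encryption service (described under Email Encryption below) would act on.

```python
import re
from dataclasses import dataclass, field

# Candidate card numbers: 13 to 19 digits, optionally grouped with spaces or dashes.
# The lookarounds stop the pattern from matching the middle of a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Policy knobs (assumed values for the example): one card to an external
# recipient is forced through encryption; more than that is blocked outright.
MAX_CARDS_BEFORE_BLOCK = 1


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return normalized card numbers in text that pass the Luhn check."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


@dataclass
class Verdict:
    action: str                      # "allow", "encrypt" or "block"
    findings: dict = field(default_factory=dict)


def evaluate_outbound(body: str, recipients: list[str], internal_domain: str) -> Verdict:
    """Decide what to do with an outbound message under the assumed DLP policy."""
    cards = find_card_numbers(body)
    external = [r for r in recipients if not r.lower().endswith("@" + internal_domain)]
    findings = {"card_numbers": len(cards), "external_recipients": len(external)}
    if not cards or not external:
        return Verdict("allow", findings)          # nothing sensitive, or stays internal
    if len(cards) > MAX_CARDS_BEFORE_BLOCK:
        return Verdict("block", findings)          # bulk card data leaving the firm
    return Verdict("encrypt", findings)            # single card: deliver only encrypted


# Constructed sample message; the card numbers are publicly known test numbers.
SAMPLE_BODY = (
    "Hi, the card on file is 4111 1111 1111 1111 and the order reference "
    "is 1234 5678 9012 3456. Please confirm."
)

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_BODY))
    print(evaluate_outbound(SAMPLE_BODY, ["alice@corp.example"], "corp.example"))
    print(evaluate_outbound(SAMPLE_BODY, ["bob@partner.example"], "corp.example"))
```

The Luhn step matters in practice: a naive digit-pattern rule fires on invoice and order numbers constantly, and a DLP policy that users experience as noisy is one they will work around.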
- A secure email archive – The ability to securely store and search past email is powerful and important for GDPR compliance. You should have a record of what data was sent and received; without archiving messages you may never know what data they contained. If you discover that a user has caused an email data breach, eDiscovery gives you the ability to find out exactly what data was sent. A cloud-based solution like ContentCatcher is the most effective way to handle this with minimal management.
- Attachment Protection – Malicious attachments are among the most common ways that malware, ransomware, keyloggers and many other threats enter a system and network. ‘Attachment sandboxing’ is an email security feature that opens unknown attachments on virtual machines and watches what they do, greatly reducing the risk that users will receive an email with a malicious attachment. Common file types that carry malware and viruses, such as .VBS, .BAT, .EXE, .PIF and .SCR files, should be outright restricted when implementing GDPR compliance policies. This means that all email security systems must scan every attachment for malicious software. Staff and other system users must be trained to look for and recognize potentially malicious attachments. Clearnetwork Attachment Defense uses system emulation, which is more advanced than sandboxing alone, to see what attachments do before they reach the recipient.
- URL Protection – URLs in emails are one of the biggest sources of concern when it comes to phishing threats. Bad actors have become very good at making sites that mimic legitimate ones. Clearnetwork’s URL Defense dynamically checks all links for malicious content before they can be accessed.
Educating users not to click URLs they cannot see or do not recognize, combined with software that dynamically scans URLs in emails, is extremely important. We recommend KnowBe4 for security awareness training.
- Email Encryption – You are not required to automatically encrypt all emails under GDPR, but it is a wise choice. Email encryption ensures that only the intended recipient can access the email, and it can also be configured to delete the email after a period of time. An ideal service will automatically encrypt your outbound emails if they contain information your company policy considers sensitive. ContentCatcher Email Encryption is fully cloud based, requires nearly zero management, and automatically encrypts outbound emails that contain data matching your policies.
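As an added example of the attachment restriction described above (not code from Clearnetwork or ContentCatcher), the block below parses an inbound MIME message with Python's standard `email` library and applies the article's blocked-extension list. It resolves the last extension of the file name, so a name with several dots is judged by its final suffix, and it additionally flags any attachment whose content begins with the "MZ" header of a Windows executable even when the file name does not look executable. The message, file names and payload bytes are constructed samples; the policy list and the quarantine decision are assumptions for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions the article names as common malware carriers (assumed policy list).
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}
# Every Windows PE executable starts with the two-byte DOS header "MZ".
PE_MAGIC = b"MZ"


def build_sample_message(attachments: list[tuple[str, bytes]]) -> bytes:
    """Construct an inbound test message (constructed sample, not captured traffic)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached file.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_bytes()


def check_attachments(raw: bytes) -> list[dict]:
    """Evaluate each attachment of a raw RFC 5322 message against the policy."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # PurePosixPath.suffix is the LAST extension: "report.pdf.exe" -> ".exe"
        ext = PurePosixPath(name).suffix.lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension {ext}")
        if payload.startswith(PE_MAGIC):
            reasons.append("content is a Windows executable (MZ header)")
        findings.append({"filename": name, "blocked": bool(reasons), "reasons": reasons})
    return findings


def verdict(raw: bytes) -> str:
    """Quarantine the whole message if any attachment violates the policy."""
    return "quarantine" if any(f["blocked"] for f in check_attachments(raw)) else "deliver"


# Constructed sample: one benign document, one blocked extension, one executable
# hiding behind a document-like name, and executable bytes under an image name.
SAMPLE_MESSAGE = build_sample_message([
    ("quarterly.pdf", b"%PDF-1.4 sample document bytes"),
    ("update.scr", PE_MAGIC + b"\x90\x00 sample executable bytes"),
    ("report.pdf.exe", PE_MAGIC + b"\x90\x00 sample executable bytes"),
    ("photo.jpg", PE_MAGIC + b"\x90\x00 sample executable bytes"),
])

if __name__ == "__main__":
    for finding in check_attachments(SAMPLE_MESSAGE):
        print(finding)
    print(verdict(SAMPLE_MESSAGE))
```

Checking the content header alongside the file name is the caveat a practitioner wants here: an extension list alone is only as good as the name the sender chose, whereas the content check is what lets the gateway hand truly unknown files on to sandboxing or emulation.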
Biggest email threats for data under GDPR
Each of these threats is commonly distributed through email, highlighting the importance of an advanced email security service.
Phishing – Seeks to gain confidential information or money by imitating a trusted source such as your bank, an online store, a creditor or a co-worker. Phishing ranges from very broad, widespread attacks to highly personalized spear-phishing attacks that contain accurate information about the company and person being targeted.
Business Email Compromise – In these attacks, a bad actor gains access to a corporate email account or creates one that looks very similar, then tries to trick other employees into making a wire transfer or sending information that may be of value.
Ransomware – As most already know from the well-publicized WannaCry and Petya ransomware attacks that struck across Europe, the risk of data loss or data exploitation is great. These attacks most commonly enter networks through a malicious attachment or link in a targeted phishing email. Data held for ransom, at risk of being stolen, deleted or damaged, is a major risk that companies must mitigate under GDPR through proper email security features and policies.
Advanced persistent threats (APT) – An APT is a network breach in which an attacker gains access to the network and dwells there for a long period of time, collecting data, causing damage or simply waiting for the right time to strike. These attacks commonly first enter a network through a malicious link or attachment in an email carrying the APT’s malware.
Keyloggers – These threats record every keystroke on a victim’s computer to mine confidential information and steal passwords. They are typically hidden within malicious email attachments and links. They can be hard to detect once installed on a victim’s network and are sometimes used as a gateway to gather the information needed for more sophisticated attacks.
GDPR addresses two requisite categories of changes: human changes and technological changes.
The human changes include the need to hire a data protection officer whose job it is to handle sensitive data. Companies must also institute training for all personnel. Under Article 35, organizations are mandated to complete Data Protection Impact Assessments (DPIAs), a process that helps you identify, assess and mitigate privacy risks arising from the data you hold.
The technological changes include things like proper data classification, data storage, data transfer limitations, and data loss prevention.
One of the more powerful aspects of the law is the ability for individuals to request that all their personal data be deleted from a company’s database. The law also mandates unprecedented levels of consent for each step of adding a person to a database. Users will likely see many more opt-in forms and longer user agreements, simply because they will need to grant permissions not previously required.
The Guidelines of GDPR Security
There are several guidelines that will apply to email:
Privacy Notice – Article 12 of the GDPR requires that a privacy notice be “explicit,” “specific,” “informed,” and “intelligible,” and written in clear, plain language. The privacy notice tells the user why the information is collected, who is collecting it, what it will be used for and, importantly, that they have the right to be forgotten upon request.
Communication of Data Breaches – GDPR requires that corporate authorities advise users of a data breach within 72 hours when the breach presents a high risk to the “rights and freedoms” of the individual. There are very specific guidelines for how these notifications must be made. This includes breaches caused by employees falling prey to phishing scams and sending out confidential information.
GDPR – The Right Way Forward
GDPR is, in reality, the next logical step in cybersecurity. It brings additional expenses for companies, which must invest time in buying, implementing and learning new policies and technologies, but in the end it is all for the betterment of society. GDPR raises the bar, and over the next few years we will likely see countries outside the EU follow suit and implement similar laws to protect their citizens’ data.
If you are looking for an email security solution that meets and exceeds the requirements of GDPR, ContentCatcher is a great solution with EU datacenters, and packages to meet the needs of GDPR and your growing business.