7 steps to improve your email security in time for the GDPR
Approximately 200 billion emails are sent every single day, and hackers are constantly trying to attack them. Despite the predominance and importance of email to small businesses, security strategies are still often overlooked.
In business, emails are used for everything from exchanging client details to arranging payments and transferring sensitive documents. With the General Data Protection Regulation (GDPR) coming into force in May 2018, keeping your business email data compliant is going to be of great importance.
Now's the time to get it right.
The second section of the GDPR says that businesses must "protect personal data against accidental or unlawful destruction or accidental loss and prevent any unlawful forms of processing, in particular, any unauthorised disclosure, dissemination or access, or alteration of personal data."
Personal data is defined as: "any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."
This regulation will require increased email security because, as the recent WannaCry and Petya cyber-attacks show, email is still incredibly vulnerable to infiltration.
A report by Symantec in July 2017 discovered that the email malware rate has gone up to one in every 259 emails, and phishing emails have risen to one in every 1968 emails. Alongside this, the 2017 Data Breach Investigations report from Verizon found that two-thirds of malware came from email attachments being opened accidentally.
Infected emails are not the only risk businesses are exposed to. There is also a real and present danger of company financials being leaked, of ransomware spreading across networks, and of the loss of trust and reputation that will follow once disclosure of breaches becomes mandatory under the GDPR. Just look at the anger and upheaval caused by the recent Equifax breach.
An email security policy that conforms to the GDPR requirements can be relatively easy to set up, but it’s key to remember that systems are only as good as the people using them.
Here are some simple steps you can take to improve your email security in line with the GDPR.
1. Ensure OS and apps are patched
It's cheap, easy, and the first thing you should check with any security system. The correct patches and latest updates should be installed immediately. In reality, many businesses delay doing this because of concerns over downtime or compatibility testing. However, failing to patch promptly can be an expensive mistake for you and your business: hackers are actively looking for vulnerabilities that haven't been patched, so any delay is an opening they can exploit.
2. Use anti-virus on all email
We have previously written about how anti-virus alone is no longer a good enough solution for your business security, but it can still be a very helpful first step for email. With today's advanced and intricate hacking tactics it doesn't work well on its own, but it will help your company spot easy-to-find threats quickly, freeing up IT security providers and IT staff to work on more complex cyber-attacks.
3. Consider whitelisting or blacklisting
Businesses may want to try whitelisting or blacklisting to keep their email safe. Whitelisting allows only known and trusted sources through to your inbox, while blacklisting blocks only known malicious email sources. As you can probably tell from this description, whitelisting offers more protection, but it is also likely to block important emails here and there, which can be a source of frustration for you and your employees.
Organisations may also want to look at attachments and block them to some degree. Some companies decide it is safer to block all attachments. This is effective at stopping malicious attacks, but it is obviously also a hindrance to using email for business. To mitigate that consequence, your email server can be set up to inform recipients of blocked attachments and let them ask IT security to release them. Of course, this kind of listing does not stop employees from clicking links within emails!
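The following is an added example, not code from the original article or its author, showing how the two ideas above combine into one mail-filter policy: the sender's domain is checked against an allowlist or a denylist (the article's whitelist and blacklist), risky attachment types are held back, and the recipient gets a notice telling them what was held and that IT security can release it. The domains, file-type list and sample messages are constructed for the example; the `filter_message`, `check_sender` and `hold_notice` names are assumptions, not a real product's API.

```python
"""Allow/deny-listing of sender domains combined with attachment blocking,
written as a small mail-filter policy using only the standard library.
Example code added for illustration; domains, file types and messages
below are constructed, not real."""
import pathlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Policy settings (assumed values for the example).
ALLOWLIST = {"partner.example", "ourcompany.example"}   # trusted sender domains
DENYLIST = {"badsender.example"}                        # known-bad sender domains
BLOCKED_EXT = {".exe", ".js", ".vbs", ".scr", ".docm"}  # executable / macro file types


def sender_domain(msg):
    """Lower-cased domain of the From: address ('' if it cannot be parsed)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def check_sender(domain, mode):
    """mode='allowlist': only ALLOWLIST domains pass; mode='denylist': only DENYLIST fails."""
    if domain in DENYLIST:
        return "reject", f"sender domain '{domain}' is on the denylist"
    if mode == "allowlist" and domain not in ALLOWLIST:
        return "reject", f"sender domain '{domain}' is not on the allowlist"
    return "accept", f"sender domain '{domain}' permitted"


def blocked_attachments(msg):
    """Names of attachments whose file extension is in BLOCKED_EXT."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if pathlib.Path(name).suffix.lower() in BLOCKED_EXT:
            names.append(name)
    return names


def hold_notice(msg, names):
    """Text sent to the recipient in place of the held attachments."""
    return (
        f"Message from {msg.get('From')} with subject '{msg.get('Subject')}' "
        f"was delivered without {len(names)} held attachment(s): {', '.join(names)}. "
        "Contact IT security to request their release."
    )


def filter_message(raw, mode="allowlist"):
    """Apply both checks to a raw RFC 5322 message and return the filter's decision."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    decision, reason = check_sender(sender_domain(msg), mode)
    result = {"decision": decision, "reasons": [reason], "held": [], "notice": ""}
    if decision == "reject":
        return result          # rejected senders are never inspected further
    held = blocked_attachments(msg)
    if held:
        result["held"] = held
        result["reasons"].append("blocked attachment type(s) held for IT review")
        result["notice"] = hold_notice(msg, held)
    return result


def build_message(sender, subject, attachments=()):
    """Construct a sample message (not a real email) with optional dummy attachments."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "staff@ourcompany.example", subject
    msg.set_content("Please see attached.")
    for name in attachments:
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_message("Alice <alice@partner.example>", "Q3 figures", ["figures.xlsx"]),
        build_message("Mallory <mallory@badsender.example>", "Invoice"),
        build_message("Bob <bob@unknown.example>", "Hello", ["tool.exe"]),
        build_message("Alice <alice@partner.example>", "Update", ["setup.exe", "notes.txt"]),
    ]
    for raw in samples:
        print(filter_message(raw, mode="allowlist"))
```

Switching `mode` between `"allowlist"` and `"denylist"` shows the trade-off the article describes: in allowlist mode the unknown sender is rejected outright, while in denylist mode the same message is accepted but its executable attachment is held and the recipient is told how to get it released.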
4. Outsource scanning and filtering
Large or public sector organisations nowadays tend to use Domain-based Message Authentication, Reporting and Conformance (DMARC), which lets receiving mail servers block emails with spoofed sender addresses, a common attack method. SMEs can check with their internet or email providers to see whether this would help them, although it is usually only used by larger organisations. Risk-scoring tools are also useful for finding suspect emails and quarantining them to be looked at later.
Small businesses should consider having their emails scanned by an outsourced email services provider, and should also look into network segmentation, which isolates email servers from the wider network and limits access to sensitive areas. Email filtering can also help, as it allows emails to be opened in a virtual sandbox environment to detect any malware or host/network activity before the email even reaches your server.
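As an added example (not code from the article or from any provider it mentions), here is the decision a receiving mail server makes under DMARC: it looks up the sender domain's published policy, checks whether the SPF or DKIM result is aligned with the visible From: domain, and applies the domain owner's `p=` (or `sp=` for subdomains) disposition when neither is. This goes a little beyond the paragraph's one-line description to show the whole check. The DNS records and authentication results are constructed inputs rather than live lookups, the organisational-domain helper is a simplification that ignores the public suffix list, and `pct=` sampling is not implemented; all function names are assumptions.

```python
"""DMARC policy lookup and identifier-alignment check, i.e. the logic a
receiving server applies to decide what happens to a message whose From:
domain publishes a DMARC record. Added example; DNS data is constructed."""

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain> (assumed values).
FAKE_DNS = {
    "_dmarc.ourcompany.example":
        "v=DMARC1; p=reject; adkim=s; aspf=r; pct=100; rua=mailto:dmarc@ourcompany.example",
    "_dmarc.partner.example": "v=DMARC1; p=quarantine",
}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a dict, filling in RFC 7489 defaults.
    Returns None when the text is not a valid DMARC record."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to the main policy
    return tags


def org_domain(domain):
    """Organisational domain, approximated as the last two labels.
    Assumption for the example: real implementations use the public suffix list."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts any domain in the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def lookup_policy(from_domain, dns=FAKE_DNS):
    """Return (parsed_record, applicable_policy). The From: domain's own record
    wins; otherwise the organisational domain's sp= applies; otherwise none."""
    record = parse_dmarc(dns.get(f"_dmarc.{from_domain.lower()}", ""))
    if record:
        return record, record["p"]
    org = org_domain(from_domain)
    if org != from_domain.lower():
        record = parse_dmarc(dns.get(f"_dmarc.{org}", ""))
        if record:
            return record, record["sp"]
    return None, "none"


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=FAKE_DNS):
    """Return (dmarc_result, disposition) for one message.
    spf_domain is the MAIL FROM domain SPF authenticated; dkim_domain is the
    d= tag of the DKIM signature that verified. Disposition is 'deliver',
    'quarantine' or 'reject'."""
    record, policy_name = lookup_policy(from_domain, dns)
    if record is None:
        return "none", "deliver"          # domain publishes no DMARC policy
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"          # at least one aligned authentication passed
    if policy_name == "none":
        return "fail", "deliver"          # monitoring only: report but do not act
    return "fail", policy_name


if __name__ == "__main__":
    # Legitimate mail: SPF passes for a host in the same organisational domain.
    print(evaluate("ourcompany.example", "pass", "mail.ourcompany.example", "none", ""))
    # Spoofed From: header: SPF passes only for an unrelated domain, no DKIM.
    print(evaluate("ourcompany.example", "pass", "other.example", "fail", ""))
    # Subdomain with no record of its own inherits the org domain's sp= policy.
    print(evaluate("news.ourcompany.example", "fail", "", "fail", ""))
```

The second call is the case the paragraph refers to: the message carries `ourcompany.example` in the From: header, yet nothing authenticates for that domain, so the owner's `p=reject` policy tells the receiving server to refuse it.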
5. Consider your worst-case scenarios
It may sound slightly pessimistic, but the worst could always happen! So it makes business sense to have up-to-date disaster protocols in case malware manages to make it onto your network. Do an audit of your risks and vulnerabilities and ensure that you have a disaster recovery plan in place so that your business is not put at risk. Remember, when the GDPR comes into force, a data breach from email could leave you with a costly fine (€20 million or 4% of annual global turnover).
Businesses should consider using a variety of different security applications that overlap to provide extra defence layers. Employees must also be educated to spot suspicious emails and understand malicious emails and what they can do.
6. Encryption as standard
The recent spate of leaked and hacked emails has meant that more organisations are considering or have already installed encryption protocols for their business.
End-to-end encryption is helpful for businesses because it does more than just secure email content: it also adds an extra level of compliance with the GDPR. Verifiability is of high importance for the GDPR. Being able to prove that you have consented to send an email and the data it contains is easy with end-to-end encryption, as the receiving party must actively opt in to decrypt the email before reading it. End-to-end encryption is becoming more popular, especially in light of these new regulations.
7. Consider turning on read receipts
Most email providers allow read receipts to be ignored by those receiving the email; however, some secure applications make them mandatory. On sending an email, the sender gets an email saying whether it has been delivered to the recipient's server, and then a further email when the message has been opened.
This is perfect for GDPR compliance, as it allows a clear and auditable email trail to be created. It shows that an email has not only been sent, but that it has also been received and read on the other end. The main drawback, however, is the increase in email traffic that this system produces. Ultimately, if you're looking for total compliance, turning on read receipts is a great place to start.
Security is at the heart of our email protection services. Our layered cloud-based system offers the most inclusive malware and spam filtering shields available and will help you stay compliant with the GDPR. To find out more contact us now for an informal chat.