Informationweek.com points out that electronic mail is still the leading cause of data breaches at companies, despite its use being “on the wane” due to inroads by new social media. The same technology–such as laptop encryption software from AlertBoot–that guards data stored on computers can also be applied successfully to protect outgoing e-mails.
According to informamtionweek.com:
35% of large enterprises launched investigations into data leaks via e-mail in 2009
72% are worried about personal and financial information breaches via outbound e-mail
71% are also concerned about ex-workers e-mailing trade secrets and other corporate secrets via e-mail
48% performs audits of outbound e-mail
37% have employees monitoring the contents of outbound e-mail (33% have people whose jobs are exclusively reading and analyzing such e-mail)
Readers will readily note that some of the practices listed above are not exactly preventative, nor do they come close to being preventative. For example, audits of outbound e-mail, while necessary in order to get a grip on whether current security is adequate, cannot do much to secure information that has already been sent out to an outside party. Even if the audit were to catch it relatively quickly, there’s no way to prevent the receiving party from reading it.
Another example is a situation where an e-mail is sent with an attachment that contains sensitive information. The correct person received it; however, the e-mail should have been encrypted due to the sensitive nature of the attachment. An auditor runs across the situation, but if the company does business in Sin City, it’s already afoul of Nevada’s data breach law, which was amended one year later: e-mails that contain personal information, such as SSNs, must be encrypted.
Email Encryption, Automated
Human monitoring and auditing is needed, and this fact won’t change for the foreseeable future. However, a company can make inroads into securing their e-mails.
DLP (Data Loss Prevention) solutions exist out there that will actively encrypt any e-mails that contain sensitive information, or prevent them from leaving a company’s servers. It works based on filters that are set to recognize key words and number patterns. For example, a mortgage company might want to prevent any unencrypted e-mails with numbers in the xxx-xx-xxxx pattern being sent: these are probably Social Security numbers.
Likewise, a filter would be set up for Social Security, SSN, SSNs, and other key words that indicate such a number is contained within e-mails.
Combining the above with disk encryption software will ensure a broader degree of company data security. Of course, it will never be total security, which is why you also need access control (via physical locks and authorization levels), employee training in good data security practices, monitoring and auditing, etc.
However, it will go a long way in terms of reducing your company data risk profile.
Related Articles and Sites: