Companies should consider developing an encryption policy. This includes defining the information that should be encrypted and who has permission to send encrypted messages. Not every employee should have access to sending encrypted messages, and unauthorized encrypted e-mails should be treated as a potential security breach.
It’s a rare week when the news doesn’t include a report about a corporate data breach — putting personal, financial, or medical records at risk for theft. Often — all too often, say security experts — these breaches are caused by a lack of a solid email policy. Email has not just revolutionized the way we communicate, it has transformed the way we do business today. Along the way, it also added a significant layer of risk. An employee can now easily share confidential information with an unauthorized co-worker or friend. Former employees are often kept on an email circulation list long after they’ve left the company or continue to have access to their old work accounts months after leaving an organization. And then there are issues such as sending personal emails and forwarding jokes, which may not necessarily be risks but do put a drain on company resources.
However, despite the clear security risks, an Osterman Research survey found that 86% of companies do not have a tool in place to address email usage, a practice that, according to Avivah Litan, VP and distinguished analyst at Gartner, Inc., needs to be rectified. “Email accounts are often compromised.” She points out that email should not be used as a secondary channel (e.g., in addition to the web or a call center) to convey sensitive information such as example passwords or secret questions and answers used to log into an account.
There are three reasons a company should put an email policy in place, according to Litan:
- Email is a major attack vector for crooks. For example, it is used to spread malware across enterprise and individual PCs and to entice individuals to give credentials and other sensitive information away through phishing attacks.
- Email account credentials are often compromised (e.g., email user IDs and passwords).
- Email trails are valuable tools for investigators and can implicate a company or individual in legal or forensic investigations.
“Companies need to recognize that email should not be relied on to convey sensitive, timely and/or confidential information,” Litan says. “For example, banks can’t rely on email to send financial statements to customers since they may not trust or read it.”
Yet an alarming amount of risky email still gets sent. According to a survey commissioned by Proofpoint, Inc. and fielded by Forrester Consulting, one out of 10 outbound emails poses a risk for organizations, whether legal, financial, or regulatory. In addition, only half of the email that should be encrypted actually is.