Email is a vital communication resource that many small businesses rely on to send sensitive, confidential information both inside and outside of the organization.
But the prevalence of email as a business tool also makes it susceptible to exploitation and data loss. In fact, email accounts for 35 percent of all data loss incidents among enterprises, according to a white paper from AppRiver, a cyber security company.
Data breaches are not always the result of malicious activity, such as a hacking attempt. Most often, they occur due to simple employee negligence or oversight. (Employees are the leading cause of security-related incidents, according to a Wells Fargo white paper.)
In 2014, an employee at the insurance brokerage firm Willis North America accidentally emailed a spreadsheet containing confidential information to a group of employees enrolled in the company medical plan’s Healthy Rewards program. As a result, Willis had to pay for two years of identity theft protection for the nearly 5,000 people affected by the breach.
In another instance, also from 2014, an employee of the Rady Children’s Hospital in San Diego erroneously sent an email containing the protected health information of more than 20,000 patients to job applicants. (The employee thought she was sending a training file to evaluate the applicants.)
The hospital sent notification letters to the affected individuals and worked with an outside security firm to ensure the data was deleted.
These and many other such incidents point to email’s vulnerabilities and underscore the need for businesses large and small to secure, control and track their messages and attachments wherever they send them.
Here are five steps, from AppRiver, that small businesses can follow to simplify the task of developing email compliance standards to safeguard sensitive information.
Email Compliance Guide
1. Determine What Regulations Apply and What You Need to Do
Start by asking: What regulations apply to my company? What requirements exist to demonstrate email compliance? Do these overlap or conflict?
Once you understand what regulations apply, determine if you need different policies to cover them or just one comprehensive policy.
Example regulations that small businesses many encounter include:
- Health Insurance Portability & Accountability Act (HIPAA) – governs the transmission of personally identifiable patient health information;
- Sarbanes-Oxley Act (S-OX) – requires that companies establish internal controls to accurately gather, process and report financial information;
- Gramm-Leach-Bliley Act (GLBA) – demands that companies implement policy and technologies to ensure the security and confidentiality of customer records when transmitted and in storage;
- Payment Card Information Security Standards (PCI) – mandates the secure transmission of cardholder data.
2. Identify What Needs Protecting and Set Protocols
Depending on the regulations your company is subject to, identify data that is deemed confidential — credit card numbers, electronic health records or personally identifiable information — being sent via email.
Also, decide who should have access to send and receive such information. Then, set policies that you can enforce through the use of technology to encrypt, archive or even block transmission of email content based on users, user groups, keywords and other means of identifying transmitted data as sensitive.
3. Track Data Leaks and Losses
Once you understand what types of data users are sending via email, track to determine if loss is occurring and in what ways.
Are breaches taking place inside the business or within a particular group of users? Are file attachments being leaked? Set additional policies to address your core vulnerabilities.
4. Identify What You Need to Enforce Policy
Having the right solution to enforce your policy is just as important as the policy itself. To satisfy regulatory requirements, several solutions may be necessary to ensure email compliance.
Some solutions that organizations can implement include encryption, data leak prevention (DLP), archiving of emails and anti-virus protection.
5. Educate Users and Employees
An effective email compliance policy will focus on user education and policy enforcement for acceptable use.
As unintentional human error remains the most common cause of data breaches, many regulations require the training of users on behaviors that could potentially lead to such violations.
Users and employees will be less likely to let their guard down and make mistakes when they understand proper workplace email usage and the consequences of non-compliance and are comfortable using appropriate technologies.
While no “one-size-fits-all” plan can help small businesses comply with every regulation, following these five steps can help your business develop an effective email compliance policy that safeguards security standards.
Email Photo via Shutterstock