Email, Security and GDPR

So everyone is emailing you for your renewed consent to comply with the GDPR regulations coming into force on the 25th May. Like everyone else, we’ve contacted our newsletter subscribers and clients to obtain their informed consent to continue emailing our (ir)regular updates. However, there is a lot more to GDPR than email marketing consent. For a start, Personally Identifiable Information (PII) covers many more types of information than were protected previously, and both digital and paper records are now covered. GDPR places a wide range of requirements and obligations onto businesses.

One of the areas that we feel is receiving too little attention in the run up to GDPR day is breach reporting.

Here is what the UK Information Commissioner’s Office (ICO) has to say on breach reporting:
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
(https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/)

So what do you have in place that provides robust breach detection and investigation? There are a number of products in the enterprise market, but very few for the small to medium enterprise. There is, however, a low-cost, reliable alternative available. Look below for more about how Webtree IT can help by providing Sophos Intercept X.

The ICO have a handy guide to GDPR preparations here (https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf). It’s still not too late to start becoming GDPR compliant.

We’d all rather not have the breach in the first place. Prevention is better than cure, so have you reviewed your email security and tools recently? According to the Verizon 2017 Data Breach Investigations Report (DBIR), 43% of data breaches utilized phishing emails to gain a foothold in the organisation.
(https://www.verizonenterprise.com/verizon-insights-lab/dbir/)

Having good email scanning and filtering can significantly reduce the risk of phishing emails arriving in your users’ mailboxes. Additionally, using a standardised signature solution can ensure all legitimate emails have the corporate signature and disclaimer attached, regardless of the device used to send the email. This not only simplifies and improves branding and company image, it also makes identifying and preventing CEO fraud and phishing easier by adding another indicator to valid email: a message claiming to come from within the company but lacking the standard signature stands out. See below for more details.

Sophos Intercept X is the world’s most comprehensive endpoint protection solution. Built to stop the widest range of attacks, it is proven to prevent even the most advanced ransomware and malware by leveraging a unique combination of next-generation techniques, including the ability to use deep learning to detect never-before-seen malware, stop ransomware with Sophos anti-ransomware technology, and take attackers’ favorite tools out of their hands with signatureless exploit prevention. Intercept X also includes root cause analysis to provide insight into threats, and instant malware removal to ensure no attack remnants remain. Root cause analysis allows you to identify where and how a breach occurred, and to investigate the actions taken by the intruders, which is exactly the kind of evidence the 72-hour breach reporting process needs.


[Image: a sample view from Intercept X’s Root Cause Analysis.]
See more at sophos.com/intercept-x

To prevent threats reaching your users, it’s important to have robust email filtering in place. This is why we have partnered with The Email Laundry (https://www.theemaillaundry.com/) to provide their range of solutions, either with an Office 365 subscription or as a stand-alone product to supplement your existing email environment.

According to the Verizon DBIR, 4% of people will click on any link, so if you can prevent the links from arriving you are stopping that risk from occurring. In a 2016 presentation (https://www.infosecurity-magazine.com/news/isc2congressemea-ceo-fraud/), the CEO of The Email Laundry revealed that 90% of the CEO fraud tests in their testing programme were successful.

We also recommend Exclaimer Cloud Signatures Manager to provide a seamless and robust signature service for all users and all email within your organisation. Gone are the days of having to ask users to update their Outlook signatures; no longer do emails from mobile devices or webmail escape without a corporate signature and disclaimer.

Find out more about Exclaimer Cloud Signatures Manager for Office 365 here:
https://www.webtreeit.co.uk/download/439/ and https://www.exclaimer.co.uk/exclaimer-cloud/signatures-for-office-365/ (also available for G Suite)

You can read the executive summary of the Verizon Data Breach Investigation Report here:
https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_execsummary_en_xg.pdf

There is a good article on CEO fraud here:
http://businessadvice.co.uk/tax-and-admin/invoicing/what-is-ceo-fraud-and-how-can-i-identify-it/