Email Security and GDPR
In 2018, the General Data Protection Regulation (GDPR) came into effect to protect the private and sensitive information of EU citizens. Compliance with the regulation saves companies from being fined up to €20 million or 4% of their annual global turnover (whichever is greater).
Emails, in particular, pose a great threat to data security, given the sheer amount of messages passed from one inbox to another, as well as the number of data leaks stemming from email security breaches.
In fact, an average of 122 business emails are exchanged per day. In 2018 alone, 75% of organisations reported being hit by at least one email fraud attack, and the numbers rise every year.
If your company handles sensitive information of EU residents, how do you make sure that you can email their data securely?
GDPR and Emails: What Does The Law Say?
GDPR defines personal data as “any information which are [sic] related to an identified or identifiable natural person”.
This must be interpreted as broadly as possible, including information assigned to a person (e.g. name, address, IP addresses, credit card, etc.), as well as information that will allow you to identify someone even if you don’t know their name (e.g. biometrics).
Emails contain a treasure trove of personal information, often staying in mailboxes for years. With this form of communication specifically, GDPR states that you need to do the following:
- Allow subscribers to positively opt in to your email list — For email consent to be valid, subscribers must actively confirm this action. You should include an unchecked opt-in box on your websites, as pre-ticked boxes do not count as consent.
- Consent requests should not be included in Terms and Conditions — Under GDPR, agreeing to be part of your email list needs to be separate from your Terms and Conditions. This gives people a choice on whether they want to receive continuous emails from you or simply agree to do business with you.
- Allow them to easily withdraw consent — Make sure that the option to unsubscribe is laid out for each person. Don’t require anything in exchange for removal from your list, such as paying a fee or logging in.
- Be clear about how you got their consent — Keep track of who consented, when, what you told them when they consented, how they did it (e.g. website, social media), and if they’ve withdrawn. Under GDPR, people can request access to their data and how it’s being used.
Note that GDPR is not only applicable to personal data you’ve collected after it was implemented. The regulations apply to everyone on your email list, regardless of when you got their information. It also doesn’t matter if your company is not within EU borders; as long as you have data of EU residents, you are mandated to comply with GDPR.
How Can Your Company Email Personal Data Securely?
If your company stores and processes data of EU residents, the onus is on you to make sure that your organisation emails personal data securely. Here are the steps you can take:
1. Create new systems
By September 2019, more than a year after GDPR’s implementation, only 28% of companies worldwide were fully compliant. If, at this point, you haven’t yet created a GDPR-compliant system, it’s time to do so, as the complexity involved in the new regulations is often cited as the top barrier to compliance.
Also, keep in mind that some of the regulations are time-sensitive (e.g. identifying and reporting breaches within 72 hours). In case you do get attacked, you need to have a process in place so you can respond quickly and effectively.
2. Email hardening
Email hardening refers to the process of securing your emails by reducing their vulnerability to cyber attacks. There are several ways you can do this:
- Turn on 2-step verification — Password brute-force attacks were among the top security breaches in 2018. If you’re using some of the popular email platforms like Gmail, Microsoft, or Yahoo, it’s easy to set this up. But if you’re using other email hosting services, choose those that have this option for another layer of security.
- Add recovery information — If your email becomes inaccessible, setting up recovery information (e.g. phone, email) will allow you to get inside your inbox again.
- Set up spam filters — 55% of emails received are considered spam. While this number is declining through the years, it still poses a threat. Filters can protect you from spam emails that may include malware by reviewing potentially malicious content and diverting these to a different folder.
- Revoke unauthorised apps — If you’re using mobile devices to access emails, check the list of apps that you used previously. Remove any app that looks suspicious or those that you don’t remember using.
- Set up identity protection for emails — Since email spoofing (creating and sending emails from a fake sender address) and phishing are on the rise, the technology to combat these has also evolved. Enabling SPF, DKIM, and DMARC on your emails will allow you to only receive emails coming from verified domains and reject those that are not.
- Set a throttling policy — If you or one of your employees falls victim to a spammer, a throttling policy will limit the number of emails one can send to prevent more recipients from receiving spam emails.
- Restrict attachments — One of the most effective ways to deliver malware is through email attachments. Apart from adding a spam filter, you should also restrict the allowed attachments that can come with each email. Executables (.exe) are the most recognisable and most dangerous, but so are .swif, .vbs, .bat, and .jar files. Only allow documents (e.g. PDF, photos) as email attachments. You can also limit the file sizes.
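The attachment restriction above works best as an allowlist rather than a list of banned extensions. This added example (not code from this article) checks a message's attachments against one; the allowed extensions, the size limit and the sample message are assumptions constructed for illustration.

```python
# Added example: allowlist-based attachment check for inbound mail.
# ALLOWED_EXTENSIONS and MAX_BYTES are assumed policy values, not taken from the article.
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".jpeg"}
MAX_BYTES = 5 * 1024 * 1024

def check_attachments(raw_message):
    """Return (filename, reason) for every top-level attachment that violates the policy."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    violations = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Only the final extension counts, so "invoice.pdf.exe" is judged as .exe.
        # A missing filename yields an empty extension and is rejected (fail closed).
        ext = os.path.splitext(name.strip().lower())[1]
        payload = part.get_payload(decode=True) or b""
        if ext not in ALLOWED_EXTENSIONS:
            violations.append((name, "extension %r not on allowlist" % ext))
        elif len(payload) > MAX_BYTES:
            violations.append((name, "larger than %d bytes" % MAX_BYTES))
    return violations

def build_sample():
    """Constructed message with one allowed and two disallowed attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"echo hi", maintype="application",
                       subtype="octet-stream", filename="setup.bat")
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, reason in check_attachments(build_sample()):
        print(filename, "->", reason)
```

File extensions can be renamed, so a check like this complements content scanning by the mail gateway rather than replacing it.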
3. Encrypt emails
The EU highly recommends encrypting emails as the most feasible option for GDPR compliance. In fact, GDPR.eu relies on the encryption services of the world’s largest email service, ProtonMail.
Encryption has come a long way within the last five years, making it possible for a lot of vendors to now offer encrypted emails between sender and recipient. This technology prevents third parties from reading the content of each message.
However, understand that encryption comes with some downsides for businesses. Both sender and recipient need to use compatible software to read the email. It’s not easy to use, so only encrypt messages that are truly sensitive.
4. Educate your team
Regardless of how high-tech your security system is, people’s email practices can still put data at risk. Train your team to identify phishing scams, dangerous files, and even mistakes as simple as sending emails to the wrong recipient. Creating a security-conscious culture can go a long way to protecting the private information of your customers.
5. Regularly test your system
Cyber security attacks get more sophisticated by the day. If you let your IT team test your system regularly, you’ll be able to spot any vulnerabilities you may have missed or anything that needs updating.
GDPR requires companies to step up their security systems and policies, especially when handling personal data through emails. If you want to make sure that your emails are secure and GDPR-compliant, give our Bristol IT support team a call at 0117 369 4335.