September 27, 2013 –
In our last blog, we discussed the increasing importance of encrypting portable media devices, and why your organization should be proactive in using such a key control. If you haven't had a chance to read it, I would strongly suggest a quick read before you begin this week's installment. Why? Because when discussing information security, it is important to understand the concept of defense in depth.
Simply put, defense in depth layers multiple controls so that if one control fails or is bypassed, another still stands between the attacker and your data. So, while last week's blog addressed the importance of protecting data at rest, we must now consider how data is protected when it is in transit.
What is Data in Transit?
Unlike data at rest, which sits in computer storage, data in transit is data moving between systems across a network. (Data being actively worked on in a computer's memory is usually treated as a third category, data in use, and is not the subject of this post.) One common form of data in transit is e-mail. Since its inception, e-mail has provided a non-intrusive medium through which people can communicate, and in doing so it has transformed the essence of business communication.
E-mail has become so pervasive that according to a recent report from the McKinsey Global Institute, the average worker spends 28 percent of their workweek reading and responding to e-mails. But, as with any change, it is important to note that certain risks are bound to accompany the derived benefits, and e-mail is not immune to this maxim.
Digital Theft and the Unknown
Theft is not restricted to physical property. Just as a package can be stolen while in transit, so can an e-mail be intercepted during transmission; however, there is one key difference between physical and digital property. A stolen package never arrives, so you find out. An intercepted e-mail is copied rather than taken: the message still reaches the recipient, and you may never learn that someone else read it along the way.
As such, it should be no surprise that, for confirmed data breaches, a study conducted by the Verizon RISK Team concluded that over 85 percent of breaches took weeks or more to discover, and over 90 percent were discovered by a third party. It is therefore not outside the realm of possibility that your organization has already had data intercepted and the breach has simply remained undetected.
Why E-mail Encryption?
So, how can you ensure that your organization doesn't become another statistic in a data breach study? Encrypting e-mail is a great place to start. While encrypting e-mail has always provided business with a sound form of protection, laws such as HIPAA and the HITECH Act, in addition to state regulations, have led to e-mail encryption becoming a more common business practice. Before going into why e-mail encryption is important, it is helpful to understand how e-mail works.
After you press the send button, your e-mail embarks on a journey across one or more mail transfer agent (MTA) servers before reaching the destination mail server and the intended recipient. Along this journey, anyone who gains access to one of those servers, or to the network links between them, can intercept and read your message. In physical terms, an unencrypted e-mail is a post card: every pair of hands it passes through can read the contents. If the message body is encrypted before it is sent, it is instead like a letter written in a code, where you separately tell the recipient (say, by phone) how to decode it. Even if the letter is opened along the way, it is useless to the perpetrator. Two practical points follow from this picture. First, encrypting the link between two servers (the TLS that many mail servers negotiate with each other) protects only that hop; the message is still readable in the clear on each server it rests on, so only encryption of the message content itself, end to end, seals the letter for the whole journey. Second, the addressing on the envelope (sender, recipient, subject line) is still needed by every server to deliver the message, so it normally remains visible even when the body is encrypted; keep sensitive details out of subject lines.
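The post card versus sealed letter comparison, as an added example that is not part of the original post: a message is relayed through three hypothetical MTAs (smtp.sender.example, relay.isp.example and mx.recipient.example, all made-up hosts), first in the clear and then with the body encrypted under a key the two parties agreed out of band. The example uses only the Python standard library, so the cipher (HMAC-SHA256 run in counter mode, with a separate HMAC tag checked before decryption) is a demonstration construction chosen to avoid external dependencies; a real deployment would use S/MIME, OpenPGP or an encryption gateway rather than hand-rolled cryptography. The key and the message text are constructed sample data.

```python
"""Added example: an e-mail relayed across several mail transfer agents (MTAs),
once in the clear and once with the body encrypted end to end.

Standard library only. The cipher below (HMAC-SHA256 in counter mode,
encrypt-then-MAC) is a demonstration construction; use S/MIME or OpenPGP
in practice.
"""
import hashlib
import hmac
import os
from email.message import EmailMessage

# Hypothetical hosts: three hops between sender and recipient.
MTAS = ["smtp.sender.example", "relay.isp.example", "mx.recipient.example"]

# Constructed sample key standing in for a secret the two parties agreed out of
# band (the "phone call" in the text). Never hard-code a real key.
SHARED_KEY = hashlib.sha256(b"constructed demo key, do not reuse").digest()


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the shared secret."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: concatenate HMAC-SHA256(key, nonce || counter) blocks."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject anything altered."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext altered in transit or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def relay(msg: EmailMessage, hops) -> list:
    """Pass the message through each MTA. Each hop prepends a Received: header,
    as real MTAs do, and records what someone controlling that server could
    read: the headers and the body exactly as transmitted."""
    observed = []
    for host in hops:
        msg["Received"] = f"from previous-hop by {host}"
        observed.append({"host": host, "subject": msg["Subject"],
                         "body_on_wire": msg.get_payload()})
    return observed


def _new_message() -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "alice@sender.example"
    msg["To"] = "bob@recipient.example"
    msg["Subject"] = "Q3 payroll figures"
    return msg


def send_in_clear(body: str) -> list:
    """Post card: every hop sees the body verbatim."""
    msg = _new_message()
    msg.set_content(body)
    return relay(msg, MTAS)


def send_encrypted(body: str, key: bytes) -> tuple:
    """Sealed letter: hops see only ciphertext; the recipient, holding the
    out-of-band key, recovers the text. Headers stay visible at every hop."""
    msg = _new_message()
    msg.set_content(encrypt(key, body.encode()),
                    maintype="application", subtype="octet-stream")
    observed = relay(msg, MTAS)
    recovered = decrypt(key, msg.get_content()).decode()
    return observed, recovered


def tamper_is_detected(key: bytes, body: bytes) -> bool:
    """Flip one ciphertext byte, as a hostile relay might; decrypt must refuse."""
    blob = bytearray(encrypt(key, body))
    blob[20] ^= 0x01  # byte 20 lies inside the ciphertext (nonce is bytes 0-15)
    try:
        decrypt(key, bytes(blob))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    secret = "Wire $48,000 to account 12345 by Friday."  # constructed sample text
    for hop in send_in_clear(secret):
        print(hop["host"], "saw:", hop["body_on_wire"].strip())
    hops, text = send_encrypted(secret, SHARED_KEY)
    for hop in hops:
        print(hop["host"], "saw:", hop["body_on_wire"][:32].strip(), "...")
    print("recipient recovered:", text)
    print("tampering detected:", tamper_is_detected(SHARED_KEY, secret.encode()))
```

Running it shows every hop reading the instruction to wire money in the clear case, only base64 ciphertext in the encrypted case, and the subject line visible at every hop in both cases, which is the envelope caveat above. The tag check is what turns "useless to the perpetrator" into "also cannot be quietly altered": a relay that flips a byte causes the recipient's decrypt to fail loudly instead of delivering a corrupted instruction.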
Additional Matters to Consider
As we previously discussed, there is no single answer to solving your security problems. Therefore, in addition to e-mail encryption, there are three easy steps to ensuring that your information remains secure during the e-mail process:
- Disable the address autocomplete feature in your e-mail program, so that a half-typed name is not silently completed to the wrong recipient.
- Restrict the creation of external e-mail distribution lists to certain individuals who require this function to complete their job tasks.
- Develop, implement and enforce a comprehensive e-mail policy that addresses such issues as:
- E-mail structure
- E-mail retention
- E-mail monitoring and enforcement
As you can see, the first two controls are technical, and they serve to prevent the accidental dissemination of information to unauthorized parties. But in addition to such technical controls, it is important to consider the people aspect of security.
People often represent the weakest link in the security chain, but there is nothing to prevent that weakness from becoming an organizational strength. Implementing, monitoring and enforcing an e-mail policy improves user knowledge and awareness of information security, which is what turns people from the weakest link into an additional layer of defense.
If you are unsure that your business is adequately protected, our Information Security Baseline Review is an ideal starting point for answering all of your questions, and providing you and your key managers with a basic education of both the threats your company’s information faces and what practical approaches you can take to protect it.
Remember, a false sense of security is worse than being unsure. We have a variety of tools and resources to help you. I encourage you to call us and take proactive action.
About the Author
William Prohn CISSP, CISA, CGEIT, CRISC, CMMC-AB RP
Bill oversees all aspects of information technology for the firm, and provides consulting services to a wide spectrum of Dopkins’ clients. He has over 30 years of experience in accounting and business information systems. His specific interests include creating meaningful, practical management information using computer technologies, and the security of business information and systems.