We’ve all seen the damage that can be done by failures to comply with acceptable information security practices. Headlines constantly report on companies that have been caught transmitting information across unsecured channels, customers whose private financial data has been lost in transit, or patients whose private healthcare data has been stolen by hackers or other nefarious types. Ensuring that this information is protected is now of paramount importance, and deserves the same attention that has been given to protecting organizations against inbound threats such as spam, viruses and denial-of-service attacks. By understanding the reasons for e-mail privacy compliance and then developing and enforcing a universal policy to control outbound messaging at the network gateway, you can ensure that your organization never ends up on the front page for all the wrong reasons.
Over the past few years, several laws targeting the dissemination of private information have forced businesses in every industry to rethink how they communicate. Three primary regulations, the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA) and Sarbanes-Oxley (SOX) affect virtually every aspect of an organization’s information sharing practices, and complying with these laws necessitates an approach to communication that involves constant awareness of them. As e-mail is now firmly entrenched as the most important communication tool for any organization, special care must be taken to ensure that all messages sent or received are within the realm of legally appropriate interaction.
Each of the three primary regulations affects a different area of an organization’s communication strategy. The HIPAA and GLBA regulations are similar in scope, but differ in their targeted industries; SOX differs in that it pertains not only to personal information, but also to the integrity of financial reporting data. While the acts differ from one another in their language, they all share one common attribute: stiff penalties for those who violate them.
Need convincing that it’s time to focus on your e-mail compliance? This may help: CipherTrust Research has determined that close to 95% of all information leaks occur over the SMTP protocol. Thus, an e-mail gateway without outbound security is essentially an invitation to anyone on the network to send information out of the organization with virtually no risk of being caught. Information commonly involved in information leaks includes trade secrets, competitive data, customer information and countless other types of sensitive data that must be protected at all costs. Whether these information leaks are inadvertent or intentional, your inability to regulate them can very easily lead to catastrophic consequences for the organization, including negative media coverage, audits from the Federal Trade Commission or other regulatory bodies, financial penalties as mentioned above, and perhaps most devastatingly, loss of trust from your customers.
The surge in PC-based multimedia such as mp3 files, mpeg videos and other content has resulted in a corresponding surge in the size and quantity of attachments found in outbound e-mail. These files are passed from one user to another, often within the network, wasting bandwidth and filling valuable server storage space several megabytes at a time. The time spent sending and viewing/listening to these files results in decreased employee productivity, and exposes your organization unnecessarily to potentially malicious files masquerading as videos or music. In addition, the usual suspects of chain letters, inappropriate jokes and countless other types of forwarded time-wasters are more popular than ever, and are used increasingly by phishers and other would-be fraudsters as innocuous “fronts” for criminal activity.
How to Secure Outbound Messaging
Fortunately for today’s organizations, compliance is within reach, and very likely easier than you expect. A three-step process of Policy Definition, Detection and Enforcement will put you on the fast track to securing critical data within your enterprise.
The first step to battening down the hatches in your organization’s outbound e-mail traffic is to define a comprehensive policy that encompasses both federal regulations and corporate best practices. What information poses a threat to HIPAA compliance? What about inappropriate jokes, pictures or chain letters? Are your employees allowed to send resumes out? Confidential internal memos? Political manifestos? Rumors and innuendo?
For many organizations, the policy definition step is the most intimidating. The expertise required to understand the myriad requirements in each of the regulatory acts is not commonly found in most enterprises, and fees paid to third-party compliance consultants to develop comprehensive policies can easily eat up a department’s budget before the first hint of implementation. Fortunately for these organizations, CipherTrust has spent years perfecting the process of policy definition, and the CipherTrust suite of gateway security products ships with pre-loaded policy creation tools to simplify the process, including lexicon-specific dictionaries for all major legislation and default policies based on industry-specific best practices. These policies are easily modified and are constantly updated through CipherTrust’s Threat Response update program.
Once policies are defined, it’s time to ensure that you can detect any and all violations of these policies. The text contained within an e-mail message must be thoroughly scanned in order to identify terms that could constitute a violation of the law. Dynamic dictionaries of regulation-specific terms must be maintained, and common formats such as Social Security and credit card numbers must be identified before the message leaves the e-mail gateway. File attachments present an additional risk, as they can contain libraries of information that must also be handled in accordance with federal guidelines. To neutralize this threat, attachments must be identified by their actual content encoding (the file’s signature), not just their extension, since an extension is trivially renamed. Archives such as .zip files must also be opened and every file contained in the archive evaluated in turn.
To provide the most comprehensive compliance protection for organizations in any industry, CipherTrust developed the ComplianceProfiler™, a series of best-of-breed engines designed to search all outbound message traffic for violations of corporate or federal regulatory policy. What separates the Compliance Profiler from other gateway-based solutions are CipherTrust’s Advanced Compliance features, including:
Once a message has been processed by the Compliance Profiler, appropriate action must be taken. Administrators need as much flexibility as possible in determining the action to be applied to each message, and CipherTrust Compliance allows them to take as granular an approach as they desire. Messages found to be free of violations can be allowed to leave the network without further processing, while “conditional permission” can be granted to messages that are appropriate, yet need further treatment:
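The detection and enforcement steps above (dictionary terms, Social Security and credit card number formats, attachment type checked by content rather than extension, archive members scanned, and a per-message disposition) can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not CipherTrust code and makes no claim about how the Compliance Profiler works internally. The regular expressions, the Luhn check, the small lexicon, the magic-byte table and the allow/hold policy are all assumptions chosen for the example, and the sample message is constructed inline so the script runs offline.

```python
"""Outbound-mail content checks: identifiers in the body, lexicon terms,
attachment type by signature, recursive ZIP scanning, and a disposition.
Everything below is an assumed, illustrative implementation, not a vendor's."""
import io
import os
import re
import zipfile
from email.message import EmailMessage

# Assumed patterns: US SSN (AAA-GG-SSSS with invalid groups excluded) and
# 13-19 digit card numbers optionally separated by spaces or dashes.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Tiny illustrative dictionary of regulation-specific terms (assumed, not a real lexicon).
LEXICON = {"hipaa": ["diagnosis", "patient record", "medical record number"],
           "glba": ["account number", "routing number"]}

# File signatures (magic bytes) and the extensions each type may legitimately carry.
MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip", b"\xff\xd8\xff": "jpeg", b"MZ": "exe"}
EXT_FOR_TYPE = {"pdf": {".pdf"}, "zip": {".zip", ".docx", ".xlsx"},
                "jpeg": {".jpg", ".jpeg"}, "exe": {".exe", ".dll"}}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> dict:
    """Return SSNs and Luhn-valid card numbers (digits only) found in text."""
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.append(digits)
    return {"ssn": SSN_RE.findall(text), "card": cards}


def find_lexicon_hits(text: str) -> dict:
    low = text.lower()
    return {reg: [t for t in terms if t in low] for reg, terms in LEXICON.items()}


def sniff(data: bytes) -> str:
    """Identify content by signature; the filename is never consulted here."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachment(filename: str, data: bytes, depth: int = 0) -> list:
    """Findings for one attachment: extension/content mismatch, executables,
    identifiers inside text, and (recursively, bounded) ZIP archive members."""
    findings = []
    kind = sniff(data)
    ext = os.path.splitext(filename)[1].lower()
    if kind in EXT_FOR_TYPE and ext not in EXT_FOR_TYPE[kind]:
        findings.append(f"{filename}: content is {kind} but extension is {ext or '(none)'}")
    if kind == "exe":
        findings.append(f"{filename}: executable content")
    if kind == "zip" and depth < 3:       # depth bound guards against nested-archive bombs
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                findings += check_attachment(f"{filename}/{info.filename}", zf.read(info), depth + 1)
    elif kind == "unknown":
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            return findings
        for name, vals in find_identifiers(text).items():
            if vals:
                findings.append(f"{filename}: contains {len(vals)} {name} value(s)")
    return findings


def scan_message(msg: EmailMessage) -> dict:
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    report = {"identifiers": find_identifiers(text), "lexicon": find_lexicon_hits(text),
              "attachments": []}
    for part in msg.iter_attachments():
        report["attachments"] += check_attachment(part.get_filename() or "unnamed",
                                                  part.get_payload(decode=True))
    report["violation"] = bool(report["identifiers"]["ssn"] or report["identifiers"]["card"]
                               or any(report["lexicon"].values()) or report["attachments"])
    return report


def decide_action(report: dict) -> str:
    """Assumed enforcement policy: clean messages pass, anything flagged is held for review."""
    return "hold" if report["violation"] else "allow"


def build_sample_message() -> EmailMessage:
    """Constructed sample: body with an SSN and a test card number, plus a ZIP
    named like a PDF that contains a text file holding another test card number."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.com", "bob@example.net", "FYI"
    msg.set_content("Patient record for J. Doe, SSN 123-45-6789. Card on file 4111 1111 1111 1111.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "Backup card: 5500 0000 0000 0004")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream",
                       filename="report.pdf")
    return msg


if __name__ == "__main__":
    rep = scan_message(build_sample_message())
    print(rep, decide_action(rep))
```

Running the script flags the SSN and card number in the body, the HIPAA lexicon term, the attachment whose ZIP signature contradicts its .pdf extension, and the card number inside the archive member; the disposition for that message is "hold". Two points worth noting for a real gateway: the Luhn check is what keeps ordinary 16-digit strings (order numbers, timestamps) from being reported as cards, and the recursion depth bound on archives is a necessary safety limit, since an unbounded extractor can be stalled by deeply nested or highly compressed archives.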
Take the Next Step toward Complete Compliance
The last thing your enterprise needs is regulatory trouble, and the surest way to find it is by violating federal legislation or disseminating private company information. To that end, CipherTrust Compliance features best-of-breed policy enforcement capabilities, giving compliance officers and executives the peace of mind that comes with staying on the right side of the law. To learn more about how IronMail can help your organization comply with the stringent rules surrounding information privacy, visit CipherTrust on the Web at http://www.ciphertrust.com or call 1-866-448-8625.