Why email could be a business’s biggest compliance downfall

Sharing sensitive data over email could result in hefty fines, but do your employees know the rules? Dr Guy Bunker explains why it’s too easy for organisations to slip up

For all organisations, a data breach is now a case of ‘when’ not ‘if’. Everything from cyber criminals targeting central servers, to disgruntled employees leaking company information, is now a threat. However, the most common cause of data breaches is something routine. The standard, and seemingly innocuous, email is the chief concern for every organisation’s cyber defence efforts.

63 per cent of employees share sensitive data over email frequently, making it a significant risk factor for businesses – even something as simple as accidentally sharing a company document with a customer could result in a headline data breach.

The problem lies with unstructured data, where sensitive information finds its way into email and documents. It could come from a customer who sends in their personal details, or a report run from a database. It could also be something obvious, like within the body of an email, or hidden, for example a column in a spreadsheet.

Information flows like water in an organisation and so the details are sometimes overlooked, which leads to the risk of a data-loss incident and a compliance failure with regulations such as GDPR and PCI DSS (Payment Card Industry Data Security Standard).

PCI compliance

Introduced in 2004, PCI DSS is an information security standard for organisations that handle credit cards. Designed to protect consumer payment card details and reduce credit card fraud, it is the single global financial security regulation.

Compliance with PCI DSS requires an organisation to protect cardholders’ details. Non-compliance can therefore be as simple as receiving a customer’s credit card number in error in a customer email, or replying to one with the payment information still included. These small slip-ups can expose businesses to monumental risk, incurring fines of up to $100,000 and, more significantly, the potential to have credit card processing revoked, which for many businesses would stop them in their tracks.

Innovative solutions

In a world where email is the primary form of contact for many businesses, with an estimated 132 billion emails sent every day, the likelihood of mistakes is significant. Recent Clearswift research shows that as many as 45 per cent of employees have mistakenly shared emails containing key data with unintended recipients.

Historically, when an employee unintentionally shares sensitive data via email, it’s been the job of IT and compliance teams to monitor, detect, block and then manually delete the email, and with it the critical information it contained.

However, this approach is both time-consuming and blocks ongoing collaboration, which could grind to a halt any business that uses email as a primary form of communication.

Today’s data loss prevention (DLP) technologies serve as a first and last line of defence in an organisation’s cyber strategy. After encryption, it is DLP that will keep your information safe by catching the mistakes. The next generation of adaptive DLP solutions scans every email entering and leaving an organisation and removes any sensitive data that breaks policy, i.e. data the recipient is not authorised to read.

This approach, rather than the traditional ‘stop and block’ method, ensures the email will still be delivered, even if some data has been removed. Continuous collaboration with assured information security keeps the business running as well as removing the frustration that traditional solutions create.
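The following script is an added illustration of the ‘redact and deliver’ approach described above; it is example code written for this page, not Clearswift’s product or any part of it. It assumes a simplified policy: a candidate card number is a run of 13 to 19 digits (optionally grouped by spaces or hyphens) that passes the Luhn checksum, every text part of a message (body and attachments) is scanned, and under the `redact` policy the message is still delivered with each number masked down to its last four digits, whereas the `block` policy holds it in the traditional ‘stop and block’ manner. The sample message, the attachment name and the policy names are constructed for the example.

```python
"""Toy adaptive DLP filter for outbound email (example code, not a product)."""
import re
from dataclasses import dataclass, field

# Candidate PAN: 13-19 digits, optionally grouped with single spaces or hyphens.
PAN_PATTERN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Checking Luhn is what separates a real card number from an order
    reference or phone number of the same length, which keeps the
    filter from redacting data that is not actually sensitive."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Yield (start, end, digits) for each Luhn-valid card number in text."""
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            yield m.start(), m.end(), digits


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, which is what a receipt would show."""
    return "X" * (len(digits) - 4) + digits[-4:]


def redact_text(text: str):
    """Replace each valid PAN with its masked form and keep the rest intact."""
    findings = list(find_pans(text))
    out = text
    for start, end, digits in reversed(findings):  # right-to-left so offsets stay valid
        out = out[:start] + mask_pan(digits) + out[end:]
    return out, findings


@dataclass
class Finding:
    part: str      # which part of the message (body or attachment name)
    start: int
    end: int
    masked: str


@dataclass
class Decision:
    action: str    # "deliver", "deliver-redacted" or "block"
    parts: dict
    findings: list = field(default_factory=list)


def filter_email(parts: dict, policy: str = "redact") -> Decision:
    """Scan every text part of a message and decide what to do with it.

    Under the 'redact' policy (the adaptive approach) the message is still
    delivered with card numbers masked; under 'block' it is held back."""
    cleaned, findings = {}, []
    for name, text in parts.items():
        redacted, found = redact_text(text)
        cleaned[name] = redacted
        findings += [Finding(name, s, e, mask_pan(d)) for s, e, d in found]
    if not findings:
        return Decision("deliver", dict(parts))
    if policy == "block":
        return Decision("block", dict(parts), findings)
    return Decision("deliver-redacted", cleaned, findings)


# Constructed sample message: a support reply that quotes the customer's card
# number in the body and attaches a CSV export with a card column (the "hidden
# column in a spreadsheet" case). 4111 1111 1111 1111 is the widely published
# Visa test number; 1234567890123456 is an order reference that fails the Luhn
# check and must be left untouched.
SAMPLE_EMAIL = {
    "body": ("Hi Alice, thanks for your order 1234567890123456.\n"
             "We have refunded card 4111 1111 1111 1111 as requested."),
    "orders.csv": "name,order,card\nAlice,1234567890123456,4111-1111-1111-1111\n",
}

if __name__ == "__main__":
    decision = filter_email(SAMPLE_EMAIL)
    print(decision.action)
    for f in decision.findings:
        print(f"  {f.part}: offset {f.start}-{f.end} -> {f.masked}")
    print(decision.parts["body"])
```

Run it and the sample message comes back as `deliver-redacted` with two findings (one in the body, one in the CSV) while the order reference is preserved; switching to `policy="block"` returns `block` with the same findings but no modified content, which is the outcome that stalls collaboration. The findings list is the audit trail a compliance team would keep instead of the original content.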

It is important that all employees are trained and made aware of the ways in which their everyday activity could put an organisation at risk, but implementing an adaptive solution that catches mistakes reduces the potential for human error. No matter how skilled employees are in security measures, there will always be mistakes; ensuring those mistakes do not put an organisation at unnecessary risk is vital to its compliance as well as its cyber defence efforts.

Dr Guy Bunker is senior vice president of products at Clearswift