For organizations relying on traditional Secure Email Gateways (SEGs) (such as Proofpoint, Mimecast, and Barracuda), now is the time to ask the question: do you have the tools you need to meet the requirements under new data privacy regulations such as DORA and NIS2?
Fortunately for CISOs and security professionals seeking a secure alternative to their outdated SEG, there is a solution to this headache. Email data protection (EDP) solutions strike the balance between security and user-experience, empowering users to handle sensitive data in accordance with data protection laws. In fact, according to Gartner, many organizations are supplementing Microsoft and Google with EDP solutions to leverage intuitive AI-driven functionality to go above and beyond their compliance requirements.
However, finding the right EDP for your organization is complex. So, here are ten questions (and solutions!) to consider when evaluating your email security strategy.
1. Does your email security solution support you to avoid making mistakes?
Traditional SEGs fail to detect and prevent common human errors, such as sending emails to incorrect recipients - some of the leading causes of data incidents. This is often because SEGs rely on basic filters and rules that do not adequately address simple mistakes.
Moreover, SEGs operate as gateways without user interaction, offering no user-friendly way to warn employees about potential errors, and providing little support in helping users to proactively manage sensitive data securely.
Solution: Specialist EDP solutions are powered by machine learning algorithms, adding an extra security layer to email clients (e.g. Outlook, M365 and Gmail), alerting and guiding users on how to handle sensitive information safely.
Whether there is an unfamiliar recipient in the ‘to’ field, or sensitive data hidden in an attachment, employees are notified in real-time to potential mishaps, and empowered to take appropriate action.
2. Are you empowered to apply security levels that reflect the sensitivity of emails?
SEGs typically require users to add trigger words such as ‘[Secure]’ in messages, or apply specific properties such as labels to sensitive information. Some SEGs try to classify data on the gateway and block, quarantine, or decrypt when sensitive information is detected.
However, this approach, based on simple words and REGEX, will in many cases result in false positives or negatives.
Solution: EDP solutions can automate security with advanced classification rules and algorithms. Combined with in-the-moment decision support, users can apply security measures to align with company policy, or (depending on your preferences) automate security protocols when sensitive data is present, supporting compliance with data protection legislation.
3. Do your tools improve security awareness?
Many privacy and data protection legislation explicitly refers to improving employee awareness on the matter of security. However, this falls outside the scope of SEGs.
Gateways focus on filtering and blocking threats, but do little (if anything at all) to educate and guide employees in real-time on best practices for handling sensitive information.
Solution: The best time to educate employees about security best practice is in the moment they are handling sensitive information. EDP solutions build a culture of security with non-intrusive alerts to the presence of sensitive information and potential mistakes - so users can take action to prevent them.
4. Can you revoke access to emails?
Once an email is sent through a traditional SEG, retracting or revoking access is generally difficult (or impossible). The inability to recall sensitive information after sending can result in otherwise entirely avoidable data loss events.
However, SEGs lack the functionality to undo or correct mistakes after the fact, leaving sensitive data exposed.
Solution: Providing users with control of their data even after sending is a vital function provided by many EDP solutions. Recipients are not required to ‘accept’ a revoke request (as with M365 or Outlook); senders can simply click to revoke access and even view who has or hasn’t viewed their data, allowing swift action when necessary.
5. Can you share large files by email?
Do your employees have a simple and secure way of sharing large files? File size limitations are a common issue with SEGs, making large file sharing directly from email clients impractical. This often necessitates additional tools or cumbersome workarounds, increasing the potential for a security leak.
Solution: Sharing large files with Outlook, M365 or Gmail is possible with integrated EDP solutions. Supported by advanced encryption and human error prevention tools, users can share large files and folders safely from their email client. Say goodbye to separate file transfer solutions and platforms!
6. Can recipients easily access secure emails?
Requiring recipients to jump through hoops to access secure emails is outdated and impractical. SEGs require recipients to create accounts or remember passwords, creating a barrier between organizations and their stakeholders, leading to frustration, inefficiency and often decreased security in the instance that recipients employ weak passwords.
Solution: With the right EDP solution, recipients can access sensitive messages as easily as normal emails, without creating guest accounts or navigating additional websites.
7. Are you employing two-factor authentication (2FA) to protect sensitive emails?
Under GDPR, DORA and NIS2, 2FA is a vital function for protecting sensitive information. However, SEGs don’t provide 2FA, making the platforms unsuitable for compliantly sending sensitive data.
Solution: Integrating 2FA into your email client is possible with a specialist EDP solution, enabling users to share sensitive information with confidence. Administrators have complete control over verification methods, from access codes to codes sent by SMS.
8. Can you employ enhanced email transport security, such as DANE?
SEGs typically rely on TLS encryption. However, TLS does not guarantee that an encrypted message is sent to the right server, meaning there is still a potential risk of interception.
DANE (DNS-based Authentication of Named Entities) is a global internet protocol that ensures encrypted transport to the correct server. DANE helps to secure the connection against threats such as tampering, eavesdropping, or forgery, bringing trust to the connection between the sending and receiving servers.
Solution: Some specialist EDP providers support sending emails with DANE, with automatic fallback mechanisms to message encryption methods in case DANE is not supported by the recipient, meeting the requirements of NIS2, DORA, and similar legislation.
9. Can you replace traditional fax or signed post with certified or registered email?
The ability to attain legal proof of delivery for sensitive messages is vital for organizations in the financial, legal, and healthcare industries. Traditional SEGs fall short on providing legal proof of delivery, leaving organizations to rely on outdated communication methods such as fax or signed post.
Solution: Leveraging EDP solutions enables organizations to replace outdated snail mail with email, with the benefit of secure and legally certifiable proof of delivery reports, enhancing security, speed, and cost-efficiency.
10. Is your data protected from third party access, such as Microsoft, Google or government agencies?
SEGs typically encrypt emails but retain access to decryption keys. Additionally, a SEG cannot prevent the preceding mail server (for example, Microsoft or Google) from accessing your data, making them vulnerable to insider threats and attractive to hackers.
Furthermore, most SEGs are US-based and must provide data to the US government upon request - even if hosted on non-American servers.
Solution: End-to-end or zero-access encryption, provided by EDP solutions, prevents vendor access to decryption keys, and even prevents Microsoft and Google from accessing data, providing total protection against the Cloud Act and similar regulations.
Finding the right email data protection solution for your organization
When it comes to meeting compliance, SEGs fall short in a number of critical security areas. As organizations face increasingly stringent requirements, intuitive email data protection solutions are stepping up to fill the gaps.
Striking a balance between user experience and security, Zivver Secure Email empowers users to meet evolving data protection regulations with:
- Large file transfer integration
- 2FA and expiration controls
- Email recall you can rely on
- Human error prevention tools
- Machine learning powered business rules
…and more.
Zivver is recognized by Gartner as one of the leaders in email data protection, and trusted by over 10,000 customers globally.
Learn more about how we can support your organization with compliant email security.
Last updated - 18/06/24
