Sending sensitive data information via email has become common practice. However, evolving legislation means that ‘regular’ email no longer provides the security assurances to protect sensitive data or ensure compliance. Indeed, when it comes to transmitting sensitive information, there are a number of factors that CISO’s and DPO’s must now take into consideration to ensure the proper handling of sensitive data.
Let’s start with the risks of non-compliance and the introduction of the upcoming NIS2.
Protection of personal data under the GDPR
The GDPR imposes strict requirements on the processing of personal data. Organizations must take appropriate technical and organizational measures to ensure the confidentiality, integrity and availability of personal data.
Non-compliance can have serious consequences. First, it can lead to reputational damage, as consumers, patients, residents - the general public, in fact - are becoming increasingly aware of their rights around the use of their data.
A loss of trust can have a negative impact on corporate image and customer relationships. In addition, individuals are entitled to compensation in the event of a breach, leading to claims and legal proceedings against the organization. Moreover, legal consequences can arise, such as fines that can amount to millions of euros, imposed by supervisory authorities such as the Dutch Data Protection Authority and ICO in the UK.
The introduction of NIS2
NIS2 will come into effect for all European countries by October 2024. NIS2 requires medium to large entities to take appropriate technical and organizational measures to manage risks to their network security and information systems.
One of the main requirements of the NIS2 guidelines, set out in Article 21, is to have policies and procedures in place regarding the use of encryption and of secure communication platforms. Specifically, operators of essential services and digital service providers will be required to use multi-factor authentication or continuous authentication solutions to ensure data protection.
The new legislation introduces more stringent supervisory measures and stricter enforcement requirements. NIS2 also places greater emphasis on the responsibility of executives, and obliges more entities and sectors to take measures to increase cybersecurity. Read more in our blog here.
How secure is email?
It may surprise you to learn that email is inherently insecure. According to research, 88% of employees say they rely on email to get their job done and 81% see email as the most secure way to send sensitive information.
However, standard email traffic is not encrypted, meaning that the content of the emails can be intercepted and read by third parties. So, for sharing sensitive data, such as medical information, personally identifiable information (PII) or financial data, for example, email requires additional security measures to prevent potential security incidents.
Limitations of Transport Layer Security (TLS) email security
TLS is a protocol used to encrypt email traffic and improve its security. Unfortunately, TLS is optional and opportunistic, meaning it depends on the settings of sending and receiving email servers. If either server does not support TLS, or if the settings are not configured correctly, the email will be sent unencrypted, putting the privacy and confidentiality of the information at risk.
The importance of DANE for proper server control
TLS presents an additional often overlooked problem. While TLS does provide encryption, it does not guarantee that the email will be sent to the correct server. TLS is susceptible to so-called Man-in-the-Middle (MitM) attacks, in which third parties are able to route encrypted emails to another server, instead of the recipient's, without anyone noticing.
Domain Name System-based Authentication of Named Entities (DANE) improves the security of email traffic through proper server control using DNSSEC (Domain Name System Security Extensions) to verify the authenticity of the email server, and ensures emails are delivered to authorized servers only. Provided that both the recipient and sender have configured their mail servers correctly DANE eliminates the risk of emails not being delivered to the right servers. In the Netherlands, 'only' 59% of domain names are secured with DANE’ and adoption in almost all other countries in the world is considerably lower.
How two-factor authentication (2FA) improves email security
While DANE ensures that emails are delivered securely from the sending to the receiving server, it does not protect the email once at rest in the recipient’s inbox. After all, any individual with access to a user's mailbox can read the email, including administrators of the email service, the organization, a colleague (if a device is left unattended), partner, or any unauthorized person who has obtained the user's password. Consider how much data an unauthorized user could find or the actions they could take if they were to gain access to your inbox right now - we know, it doesn’t bear thinking about.
2FA is a familiar protocol for most of us today, used frequently to protect sensitive data in banking applications, healthcare or government portals, or work platforms. 2FA provides an extra layer of security that requires users to provide a second form of authentication, such as a unique code sent to their mobile device, in addition to their password.
While 2FA is considered best practice for securing accounts, it is lacking in ‘regular’ email. It’s time to apply this security measure to our emails, ensuring only authorized individuals can access their sensitive contents and attachments.
How to email securely
Organizations are recognizing the limitations of regular email and starting to enhance their clients (such as M365 and Gmail) with additional security solutions - often in addition to their Secure Email Gateways (SEGs).
The addition of security solutions enhances ‘regular’ email with advanced functionalities to automatically recognize sensitive information in emails and attachments, tailored to an organization’s data loss prevention and privacy policies. In this way, employees are empowered to apply the right security levels at the right time, through the application of strong encryption and 2FA to ensure the confidentiality and integrity of data in accordance with the requirements of the GDPR and NIS2.
In short, it is time to expect more of email. Alone, standard email does not ensure compliance with NIS2 or the GDPR, or many other data protection legislations.
We see thousands of progressive IT leaders leading the way for their sectors, going above and beyond on the matter of compliance, through the introduction of intuitive security solutions designed to empower employees to prevent the leading causes of data leaks. By investing in the right security measures, CISOs and security professionals can ensure that sensitive information is securely exchanged and that it meets legal data protection requirements.
To find out how our Secure Email and Secure File Transfer solutions can support your organization, book a free demo or find out more.