GDPR and email security
On 25 May 2018, the EU is set to roll out new regulations on data protection that will bring in stricter laws to replace the Data Protection Act.
The new data protection 'guidance' will be named the General Data Protection Regulation (GDPR), and with over two years' notice, businesses will be expected to be fully compliant by 25 May next year or face hefty fines of over £15 million.
The rules for GDPR have been clearly outlined by the EU and the government, covering how data should be stored and exchanged. Finding the key elements of the regulation is easy; where it becomes more difficult is applying them to the individual aspects of a business.
Email security and the regulation
Becoming compliant involves much more than securing stored data. Business emails can contain huge amounts of information that falls under the GDPR, meaning current security practices may not stand up when May 2018 comes around.
Some major factors in the regulation that directly affect email include the way personal data is classified. Contact details, including email addresses, are protected under the regulation. These addresses are often used in both marketing and customer service, which means that any employee mailbox that has been in contact with a customer email address will need to demonstrate outbound protection as well as inbound protection.
Depending on the business, a deeper email security plan may be required. Businesses in retail, finance and healthcare require additional layers of protection. This can include two-factor authentication, strong encryption and data loss protection.
A new requirement in the GDPR is 'privacy by design'. This demands the implementation of technical and organisational measures from the very beginning: systems will need to be designed and implemented with data protection embedded in the email security infrastructure, not bolted on as an afterthought.
Network perimeters and data protection
The GDPR requires businesses to effectively secure personal data and, in the event of a breach, to inform the correct authorities.
Many businesses are running extremely old firewalls or, in more worrying cases, running without one at all. Firewalls exist to protect the perimeter of a network, keeping out unwanted threats. Working without a capable firewall on a business network is essentially the same as leaving the office unlocked: wide open, easy to infiltrate, and leaving any data extremely insecure.
To confidently claim personal data is safe from threats at the perimeter, next generation firewall devices are required. These devices are capable of detecting advanced and never before seen threats, and of scanning encrypted traffic, which older firewalls lack the ability to do.
The regulation states that businesses are required to inform the proper authorities within a specified time frame if and when a breach occurs. To comply with this, the business first needs to actually know that a breach has happened.
Surprisingly, many businesses are unaware they have been breached. Attackers can lie dormant on a network for months before making a move, and very specific technology is required to have these kinds of breaches flagged up. Certain next generation firewalls come equipped with multi-engine sandboxes which defend against and record all threats that pass through the network. The same devices also quarantine any unknown files or data that pass from the outside through the network perimeter, which prevents unknown threats from entering.