The General Data Protection Regulation (GDPR) is meant to protect the personal data of EU residents, no matter where the data resides. The regulation enforces data privacy rules on how organizations collect, store, and use the information, including digital identifiers like email addresses, information exchanged over email, as well as email contact lists (most emails are encompassed by “personal data” protected by the GDPR).
Email is a particularly weak link for companies because of its role as a communication tool, and the fact that it is still the number one threat vector for cybercriminal exploits. In the first quarter of 2018 alone, the Trend Micro™ Smart Protection Network™ blocked almost 9.5 billion threats — 82 percent of those were email related.
Email is a predominant avenue of attack because it’s a ubiquitous and widely used mode of communication. A 2017 survey by the Radicati Group, a marketing research firm, found that 269 billion email messages were sent every day that year. And aside from the volume, email is also used by a whole range of people, from young students to CEOs of multinational companies. It has become a part of everyday life, so people usually open emails and scroll through the content or click on links nonchalantly. Cybercriminals rely on this mindset and employ a variety of tactics to try and take advantage of users:
Phishing: This is an old but still widespread technique in which a cybercriminal impersonates a trusted company associate and then asks the would-be victim for personal information or account details. Phishing is sometimes used to gain deeper access into a corporate network. Email is just one of several channels used for phishing.
Business email compromise (BEC): In a BEC scam, cybercriminals compromise the email of an executive and try to trick an employee or finance executive into sending funds to a fraudulent account.
Spam: Spam is another old but still widely used technique. Based on our findings in 2016, 71 percent of ransomware was delivered through spam. Cybercriminals create legitimate-looking emails — anything from seemingly official work-related emails to marketing emails — and attach malicious files or links. Through these they can deliver all kinds of malware to compromise a user’s or enterprise’s system.
How enterprises can secure email systems and comply with the GDPR
Enterprises can use a variety of solutions to comply with the GDPR and to also help better protect and manage user data. To start with, email systems should have the following:
Ability for data subjects (users whose personal data are collected) to access their own data. This mandate by the GDPR is part of giving users more control over their personal information. Since data subject rights are a fundamental part of GDPR, this is a necessary responsibility for enterprises that collect and process email addresses or email content from their customers, suppliers, and other organizations.
Encryption capabilities. Since emails can contain sensitive personal data like credit card details, social security or national identification numbers, and more, they should be encrypted by the email system. Established email services already offer automated and customizable encryption.
Archiving and organization features. Enterprises also have to ensure that they will be able to comply with requests for data deletion (or “the right to be forgotten”). Emails and related data should be organized so that users’ personal data can be erased as requested, and systems have to be able to cease further dissemination of data. Companies must also be prepared to inform users of the details of the personal data collected and how it is being processed. A good archiving system and data retention policies can help with these requirements.
Be ready for a breach. Breach notification is a major component of the GDPR — the regulation gives companies 72 hours to report a data breach after discovery or penalties could be imposed. Security solutions should be able to identify indicators of compromise and detect breaches in email systems. Administrators or data protection officers (DPOs) should then follow breach reporting procedures, which depend on the severity of the breach.
Secure servers and databases where data is stored. Email servers should be monitored 24x7, have security solutions installed, and be protected by restricted access. If a third party stores the data, whether physically or in the cloud, enterprises should make sure the service provider is GDPR compliant.
Installing state-of-the-art security
Because email has become commonplace, its security can be taken for granted. Enterprises need to be more cognizant of the risks of unsecured email systems and invest in comprehensive security solutions or email service providers with built-in security features. Organizations, either as controllers or processors, should implement state-of-the-art security measures in line with the GDPR. They must deploy effective measures against malware and protect personal data. For email systems, this means installing solutions that will protect organizations from malicious links and attachments, phishing attacks, BEC attacks, and the other common email-borne threats that can compromise personal data.
Email threats often contain suspicious attachments that deliver malicious software, making sandboxing an essential defensive measure for enterprise systems. Sandboxing gives administrators the ability to isolate and analyze potentially malicious files in a separate environment without compromising the whole network. For sophisticated email threats, smart sandboxes can provide more advanced information gathering and analysis.
It is also important to educate employees on identifying social engineering tactics and avoiding phishing attacks. A large part of safe email practices is about building a culture of privacy and awareness in an enterprise. People need to become more informed about the different threats, and learn what they can do to help.
Of course, every enterprise is unique and there is no silver bullet solution that will automatically safeguard every system against every attack. Effective solutions need a tailored and multifaceted strategy that can adapt to evolving threats and shifting priorities of enterprises.
Trend Micro Solutions
Trend Micro™ InterScan™ Messaging Security stops email threats in the cloud with global threat intelligence, protects your data with data loss prevention and encryption, and identifies targeted email attacks, ransomware, and advanced threats as part of the Trend Micro™ User Protection Solution. The hybrid software-as-a-service (SaaS) deployment combines the privacy and control of an on-premises virtual appliance with the proactive protection of a cloud-based pre-filter service.
The Trend Micro™ Deep Discovery™ appliance provides detection, in-depth analysis, and proactive response to attacks that use exploits. As part of the Trend Micro Network Defense Solution, its specialized engines, custom sandboxing, and seamless correlation across the entire attack life cycle allow it to detect threats like zero-day attacks — even without any engine or pattern update.
Trend Micro™ Hosted Email Security™ solution is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach your network. As part of the Trend Micro™ User Protection Solution, it protects Microsoft® Exchange™, Microsoft® Office 365™, Google Apps, and other hosted and on-premises email solutions.