Most financial institutions have invested a lot of time and resources into implementing secure email delivery systems designed to handle cases where they need to send sensitive data over email. The systems normally automatically detect that there is sensitive data and sends the recipient an email that contains a link to a secure email web portal. Since the sensitive data never travels over the Internet as email, there is no risk that someone on the Internet can intercept an unencrypted email.
But what happens when a critical business partner insists on doing business using email but refuses to use a secure email portal? We hear this sometimes from institutions working with industries like insurance that are not as regulated as financial services. To answer the question, institutions should assess the risks of email. This week, the Friday 5 discusses five factors your institution can consider in assessing the risk of using email to communicate with business partners:
- Assess whether email is encrypted within your institution: When an email is sent it first travels from a PC to an email server. The server can be in-house or can be cloud-based (as is the case with Office 365). If this connection is encrypted, it mitigates the risk that someone intercepts email between a PC and an email server.
- Assess whether data is protected at rest: In many email systems, email is stored on the server unencrypted, as the overhead to encrypt each email is substantial. It is important to make sure that the controls around this server are sound to provide the most protection possible for this data. A common control for Exchange servers, for instance, is to encrypt the disk of the email server using BitLocker. Making sure that the email server is fully patched and contains no critical vulnerabilities is also important. Finally, making sure that access to the email data itself at the server level is fully logged and monitored helps mitigate the risk of someone stealing email data.
- Assess local archiving: Email stored in local PST files on workstations is normally unencrypted. Making certain users that send sensitive data via email are not allowed to archive locally ensures that the data is not sitting in a location that is not as secure as the email server.
- Assess whether the email is encrypted on the Internet: We used to teach that all email was unencrypted, because at one time that was true. But today, a large percentage of email is encrypted automatically while in transit between servers on the Internet. For email to be encrypted between you and your business partner, the email servers of both organizations need to be configured to support encryption. If you can prove that email between the two organizations is encrypted (this can normally be done by looking at the email headers), this goes a long way towards mitigating the risk. Note that encryption methods are always becoming stronger, so as part of this analysis make sure the encryption level is adequate for the data being transmitted.
- Talk to the security officer of the business partner: By speaking with the security officer of your business partner, you will at least make them aware that the problem exists and may be able to eliminate the problem completely. We sometimes find that the people working for the business partner are not following internal policy, and that the security officer will help educate their staff if brought to their attention. In other cases, the security officer has been asked the question before and can provide documentation on how the risk is mitigated within their environment.
Knowing what the right decision is isn't always clear when it comes to risk. Bedel Security regularly works with financial institutions to help them understand security risks and make the best decision for their situation. If you're struggling with difficult technology risk decisions like these don't hesitate to reach out using the button below. We'd love to talk through your situation and help you find clarity.