Encryption technology has been around for a long time and is essential for securing data in motion. In essence, encryption is a set of algorithms that protect electronic data from being intercepted and viewed by unintended recipients. How it works is less important than how it’s implemented. In fact, many of the most important elements have nothing to do with the technology itself. Here are three critical elements for developing a plan to secure data in motion.
1. Start With Assembling a Team
Securing data in motion isn’t the job of just one person. Be sure to include all necessary positions and departments from the beginning. To determine who in an organization should be a part of these discussions ask these questions:
- Who in the organization "touches" the data we need to secure on a regular basis?
- Who can lend valuable knowledge about defining our policies?
- Who would be responsible for enforcing our policies?
- Who has the technical skills needed for selecting and implementing a solution?
Involving everyone up-front means less backtracking and unnecessary changes down the road. Be sure to consider people from legal, compliance, HR, IT and marketing departments. Marketers can help translate policies into layman’s terms for your end-users and help “sell” them on policy compliance.
2. Conduct an Information Risk Assessment
The security needs of every organization vary. Unless an organization has recently conducted a holistic risk assessment, the threat of a data breach is probably much larger and more immediate than realized. Organizations often underestimate their risk because they erroneously believe all their sensitive data is contained within a few secure systems. In reality, this is seldom true.
Examine all business processes that involve moving data. Think about the situation from a workflow perspective. Do employees access corporate systems from their personal devices or use company-issued devices to work from home? What happens when employees take their devices on business trips? How is data transferred between devices or communicated to other stakeholders? What do customers or business partners do with any sensitive files sent to them? Before moving anything, know where sensitive data resides, who needs to share it and with whom they need to share it. Take an especially close look at what is exchanged with third-party users, including inbound workflows. Find out which file sharing services are commonly used and what their potential risks are. Get a good understanding of how this data will flow.
After determining how a company transmits information such as credit card numbers, personally-identifiable information and health records, organizations can begin to formulate a plan for how to safeguard that information during transit.
3. Complete a Policy Review
The third step is to complete a policy review, update existing policies and develop any new ones that are needed. There are six recommendations for completing a policy review (a through f below).
a. Understand what is driving security policy for data in motion. Implementing effective policies requires knowing what factors, internal and external, are driving the need to secure data.
Some industries and businesses are more heavily impacted than others by government and industry regulations like HIPAA, PCI, GLBA and FERPA. Healthcare entities and financial services organizations are examples of industries strongly impacted by government regulations. Get a clear understanding of the regulations an organization must abide by when transferring sensitive data.
Another driver for developing security policies is to protect the organization from a cyber-attack or security breach. Besides being costly, data breaches often cause major damage to the organization’s reputation with a corresponding hit on revenue. It’s important here to understand the organization’s tolerance for this risk. Organizations like investment advisors, medical care providers, legal services and high-tech development firms may have less tolerance for risking a breach. Other organizations may be willing to take on more risk in order to facilitate conducting business. The goal is to understand where the organization falls on this risk-tolerance line.
A third driver is the desire for greater efficiencies in business workflows. Security has often been a hindrance to conducting business, and employees will find ways around it when it is too difficult. Some organizations are now driven by a need to transform old workflows that are “too hard” into something more efficient, easy to use, and also secure and compliant.
b. Identify the data. Identify and understand what data needs to stay private and why. This step will be driven by the reasons that were outlined for needing policies, discussed in the previous section.
Some data sets, like social security numbers, are obviously sensitive and apply to most organizations. Other sensitive data may be specific to the organization, such as an account number or an entire department whose communications need to be protected and encrypted. This is why a team is needed.
c. Forget about patterns. Match sensitive data exactly. When policy filters are used to secure data in motion, they commonly search for patterns in outbound messages and secure the content when those patterns are found. The problem with this functionality is that one keystroke can break a pattern, and then private information gets sent unsecured.
Work to match actual data sets rather than a pattern of what the data should look like. For example, a pattern may be that an account number has 2 letters followed by 6 numbers. Instead of writing a pattern match to search for that shape, set filters to look explicitly for the exact account numbers in the messages.
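As an added illustration (not code from the original article), the small Python filter below contrasts the two approaches in (c): a regex that matches the "two letters, six digits" shape against an exact-match filter that indexes the organization's real account numbers as hashes and normalizes candidate tokens before lookup. The account numbers and the outbound messages are constructed samples.

```python
import hashlib
import re

# Constructed sample: the organisation's real account numbers (2 letters + 6 digits).
# The filter keeps only SHA-256 hashes of them, so its configuration is not a plaintext list.
KNOWN_ACCOUNTS = ["AB123456", "CD987654"]

# Pattern approach from the text: an account number is 2 letters followed by 6 numbers.
PATTERN = re.compile(r"\b[A-Z]{2}\d{6}\b")

def normalize(token: str) -> str:
    """Drop separators a user or mail client may insert, and unify case."""
    return re.sub(r"[\s\-./]", "", token).upper()

def build_exact_index(accounts):
    """Index each real account number by the hash of its normalized form."""
    return {hashlib.sha256(normalize(a).encode()).hexdigest() for a in accounts}

def pattern_filter(message: str) -> bool:
    """Flag the message if anything merely looks like an account number."""
    return PATTERN.search(message) is not None

def candidates(message: str):
    """Yield normalized joins of 1-3 adjacent tokens: 'AB 123456' and 'ab-123456' both become 'AB123456'."""
    tokens = re.findall(r"[A-Za-z0-9][A-Za-z0-9\-./]*", message)
    for i in range(len(tokens)):
        for n in (1, 2, 3):
            if i + n <= len(tokens):
                yield normalize("".join(tokens[i:i + n]))

def exact_filter(message: str, index) -> bool:
    """Flag the message only if some candidate hashes to a known account number."""
    return any(hashlib.sha256(c.encode()).hexdigest() in index for c in candidates(message))

if __name__ == "__main__":
    index = build_exact_index(KNOWN_ACCOUNTS)
    samples = [  # constructed outbound messages
        "Your account AB123456 is ready",       # both filters catch it
        "Your account AB-123456 is ready",      # one extra keystroke: pattern misses, exact catches
        "Your account ab 123456 is ready",      # pattern misses, exact catches
        "Internal ref code XY000001 attached",  # pattern false positive, exact ignores it
    ]
    for s in samples:
        print(f"pattern={pattern_filter(s)!s:5} exact={exact_filter(s, index)!s:5} | {s}")
```

The second and third samples show the "one keystroke" failure from the text: a single inserted separator or a case change defeats the shape-based regex, while the exact filter still recognizes the real account number and does not fire on the look-alike code in the last sample.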
d. Know the user. In order to ensure that outbound email security policy is adhered to, there needs to be an understanding of the end-user experience: know who the end users are. This can have a huge impact on whether or not policies are followed. To keep it simple, make sure policies integrate with and work within existing business processes. If users must change their behavior too much to add security, they have a harder time getting their job done and become resistant (and resentful) about the change.
e. Combine protection and policy. Whenever possible, try to layer protection into the policy design. For example, giving users a way to explicitly mark an outgoing message to be sent securely reduces the filtering load (those checks tend to be very quick) and also provides a first-pass security checkpoint. Users can serve as the first step in identifying which outgoing data needs security. Often they know that some data should be sent securely even if it doesn’t conform to the filtering rules. Combining user knowledge with company policy increases the success rate of sending the right data securely.
f. Remember to keep it simple. Regardless of how bulletproof data in motion security policy is, rules won’t be followed if they are too complex. For maximum policy compliance, keep policies clear and concise. To make sure they are understood, start by outlining and communicating why the policies exist and what the dangers and risks are if they are not followed. Also, be sure the policies adhere to business processes and do not interrupt the daily flow of work for end users.
An outbound email security policy is important to protect a company’s, its clients’ and its customers’ data. These recommendations will help your company transfer information safely and securely. Remember, it’s important to understand why data protection is needed, whether it’s to adhere to government regulations or to protect against a data breach. This will help determine what data needs to be protected and will make it easier to set up filters that match the exact data that should be protected. Finally, make sure policies are clear, concise, and aligned with business processes.