Consider this: What would be the cost to your business if an email with sensitive client information—such as credit card numbers or health records—got into the wrong hands?
In 2010, more than 107 trillion emails (Pingdom) were sent – and this number is drastically increasing year over year. Email has become such second nature that we don’t think twice before sending our most personal information through this easy communication channel.
Most good email providers go to great lengths to protect your email in datacenters, and many companies have put good security practices into place to protect email access. But, as email travels across the Internet, it is vulnerable to data breaches, data leaks, and hackers. Rogue employees also pose risks for distributing information inappropriately.
Businesses can face litigation, fines, and loss of reputation if any personal information about their customers is exposed via email or other means. For instance, the federal government’s HIPAA mandates that healthcare providers secure email communication with encryption technology. Financial services firms also face regulation under the Sarbanes-Oxley Act. Several states, including California and Massachusetts, have passed their own legislation requiring email encryption.
Yet, even now, many businesses have no email encryption technology in place. One data breach can jeopardize the trusted relationship you have with your customers. Unfortunately, many businesses are unaware that the problem can be solved with simple controls over the communications coming and going from their company – anything from bad language to confidential information.
Potential Cost of Unsecured Data Email Breach
The average cost of a data breach incident for U.S. organizations in 2011 was $5.5 million and $194 per record. No matter the size of your business, your company may be held financially responsible in the event of a data loss. Many companies look to do the bare minimum to protect themselves, but this leaves the business and all of its data vulnerable. Encryption adds a layer of protection on top of your regular email security, one that any business dealing with personal and confidential information needs to have. Encrypting your email makes the information virtually unreadable as it travels across the Internet, thus protecting private information about you and your customers.
Savings are not just accrued in avoiding penalties and fines. A study from Thomson Reuters found that 71 percent of global compliance professionals foresaw that an increase in time and resources would be required to work with regulators and exchanges to ensure they would be ready and prepared to meet rising compliance requirements. Up-front investment in encryption will assure safety and can save small businesses from having to put personnel resources toward fixing the problem once it occurs.
Private Information Overload
It’s important to note that emails do not often end at the original destination. If you forward information about an employee’s medical condition to your HR manager, he or she may need to forward that on to your corporate lawyer and your health insurance provider. Now information that was originally traded internally has moved outside your network and can continue to move without your knowledge. Yet, your company is still responsible for controlling the dissemination of that information.
Not only can email encryption protect against poaching of confidential information, but IT managers can also set in place rules to automatically flag and review all outbound emails before they leave the internal network. This prevents sensitive information or even email with profanity from leaving your company.
Questions and Actions
Now that you have the background, you still might be asking yourself, how do I know if my business really needs encryption? A good rule of thumb is to consider an encryption solution if you answer yes to one or both of these questions:
- Do you share confidential information about your business or customers over email – such as account numbers, dates of birth, or highly sensitive internal strategy documents?
- Do you operate in a regulated industry or geography? Here are some examples of current legislation in place:
  - Health Insurance Portability and Accountability Act (HIPAA)
  - California Security Breach Notification Act (SB 1386)
  - Massachusetts Encryption Law (201 CMR 17.00)
  - Sarbanes-Oxley Act (SOX)
  - Gramm-Leach-Bliley Act (GLBA)
If you answered yes to either of these questions, it is time to start the encryption discussion with your email provider. By taking this step now, you could be saving a lot of time and money later.
There’s a lot at stake for businesses that are not compliant with federal and industry regulations regarding email encryption, including litigation, fines, and loss of reputation in the event of a data breach. While many states and industries have passed laws holding businesses financially responsible in the case of a leak, email encryption still remains an afterthought. Businesses need control of the communications that are coming and going from their company, from foul language to confidential material. SMBs should consider the potential costs they could face and the security their email services have to offer.
Contact Bob Buono @ 609.709.8150 to answer all your questions about email encryption today.
I hear it all the time. “I would never put my critical data in the cloud.” It’s a prevailing point of view. The idea being that putting your personal data, documents, or music on a computer other than your own means that you are somehow more vulnerable to privacy invasions, hacking, and other problems.
There can be no argument that you are taking a risk by trusting someone else with your data. However, I think it’s worth pausing for a moment and asking yourself a question that few ever think about: Is your data really safer if you manage it yourself? Here are a few things you may want to consider.
1) You probably don’t have a good, always-current backup of your data.
Sure, you run your backup program every so often (maybe even nightly). Perhaps it backs everything up directly to your trusty external hard drive that’s constantly plugged into your computer. Maybe the IT guy comes into the office every so often to swap backup tapes on the server.
Now consider – what happens if your house burns down, your office floods, or someone breaks in and steals your laptop and backup drive? What happens if your computer gets a virus which decides to delete all of the files on your local hard drive as well as any external drives it happens to be connected to? What happens if there’s a nearby lightning strike that results in a power surge destroying your laptop and your backup drive? Taking it a step further, how often do you actually test your ability to restore from the backups you create? Are you sure the tapes created by your IT guy actually contain your critical data?
The reality is that there’s no cost-effective backup strategy the typical home-user or SMB can implement that provides a truly secure, always-accessible solution to protecting against all of the scenarios mentioned above unless you leverage the cloud in some way to create off-site backups.
Cloud-based backup solutions give you a simple, cheap way to keep your important data backed up in a location other than your home or office (the key here being that your backups must reside in a location separate from your computer, so that if one is stolen, damaged, or lost, the other remains intact).
Plenty of online backup solutions today offer fully encrypted backups (the kind that can’t even be decrypted by employees of the company) – so you should obviously do your homework before choosing one. Any (minimal) risk associated with your backups possibly being stolen and decrypted by a (very ambitious) hacker should be mitigated by the fact that your data is actually backed up properly, and not vulnerable to every-day threats.
2) Your most sensitive personal information is probably already in the cloud.
Most people don’t understand that their personal data exists in the cloud today, even if they didn’t put it there. Your bank account details exist on the bank’s website. Your credit scores are on the servers of the three credit bureaus (regardless of whether you’ve ever logged in to pull up the data, it’s sitting there). Your travel reservations are on the airline’s website, and hundreds of other pieces of important information about you are out there, waiting for you to view them.
Obviously, these companies go to great lengths to keep your data private, but there have been cases where something happens and criminals are able to retrieve the data. Remember, in many cases, this is data you didn’t even put there, but it’s sensitive information about you, nonetheless.
The point is – you’re not going to avoid this risk by not participating. In many cases, you may be making yourself more vulnerable to particular forms of identity theft (see the case where folks were caught creating fake Facebook profiles for people who had not yet joined Facebook). You’re likely safer taking an active role in knowing who has your personal information, and managing those accounts carefully.
3) Your computer is probably full of spyware, viruses, and other forms of malware.
Unless we’re talking about the true computer-geeks of the world, statistically speaking, nearly every Windows home and SMB computer out there has some sort of spyware, virus, adware, or other form of malware installed and running. I’m sure you faithfully run your favorite anti-virus software in the background, but remember, virus creators test their stuff against the latest and greatest as well (to make sure it’s not detectable).
This stuff poses a massive risk to the typical home and SMB user. Typical spyware will take screen-shots of your activities, scan your hard drive for personal information, or even use your computer as the middle-man in hacking attacks. If you’ve got spyware on your computer, nothing you do or store on that computer can be considered safe or secure.
The typical business computer user is really not professionally qualified to be the system-administrator of their own computer, and yet that’s precisely the role they’re asked to assume. This leaves the door wide open for hackers.
In a cloud-storage scenario, you mitigate this risk by trusting your data to people who are security experts and make their living by providing clean, secure, and hacker-resistant storage solutions. Do they always get it right? Definitely not. Is your data safer with them than on your spyware- and virus-infected laptop? Absolutely.
4) Your laptop is at risk of being lost or stolen.
One of the most common arguments people make for not storing their data in the cloud is that they don’t want their documents and data to be stolen. I can certainly respect this, and I understand why someone might feel safer if they keep their data in a place where they see and touch it.
Why, then, does the typical laptop owner leave their computer sitting on the front-seat of their car while they stop in for their morning cup of coffee?
If you don’t want your data to be stolen, you’re far better off keeping it in a location where it’s not vulnerable to being lost, damaged, or stolen with one of your devices. Keep it in the cloud where it’s being stored in a military-grade data-center, behind bullet-proof glass, biometrically secured, and watched 24×7. This way, at least you’ll have the peace of mind knowing that, even if someone steals your laptop, they’ve gained access to nothing.
The cloud isn’t perfect, but it provides an opportunity for the average SMB employee to step up their game in terms of providing better security, backups, and overall protection in what is otherwise a very dangerous technical landscape. Unless you plan to become an expert in computer systems administration and data security, your best option to keep yourself as safe as possible is to put your trust in someone with expertise in these areas. It’s the same reason you use a bank to store your cash instead of handling it yourself – the bank is simply better equipped to keep your money safe than you are.
Brian Shellabarger, VP of Product Innovation