OPINION: Sending the right message


10 Mar 2011

Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Pin on PinterestShare on RedditEmail this to someone

Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Pin on PinterestShare on RedditEmail this to someone

Aiden Callaly outlines the range of compliance and security issues affecting how organisations protect their email systems.

As we move into 2011, the increasing frequency of data security breaches through email, websites, third parties and lost mobile devices is now everyday news. With email representing the vast majority of how businesses communicate with their customers and share information, the need to address escalating internet security threats and meet data retention compliance standards under laws in multiple jurisdictions is becoming a major focus for not just enterprises and the public sector, but also small and medium businesses.

Every industry vertical, from health to financial services, has specific or general data protection laws that must be complied with, including NHS security policy, Data Protection (Health) Regulations, EU Data Protection Directive, HIPAA and local data protection acts.

The need to protect and retain information is leading to strong demand for email encryption, email archiving and mobile security services. In some cases, for example in health, when exchanging patient records by email, the use of encryption is compulsory. Increasingly, sectors such as financial services are implementing compulsory encryption policies for certain types of email content and archiving for all email.

Archiving doesn’t just address data protection and retention, it also addresses key litigation standards in relation to electronic discovery that certain industries must comply with. Probably the most vulnerable area for companies is the loss of laptops and smartphones containing confidential information. The need to prevent data loss through mobile devices is an extremely important consideration for any business handling sensitive information, which means all businesses.

Some of the areas companies and public sector entities are thinking about include the following:

Are you in control of the information you share?

More than one-third of data loss incidents happen at the hands of third parties. When information is shared with customers, partners, or outsourced, there is a greater risk that the information will not be handled with the same care that is used internally. Loss of sensitive data can raise compliance and regulatory issues, often involves unexpected clean-up costs, and invariably leads to damaged business reputation.

Why risk unnecessary fines and damaged reputations?

Processing client information, such as payroll or personal tax, remains one of the highest-rated areas of risk for both client and firm involved. In the event of data loss, clients are often unaware in the UK that as the data controller they are eligible to be fined up to £500,000 by the ICO for breaching the Data Protection Act.

How to comply with legislation

It is a legal requirement for organisations registered under the Data Protection Acts and EU Data Protection Directive to formalise an information security standard that refers to specific policies and procedures used internally when handling information containing personal data. These standards are generally intended to help employees understand the sensitivity of information they handle and provide guidance as to how data should be stored or transmitted electronically when distributed externally with third parties.

Sharing information securely outside of Government networks

The biggest challenge facing public-sector organisations today is the ability to collaborate securely outside of Government networks. Simply restricting access or preventing the flow of highly sensitive information is not the answer to this complex issue. For example, in the UK, the Code of Connection is a mandatory set of requirements that must be demonstrated before local authorities in England and Wales can connect to the Government Secure Intranet (GSI). The code, which has been in effect since September 2009, requires local authorities to provide a compliance statement that documents how their information technology meets baseline requirements. The same applies to data protection acts and EU data laws.

All of these are key issues organisations need to address. This is leading to the growth of internet compliance services, such as email security, email encryption, email archiving, web security and mobile security solutions that allow companies to exchange confidential and sensitive information securely.

Aiden Callaly is vice president of sales with MXSweep