Email Security With GDPR Compliance

Email Security With GDPR Compliance

April 19, 2018

4 min read

New requirements and procedures

GDPR pronounces your rights in relation to the personal data that companies and organizations can collect and store within the EU:

For instance, it dictates that a company cannot refuse if you ask for insights into the data it stores about you.

You also have the right to be forgotten: You can now demand that an organization deletes all their data about you.

As such, GDPR sets new requirements for workflows and procedures to be carried out by employees working with sensitive data.

Additionally, the data protection regulation defines some purely technical requirements for our IT systems: As of May 25, 2018, data protection must be incorporated into the systems that process personal data.

This means that by design, systems must process and protect data in accordance with the GDPR. This, of course, applies to email systems as well.

GDPR and email security

Compliance with GDPR prevents you from being fined up to 20,000,000 EUR or 4% of the company’s total revenue globally.

However, in the email area, compliance also implies other business benefits:

More secure email systems counteract hacker attacks. Worldwide, we are currently sending about 280 billion emails a day.

A large number of hacker attacks lead back to infected emails: Viruses spread through clicks on malicious URLs or attachments.

Email gives rise to phishing attacks, Nigerian letters, and similar email fraud such as Business Email Compromises (the so-called BEC attacks) where a hacker sends an email with the manager of a company as the sender to fool money from a vendor to the company.

In one way or the other, all these attacks compromise personal data. This can give rise to enormous unforeseen expenses for the affected company or organization.

The solution

Luckily, it’s neither particularly difficult nor expensive to significantly improve security when it comes to email data protection:

S/MIME certificates like TRUSTZONE’s PersonalSign certificates are already supported by most email systems—including Microsoft Outlook, Thunderbird, Apple Mail, Lotus Notes, Mulberry Mail, and more.

Give emails a digital signature with S/MIME 

Via Secure/Multipurpose Internet Mail Extensions (S/MIME), a recipient can identify the sender of an email with certainty:

Let’s say you are an internet company that sells a subscription service. Often you will find that a customer changes his payment card and that the card that should pay your service therefore no longer works.

When that happens, you will have to ask the customer to update his payment information.

In that case, it will promote trust in your business if you are able to show the customer that it’s definitely your company asking.

In addition, it’s a clear business advantage that a hacker cannot snatch and abuse this email to lure payment information out of gullible customers.

Once the email is digitally signed, you will be notified immediately should someone try to forward the email in a modified edition.

The PersonalSign certificates enabling definite sender identification can be issued as a token of the individual employee.

In addition, a department in the company or the company itself can be issued as the sender of emails.

Depending on the certificate, issuing takes place through an identification process of varying levels.

By using the most authoritative certificates, you will subsequently be able to sign emails and office documents with the same weight as your signature has on physical letters and documents.

Protects personally sensitive emails 

When the S/MIME standard is used to encrypt emails, both the sender and recipient can rest assured that messages are not read by a third party—or changed somewhere during dispatch for that matter.

Only the recipient has the key that will decrypt the email and not even the sender will be able to decrypt it when sent with S/MIME.

The be-all, encrypt-all?

So, why not encrypt all emails?

Well, in order to do that, both the sender and the recipient would need to install the appropriate PersonalSign certificates.

Having said that, you should be aware that 100% security is never available.

Also in relation to S/MIME technology, you will be able to imagine a situation where a hacker steals a user’s private key and is able to decrypt personally sensitive data in an email.

However, this risk is mainly due to a lack of care from the key owner’s side. The technology itself will keep you safe if you are properly trained to use it.