Organisations should take appropriate security measures in order to protect their email servers and networks as well as the information that email messages may contain.
After all, they wouldn't want to be embarrassed or lose business because of their complacency, would they?
Data protection legislation also requires organisations to implement operational and management security measures where they are processing personal information. With growing concern over the number of data breaches now taking place, legislators and regulators are now looking at how organisations should take proactive measures to protect themselves. They are also taking a tougher stance against organisations that harm others after failing to implement security measures.
Organisations using email are exposed to a number of security issues which fall into 3 categories:
- Email transmission
- Email integrity/authenticity
- Email storage
Data transmission across the Internet is high risk. At any point of the data transmission there exists the potential for the information to be diverted, modified or copied. This may lead to a breach of an obligation of confidentiality owed to the owner of any confidential information. The risks of breaching security or confidentiality may be reduced using email encryption.
Notice and disclaimer
All external email should include an Email Notice And Disclaimer which states:
(a) the organisation’s full name and registered (or other official) address and any other matter which, by law must be printed on the organisation’s headed paper.
(b) that the contents and any attachments of the email are confidential and intended only for the named addressees
(c) that any other use of the message or attachments by unauthorised readers is strictly prohibited, unless stated to the contrary
(d) that the organisation is not responsible for changes made to a message after it has been sent
Use of email encryption
(e) must have detailed procedures in place for the distribution of public encryption keys to allow secure communication with all value chain partners
(f) should introduce an appropriate policy on the type and strength of encryption used for all email storage and archive
(g) have appropriate procedures for the regular review and updating of its email encryption policies and procedures
(h) introduce a policy on the use of digital signatures on email transmissions
(i) introduce appropriate security measures to ensure that stored and archived email is adequately protected from unauthorised access. These measures should include appropriate audit procedures to assist in detecting actual or attempted unauthorised access, together with appropriate procedures to be followed in the event that unauthorised access is detected
(j) Include an auto signature on all emails sent for business purposes, stating the sender’s name, their position in the organisation and contact details
(k) Discourage use of internal jargon
(l) Use synchronisation software to ensure correct date and time stamps on all email.
(m) All email transmissions that require reliability should be sent with a return receipt request, which will notify the sender that the email has arrived at the destination and that the recipient has opened it.
(n) When using ‘out of office’ settings, consider who might be sending you an email and whether the details written in your automated response are appropriate. For example, naming colleagues and giving their contact details will breach data protection rules if they have not consented to it.