Most businesses are becoming aware of the implications of the Protection of Personal Information (POPI) Act that will regulate the manner in which personal information is processed, says Craig Freer, head of Product at Vox Telecom.
The Act requires, among other things, that companies take significant steps to protect confidential personal information, which may include biometric information, physical information, private correspondence and historical data. This has led many businesses to implement stricter safeguards such as firewalls, mobile device management programmes and encryption tools, but there is one area that experts say they may be overlooking.
“A recent study has shown that more than a third of businesses were impacted by the exposure of sensitive information and the theft of intellectual property via e-mail, whereas 20% have actually had to terminate employees for violating their e-mail policies,” says Freer.
“Companies are struggling to create and enforce outbound messaging policies to ensure that messages comply with internal rules and best practices for data protection.
“As much as 10% of all outbound e-mails in the average business contains information that can be seen as “sensitive”, including confidential or proprietary company information, valuable intellectual property or trade secrets and personal or identity data that may violate data protection regulations if not secured.”
“There are essentially two flows of information at any organisation,” says Nick Altini, of law firm DLA Cliffe Dekker Hofmeyr. “Data at rest or in use, which lies in the hands of the organisation; and then data in motion, that is both within and outside of the responsible party organisation. Most companies are good at employing safeguards to protect data at rest, but data in motion is a huge concern.
“It’s extremely easy to disseminate sensitive personal information through e-mail, either inadvertently or deliberately. Once disseminated, it is extremely difficult to keep track of or recover that information, especially outside of the responsible party organisation. Companies may not be able to completely eliminate the risk of data leaks, but it is in their best interest to minimise the risk as much as possible.”
Freer believes that the right e-mail system can assist with minimising the risks of data leaks via e-mail, but that encrypted mail may not be enough.
“Encryption is a non-negotiable element of secure mail, but in order to keep track of mail as it leaves the organisation, there has to be an audit trail of some kind. That way, should there be a breach of information, it becomes much easier to track its source.”
Freer highlights the elements that an auditable, secure mail system should have in order to assist with compliance:
* Secure mail protocols – unlike conventional e-mail that makes use of the SMTP protocol, secure mail is delivered over a strict, secure protocol to prevent outside hacking. “E-mail is almost 40 years old, and never meant to do what it currently does – which means that it still uses an unsecured protocol. Secure mail uses secure protocols and does not “hop” between mail servers.”
* Encryption with a For Your Eyes Only (FYEO) feature – “By password protecting e-mails, it lessens the risk of unauthorised individuals gaining access to messages.”
* Automatically blocking the transmission of certain information – “Protocols can be set to automatically block or warn users if sensitive information is about to go out. The system can detect the sequence of numbers in an ID number for example, or block all mails going to a competitor.”
* Monitoring unintended transmission of e-mails – “The audit trail can keep track of how information is being treated once it’s left the organisation – you will be able to see whether that person has forwarded, read or printed the information they’ve received from you.”
* Limiting forward recipients – “A truly secure mail system will allow you to prevent others from forwarding or replying information, before you even hit the send button.”
* True recall – “Nothing makes people scramble to read a mail message more than when someone recalls it,” says Freer. “True recall actually removes the message from the person’s inbox and network, so that it cannot be read after it’s recalled.”
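The blocking rule in the list above (detect an ID number in an outgoing message, block mail to a competitor, warn rather than block in lower-risk cases) is the kind of outbound policy check a mail gateway applies before a message leaves. The following is an added example written for this article, not code from Vox Telecom's product or from any vendor mentioned here. It assumes the South African 13-digit ID layout (YYMMDD SSSS C A Z with a Luhn check digit), and the domains example.co.za, competitor.example and partner.example and the sample messages are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from datetime import date

# Assumption: the ID numbers in question are South African 13-digit IDs laid out as
# YYMMDD SSSS C A Z, where Z is a Luhn check digit. Any run of exactly 13 digits is a
# candidate; the date and checksum tests weed out invoice or phone numbers.
SA_ID_CANDIDATE = re.compile(r"(?<!\d)\d{13}(?!\d)")

# Constructed policy data for the example; a real gateway would load these from config.
INTERNAL_DOMAIN = "example.co.za"
BLOCKED_DOMAINS = {"competitor.example"}


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over an all-digit string (check digit included)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_sa_id(candidate: str) -> bool:
    """True when a 13-digit run has a plausible YYMMDD prefix and a valid Luhn digit."""
    if len(candidate) != 13 or not candidate.isdigit():
        return False
    yy, mm, dd = int(candidate[:2]), int(candidate[2:4]), int(candidate[4:6])
    try:
        # The century is not encoded, so only month/day validity is checked; 2000 is a
        # leap year, so a 29 February birthday is not wrongly rejected.
        date(2000 + yy, mm, dd)
    except ValueError:
        return False
    return luhn_ok(candidate)


def mask_id(id_number: str) -> str:
    """Keep only the last four digits so the audit log does not itself leak the ID."""
    return "*" * (len(id_number) - 4) + id_number[-4:]


@dataclass
class OutboundMail:
    sender: str
    recipients: list
    subject: str
    body: str


@dataclass
class PolicyDecision:
    action: str                              # "allow", "warn" or "block"
    reasons: list = field(default_factory=list)


def evaluate_outbound(mail: OutboundMail,
                      internal_domain: str = INTERNAL_DOMAIN,
                      blocked_domains: set = BLOCKED_DOMAINS) -> PolicyDecision:
    """Block mail to listed domains, block ID numbers leaving the organisation,
    and only warn when ID numbers travel between internal addresses."""
    decision = PolicyDecision("allow")
    external = [r for r in mail.recipients
                if r.rsplit("@", 1)[-1].lower() != internal_domain]

    # Rule 1: any recipient domain on the block list stops the message outright.
    for rcpt in external:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in blocked_domains:
            decision.reasons.append(f"recipient domain is blocked: {domain}")
            decision.action = "block"

    # Rule 2: validated ID numbers in the subject or body.
    found = [c for c in SA_ID_CANDIDATE.findall(mail.subject + "\n" + mail.body)
             if looks_like_sa_id(c)]
    if found:
        masked = ", ".join(mask_id(c) for c in found)
        if external:
            decision.reasons.append(f"ID number(s) {masked} addressed to external recipients")
            decision.action = "block"
        else:
            decision.reasons.append(f"ID number(s) {masked} in internal mail")
            if decision.action == "allow":
                decision.action = "warn"
    return decision


# Constructed sample messages for a dry run (the ID number is synthetic).
SAMPLE_MAILS = [
    OutboundMail("hr@example.co.za", ["payroll@example.co.za"],
                 "New starter", "Please load ID 8001015009087 onto the system."),
    OutboundMail("sales@example.co.za", ["buyer@competitor.example"],
                 "Pricing", "Attached is our price list."),
    OutboundMail("hr@example.co.za", ["agent@partner.example"],
                 "Reference check", "Candidate ID number: 8001015009087"),
    OutboundMail("billing@example.co.za", ["client@partner.example"],
                 "Invoice 1234567890123", "Your invoice 1234567890123 is attached."),
]

if __name__ == "__main__":
    for mail in SAMPLE_MAILS:
        d = evaluate_outbound(mail)
        print(f"{d.action:5}  {mail.recipients[0]:28}  {'; '.join(d.reasons)}")
```

Two design points matter for the audit trail the article calls for: the checksum and date tests keep a 13-digit invoice number from triggering a false block, and the log line records only a masked ID, so the record of a blocked leak is not itself a copy of the personal information.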
Altini says that he believes auditable e-mail will make a significant difference in an organisation. “Under POPI, data breaches could be extremely costly – leading not only to possible civil damages claims, on a strict liability basis, but also administrative penalties of up to R10-million,” he says. “It is well worth employing a system that can minimise the risk.”