
Delivering Data Breaches by Email

   Words by Paul McQuillan

   on 09/03/2018 08:00:00

When we think of a Data Breach, we tend to think of malicious hackers tunnelling their way into systems to steal or access data.  However, for many companies the most likely Data Breach comes from the simple tool we use every day: Email.

Email is obviously a great tool for fast communication that is instantly accessible and easy to use; essentially everyone gets it.  However, Email also allows us to attach any document and click send, with no check on whether sensitive data is being sent along with the email.

We frequently see this with PDF or Word Documents that contain an individual’s details and address, or lists of contacts with individual data being collected in a Spreadsheet and sent via email internally or externally.

The risk here is that any attachment is duplicated when we send it in an email – so a copy of the Document resides in our Sent Items and in the Inbox of anyone receiving the email, and we naturally have no control over what happens to the data once it is outside our system.  This means that personal or sensitive data can easily be distributed by email, and this constitutes a data breach as we are no longer managing or auditing access to this data.

IT Experts have been warning about the risks of data leakage via email for some time – however the incoming GDPR legislation places stiff new tests on our ability to identify and respond to a Data Breach, to the point where we should consider whether email attachments should be used at all in the future.

A useful analogy of this is to think of the data existing in our systems as residing within our ‘security envelope’, where we manage the level of protection available to avoid data breaches.  Any data we send via Email is essentially being thrust outside of this security envelope, and so any protections we have in place are rendered null and void.

However, if we store and distribute this data, then we are responsible for it under GDPR and so should take precautions to avoid this type of data breach.

How to avoid Email Data Breaches

  • Stop using Email Attachments - The inherent copying of data in an email attachment moves data out of our well-managed, audited systems.  Instead we can use systems that allow us to send Documents via a Secure Link – such systems will typically audit each user’s access to the document or file, and so produce an audit trail of access to the potentially personal or sensitive data.

Obviously we cannot stop someone downloading the file and then emailing it out themselves, but if this happens then we can trace the data breach to whoever has misused their access to the information.

There are various ways to implement secure links – SharePoint and Office 365 provide excellent tools for sharing via link rather than attachment.  For CRM and Dynamics, we use our in-house DocMan App to track both incoming and outgoing Email Attachments securely in CRM and then share only via secure link to avoid accidental data breaches - http://www.crmcs.co.uk/docman-for-dynamics/

  • Online Portal – We can also avoid accidentally distributing data outside of our security envelope by using an Online Portal that our Clients or Suppliers can log into to access the data, documents or files we need to share with them.  This has the great advantage of logging access as Users log in or log out of the Portal, and essentially invites them into our security envelope under controlled conditions rather than sending the information outside our envelope.  This effectively enforces the same level of protection as a secure link, as the data never leaves our security envelope.
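To make the audit trail behind a secure link concrete, here is an added example (not CRM Consultancy's DocMan code, nor SharePoint's) of a per-recipient, expiring link whose every use is recorded, so that after a suspected breach an investigator can ask "who accessed this document?"  The service, the secret and the document and user names are constructed for illustration.

```python
import base64, binascii, hashlib, hmac, json
from dataclasses import dataclass, field

# Placeholder secret for this constructed example; a real service would load
# it from a secret store rather than hard-coding it.
SECRET = b"example-only-server-secret"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

@dataclass
class SecureLinkService:
    audit_log: list = field(default_factory=list)   # one entry per attempt, success or not

    def issue_link(self, doc_id: str, recipient: str, ttl_seconds: int, now: float) -> str:
        # The link binds document, recipient and expiry; the HMAC tag stops anyone
        # editing it to point at another document or another user.
        claims = {"doc": doc_id, "to": recipient, "exp": int(now) + ttl_seconds}
        payload = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(tag)

    def open_link(self, token: str, presented_by: str, now: float):
        # Returns the document id on success, else None; every outcome is logged.
        doc, outcome = None, "malformed"
        try:
            p_enc, t_enc = token.split(".")
            payload, tag = _unb64(p_enc), _unb64(t_enc)
            if not hmac.compare_digest(tag, hmac.new(SECRET, payload, hashlib.sha256).digest()):
                outcome = "tampered"
            else:
                claims = json.loads(payload)
                doc = claims["doc"]
                if now > claims["exp"]:
                    outcome = "expired"
                elif presented_by != claims["to"]:
                    outcome = "forwarded"   # link used by someone it was not issued to
                else:
                    outcome = "ok"
        except (ValueError, binascii.Error, KeyError):
            pass
        self.audit_log.append({"time": int(now), "user": presented_by, "doc": doc, "outcome": outcome})
        return doc if outcome == "ok" else None

    def accesses_to(self, doc_id: str) -> list:
        # The question asked after a suspected breach: who touched this file, and how?
        return [(e["user"], e["outcome"]) for e in self.audit_log if e["doc"] == doc_id]
```

Contrast this with an attachment: once the file is in a recipient's Inbox there is no equivalent log to query, which is the gap the article describes.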

Data Breaches in GDPR

GDPR has originated from several high profile data breaches where large companies were found to be storing data in a less than secure way that left them open to significant breaches.

As such the regulation takes Data Breaches by organisations holding personal or sensitive data very seriously.

You should have procedures in place to detect, report and investigate a potential data breach.

If the breach is the result of data sent via an email, this can be very difficult to comply with, as we simply have no way of knowing what a recipient has done with that attachment – whereas any audited access to data can be reported back, so the impact of the data breach is identified and minimised.

For more information on GDPR and its implications for CRM and Document Management, the following two articles may be useful:

GDPR and CRM

Implementing GDPR with Dynamics CRM

Further Reading

ICO: Information Commissioner’s Office on Personal Data Breaches

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/

Barracuda Explanation of DLP

https://www.barracuda.com/glossary/dlp

Everything you need to know about GDPR Compliance and Email Security

https://www.vircom.com/blog/gdpr-compliance-and-email-security/

Content © CRM Consultancy.