
Delivering Data Breaches by Email

   Words by Paul McQuillan

   on 09/03/2018 08:00:00

When we think of a Data Breach, we tend to think of malicious hackers tunnelling their way into systems to steal or access data.  However, for many companies the most likely Data Breach is the simple tool we use every day: Email.

Email is obviously a great tool for fast communication that is instantly accessible and easy to use; essentially, everyone gets it.  However, Email also allows us to attach any document and click send, without checks on whether sensitive data is being sent along with the email.

We frequently see this with PDF or Word Documents that contain an individual’s details and address, or lists of contacts with individual data being collected in a Spreadsheet and sent via email internally or externally.

The risk here is that any attachment is duplicated when we send it in an email – so a copy of the Document resides in our Sent Items and in the Inbox of anyone receiving the email, and we naturally have no control over what happens to the data once it is outside our system.  This means that personal or sensitive data can easily be distributed by email, and this constitutes a data breach as we are no longer managing or auditing access to this data.

IT Experts have been warning about the risks of data leakage via email for some time – however the incoming GDPR legislation places stiff new tests on our ability to identify and respond to a Data Breach, to the point where we should consider whether email attachments should be used at all in the future.

A useful analogy for this is to think of the data existing in our systems as residing within our ‘security envelope’, where we manage the level of protection available to avoid data breaches.  Any data we send via Email is essentially being thrust outside of this security envelope, and so any protections we have in place are rendered null and void.

However, if we store and distribute this data, then we are responsible under GDPR and so should take precautions to avoid this type of data breach.

How to avoid Email Data Breaches

  • Stop using Email Attachments - The inherent copying of data in an email attachment moves data out of our well managed audited systems.  Instead we can use systems that allow us to send Documents via a Secure Link – such systems will typically audit each user’s access to the document or file, and so produce an audit trail of access to the potentially personal or sensitive data. 

Obviously we cannot stop someone downloading the file and then emailing it out themselves, but if this happens then we can trace the data breach to whoever has misused their access to the information.

There are various ways to implement secure links – SharePoint and Office 365 provide excellent tools for sharing via link rather than attachment.  For CRM and Dynamics, we use our in-house DocMan App to track both incoming and outgoing Email Attachments securely in CRM, and then share only via secure link to avoid accidental data breaches.

  • Online Portal – We can also avoid accidentally distributing data outside of our security envelope by using an Online Portal that our Clients or Suppliers can log into to access data, documents or files we need to share with them.  This has a great advantage of logging access as Users log-in or log out of the Portal, and essentially invites them into our security envelope in controlled conditions rather than sending the information outside our envelope.  This effectively enforces the same level of protection as a secure link, as the data never leaves our security envelope.
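To make the audit-trail point concrete, here is a small sketch of a per-recipient secure link with logged access. It is an added example, not code from DocMan, SharePoint or Office 365; the function names, the `/share/` path, the key and the in-memory log are all hypothetical.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"  # assumption: a real key comes from a secrets store
AUDIT_LOG = []                    # assumption: stands in for an append-only audit store

def _sign(doc_id, recipient, expires):
    # Bind the signature to the document, the named recipient and the expiry.
    msg = f"{doc_id}|{recipient}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_link(doc_id, recipient, ttl_seconds, now=None):
    """Return a share link valid for one recipient until now + ttl_seconds."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"to": recipient, "exp": expires,
                       "sig": _sign(doc_id, recipient, expires)})
    return f"/share/{doc_id}?{query}"

def open_link(link, now=None):
    """Check a link, log the attempt either way, return True if access is granted."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(link)
    doc_id = parts.path.rsplit("/", 1)[-1]
    query = parse_qs(parts.query)
    recipient = query.get("to", [""])[0]
    try:
        expires = int(query.get("exp", [""])[0])
    except ValueError:
        expires = -1
    expected = _sign(doc_id, recipient, expires).encode()
    supplied = query.get("sig", [""])[0].encode()
    if not hmac.compare_digest(supplied, expected):
        outcome = "denied:bad-signature"
    elif now > expires:
        outcome = "denied:expired"
    else:
        outcome = "granted"
    AUDIT_LOG.append({"time": now, "doc": doc_id, "to": recipient, "outcome": outcome})
    return outcome == "granted"

def access_report(doc_id):
    """Audit trail for one document: who tried to open it, when, and the result."""
    return [(e["time"], e["to"], e["outcome"])
            for e in AUDIT_LOG if e["doc"] == doc_id]
```

Unlike an attachment, every open attempt, including expired or altered links, leaves a record that can be reported if a breach is investigated.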

Data Breaches in GDPR

GDPR has originated from several high profile data breaches where large companies were found to be storing data in a less than secure way that left them open to significant breaches.

As such the regulation takes Data Breaches by organisations holding personal or sensitive data very seriously.

You should have procedures in place to detect, report and investigate a potential data breach.

If the breach is the result of data sent via an email, it can be very difficult to comply, as we simply have no way of knowing what a recipient has done with that attachment – whereas any audited access to data can be reported back so the impact of the data breach is identified and minimised.

For more information on GDPR and its implications on CRM and Document Management, the following two articles may be useful:


Implementing GDPR with Dynamics CRM

Further Reading

ICO. Information Commissioner’s Office on Personal Data Breaches

Barracuda Explanation of DLP 

Everything you need to know about GDPR Compliance and Email Security

Content © CRM Consultancy.