Does your company currently have a formal email policy? If you don’t, you need one, and sooner, rather than later. As the first “killer app” in the world of computing, email is, to this day, one of the most widely used communications tools in business. Unfortunately, it’s also the source of the most breaches and accidental data leaks. In fact, your own employees are, in addition to being your company’s most valuable asset, also the biggest source of data loss. No, it’s not always intentional – accidents can and do often happen, but it is true nonetheless, which is why a solid policy is of the utmost importance.
If you don’t have one, then the first step on your road to creating one is to get some understanding of the rules and regulations governing your business, and by extension, your use of email. The heavy hitters in this area are:
PCI DSS (Payment Card Industry Data Security Standard) – outlines how cardholder data is to be transmitted, and under what circumstances.
GLBA (Gramm-Leach-Bliley Act) – governs policy and technologies to be used to secure the confidentiality of stored or transmitted customer records.
S-OX (Sarbanes-Oxley Act) – requires companies to establish internal controls, and to properly track and report financial information.
HIPAA (Health Insurance Portability and Accountability Act) – governs the storage and transmission of patient health information and personally identifiable patient information.
Once you’ve got a good sense of what rules you’re playing by, you’ll need to assess the information you have to see which particular bits should be deemed confidential, then set strict limits on who has access to that information and create rules governing its transmission. These rules will also determine whether such information must be encrypted during transmission.
After that, you’ll need to put tracking and enforcement mechanisms in place and, most importantly, educate your users on the importance of abiding by the new policies. Unfortunately, this last step is the one most often skipped or skimped on, and it is actually the most critical to the success of whatever policy you implement.