EMAIL SECURITY WITH GDPR COMPLIANCE (ABOUT S/MIME CERTIFICATES)
From May 25th, data protection must be built into the IT systems that handle personally sensitive data. With S/MIME, you get email security that ensures a number of benefits for your business, including compliance with GDPR.
GDPR sets out your rights in relation to the personal data that companies and organisations can collect and store within the EU. It dictates, for instance, that a company cannot refuse a request for insight into the data it stores about you. You also have the right to be forgotten: you can demand that the organisation deletes all the data it holds about you.
The GDPR thereby sets new requirements for the workflows and procedures of employees working with sensitive data. Additionally, the regulation defines some purely technical requirements for IT systems. From May 25th, data protection must be incorporated into the systems that process personal data: by design, systems must process and protect data in accordance with the GDPR. This, of course, applies to email systems as well.
GDPR & EMAIL SECURITY
Compliance with GDPR prevents you from being fined up to 20,000,000 EUR or 4% of the company's total global revenue. In the email area, however, compliance also brings other business benefits.
More secure email systems counteract hacker attacks. Worldwide, about 280 billion emails are sent every day. A large share of the attacks we see lead back to infected emails. Viruses spread through clicks on malicious URLs or attachments. Email gives rise to phishing attacks, Nigerian letters and similar email fraud, and to Business Email Compromise (BEC) attacks, where the attacker sends an email with a company's manager as the apparent sender in order to trick a vendor of the company into sending money.
In one way or another, all these attacks compromise personal data and can afterwards give rise to huge unforeseen expenses for the affected company or organisation.
The business benefits come to light when you observe that it is neither particularly difficult nor expensive to significantly improve email data protection. The technology is there in the form of S/MIME PersonalSign certificates, which most email systems already support, including Microsoft Outlook, Thunderbird, Apple Mail, Lotus Notes, Mulberry Mail and more.
GIVE EMAILS A DIGITAL SIGNATURE VIA S/MIME
Via Secure/Multipurpose Internet Mail Extensions (S/MIME), a recipient can identify the sender of an email with certainty.
Let's say you are an internet company that sells a subscription service. Often you will find that a customer changes his payment card and that the card that should pay for your service therefore no longer works. When that happens, you have to ask the customer to update his payment information. In that case, it promotes trust in your business if you can show the customer that it really is your company contacting him with the request.
In addition, it is a clear business advantage that an attacker cannot intercept and abuse such an email to lure payment information out of gullible customers. Once the email is digitally signed, any attempt to forward the email in a modified form is flagged immediately.
The PersonalSign certificates that enable definite sender identification can be issued to the individual employee. A department in the company, or the company itself, can also be issued a certificate as the sender of emails.
Depending on the certificate, issuance involves an identification process of varying strictness. With the most authoritative certificates, you can subsequently sign emails and office documents with the same weight as your signature carries on physical letters and documents.
S/MIME ENCRYPTION PROTECTS PERSONALLY SENSITIVE EMAILS
When the S/MIME standard is used to encrypt emails, both sender and recipient can be sure that the message is neither read by a third party nor changed somewhere in transit.
Only the recipient has the key that decrypts the email; not even the sender can decrypt it once it has been sent with S/MIME. This makes personally sensitive data in emails far less accessible to unauthorized parties.
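The signing and encryption behaviour described in the two sections above, as an added example that is not part of the article or of TRUSTZONE's own tooling: an S/MIME round trip with the openssl command-line tool, assuming openssl is on PATH. It uses throw-away self-signed certificates for two constructed identities, alice@example.com (sender) and bob@example.com (recipient), where a real deployment would use CA-issued PersonalSign certificates.

```shell
#!/bin/sh
# Added example (not from the article): S/MIME sign/verify and encrypt/decrypt
# with openssl. Identities, message and file names are all constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_identity NAME EMAIL: private key plus self-signed certificate in $WORK
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1/emailAddress=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Returns 0 only if every expectation below holds.
smime_roundtrip() {
  make_identity alice alice@example.com || return 1
  make_identity bob bob@example.com || return 1
  printf 'Please update your payment card. Constructed sample body.\n' \
    > "$WORK/msg.txt"

  # 1. Sender signs: the recipient can verify origin and detect modification.
  openssl smime -sign -text -in "$WORK/msg.txt" -signer "$WORK/alice.crt" \
    -inkey "$WORK/alice.key" -out "$WORK/signed.eml" || return 1
  openssl smime -verify -in "$WORK/signed.eml" -CAfile "$WORK/alice.crt" \
    -out "$WORK/verified.txt" >/dev/null 2>&1 || return 1
  # A copy forwarded in a modified form must fail verification.
  sed 's/Constructed sample/Tampered sample/' "$WORK/signed.eml" \
    > "$WORK/tampered.eml"
  if openssl smime -verify -in "$WORK/tampered.eml" \
       -CAfile "$WORK/alice.crt" >/dev/null 2>&1; then return 1; fi

  # 2. Sender encrypts the signed message to the recipient's certificate.
  openssl smime -encrypt -aes256 -in "$WORK/signed.eml" \
    -out "$WORK/enc.eml" "$WORK/bob.crt" || return 1
  # Only the recipient's private key opens it ...
  openssl smime -decrypt -in "$WORK/enc.eml" -recip "$WORK/bob.crt" \
    -inkey "$WORK/bob.key" -out "$WORK/dec.eml" || return 1
  # ... and the sender's own key does not, exactly as the text says.
  if openssl smime -decrypt -in "$WORK/enc.eml" -recip "$WORK/alice.crt" \
       -inkey "$WORK/alice.key" >/dev/null 2>&1; then return 1; fi
  # The decrypted message still carries the original signed content.
  grep -q 'Constructed sample body' "$WORK/dec.eml"
}
```

Running smime_roundtrip and checking its exit status exercises all four properties at once: valid signature verifies, modified copy fails, recipient decrypts, sender cannot.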
Why not then encrypt all emails?
Well, in order to do that, both sender and recipient need to have installed the appropriate PersonalSign certificates. We are not there yet; that cannot be expected of everyone in this day and age.
Having said that, you should be aware that 100% security is never available. Also with S/MIME technology, you can imagine a situation where a hacker steals a user's private key and is able to decrypt personally sensitive data in an email. However, this risk is mainly due to lack of care on the key owner's side. The technology itself will keep you safe if you are properly trained to use it.
At TRUSTZONE we have a wide range of PersonalSign certificates that use S/MIME technology.
Published: April 19, 2018