As of May 25th, 2018, data protection must be built into the IT systems that handle personally sensitive data. With S/MIME, you get email security that ensures a number of benefits for your business, including compliance with GDPR.
GDPR pronounces your rights in relation to the personal data that companies and organisations can collect and store within the EU. For instance, it dictates that a company cannot refuse if you ask for insights into the data it stores about you. You also have the right to be forgotten. You can demand that the organisation deletes all their data about you.
Thereby, the GDPR sets new requirements for workflows and procedures to be carried out by employees working with sensitive data. Additionally, the data protection regulation defines some purely technical requirements for our IT systems. From May 25th, data protection must be incorporated into the systems that process personal data. By design, systems must process and protect data in accordance with the GDPR. This, of course, applies to email systems as well.
GDPR and email security
Compliance with GDPR prevents you from being fined up to 20,000,000 EUR or 4% of the company’s total revenue globally. However, in the email area, compliance also implies other business benefits.
More secure email systems counteract hacker attacks. Worldwide, we are currently sending about 280 billion emails a day. A large amount of the attacks we experience lead back to infected emails. Viruses spread through clicks on malicious URLs or attachments. Email gives rise to phishing attacks, Nigerian letters, and similar email fraud such as Business Email Compromises (the so-called BEC attacks) where a hacker sends an email with the manager of a company as the sender to fool money from a vendor to the company.
In one way or the other, all these attacks compromise personal data and can give rise to huge unforeseen expenses to the affected company or organisation.
The business benefits come to light when you observe that it is neither particularly difficult nor expensive to significantly improve security when it comes to email data protection. The technology is there in the form of S/MIME PersonalSign certificates that most email systems support already – including Microsoft Outlook, Thunderbird, Apple Mail, Lotus Notes, Mulberry Mail, and more.
Give emails a digital signature via S/MIME
Via Secure/Multipurpose Internet Mail Extensions (S/MIME), a recipient can identify the sender of an email with certainty.
Let’s say you are an internet company that sells a subscription service. Often you will find that a customer changes his payment card and that the card that should pay your service therefore no longer works. When that happens, you will have to ask the customer to update his payment information. In that case, it will promote trust in your business if you are able to show the customer that it definitely is your company engaging his with the request.
In addition, it’s a clear business advantage that a hacker cannot snatch and abuse this email to lure payment information out of gullible customers. Once the email is digitally signed, you will be notified immediately should someone try to forward the email in a modified edition.
The PersonalSign certificates enabling definite sender identification can be issued as a token of the individual employee. In addition, a department in the company or the company itself can be issued as the sender of emails.
Depending on the certificate, issuing takes place through an identification process of varying levels. By using the most authoritative certificates, you will subsequently be able to sign emails and office documents with the same weight as your signature has on physical letters and documents.
S/MIME encryption protects personally sensitive emails
When the S/MIME standard is used to encrypt emails, both sender and recipient can be sure that the sender’s message is not read by a third party or, for that matter, is changed somewhere during dispatch.
Only the recipient has the key that will decrypt the email and not even the sender will be able to decrypt it when sent with S/MIME. This makes personally sensitive data in emails far more unavailable to unauthorized characters.
Why not then encrypt all emails?
Well, in order to do that, both the sender and the recipient would need to install the appropriate PersonalSign certificates. We are not there yet. That is not to be expected from people at this day of age.
Having said that, you should be aware that 100% security is never available. Also in relation to S/MIME technology, you will be able to imagine a situation where a hacker steals a user’s private key and is able to decrypt personally sensitive data in an email. However, this risk is mainly due to lack of care from the key owner’s side. The technology itself will keep you safe if you are properly trained to use it.
- S/MIME (Secure / Multipurpose Internet Mail Extensions). S/MIME is a standard for digital signature, email encryption and two-factor authentication
- A Digital Signature identifies the sender of an email and notifies her if the email is forwarded in a modified edition
- S/MIME email encryption makes it impossible for anyone other than the mail recipient to read the sender’s email
- Two-factor authentication allows a system to identify a person who attempts to log in