Best Practice Tips for Outbound Email Security Policy
An outbound email security policy protects your company, your clients, your data and your staff from noncompliance nightmares. With so much at stake, you want to implement best-in-class practices when developing, defining and implementing your security policies.
In this blog post we will outline the best practice steps that will keep the information you transfer internally and externally safe and encrypted. We’ll also introduce you to automatic filtering of outbound email messages and file attachments by using content filtering technology, including “exact matching” – a cutting-edge best practice that minimizes outbound security risks.
Best Practice Tip 1: Know What’s Driving Your Outbound Email Security Policy
In order to implement effective policies, you need to know what factors, internal and external, are driving the need to secure your data.
Depending on your industry and business you might be impacted by government and industry regulations like HIPAA, PCI, GLBA and FERPA. If that is the case, then avoiding noncompliance and resulting penalties may be what’s driving your need to develop policies.
Another reason companies and organizations lay out security policies is to protect themselves from a cyber-attack or security breach. According to Ponemon Institute, these events can be costly with the average breach in the United States at $7.35 million – an increase of 5% over the previous year. Breaches also come with the expense of a tarnished reputation and loss of customer confidence.
Best Practice Tip 2: Assemble Your Troops
Best-in-class companies know that an outbound email security policy isn’t the job of one person. They involve all of the necessary positions and departments from the beginning. To determine who in your organization should be a part of these discussions ask yourself these questions:
- Who can lend valuable knowledge about defining our policies?
- Who would be responsible for enforcing our policies?
- Who touches the data we need to secure on a regular basis?
Involving everyone up-front means that you won’t have to backtrack and make unnecessary changes down the road. Be sure to consider people from your legal, compliance, HR, IT and marketing departments. Marketers can help translate policies into layman’s terms for your end users and help “sell” them on policy compliance.
Best Practice Tip 3: Identify Your Data
In this step, with your team of experts assembled, identify the data that needs to stay private and understand why. This step will be driven by the reasons you outlined for needing policies, which are discussed in step one.
Some data sets, like social security numbers, are obviously sensitive and apply to most organizations. Other sensitive data may be specific to the organization, such as an account number or an entire department whose communications need to be protected and encrypted.
Best Practice Tip 4: Forget About Patterns, Match Sensitive Data Exactly
Policy filters search for patterns in outbound messages and secure the content when those patterns are found. The problem with this functionality is that one keystroke can break a pattern, and then private information gets sent unsecured.
Best-in-class companies strive to match their actual data sets and not a pattern of what the data should look like. For example, you may know that an account number has 2 letters followed by 6 numbers. But instead of writing a pattern match to search, set your filters to look explicitly for your account numbers in the messages and know that they are secure.
Best Practice Tip 5: Know Your User
In order to ensure that your outbound email security policy is adhered to, you need to understand the end user experience and know who your end users are. This can have a huge impact on whether or not your policies are followed. To keep it simple, make sure policies integrate and work within your existing business processes. If the user must change their behavior too much to add security, the user has a harder time getting their job done and is then resistant (and resentful) about the change.
Best Practice Tip 6: Combine Protection & Policy
Whenever possible, try to layer your protection in the policy creation. For example, providing your users a way to explicitly mark an outgoing message to be sent securely benefits you in terms of message load (those tend to be very quick filter checks) and also by providing a first pass security checkpoint.
Users can serve as the first step to identify what outgoing data needs security. Often they know that some data should be sent securely even if it doesn’t conform to filtering rules. Combining user knowledge and company policy increases your success rate of sending the right data securely.
Best Practice Tip 7: Remember to Keep It Simple
Regardless of how bulletproof your outbound email security policy is, your rules won’t be followed if they are too complex. For maximum policy compliance, keep your policies clear, concise and short. To make sure they are understood, start by outlining and communicating why you have the policies and what the dangers and risks are if they are not followed. And make sure the policies adhere to your business processes and do not interrupt the daily flow of work for your end user.
Bonus: Best Practices for Writing Filter Policies
- Do not make policies that are broad or very general. It will cause a lot of false positives and make diagnosis difficult.
- Try to minimize the number of messages your filters apply to. Some users have different requirements and may not need every filter applied to their email, or they may have specific needs that are unique to them and not necessary to apply across the board.
- The fewer filters you have the better. False positives mean extra hassles for your recipients, so you don’t necessarily want to turn on every possible rule. Also, every rule that is not relevant but must be scanned adds to the time it takes to move an email through the system. For example, a financial institution likely has no reason to search for ICD-9 healthcare codes.
- Start small and move up/out. Scanning takes CPU time, and the more effort you need to put into the scan, the fewer scans you can do or the longer they take. Do the simplest rules that are very specific first to minimize the load as matches are made.
- Exit immediately on a match. Once a match is made, there is no reason to continue scanning the message. You have already determined it needs to go secure. One match or 100 matches in the same message lead to the same result of needing to go secure, so don’t waste time continuing scans once you have a positive match.
- Use Subject line tagging when possible. Users generally know when things need to go secure (and sometimes do even when a filter will not). Subject line tags are easy to implement (such as by an email client add-in, manually typing the tag or by macros or other built-in tools), and finding the tag is a very quick, low power search since the content filter does not need to search anything past the subject line (such as the message body or attachments).
- Make sure you consider attachments. Attachments can have a lot of sensitive information that is not readily viewable within the message. It is important to be able to scan attachments as well as the message body to ensure matches.
- Consider the email clients and devices sending the messages. Especially when using tagging, you should consider how a sender can easily tag an outbound email as needing to go secure, including from an iPhone or Android device.
- Leave users an OUT when necessary. Sometimes users understand that something in their message is likely to get caught by a filter and be sent secure when it shouldn’t be for some reason. Leave the users with a way to explicitly send an unsecure message, and then monitor the usage (say by keeping a copy of any message using this out and letting you know it was done) to ensure proper usage and compliance.
- Use exact matching when possible. If it is possible to create a filter that matches your data exactly, instead of a matching pattern, the results will always be much better. A list that can be dynamically updated as the information changes is ideal.
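As an added illustration of Tip 4 and the filter-writing practices above (example code written for this post, not the product or vendor's own implementation), the filter below checks the subject line tags first, then exact-matches a known data set across the body and every attachment, exits on the first hit, and audits the explicit OUT tag. The account numbers, tag strings and the separator normalisation are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data: the organisation's own list of account numbers
# (hypothetical values; in practice this list is loaded from a system of record).
KNOWN_ACCOUNTS = {"AB123456", "CD654321"}
# The pattern the post describes: 2 letters followed by 6 digits.
ACCOUNT_PATTERN = re.compile(r"\b[A-Z]{2}\d{6}\b")
SECURE_TAG = "[SECURE]"      # assumed user tag meaning "send this encrypted"
UNSECURE_TAG = "[UNSECURE]"  # assumed explicit OUT tag; every use is audited

@dataclass
class Message:
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> extracted text

def _normalise(text):
    # Strip separators a user might type ("AB 123456", "AB-123456") and fold
    # case, so one keystroke does not defeat the exact-match lookup (assumption).
    return re.sub(r"[^A-Z0-9]", "", text.upper())

def classify(msg, audit_log):
    """Return (decision, reason); decision is 'secure' or 'plain'."""
    # 1. Subject-line tags first: cheapest check, nothing past the subject is read.
    if UNSECURE_TAG in msg.subject:
        audit_log.append(msg)               # keep a copy of every override
        return "plain", "user OUT tag (audited)"
    if SECURE_TAG in msg.subject:
        return "secure", "user SECURE tag"
    # 2. Exact match of the real data set over the body and every attachment.
    parts = [("body", msg.body)] + list(msg.attachments.items())
    for name, text in parts:
        norm = _normalise(text)
        for acct in KNOWN_ACCOUNTS:
            if acct in norm:
                return "secure", f"exact match in {name}"  # exit on first match
    return "plain", "no sensitive data found"

def pattern_only(msg):
    """What a pattern-only filter would decide for the same message."""
    texts = [msg.body] + list(msg.attachments.values())
    return "secure" if any(ACCOUNT_PATTERN.search(t) for t in texts) else "plain"
```

Running both filters over a body containing "AB 123456" shows the pattern filter missing a real account number because of one extra space, while "ZZ000000" shows it securing a message that contains no real account at all.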
An outbound email security policy is important to protect your company’s, clients’, and customers’ data. In this blog we discussed seven best practice tips that will help your company transfer information safely and securely. Remember, it’s important to understand why your company wants to protect its data, whether it’s to adhere to government regulations or to protect itself from a data breach. Understanding this will help you understand what data needs to be protected and will make it easier to set up filters to match the exact data that should be protected. Finally, make sure your policies are clear, concise, and adhere to your business processes. If you follow the steps outlined above, then your company will implement safe and effective outbound email security policies that are easy to understand and will protect your data.