
Email Encryption Warrants a Higher Place in Cybersecurity Mindset

  • by Gary Hein
  • May 11, 2015

The latest cybersecurity threats have bankers focused on such risks as DDoS attacks, social engineering and external penetration. But while these concerns are important, they shouldn’t distract from the more commonplace areas. So, in the hierarchy of cybersecurity controls at your organization, where does email encryption fall? For too many of us, it’s not nearly high enough on that checklist, according to various industry experts and reports.

For example, a recent Computerworld piece, What’s Your Security Fail?, called out the gross neglect of basic email security protocol in high profile cases involving Hillary Clinton, Jeb Bush and Sony. In each, the practices employed—including the use of unencrypted email to send sensitive information and failing to archive important messages—left the users wide open to cybercrime.

For financial institutions, email encryption is just one area on which regulators are casting a stronger eye, since customers’ financial information is at greater risk while traveling outside your firewall and over the public Internet.

Regulators’ Heightened Scope Includes Email Security

In a report summarizing its 2014 cybersecurity assessments at 500 community financial institutions, the FFIEC disclosed a very unsettling fact: banks are not taking the basic cybersecurity actions to protect their operating environments, and thus, their customers’ private information. As a result of these cybersecurity assessments, the FFIEC has stated that its members are reviewing and updating current guidance to align with increasing cybersecurity risks.

As part of its assessment, the FFIEC evaluates five key financial institution areas for cybersecurity risk preparedness:

  • Risk management and oversight
  • Threat intelligence and collaboration
  • Cybersecurity controls
  • External dependency management
  • Cyber incident management and resilience

Of those, risk management and oversight directly applies to email encryption and its role of protecting the privacy of consumer financial information. In fact, the FFIEC Examination Handbook states that, “Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit.”

How Do Regulators Protect Their Own Emails?

Encrypted email is the best way to protect sensitive customer and institution data as it passes over the Internet. In fact, federal regulators like the FFIEC rely on advanced email encryption solutions that provide transparent, policy-based encryption.

The Benefits of Transparent Email Protection

A best bet for financial institutions is cloud-based email encryption that features a highly available, robust infrastructure providing:

  • Policy-based encryption, including full content scanning of the subject line, message body and attachments to ensure sensitive data is always encrypted according to the policies determined by the organization
  • The ability to send secure email to anyone with automatic, transparent encryption
  • Automated key management handled through industry-leading key directory services to safeguard against expired keys by providing centralized distributions among all email encryption members
  • Diagnostic reporting available to track encrypted message data, including policies triggered, delivery method used and message status
  • Archiving for encrypted messages; retained and accessible for 60 days
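The first and fourth bullets above describe a gateway that scans the subject line, message body and attachments against organization-defined policies, then records which policies fired and how the message was delivered. The following Python script is an added illustration of that decision logic; it is not CSI's code and makes no claim about how any vendor's product works. The policy set (an SSN pattern, a card-number pattern filtered through a Luhn check to suppress false positives, and an "account number" keyword rule), the sample messages, and the field names in the returned record are all constructed for this example.

```python
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage

# Constructed policy set (an assumption for this example, not a vendor's rules):
# each entry is a regex applied to the subject, every text body part and every
# attachment that can be decoded to text.
POLICIES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "account_keyword": re.compile(
        r"\baccount\s+(?:number|no\.?)\s*[:#]?\s*\d{6,}", re.IGNORECASE),
}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def text_regions(msg: EmailMessage):
    """Yield (label, text) for the subject line and each decodable leaf part."""
    yield "subject", str(msg["Subject"] or "")
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        content = part.get_content()
        if isinstance(content, bytes):  # binary attachment: best-effort decode
            content = content.decode("utf-8", errors="ignore")
        yield part.get_filename() or part.get_content_type(), content


def evaluate_policies(raw_message: bytes) -> dict:
    """Return the encrypt decision plus which policies fired in which region."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    triggered: dict[str, set[str]] = {}
    for region, text in text_regions(msg):
        for name, pattern in POLICIES.items():
            for match in pattern.finditer(text):
                if name == "card_number" and not luhn_valid(re.sub(r"\D", "", match.group())):
                    continue  # looks like a card number but fails Luhn: ignore
                triggered.setdefault(name, set()).add(region)
    # This record is what a diagnostic report would log per message
    # (policy names, regions and delivery method are constructed labels).
    return {
        "encrypt": bool(triggered),
        "triggered": {name: sorted(regions) for name, regions in triggered.items()},
        "delivery": "encrypted" if triggered else "standard",
    }


def sensitive_message() -> bytes:
    """Constructed sample: card number in the body, account/SSN in an attachment."""
    msg = EmailMessage()
    msg["From"] = "teller@bank.example"
    msg["To"] = "customer@mail.example"
    msg["Subject"] = "Your statement"
    msg.set_content("Hi, the card on file is 4111 1111 1111 1111; statement attached.")
    msg.add_attachment("Account number: 12345678\nSSN: 123-45-6789\n",
                       subtype="plain", filename="statement.txt")
    return msg.as_bytes()


def benign_message() -> bytes:
    """Constructed sample: a 16-digit reference that fails Luhn, so nothing fires."""
    msg = EmailMessage()
    msg["Subject"] = "Lunch Friday?"
    msg.set_content("Free for lunch? Reservation reference 1234 5678 9012 3456.")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (sensitive_message(), benign_message()):
        print(evaluate_policies(raw))
```

The point of scanning the decoded attachment rather than the raw MIME bytes is that base64 or quoted-printable encoding would otherwise hide the SSN and account number from the regexes; the Luhn filter shows why a policy engine needs validation on top of pattern matching, since otherwise every reservation code or tracking number would force an encrypted delivery.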

A Secure Portal Provides Further Protection

In addition, today’s leading managed services providers offer hosted email portals, which offer the ultimate protection for sensitive messages, and feature:

  • Ability for external portal users to compose new encrypted messages to your organization, rather than only replying to existing email strings
  • Address book for external users to reference when composing new messages or replying to existing strings for which they wish to add recipients
  • Extended retention support for messages for up to one year
  • Support for an organization’s system administrator to manage external user accounts
  • Additional message recall features for added control
  • Mobile-friendly webmail features for remote user access

It’s true—securing your organization’s email messages should rank highly on your cybersecurity checklist—especially with the heightened scrutiny from examiners. After all, if the federal regulators rely on email encryption, so, too, should your institution.

Gary Hein serves as cloud services manager for CSI Managed Services. With nearly 20 years of IT experience, Gary has extensive knowledge in cybersecurity, enterprise messaging and systems architecture. You may contact Gary at gary.hein@csiweb.com or (800) 545-4274.