In the UK, the major information assurance requirements stem from the Financial Services Authority (FSA) and Data Protection Act (DPA) and the directives of the global Payment Card Industry Data Security Standard (PCI DSS).
Under European data protection laws, organisations must safeguard personally identifiable information from being unlawfully processed or accessed by unauthorised people. It is important to remember that 'unauthorised people' can include your own employees, and one of the main ways in which they communicate is via email.
A lot of attention has been paid to the threat from hackers and cyber thieves; however, many of the biggest data losses have stemmed from internal communications that have gone awry.
Consider the recent example of Gwent Police Force, which inadvertently emailed a journalist the personally identifiable details of 10,000 citizens who had undergone Criminal Records Bureau checks.
The unencrypted file was intended for internal circulation to five employees. However, the sender fell foul of the email client's address auto-complete function, and the Force was subsequently found to be in breach of the Data Protection Act.
For large financial organisations bound by the requirements of the FSA and the Securities and Exchange Commission, the management of internal email communications is a key requirement to prevent insider trading or information leakage, whether intentional or accidental.
Companies going through a merger, acquisition or divestment must keep tight control over internal email exchanges until deals are finalised.
Requirements 7, 10 and 11 of the core PCI DSS standard also point to the importance of governing internal communications. These requirements demand that merchants 'restrict access to cardholder data on a business need-to-know basis'; 'track and monitor all access to network resources and cardholder data'; and 'regularly test security systems and processes'.
This final requirement to regularly test security is an important one, since it demonstrates that compliance is a journey, not a destination. Regular auditing and reporting are a key part of maintaining security.
As stated, many companies complain of the financial burden that compliance places upon them, with some opting to risk a fine rather than paying to upgrade systems and software to achieve a 'tick in the box'.
However, recent research by the Ponemon Institute and Tripwire found that, while it costs organisations an average of £2 million to gain compliance, the cost of non-compliance is closer to £6 million. This additional cost arises from the loss of productivity and revenue, and from the reputational damage, caused by data breaches.
A notable finding of the Ponemon / Tripwire research was that organisations that undertake regular audits spend less on both compliance and non-compliance.
For the largest organisations this means central management and enforcement of policies across the organisation, linked to high-capacity reporting that can demonstrate that your company’s security posture is being maintained.