03 Jun 2011
Organisations are bound by an increasing raft of regulatory requirements, tempting some to risk a fine rather than invest the necessary time and expense to gain compliance.
In the UK, the major information assurance requirements stem from the Financial Services Authority (FSA), the Data Protection Act (DPA) and the requirements of the global Payment Card Industry Data Security Standard (PCI DSS).
A lot of attention has been paid to the threat from hackers. However, many data losses have come from internal communications gone awry. Consider the recent example of Gwent Police Force, which inadvertently emailed a journalist the personal details of 10,000 citizens who had undergone Criminal Records Bureau checks. The unencrypted file was intended for internal circulation, but an employee fell foul of the email client's address auto-complete function, and the Force was subsequently found to be in breach of the DPA.
For large financial organisations, bound by the requirements of the FSA and the Securities and Exchange Commission, the management of internal email communications is a key requirement to prevent insider trading or information leakage, whether intentional or accidental. Companies going through a merger, acquisition or divestment must keep tight control over internal email exchanges until deals are finalised.
Requirements 7, 10 and 11 of the core PCI DSS requirements also point to the importance of governing internal communications. They demand that merchants “restrict access to cardholder data on a business need-to-know basis”, “track and monitor all access to network resources and cardholder data”, and “regularly test security systems and processes”.
This final requirement is an important one, since it demonstrates that compliance is a journey, not a destination: a control that passed an assessment can drift out of compliance as systems and staff change, and only regular testing and reporting will show whether it is still in place.
Many companies complain about the financial burden of compliance. However, research by the Ponemon Institute and Tripwire found that, while gaining compliance costs organisations an average of around £2m, the average cost of non-compliance is closer to £6m.
This additional cost came from lost productivity and revenue, and from the reputational damage caused by breaches.
A notable finding of the research was that organisations that undertake regular audits spend less on both compliance and non-compliance.
For the largest organisations, this means implementing a strategy of central management of policies, backed by sound and regular reporting, that demonstrates the company’s security posture is being maintained.