By John Ackerly, CEO, Virtru
When the National Republican Congressional Committee was breached, an ‘unknown entity’ targeted the emails of four senior committee aides. This is an all too familiar story. Attacks on organizations ranging from Target to the Democratic National Committee to Sony all targeted email. It’s not just corporate emails but personal emails as well. The email compromises of John Brennan, Colin Powell, and John Podesta are a potent reminder that personal emails often provide the bridge into corporate systems or confidential corporate activity.
We’ve also witnessed a trove of Facebook emails being released last week by a U.K. Parliament member. This further demonstrates how private communication by your workforce can be accessed and made public without your consent if you don’t control and protect your emails.
When email is the target and not the attack vector
These aren’t the first and they certainly won’t be the last breaches that integrate email, both as a point of compromise and as the corporate ‘crown jewels’ that attackers seek. Due to the high prevalence of phishing, email is more often thought of as an attack vector rather than the actual intelligence and information that attackers seek. Emails are an important record of the thoughts, actions, and strategy of your organization and should be kept private from any third party. In 2018, employees on average receive 121 emails per day and send 40, with these numbers expected to continue to grow over the next few years, resulting in hundreds of billions of emails annually. This represents a vast wealth of information that often is overlooked when designing corporate data security and privacy policies.
To truly protect your email – and thus key intelligence on the culture and strategy of your organization – no third party should ever have access to your organization’s emails. This not only includes those attackers responsible for some of these high-profile breaches, but also third-party software companies, partners and government agencies. Dominant legacy approaches including PGP and TLS are not solving this real-world problem.
Defining the ‘Data-centric’ security approach
Given just how omnipresent email remains as a source of corporate communication, a more nuanced, data-centric approach to protecting and preserving privacy is essential. Data-centric security requires a shift in thinking about how to protect data, progressing beyond perimeter defenses that are ill-equipped to handle a world of BYOD, IoT, and an ever-expanding attack surface area. As the name implies, data-centric security focuses on protecting the data itself regardless of where it is hosted, whether on networks, in applications, on servers or in the body of an email.
While a data-centric security approach makes sense, too often there are both cultural and technological hurdles that prevent organizations from moving beyond the legacy approach. First and foremost, data privacy must be part of the culture. Both organizations and individuals must take action now to keep their data private and adopt policies that protect a significant amount of the information they are sharing internally and externally. A core part of this includes email communication and attachments, which are rarely prioritized as core data sources despite the wealth of intelligence they contain.
Cultural shifts alone are not enough. A major reason organizations don’t take a data-centric approach to security is that historically, implementation has been too difficult for both the workforce and the security teams. With deadlines, first-to-market pressures and data sharing across a range of environments and partners, data-centric security has simply been too burdensome for wide-scale adoption.
Security and convenience are achievable
Virtru solves this problem by balancing data-centric security with convenience. Our data-centric approach to security operates at scale while remaining data agnostic and format agnostic to protect not only email content but also any unstructured data, at rest or in motion. When it comes to email, data-centric security focuses on ensuring that only the intended recipients can access the information within the email. Further, attribute-based encryption enables the time-stamping of emails so that they are no longer accessible after a certain time period, greatly limiting both the value of the breach to the attacker and the harm incurred by the sender and the corporation.
This protection integrates seamlessly within the daily workflow. Individuals can easily toggle to customize multi-condition data access policies, including revoke capabilities and time stamps that also enable audits and foster greater data discovery. By combining intuitive access policies with Virtru TDF encryption protection, data owners can be confident that the data is accessed and used as intended. Importantly, connecting data-centric security to your SIEM can help provide an early warning system for internal threats and external breaches. For example, this approach could identify anomalous decryption events in hostile IP ranges.
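The SIEM check described above, sketched as an added example that is not Virtru's code or log schema: it evaluates decryption events against per-message access policies (recipients, expiry, revocation) and an IP watchlist. The event fields, policy structure and object ids are assumptions, and all addresses are constructed values from RFC 5737 documentation ranges.

```python
import ipaddress
from datetime import datetime, timezone

# Hypothetical watchlist built from documentation ranges, not real threat intel.
WATCHLIST = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed access policies keyed by a made-up object id.
POLICIES = {
    "msg-001": {"recipients": {"alice@example.com", "bob@example.com"},
                "expires": datetime(2018, 12, 31, tzinfo=timezone.utc), "revoked": False},
    "msg-002": {"recipients": {"carol@example.com"}, "expires": None, "revoked": True},
}

# Constructed decryption (key request) events in an assumed schema.
EVENTS = [
    {"ts": "2018-12-10T09:15:00+00:00", "object": "msg-001",
     "user": "alice@example.com", "ip": "192.0.2.10", "granted": True},
    {"ts": "2018-12-11T02:40:00+00:00", "object": "msg-001",
     "user": "bob@example.com", "ip": "203.0.113.77", "granted": True},
    {"ts": "2019-01-02T08:00:00+00:00", "object": "msg-001",
     "user": "alice@example.com", "ip": "192.0.2.10", "granted": False},
    {"ts": "2018-12-12T11:00:00+00:00", "object": "msg-002",
     "user": "mallory@example.net", "ip": "198.51.100.200", "granted": False},
]

def findings(event):
    """Return the reasons this decryption event deserves analyst attention."""
    reasons = []
    ip = ipaddress.ip_address(event["ip"])
    if any(ip in net for net in WATCHLIST):
        reasons.append("watchlisted_ip")
    policy = POLICIES.get(event["object"])
    if policy is None:
        return reasons + ["unknown_object"]
    if event["user"] not in policy["recipients"]:
        reasons.append("not_a_recipient")
    if policy["revoked"]:
        reasons.append("revoked")
    if policy["expires"] and datetime.fromisoformat(event["ts"]) > policy["expires"]:
        reasons.append("expired")
    # A granted request that violates policy means enforcement failed,
    # which is more serious than a denied attempt.
    if event["granted"] and set(reasons) & {"not_a_recipient", "revoked", "expired"}:
        reasons.append("policy_bypass")
    return reasons

def triage(events):
    """Keep only events with at least one finding, ready to forward to a SIEM."""
    return [(e["ts"], e["object"], e["user"], r) for e in events if (r := findings(e))]
```

Note that the last event's address falls outside the /25 watchlist entry, so it is flagged on policy grounds alone; range membership is computed, not matched by prefix string.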
Data privacy must no longer be viewed as a nice-to-have, but as an essential component within business risk strategies to help reduce both reputational and financial damage. In addition, this year’s General Data Protection Regulation (GDPR) signals a shifting compliance landscape, with organizations required to demonstrate good faith efforts to adhere to the law. This is part of a broader trend – including moves by Brazil, Japan, and California – with governments passing data privacy legislation to meet users’ demands for greater protection. Given this growing data privacy movement at the regulatory level, organizations that fail to take a data-centric approach could well encounter a double whammy of the reputational and financial costs of a breach coupled with regulatory fines.
From the beginning, Virtru has empowered users with greater protection over all of their data. As organizations embark on the cultural and technological shifts required for robust data protection, Virtru offers a seamless way to protect against email hacks and data compromises through an intuitive, data-centric approach. The high-profile email hacks and data compromises we’ve seen are just the latest dangerous and avoidable breaches. As long as they remain effective, attackers will continue to target emails and obtain valuable corporate information.
Let us help you shift the advantage to your side, with greater control and privacy over all of your data. Request a demo of Virtru’s data-centric solution today.