4 DLP Security Best Practices for Email
Data Loss Prevention (DLP) is one of the most effective tools to reduce the risk of inadvertent breaches. Properly implemented, it can catch costly mistakes before they harm your organization, and even help employees learn your security policies. However, DLP is not a one-size-fits-all solution — it needs to be properly configured for your organization. Here’s how to apply Virtru DLP security best practices to your organization.
The High Price of Mistakes
HIPAA, CJIS, PCI DSS, Sarbanes-Oxley — if it’s a compliance regime that requires security, it can be breached by a stray email. Send credit card information in an email, and you’ve put your entire email system in scope for PCI — and probably broken compliance. Mistype an email address confirming a customer’s appointment, and you have a HIPAA privacy violation. Send an unencrypted email about an ongoing investigation, and you may be in violation of CJIS security policy.
Even small email security breaches can be extremely expensive. Compliance organizations like the Office of Civil Rights regularly hand out multi-million dollar settlements, and enforcement is likely to become even more aggressive in the future. It doesn’t matter if you have the best DLP security policies or the strongest encryption — without the right training backed up by the right tech, it’s only a matter of time until someone in your organization breaks compliance.
Virtru Data Loss Prevention: Security Basics
Virtru Data Loss Prevention (DLP) (now available for Gmail and Outlook) is a tool to prevent workers from making costly mistakes over email. Virtru DLP detects sensitive information before it leaves your workers’ outbox — including address, body and title — and applies configurable compliance rules to it. When an user tries to send an email that breaks one of the rules, Virtru DLP will trigger one or more actions, based on the rules you’ve enabled. Actions include:
- Warning the employee
- Encrypting the message
- Stripping attachments
- Sending a copy of the message to a supervisor
- Adding text (e.g. a legal disclaimer)
Virtru DLP can enforce a wide range of email security best practices. It can prevent workers from forwarding confidential business files outside the organization, it can automatically encrypt personally identifiable information, just to name a couple of examples.
Why Choose Virtru DLP Security?
Functionally, Virtru DLP is similar to a number of other DLP security solutions. However, what’s under the hood puts it ahead of the pack. Most DLP tools scan emails on the backend — once they’re sent to the email server. This means the email server receives an unencrypted email, which could be intercepted by a hacker en route. This poses a completely unnecessary risk, and can break compliance in regimes that require client-side encryption along the message’s entire journey.
An even bigger problem is the inability of other DLP security vendors to detect sensitive content in encrypted emails and attachments. Encrypt an email with PGP or S/MIME and the message will pass straight through the DLP tool, no matter what data it contains. You could use such a system to stop employees from sending unencrypted data — Social Security numbers, for example — but you’d have no way to prevent them from exposing encrypted data to the wrong recipient.
As an integral part of Virtru Pro, Virtru DLP solves both problems. When you hit “Send,” Virtru’s DLP engine scans the message, applies DLP security rules, and encrypts the message — all before it leaves your computer, and all without Virtru ever seeing you message content. That means you can detect potential breaches of compliance rules without the risk of sending an unencrypted email to your server. And since this is all done before it leaves the users’ computer, unauthorized parties or service providers (like Virtru) never have access to message content.
Virtru DLP Security Best Practices
Setting Goals for Virtru DLP Security
Most Virtru clients initially come to us for encryption. Some have failed to get clients and partners to use their secure client portals, and are looking for an encryption solution their recipients will actually use. And sometimes, the customer is just looking for a user-friendly way to increase security without disrupting workflow. Others are embarking on major projects such as cloud migrations. These clients may have DLP policies as part of governance, but very few have considered the way it ties in with email encryption specifically.
If that sounds like your situation, it’s time to do some brainstorming and develop a few DLP security goals. Use these questions to get started:
1. Whose communications are we most concerned with?
Often, it makes sense to start with DLP security in the most critical application — the one that prompted the move to encryption. For example, with the increase in enforcement of HIPAA email requirements, HR departments are coming under more scrutiny because of the type of data they store and process. That could make your HR department a good place to roll out DLP tools. Alternately, you may want to start with departments who handle sensitive customer data, or the executives in charge of executing a merger.
2. What sensitive data are we concerned about sharing?
Make a list of all the types of data that workers in your target sector encounter as part of their jobs. The list should include data they may be incidentally exposed to, as well as data that’s central to their job description.
For example, human resources deal professionally with sensitive personally identifiable information such as employment history, current terms of employment, financial information, and protected health information. However, they also come in contact with other sensitive business information. They’ll know about how your business is organized, and may have incidental knowledge of classified projects or other company secrets. All of this data should go on the list.
Once the list is complete, narrow it down to the information you want to protect. Sorting information by reason for inclusion, degree of potential damage, likelihood of a breach and other factors may help you prioritize DLP security measures.
For example, DLP security measures for HR should protect personally identifiable information. The reasons would include compliance with HIPAA or other data protection laws. Risk of exposure would be relatively high, since they’re in charge of storing, sharing and updating personnel records, as well as dealing with medical claims and other personnel issues. The consequences would also be high, and would have to account penalties for violating local, state and national data protection laws.
3. Who are we communicating with?
DLP security best practices require careful and precise calibration. If rules are too narrow, you risk missing sensitive data. If they’re too broad, you risk creating a situation where workers get used to false positives, and click through warnings without heeding them. Understanding who your workers are communicating with and what type of data they share with other parties allows you to tune Virtru DLP precisely to organizational requirements.
If practical, you may want to describe communication with individual domains, or even particular email addresses. For example, Columbia County used Virtru DLP to automatically encrypt all emails going to the sheriff’s department, since they generally dealt with sensitive Criminal Justice Information (CJI). The more detailed you can get about what sensitive information goes where, the better.
4. What rules should govern DLP security?
Now, it’s time to turn the information you’ve gathered into a set of rules. Write out a set of instructions that minimize the risks you’ve identified, while allowing the user to do their jobs. Depending on the situation, you may want to go role-by-role, write out rules for the whole department, or use a combination of strategies.
This isn’t as hard as it sounds. One strong set of rules for a category like PII or financial data security can usually satisfy multiple security and compliance concerns. Often, making a broad rule (e.g. “human resources are not allowed to email PII”) and listing exceptions is easier than writing out each prohibition. If your organization already has security and compliance policies for individual job descriptions, use those as a template for your DLP security rules.
Implementing DLP Security Best Practices
Understand Virtru DLP Security Features
As we mentioned before, Virtru DLP can detect sensitive information in an email’s title, the recipients the emails are addressed to, body and attachments, and use its findings to warn users, automatically encrypt, strip attachments, add text or copy a supervisor. These rules can be applied as narrowly as needed. For example, a rule can apply to all recipients, or only to those in the “to” “CC” or “BCC” fields. Similarly, the automatic forwarding feature can CC or BCC the supervisor if desired.
To trigger rules, Virtru DLP looks for patterns in the data. It can detect particular words like “patient” or “confidential,” as well as types of data (e.g. a driver’s license number). Virtru comes with prebuilt rules to catch confidential data like employee identification and Social Security numbers. An optional HIPAA Compliance Rule Pack detects other PHI, including patient number and diagnoses number.
Virtru DLP users can create or customize rules to meet their organization’s needs. These rules can string together multiple conditionals to address very specific circumstances. For example, you could create a rule that only CCs a supervisor if a worker emails someone outside the company AND includes an attachment AND includes a customer ID number in the email.
Get a quick tour of how admins can create Virtru DLP rules here:
Reinforce DLP With Security Best Practices Training
The purpose of DLP is not to replace security awareness, but to reinforce it. DLP security rules and policy should be as close to identical as possible. Ideally, if a worker sees a warning pop up or has their message encrypted, they should immediately know why, and be able to avoid triggering DLP next time. There will be some exceptions — keywords like “account” can turn up false positives, for example — but they should be rare.
You’ll get the best results if you treat DLP security as a collaborative process, as opposed to a new set of requirements you’re imposing on workers. Send out a message before you implement Virtru and Virtru DLP, explaining what changes they’ll see and why you’re implementing the new program. Have a webinar or training meeting to discuss the new rules with workers, address any concerns, and make sure everyone understand how, when and why to use Virtru.
Continue to check in with workers as your DLP security program continues, Use their feedback on false positives and other issues to make your Virtru DLP rules even more effective. Consider identifying users who are struggling for extra training. In addition to receiving automatic forwards, Virtru DLP admins can also see when rules are triggered and check in with workers who seem to be regularly making email mistakes.
Tell Your Partners About Your DLP Security Program
It can be tricky to get people outside your organization to use encryption. Most portals, email encryption and secure messaging apps need to be installed and configured by both the sender and receiver. Virtru is the only secure email provider that allows recipients to read encrypted emails, download attachments and respond securely with their own message and attachments without installing anything. Recipients without Virtru will get a message instructing them to click through to the Virtru Secure Reader, which will then decrypt and load the message.
Before using Virtru, you may want to send partners and clients an unencrypted message, explaining your new DLP security program. They’ll know to expect encrypted emails from you, and to encrypt replies when appropriate.
As partners get comfortable with the technology, you may want to incorporate DLP security into future contracts — particularly If you’re required to use a HIPAA Business Associate Agreement or other formal contract to protect privacy, Partners can get you in legal hot water by sending confidential information over unencrypted email, so agreeing on DLP security best practices is in everyone’s interests.
Virtru lets you customize an unencrypted introduction that is sent with your encrypted email. Encourage workers to use this feature — particularly if they’ve never sent an encrypted message to a particular recipient before. A personalized message will let the recipient know the sender is who they say they are.
Learn Other Virtru Secure Email Features
Virtru has plenty of non-DLP features that can give workers more control over their email, reduce the odds of breaches and make remediation easier and more successful. As a Virtru user, you can see who has read your emails, set time limits on messages, recall an email you’ve already sent and even disable message forwarding.
Other features like PDF watermarking and G Suite Encryption allow you to move beyond protecting your inbox, and secure all your cloud data, wherever it goes Use the resources below to learn more.
- Recall an Email: How Encryption Makes it Easy
- Virtru Now Provides Read Receipts
- Is It a HIPAA Breach Notification or a Close Call?
- PDF Watermark With Virtru
- How to Encrypt Your Email and Files
- What is the Most Secure Google Drive Encryption Service?