When you think back to some of the big technical evolutions that changed our lives in positive ways, email certainly stands among them. While the basic tenets of email haven’t really changed, how we use it has. For many, email has morphed from a pure messaging system into an instant messenger, file transfer system, data storage location, and more. While email’s functions, abilities, and uses have increased exponentially, so have the liabilities. I’m not advocating that we get rid of our email servers (sorry, Postal Service). I am advocating rethinking how email is viewed in our corporate environments.

Both regulatory (HIPAA[i]) and non-regulatory bodies (PCI[ii]) have requirements regarding the storage and transmittal of sensitive information. When email servers are used to process, store, and/or transmit such data, those servers fall under the scrutiny of these governing bodies (and I won’t get into e-discovery issues here either).

So what’s my point? We need to educate users on how to use email appropriately when it comes to sensitive information. Email is fantastic, but users need to be aware of what can be sent in the clear versus what must be encrypted. Do users know when and how to encrypt data before they send sensitive information outside your organization? And, oft forgotten, do they know what to do when they receive such information? Don’t incur the penalties of breach notifications because someone else sent you sensitive materials that remain on your server in some inbox. Beyond training there is always more that can be done; however, it needs to align with your organization’s security posture and culture.
From experience, some organizations have gone as far as disallowing or limiting attachments, deleting all emails older than 3 months, using spam filters to also inspect incoming emails for sensitive elements (beyond just spam and other malware), deploying a Data Loss Prevention (DLP) system, and performing periodic scans of the email server to ensure that sensitive information is not stored there, just to name a few. With proper controls and training we can still use email and all it has become, but in a more secure and compliant manner.
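To make the "scan the mail store / inspect incoming mail for sensitive elements" controls concrete, here is an added example of the kind of check a DLP filter or periodic mailbox scan performs for the PCI case in footnote [ii]. It is not code from the original post or from any product; it is a self-contained Python script that parses RFC 822 messages with the standard library, finds card-number candidates in the Subject line and text parts, confirms them with the Luhn check so that order numbers and phone numbers are not reported, masks what it finds for the report, and lists binary attachments it could not inspect. The four messages, the mailbox addresses and the attachment are constructed for the example; the two card numbers are the widely published industry test numbers, not real accounts.

```python
"""Toy DLP-style scan for unprotected PANs in stored or incoming mail.

Added example, not from the original post or any vendor product. The
sample messages are constructed; the card numbers are industry test numbers.
"""
import re
from email import message_from_string
from email.message import Message

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# immediately preceded or followed by another digit (rejects longer runs).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return candidate numbers in text that also pass Luhn (digits only)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so the report itself is not a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _part_text(part: Message) -> str:
    """Decode a text part to str using its declared charset (utf-8 fallback)."""
    raw = part.get_payload(decode=True) or b""
    return raw.decode(part.get_content_charset() or "utf-8", errors="replace")


def scan_message(raw: str) -> dict:
    """Scan one message; report masked PANs and attachments not inspected."""
    msg = message_from_string(raw)
    pans = find_pans(msg.get("Subject", ""))
    uninspected = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container only; its children are visited by walk()
        if part.get_content_maintype() == "text":
            pans.extend(find_pans(_part_text(part)))
        else:
            # Binary attachments need a format-aware extractor; flag them.
            uninspected.append(part.get_filename() or part.get_content_type())
    return {
        "subject": msg.get("Subject", ""),
        "pans": [mask_pan(p) for p in pans],
        "uninspected_attachments": uninspected,
    }


def scan_mailbox(raw_messages) -> list:
    """Return results only for messages that need attention."""
    return [r for r in map(scan_message, raw_messages)
            if r["pans"] or r["uninspected_attachments"]]


# Constructed sample messages (addresses and content are fictitious).
SAMPLE_MESSAGES = [
    "From: alice@example.com\nTo: billing@example.org\nSubject: Payment details\n\n"
    "Hi, please charge card 4111 1111 1111 1111, exp 12/29,\n"
    "for order 1234567890123456. Thanks!\n",
    "From: vendor@example.com\nTo: ap@example.org\nSubject: Invoice attached\n"
    "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"XYZ\"\n\n"
    "--XYZ\nContent-Type: text/plain; charset=\"utf-8\"\n\n"
    "Please find the invoice attached.\n"
    "--XYZ\nContent-Type: application/pdf; name=\"invoice.pdf\"\n"
    "Content-Disposition: attachment; filename=\"invoice.pdf\"\n"
    "Content-Transfer-Encoding: base64\n\nJVBERi0xLjQK\n--XYZ--\n",
    "From: bob@example.com\nTo: renewals@example.org\nSubject: Card on file\n\n"
    "Reference 5105-1051-0510-5100 was stored for the renewal.\n",
    "From: carol@example.com\nTo: dave@example.org\nSubject: Lunch Friday?\n\n"
    "Meet at noon, 12th floor. Call 555-0100 if late.\n",
]

if __name__ == "__main__":
    for result in scan_mailbox(SAMPLE_MESSAGES):
        print(result)
```

The order number in the first message has sixteen digits but fails Luhn, so it is not reported; the phone number in the last message never becomes a candidate; the PDF in the second message is surfaced as uninspected rather than silently passed, which is exactly the gap a periodic mailbox scan tends to have without a content-extraction step.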

[i] HIPAA §164.312(a)(2)(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
[ii] PCI-DSS Requirement 4.2: Never send unprotected PANs [Primary Account Numbers] by end-user technologies (for example, email, instant messaging, chat, etc.)