The rise in targeted email attacks to businesses worldwide continues to dominate the news headlines. Attacks like these are dangerous by their very nature. Not only are they increasing in frequency, but they are also becoming smarter by the day.
At the moment, we’re seeing a rise in activity related to the Business Email Compromise (BEC) scam. This is where a cybercriminal tricks an employee into believing that they need to make a bank transfer to a known external entity, but the employee ends up sending the funds to a criminal instead.
Targeted spoofing is one of the biggest risks that firms currently face. This is not the age-old problem of SPAM emails, but something much more threatening. SPAM email involves a single email, branded as a well-known company such as a bank, sent to millions of addresses.
This ‘hit and hope’ exercise depends on a number of factors in order to be successful. The recipient must actually be a customer with that bank; the SPAM or anti-virus systems must fail to identify the email as a risk, and the recipient doesn’t recognise it as a dangerous email. As a result, the sender may not even get one bite from sending out hundreds of thousands of these emails.
Targeted email attacks are much more sophisticated – and now involve much more than just email; they merge emails, calls and sometimes physical visits to a target firm’s office – this is truly hacking for the masses. A number of hacking tools are now available for anyone to download, along with all the information they need to manipulate employees into performing actions or divulging confidential information – a key hacking term known as ‘social engineering’.
The truth is that the security systems that are needed to protect the majority of firms from the majority of hacks are probably already in place.
What does this mean for the legal sector?
There are typically three ways in which businesses can archive their email: save absolutely everything, rely on users to archive emails, or utilise an email archiving solution.
With 269,000,000,000 (yes, that’s billion!) emails being sent and received every day, storing every single one is not really feasible. And with 200 billion of those being SPAM, storing each one is unnecessary, only serving to increase the cost and length of the e-discovery processes.
Neither is it reliable to depend on users to archive their own emails. If they forget or were unaware what they needed to archive, your business has to pay the price if the email is needed for litigation or audit purposes. An email archiving solution, on the other hand, automatically archives, stores and preserves emails for you.
How can your business benefit from email archiving?
1. Reduced storage requirements
Archiving solutions typically use two different techniques to reduce the amount of storage required, neither of which will affect end-users. Advanced compression technologies compress each email and its attachments before archiving, saving 50% or more in overall storage requirements. De-duplication, also known as single instance storage, ensures that the archiving solution only stores one copy of each message or attachment.
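The two storage-saving techniques described above, compression and single instance storage, can be shown in a few dozen lines. The following is an added example written for this article, not code from any archiving product: bodies and attachments are compressed with zlib and keyed by the SHA-256 of their raw content, so a 24 KB report attached to two messages in the same thread is stored once. The message format and sample data are constructed.

```python
import hashlib
import zlib
from dataclasses import dataclass


@dataclass
class Message:
    """Minimal archived-message model, constructed for this example."""
    msg_id: str
    headers: str
    body: str
    attachments: dict  # attachment name -> raw bytes


class SingleInstanceStore:
    """Toy archive back-end: every body and attachment is compressed and keyed by
    the SHA-256 of its raw content, so identical content is stored exactly once
    however many messages reference it (single instance storage)."""

    def __init__(self):
        self.blobs = {}      # content digest -> compressed bytes
        self.index = {}      # msg_id -> references into self.blobs
        self.raw_bytes = 0   # size the same content would occupy uncompressed, per message
        self.references = 0  # number of message parts that point at a blob

    def _put_blob(self, data):
        digest = hashlib.sha256(data).hexdigest()
        self.references += 1
        if digest not in self.blobs:  # de-duplication: a known digest is not stored again
            self.blobs[digest] = zlib.compress(data, 9)
        return digest

    def store(self, msg):
        body = msg.body.encode("utf-8")
        self.raw_bytes += len(body) + sum(len(a) for a in msg.attachments.values())
        self.index[msg.msg_id] = {
            "headers": msg.headers,
            "body": self._put_blob(body),
            "attachments": {name: self._put_blob(data) for name, data in msg.attachments.items()},
        }

    def retrieve(self, msg_id):
        """Rebuild a message from its index entry; blobs are decompressed on demand."""
        entry = self.index[msg_id]

        def get(digest):
            return zlib.decompress(self.blobs[digest])

        return Message(
            msg_id=msg_id,
            headers=entry["headers"],
            body=get(entry["body"]).decode("utf-8"),
            attachments={name: get(d) for name, d in entry["attachments"].items()},
        )

    def stored_bytes(self):
        return sum(len(b) for b in self.blobs.values())


def demo():
    # Constructed sample: two messages in one thread carrying the same ~24 KB attachment.
    report = ("Quarterly figures for the Smith v. Jones matter, line item...\n" * 400).encode()
    m1 = Message("<1@example.test>", "From: a@example.test\nTo: b@example.test",
                 "Please see attached.", {"figures.txt": report})
    m2 = Message("<2@example.test>", "From: b@example.test\nTo: a@example.test",
                 "Thanks, forwarding to counsel.", {"figures.txt": report})
    store = SingleInstanceStore()
    store.store(m1)
    store.store(m2)
    return {
        "unique_blobs": len(store.blobs),    # two distinct bodies + one shared attachment
        "references": store.references,      # two bodies + two attachment references
        "raw_bytes": store.raw_bytes,
        "stored_bytes": store.stored_bytes(),
        "round_trip_ok": store.retrieve("<2@example.test>").attachments["figures.txt"] == report,
    }
```

Because the blob key is a digest of the raw content, de-duplication works across mailboxes and across time, which is what lets an archive hold one copy of an attachment that was forwarded to the whole firm. The compression ratio on real mail will be far lower than on this repetitive sample, but the dedup saving is independent of it.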
2. Prevents users from losing data
Users can easily delete important emails, accidentally or maliciously; many delete emails between backups, and some delete their entire inbox on leaving the company, which means your business is at risk of losing important data. An email archiving solution can eliminate these risks by automatically storing and preserving all emails.
3. Increased server performance
Moving emails out of a live environment will help to greatly improve the performance of your email server. Emails can be deleted from the mail server, according to rules-based processes, once they have been archived and stored.
4. Simplified backup and restore
Reducing the email server’s data load allows it to be backed up faster and more simply. Users can also restore emails from the archive to their inbox with a single click, freeing up your IT engineers from having to go through the time-consuming process of recovering them from a backup.
5. Eliminates mailbox quotas
An email archiving solution removes the need to use mailbox quotas as a way to limit the use of a mail server’s storage capacity.
6. Accelerates search capabilities
Most archiving solutions will provide a basic search and retrieval function for data that has been stored and retained. Some solutions will go further and allow users to search by email address, to/from address, attachment name, words within documents, plus more, drastically cutting down the time it takes to locate an email.
7. Accounts for all users
With an archiving solution, you don’t have to rely on users adhering to email retention guidelines. All emails will be automatically stored, archived and preserved.
8. Eliminates PST files
Individual PST files are prone to data corruption or loss, have a huge impact on storage and can be difficult to search through, due to their size and number. With an email archiving solution you can import all historical PST files into the solution, which you can then search with ease.
9. Helps ensure compliance
Many sectors have specific rules and regulations regarding data retention, and an email archiving solution helps ensure you remain compliant. All businesses must be able to pull back emails on demand for the purpose of litigation or auditing.
10. Lowers costs
Email archiving solutions will typically work effectively on cheap storage, whereas most email server systems require faster, more expensive disks and technologies. The majority of companies will see their data usage grow every year, which will equate to increased storage costs and increased storage management costs.
11. Removes human error
User-driven retention relies on users managing retention with predetermined tags and rules, for specified time periods. This method of retention is prone to user error because you rely on users to consistently adhere to and follow the guidelines. Even with constant policing, it would be easy for a user to “forget” the guidelines, or intentionally ignore them.
12. Typically tamper-proof
While users can search and retrieve emails from the archive, most solutions are tamper-proof – an essential feature for compliance. Not even the IT department will be able to alter or remove emails from the archive. The solution should also have a tamper-proof log which records who reads what in the archive and when they read it. All emails should also be digitally signed to allow them to be used as evidence in a court of law.
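The two controls named in this point, a tamper-proof access log and an integrity tag on each archived message, are illustrated below in an added example written for this article; it is not code from any archiving product. The access log is a hash chain: each entry carries the hash of the previous one, so editing, reordering or deleting any record breaks verification of everything after it. For the per-message tag, HMAC-SHA256 with an ingest key stands in for the digital signature the text describes; a production archive would sign with an asymmetric key so that a court or auditor can verify the tag without being trusted with the key, and would anchor the chain head outside the archive (timestamping service or WORM storage) so the log itself cannot be silently rebuilt. All names, keys and messages are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # previous-hash value for the very first log entry


class TamperEvidentLog:
    """Append-only, hash-chained access log: who read or exported which message, and when."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(record):
        # Hash every field except the stored hash itself, with a canonical key order.
        payload = json.dumps({k: v for k, v in record.items() if k != "hash"}, sort_keys=True)
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def append(self, who, action, msg_id, when):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"who": who, "action": action, "msg_id": msg_id, "when": when, "prev": prev}
        record["hash"] = self._digest(record)
        self.entries.append(record)
        return record["hash"]

    def verify(self):
        """True only if every entry hashes correctly and links to the one before it."""
        prev = GENESIS
        for rec in self.entries:
            if rec["prev"] != prev or self._digest(rec) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def seal(message, key):
    """Integrity tag computed once at ingest and stored beside the message (HMAC stand-in
    for a digital signature, as noted in the lead-in)."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_seal(message, key, tag):
    return hmac.compare_digest(seal(message, key), tag)


def demo():
    key = b"constructed-archive-ingest-key"
    original = b"From: partner@example.test\nSubject: settlement terms\n\nAgreed at 40k."
    tag = seal(original, key)

    log = TamperEvidentLog()
    log.append("jdoe", "read", "<77@example.test>", "2024-03-01T09:15:00Z")
    log.append("admin", "export", "<77@example.test>", "2024-03-01T09:20:00Z")
    intact_before = log.verify()

    # Simulated tampering: the export is re-attributed to another user after the fact.
    log.entries[1]["who"] = "jdoe"
    intact_after = log.verify()

    altered = original.replace(b"40k", b"4k")
    return {
        "log_intact_before": intact_before,
        "log_intact_after_edit": intact_after,
        "seal_ok_original": verify_seal(original, key, tag),
        "seal_ok_altered": verify_seal(altered, key, tag),
    }
```

The check that matters for the "not even the IT department" claim is that an administrator with write access to the log store still cannot produce a consistent chain without recomputing every later hash, and that recomputation is detectable as long as the latest chain head has been recorded somewhere the administrator cannot change.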
There are many types and forms of email archiving solutions available. Some will go beyond the benefits listed here but others may not be as effective. It’s important to carefully research available solutions, both internal or cloud-based, so you can find the right one.
An email archiving solution is critical for your business, and not just so you can comply with regulations. A huge amount of business-critical information is held on IT systems. Some of it may exist solely in email, so it’s vital that you don’t lose it.
Unsure how long to save your email for? Check out our handy introduction to email archiving.
A large percentage of business decisions are now made completely via email, yet many organisations have no retention policy in place to protect those messages.
While those businesses may have been lucky up until now, there will likely come a time when they need to retrieve a historical email. At best, they will have to spend time searching for that critical email, but they could end up being penalised financially.
However, it can be difficult to establish just how long you should be keeping your emails for. Does every email need to be kept indefinitely, or do different rules apply to each email?
Outlined below is a brief description of the primary regulatory bodies or regulations which apply to email retention. All organisations should have a clear understanding of the ones which affect them so they can develop an effective strategy.
What are the regulatory bodies?
1. Employment Tribunals
Employers should assess different retention periods for different types of employment data, as the Data Protection Act only states that “personal data should not be kept for longer than necessary”. Job applications and CVs only need to be kept for a short period of time (e.g. six months). If you wish to keep a CV for future reference you must inform the applicant you are doing so. Personnel records of former employees should be kept for a maximum of six years. Employment tribunal, county court or high court claims are possible for up to 6 years after employment is terminated, so keeping records is considered acceptable on the basis that the employer is doing so to protect against legal risk. For specific documents, like PAYE records or maternity pay, the employer must assess the appropriate guidelines and determine a retention policy.
2. Court Action under the Civil Procedure Rules
Businesses could be at risk if they fail to produce evidence, which may be contained within an email, for auditing or litigation purposes. It is possible to bring a claim for a breach of contract up to six years later, so businesses need to be able to respond quickly. Furthermore, the amendment to the Civil Procedure Rules and the issuance of Practice Direction 31B, Disclosure of Electronic Documents, essentially mandates that businesses must be prepared for electronic discovery.
3. The Data Protection Act (DPA) 1998
Requires companies to ensure they have taken the appropriate technical steps to protect any personal data they hold from misuse, theft or damage. If a DPA request is received then an organisation has 40 days to provide a copy of this information.
4. Freedom of Information Act
Provides public access to any recorded information including emails and computer documents, held by public authorities. This includes government documents, local authorities, state schools, universities and the NHS.
5. Financial Services Act
The financial services industry is strictly regulated and requires financial organisations to store all business emails sent and received for up to 6 years. Some data must be kept indefinitely so that cases can be reviewed.
6. The Sarbanes-Oxley Act
The US passed this Act, which introduced stricter financial reporting requirements, following two financial scandals. The aim was to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. It can also apply to UK companies if they are subsidiaries of certain US companies, and the Act places requirements to retain business critical emails. Rather than specifying how a business should store records, it defines which records should be stored and for how long.
What do you do now?
As you can see from above, there are many regulations to consider – and this is just a brief overview! There are many other specific retention periods. For example, medical examination records and registers of employees working with hazardous substances must be kept for a minimum of 40 years, under the Control of Substances Hazardous to Health Regulations 1995/3163.
Different types of email need to be treated differently. When deciding on your policy it is recommended that you:
- Consider legal obligations and business needs
- Establish standard retention periods for different types of information
- Ensure information is kept securely and also destroyed securely when no longer needed.
There are three typical retention policies used by most organisations. Option 1 is to Save Everything, which means all data is retained for use in any litigation matters. While this may seem the safest it will cause issues. There can be decreased performance, prolonged backup and restore processes and extended e-discovery costs – as more data stored equals more data to search through.
Option 2 is User Driven Retention, where users manage retention with predetermined tags or rules. Theoretically, this should mean that the organisation only retains what it needs to, but it depends on the users. There is a high risk of human error as users must remember and understand all retention guidelines.
The third option is to automatically archive emails, which can be carried out by an email archiving solution. It is not feasible to keep every email in a live environment. As volume increases, simple operations like search and retrieval become more time-consuming. An email archiving solution fixes retention periods for emails, which are controlled by automated processes. It provides secure storage for all users to enforce compliance and is ideal for many businesses – particularly heavily regulated industries.
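The automated option, fixed retention periods applied by rules rather than by users, is shown below in an added example written for this article; it is not the code of any archiving solution. It applies the periods quoted earlier on this page (six months for job applications and CVs, six years for personnel and financial records) to a constructed set of archived messages, keeps the longest period when a message falls into several categories, and never deletes a message under legal hold, since being able to produce evidence for litigation is the reason the archive exists. The category names, the default period for uncategorised mail and the sample messages are assumptions for illustration; a real policy must be confirmed against the regulations that apply to your business.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class ArchivedEmail:
    msg_id: str
    received: date
    categories: frozenset         # e.g. frozenset({"job-application"}); constructed tags
    legal_hold: bool = False      # set when relevant to live or anticipated litigation


# Retention periods per category, taken from the figures quoted in the article.
RETENTION_RULES = {
    "job-application": timedelta(days=182),     # "a short period of time (e.g. six months)"
    "personnel": timedelta(days=6 * 365),       # personnel records: six years
    "finance": timedelta(days=6 * 365),         # financial services: up to 6 years
}
DEFAULT_RETENTION = timedelta(days=3 * 365)     # constructed default for uncategorised mail


def retention_period(email):
    """Longest period among the matching categories, so a message that is both a
    job application and a personnel record is kept for the personnel period."""
    periods = [p for cat, p in RETENTION_RULES.items() if cat in email.categories]
    return max(periods) if periods else DEFAULT_RETENTION


def decide(email, today):
    """Return (action, expiry). Legal hold overrides the calendar unconditionally."""
    expiry = email.received + retention_period(email)
    if email.legal_hold:
        return "retain", expiry
    return ("delete" if today >= expiry else "retain"), expiry


def sweep(emails, today):
    """Scheduled job: partition the archive into what stays and what is now eligible
    for removal from the live server and then the archive itself."""
    result = {"retain": [], "delete": []}
    for email in emails:
        action, _ = decide(email, today)
        result[action].append(email.msg_id)
    return result


def demo():
    # Constructed sample mailbox, evaluated on a fixed date so the result is repeatable.
    today = date(2024, 6, 1)
    sample = [
        ArchivedEmail("<cv-2023>", date(2023, 9, 1), frozenset({"job-application"})),
        ArchivedEmail("<hr-2017>", date(2017, 1, 10), frozenset({"personnel"})),
        ArchivedEmail("<inv-2020>", date(2020, 5, 5), frozenset({"finance"})),
        ArchivedEmail("<misc-2022>", date(2022, 1, 1), frozenset()),
        ArchivedEmail("<hr-2010-hold>", date(2010, 3, 3), frozenset({"personnel"}), legal_hold=True),
        ArchivedEmail("<cv-hired>", date(2023, 9, 1), frozenset({"job-application", "personnel"})),
    ]
    return sweep(sample, today)
```

Running `demo()` deletes only the expired CV and the 2017 personnel record; the held 2010 record and the CV of someone who was hired (and so also a personnel record) are retained. The point of the legal-hold flag is that it is set on the message, not in a user's head, which is exactly the human-error risk that user-driven retention carries.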