What you need to know about GDPR compliance and email security

By Oliver Prevrhal May 28, 2018

In Singapore 42% of businesses reported phishing incidents
Education and awareness amongst employees should be a top priority

What you need to know about GDPR compliance and email security

What you need to know about GDPR compliance and email security THE European Union’s (EU) Global Data Protection Regulation (GDPR) came into full force on May 25. Although it is a known fact that that the GDPR is an EU-driven legislation, this regulation applies to all companies that collect and process data belonging to EU citizens.

Essentially, the applicability of GDPR is not determined based on the headquarters of the company, which could be in Singapore for example, but rather the markets in which it operates.

Companies in Asia Pacific, especially in the Southeast Asia region, will be impacted by the GDPR as the EU is both the region’s second largest trading partner, accounting for about 13% of Asean's trade, and the largest investor in Southeast Asian countries.

Failure to comply with the GDPR can have severe consequences on companies. Fines of up to 4% of annual global revenue or 20 million euros, whichever is greater, can be levied against any company that processes personal data of EU residents.

The introduction of the GDPR also comes at a critical time, where protecting the data and privacy of individuals has become a critical concern for many governments.

2018 alone has experienced a slew of personal data and privacy breaches, such as the Facebook-Cambridge Analytica scandal that has involved the collection of personally identifiable information of up to 87 million Facebook users.

These incidents serve as a reminder of the urgent need for companies to secure and manage the personal data of their customers.

Managing GDPR for email

Email, for example, is the most ubiquitous form of communication amongst companies that involves the exchange of personal data involving customers.

According to the European Commission, personal data is defined as “any information relating to an individual, whether it relates to his or her private, professional or public life. This can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address”.

The GDPR brings the regulation of enhanced email protection, as this communication channel continues to remain a target for cybercriminals and an attack vector.

With the number of email users worldwide expected to reach 2.9 billion by 2019, it has never been more important for companies to secure their email communication.

However, email security remains as a pain point for companies, as 91% of email-related data breaches have been discovered to be a result of poor practices by staff, who often send confidential documents by email without encryption.

On top of email-related data breaches, financial account information can be leaked, ransomware and malware can infect networks, and reputational damage can occur due to disclosure now becoming mandatory under the GDPR.

With email being leveraged on as the first point of entry for cyber-attacks, data loss prevention and other security measures are crucial when it comes to data protection.

Email security strategy

Developing an email security strategy can be relatively simple. The first step for companies is to explore the deployment of a comprehensive solution that offers Advanced Threat Protection (ATP) options to simplify their journey to compliance with the GDPR, while providing protection against the latest cyber-threats.

In Asia, business email compromise (BEC) attacks, also known as CEO fraud, has emerged as one of the region’s main cyber threats, given the 20% year-on-year increase in such attacks.

ATP enables employees to recognise faked sender addresses and expose emails as attempted fraud before sensitive transactions such as proving financial information or responding to a request for a customer’s personal data are carried out.

Phishing also continues to remain a popular method for cyber-attacks.

A report by A.T. Kearney has revealed that the top 1,000 companies in Southeast Asia potentially stand to lose US$750 billion in market capitalisation from cyber-attacks, most of which originate from phishing emails.

In Singapore, phishing is considered a primary cyber-threat vector, with 42% of businesses reporting phishing incidents, according to a report by PwC.

To combat phishing attacks that involve malicious attachments, a solution that uses sandboxing examines attachments in a virtual, secure test environment for irregular behaviour by means of complex simulation procedures before they are delivered to recipients.

Moreover, a security solution that scans all links contained in emails for target addresses suspected of phishing so as to warn employees before they click, also adds another layer of security.

However, while a comprehensive solution helps to mitigate such risks, education and awareness amongst employees should also be a top priority.

By developing security guidelines and educating employees on how to secure, process and manage data, companies can more easily avoid the implications of non-compliance with the GDPR.

Oliver Prevrhal is the managing director of Retarus Asia.