A feature of Office 365 has been enabled that uses sophisticated algorithms to detect 'sensitive information' in the content and attachments of email sent by our organization. When these algorithms find sensitive information in this context, messages are encrypted before they are sent on to recipients.

Nearly every choice in the field of security is made as a compromise between convenience and security, weighing the risk from one choice against the cost of another choice. The purpose of this article is to convince you that you should not want to send sensitive information over email without an added measure of security to ensure that sensitive information is kept private between only those who should have access to it.

  • We are stewards of our clients' data


Supply chain attacks are an increasingly prevalent reason for cyber security breaches. Every client we engage with takes on the cyber security risk that our organization brings to the relationship. Our professionals are often given client data that includes sensitive information related to the client's customers or employees, bank account numbers, etc. What would it mean to our company if a client's sensitive information were compromised by the action or inaction of one of our professionals?


  • Risk to reputation and finances


The Wendy's restaurant chain settled a 2019 suit brought against them for the exposure of personal information through a breach in security with their point of sale system. The $50M settlement will cost the company $27.5M of its own funds after insurance. If our company were to be found liable for leaking a client's data, what would it mean to the company's finances, reputation, and the willingness of other potential clients to engage with the company?


  • Violation of contractual agreements


Our clients have an international presence.  Some clients are including in their contractual arrangements with vendors provisions that dictate specific controls regarding how their data, particularly personally identifiable information (PII), is stored, transmitted, and processed following the GDPR regulations in the EU.  Among the elements of those agreements is that PII is not transmitted or stored "in the clear" (unencrypted).  Sending PII through an email without encryption would violate those terms.  
 


Which brings us to the final message:


  • Email is not a secure channel of communication


Every email will pass through three domains of risk where it's vulnerable to leaking its data, and you should make no assumptions about the security of any of these domains.


The sender and receiver's devices


Every email you send and receive is stored on the devices that interact with that message for some period of time.  Anyone with sufficient access to that device can read that data with forensic data tools that are publicly available and not difficult to use.  It's not a safe assumption that you know who will have access to these devices and what their motivations and actions may be.  What might a disgruntled spouse, or an accidentally playful toddler, do with a device and messages left unsecured? 


The networks connecting the sender and receiver


Traditionally, email is sent from one server to another without encryption. Email protocols were designed and implemented in the very earliest stages of the Internet, when security was barely an afterthought. It's very common for messages to follow many varying paths through a system of mail servers that move messages through different systems, networks, and geographies, making several hops from one server to another before reaching their final delivery location. Anywhere along this path, an unencrypted message can be read by anyone with access to the network layer. Even if you're the administrator of the network on one side or another of the send / receive chain, with absolute control of your network, there's no way you can say with certainty that a message will pass from sender to receiver through secured network channels.
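The hops a delivered message took, and whether each one recorded transport encryption, can be read from its Received trace headers. The following is an added example, not part of the original article: the sample message and host names are constructed, and the TLS keywords checked are the "with" protocol types registered in RFC 3848.

```python
import re
from email import message_from_string

# Constructed sample message; all hosts and addresses are placeholders.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby store.recipient.example with LMTP id c3; Tue, 2 Jan 2024 10:00:05 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id b2; Tue, 2 Jan 2024 10:00:03 +0000
Received: from mail.sender.example (mail.sender.example [192.0.2.1])
\tby relay.isp.example with ESMTPS id a1; Tue, 2 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed sample

body
"""

# RFC 3848 "with" keywords that a server writes when the hop used STARTTLS.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.I | re.S)

def trace_hops(raw_message):
    """Return (sender, receiver, protocol, tls_recorded) per hop, oldest first."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its own Received header, so reverse for travel order.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if m is None:
            hops.append((None, None, None, False))  # unparseable: treat as unprotected
            continue
        sender, receiver, protocol = m.group(1), m.group(2), m.group(3).upper()
        hops.append((sender, receiver, protocol, protocol in TLS_KEYWORDS))
    return hops

def unprotected_hops(raw_message):
    """Hops with no transport encryption recorded in the trace header."""
    return [h for h in trace_hops(raw_message) if not h[3]]

if __name__ == "__main__":
    for sender, receiver, protocol, tls in trace_hops(SAMPLE):
        print(f"{sender} -> {receiver}: {protocol} ({'TLS' if tls else 'no TLS recorded'})")
```

The headers are written by the servers themselves, so they show only what each hop claims, and even a TLS-protected hop leaves the message readable on the server that received it.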


The servers the messages are passed through


Messages may be stored, copied, redirected, or otherwise processed in ways that are completely invisible to the sender and receiver at every hop in the transport of the message. Generally, these systems are run by responsible administrators who take these actions for justifiable business reasons, but can you foresee the consequences of how data that you're responsible for transferring will be accessed and used by any number of intermediate systems and persons with access to the data along the way?


Therefore, given the risk and potential consequences of being part of a security breach involving personal or sensitive data, we have made the decision as an organization to put automatic message encryption functionality in place.

