There are seven major industries whose electronic communications are governed by strict regulations: financial, retail, healthcare, defense, consumer data, insurance, and energy. For these seven sectors, cybersecurity is vital, and violations come with harsh penalties.
As a small business owner, you may be governed by some of these regulations, even if you don’t directly interact with consumers. For instance, even a small web hosting company can be bound by data encryption regulations if its servers are used by a company that transmits electronic health data.
Unfortunately, these regulations are often overlooked by small business owners because they’re not commonly discussed in industry-specific seminars or meetings. Many don’t believe the rules apply to them and assume they’re off the hook.
However, these regulations are taken seriously, and unless you’ve got endless cash flow, non-compliance is expensive.
There’s a reason for the regulations
Regulations governing these sectors – HIPAA, for example, in the healthcare sector – are designed to prevent data breaches that give hackers access to personal and financial information like credit cards.
If your business is in a sector where the transmission of electronic data is governed by strict rules, you can’t afford to choose the wrong email and data security solution.
Most regulations require data to be encrypted at all times. That means data needs to be encrypted in transit and at rest, no matter what device is used to send or receive it, and without any gaps.
Not all popular encryption solutions are complete
Popular security solutions like Office 365 Message Encryption allow you to send encrypted messages to anyone, even if they don’t use Office 365 applications. It’s a great solution for most B2B and B2C situations. However, one aspect makes it incomplete for industries bound by strict compliance regulations:
Microsoft first sends the message, unencrypted, to its server. This initial unencrypted data transmission isn’t a big deal for most businesses, but for those operating under the rules of HIPAA, CJIS, and other regulations, it’s a violation that could cost you everything.
This initial unencrypted transmission is why you should be using a third-party plugin for Microsoft 365 to complete the encryption process.
Encryption experts at Virtru have gone the extra mile to create a plugin that completes the encryption process for all users. In a detailed analysis, they explain why it’s a challenge to meet the encryption standards defined by regulatory agencies:
“There is no standardized email encryption solution that is easily used by all email clients and across all use cases.” And, “Unless a vendor steps up to cover more use cases, IT organizations will be forced to adopt a patchwork of email encryption solutions that do not work well together and are expensive to replace.”
Virtru’s analysis also explains why the security of your email communications – even when encrypted by Microsoft – relies on both your service and the recipient’s service using TLS. As a message travels to its destination, it’s relayed between multiple servers. At each server, a secure connection is created, the message is decrypted, and it is encrypted again before being sent on to the next server. This repeats until the message reaches its destination.
When both the sender and recipient use TLS, there’s little risk of the message being hijacked on the wire. However, because the message sits decrypted on every relay along the way, if at any point it passes through a vulnerable server, a third party could intercept and read it.
Most Microsoft customers choose to purchase Azure RMS to add more layers of protection to their electronic communications, although that’s still not enough to meet some regulations. That’s why Virtru created a plugin for Microsoft 365 that eliminates the problem of not having control once the message leaves your outbox.
The difference is that Virtru’s plugin “protects emails and attachments using object-level, or data-centric, encryption. This means that data is encrypted the moment it is created, and it remains encrypted no matter where it travels.” That is what meets compliance standards.
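The two delivery models contrasted above, as an added example that is not Virtru’s or Microsoft’s code: a hop-by-hop path where every relay is handed the readable message, and an object-level path where the message is sealed with AES-GCM under a recipient-only key before it leaves the outbox, so relays carry only ciphertext. The Mailbox type, the relayThrough helper and the key are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Mailbox struct{ g cipher.AEAD } // recipient-only key; relays never get one

func NewMailbox(key []byte) (*Mailbox, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Mailbox{g: g}, nil
}

// Seal is object-level encryption: AES-GCM applied before the message
// leaves the outbox. Output layout: nonce || ciphertext || tag.
func (m *Mailbox) Seal(msg []byte) []byte {
	nonce := make([]byte, m.g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // a failing system RNG is not recoverable here
	}
	return m.g.Seal(nonce, nonce, msg, nil)
}

// Open reverses Seal; a wrong key or a tampered blob yields an error.
func (m *Mailbox) Open(blob []byte) ([]byte, error) {
	n := m.g.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return m.g.Open(nil, blob[:n], blob[n:], nil)
}

// relayThrough models the route in the text: each server is handed the payload
// as-is (TLS protected the link, not the relay's copy); returns hops that can read.
func relayThrough(payload, msg []byte, hops int) int {
	readable := 0
	for i := 0; i < hops; i++ {
		if string(payload) == string(msg) { // the relay inspects its copy
			readable++
		}
	}
	return readable
}
```

Passing the plaintext to relayThrough shows every hop able to read it; passing the sealed blob shows none, while only the mailbox holding the key recovers the message.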
Data breaches can happen to anyone
You don’t need to be a big name in your industry to suffer an attack. So far, 2016 and 2017 have been flooded with data breaches in the healthcare sector alone:
- Henry Ford Health – using stolen employee credentials, hackers stole the data of 18,470 patients.
- Arkansas Oral Facial Surgery Center – a ransomware attack encrypted the X-rays, files, and documents of 128,000 patients. Ransomware locks a business out of its own files and demands money to restore them. In most cases, the money is requested in Bitcoin, which is untraceable, and the data is seldom restored.
- Emory Brain Health Center and Bronx-Lebanon Hospital Center – hackers scanning the internet for open databases hijacked 22,000 unsecured MongoDB databases. Two of these belonged to healthcare organizations, one of which contained three years’ worth of research on leukemia patients. The hackers held the databases for ransom at $650 each.
View this slideshow from Healthcare IT News for a list of 41 major healthcare breaches in 2017 as of December to get an idea of what’s happening.
Data breaches are inevitable, but that doesn’t mean you need to experience one. If you haven’t secured your electronic communications from the ground up, now’s the time to do it.