This week, it was reported that just over 35,000 student records were compromised at Riverside Community College District in California when an employee accidentally sent these records to an external email address. As a consequence of this error, students have become anxious about their security and mistrustful of the college administration. To correct the mistake, the college is offering one year of free credit monitoring to any student listed in the leaked database. As with any data breach casualty, Riverside Community College is taking a hit to its reputation and to its budget.
While we would hope that anyone sending an email containing sensitive information (such as a student record database) would take the time to make sure they are sending it to the correct address, the fact remains that people make mistakes. We send so many emails through the course of the day that the security exceptions begin to blend with the regular correspondence. What happened at Riverside Community College was an honest mistake that can easily happen to anyone, especially when email address auto-complete is active. Moreover, many email systems do not display the full email address and instead only show the name of the recipient. A user may check to see that “Alice Smith” is in the address line, but not know whether it’s Alice Smith’s home or work address – or even if it is the correct Alice Smith.
Thankfully, TITUS makes security tools that can protect against this very occurrence. TITUS Message Classification for Microsoft Outlook, and TITUS Mail for mobile devices, force users to classify – that is, to indicate the sensitivity of – all outgoing email. By forcing users to classify, they are brought out of the haze of their everyday email routine and are explicitly asked to consider what they are sending.
Now you might be thinking that even had the employee at Riverside Community College classified the email, the classification would not have prevented the email from being sent to an external (and unauthorized) email address.
However, the classification metadata enables an automated data loss prevention (DLP) policy to catch such mistakes. So, while the user may not notice that they addressed an email to Alice Smith’s home email address, the TITUS policy engine will. TITUS solutions for email leverage the user-applied classification to enforce the appropriate policy. For instance, if TITUS recognizes that an email is classified as “Internal,” it will check all the addresses in the TO, CC and BCC fields to verify there are no external domains. If an external domain is found, TITUS will block the email from being sent and warn the user of the policy violation.
Other security policies could also be enacted based on the classification. Had the user applied a higher classification, such as “Restricted,” TITUS could have activated S/MIME or Microsoft RMS encryption to protect the email even further.
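As an added illustration of the classification-driven policy described above (this is example code, not TITUS code), the following check extracts the real addresses behind display names such as “Alice Smith”, blocks an “Internal” message with any external recipient domain, and requires encryption for “Restricted”. The internal domain, the label names and the rule that a higher label inherits the checks of the lower ones are constructed assumptions.

```python
from email.utils import getaddresses

# Constructed: domains considered internal to the organisation.
INTERNAL_DOMAINS = {"example.edu"}

# Constructed labels, in increasing order of sensitivity.
CLASSIFICATION_RANK = {"Public": 0, "Internal": 1, "Restricted": 2}


def recipient_domains(headers):
    """Return the address domains found in the To, Cc and Bcc headers.

    getaddresses() strips display names, so "Alice Smith <alice@home.example>"
    is judged by its domain, not by the familiar-looking name. A non-empty
    header that yields no address raises ValueError so callers can fail closed.
    """
    domains = []
    for name in ("To", "Cc", "Bcc"):
        value = headers.get(name, "")
        if not value.strip():
            continue
        addrs = [a for _n, a in getaddresses([value]) if "@" in a]
        if not addrs:
            raise ValueError(f"unparseable {name} header")
        domains.extend(a.rsplit("@", 1)[1].lower() for a in addrs)
    return domains


def is_internal(domain):
    """A domain is internal if it equals, or is a subdomain of, a listed domain."""
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def evaluate(classification, headers):
    """Return (action, reason); action is 'allow', 'block' or 'encrypt'."""
    rank = CLASSIFICATION_RANK.get(classification)
    if rank is None:
        return "block", "unclassified message"  # no label, no send
    try:
        external = sorted({d for d in recipient_domains(headers) if not is_internal(d)})
    except ValueError as exc:
        return "block", str(exc)  # malformed recipients: fail closed
    if rank >= CLASSIFICATION_RANK["Internal"] and external:
        return "block", "external recipient domain(s): " + ", ".join(external)
    if rank >= CLASSIFICATION_RANK["Restricted"]:
        return "encrypt", "Restricted content requires S/MIME or RMS encryption"
    return "allow", "policy satisfied"
```

For the scenario in the post, `evaluate("Internal", {"To": "Alice Smith <alice.smith@example.edu>", "Bcc": "Alice Smith <alice.smith@home-mail.example>"})` returns a block decision naming the external domain even though both display names read “Alice Smith”.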
It is not practical to expect that users will always verify the addresses in an email or will know when or how to apply encryption. But it is possible to make your users reflect briefly on the sensitivity of their correspondence. The simple act of classifying an email provides a dramatic increase in security, and can help ensure that what happened at Riverside Community College does not happen in your organization.