One of the world’s largest financial institutions discovered that well-intentioned employees were inadvertently creating a data security and compliance risk.
The bank lacked an enterprise-wide standard for data protection, leaving employees and departments to choose their own methods for securing sensitive information. The result was a patchwork of passphrase-based and certificate-based encryption, using a variety of user-selected tools, some of which provided inadequate protection.
The inconsistent approach to encryption created difficulties when users needed to share sensitive data internally. When users shared data outside the organization, the situation became even more problematic.
The bank had invested significant resources in a data loss prevention (DLP) system to prevent unauthorized sharing of sensitive data. However, the DLP system was unable to inspect emails or attachments that had been encrypted with user-selected tools.
With DLP unable to inspect encrypted email, the bank's security team was faced with two unacceptable options: route the messages for manual follow-up, or allow them to leave the company network without inspection. The first option was simply not feasible for such a large organization: with encrypted email accounting for 3% of total traffic, the DLP system was locked out of thousands of outgoing messages each month. Allowing these messages to bypass DLP, on the other hand, exposed the bank to multi-million-dollar fines and other sanctions in the event that sensitive data was shared inappropriately.
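As an added illustration (not code from the case study or any vendor), this is the gateway-side check a DLP team in this situation would want: classify each outbound message as inspectable or opaque to content inspection, so the manual-follow-up route is applied automatically rather than by hand, and measure the share of traffic DLP is blind to. All sample messages are constructed; the MIME types are the standard S/MIME and PGP/MIME ones, and the zip check reads the encryption flag in the local file header.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# MIME types that signal certificate-based (S/MIME) or PGP/MIME encryption DLP cannot see through.
OPAQUE_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime",
                "application/pgp-encrypted", "multipart/encrypted"}

def zip_is_encrypted(data: bytes) -> bool:
    # ZIP local file header: 'PK\x03\x04', general-purpose flags at offset 6,
    # bit 0 set means the entry is password-protected (passphrase-based encryption).
    return data[:4] == b"PK\x03\x04" and len(data) > 7 and bool(data[6] & 0x01)

def opaque_reasons(msg) -> list:
    """Why the message is opaque to content inspection (empty list = inspectable)."""
    reasons = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in OPAQUE_TYPES:
            reasons.append(ctype)
        elif part.get_content_maintype() == "text":
            if "-----BEGIN PGP MESSAGE-----" in part.get_content():
                reasons.append("inline PGP armor")
        elif not part.is_multipart():
            if zip_is_encrypted(part.get_payload(decode=True) or b""):
                reasons.append(f"encrypted zip {part.get_filename()}")
    return reasons

def classify(raw: str) -> str:
    """'inspect' = hand to DLP; 'review' = DLP is blind, route for manual follow-up."""
    msg = message_from_string(raw, policy=policy.default)
    return "review" if opaque_reasons(msg) else "inspect"

def opaque_share(raw_messages: list) -> float:
    """Fraction of outbound traffic DLP cannot inspect (the case study's 3% figure)."""
    return sum(classify(r) == "review" for r in raw_messages) / len(raw_messages)

# Constructed sample traffic (hypothetical addresses, not from the case study).
def sample(body: str, zip_flag=None) -> str:
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.org", "report"
    m.set_content(body)
    if zip_flag is not None:  # minimal ZIP local header carrying the given flag byte
        hdr = b"PK\x03\x04\x14\x00" + bytes([zip_flag, 0]) + b"\x00" * 22
        m.add_attachment(hdr, maintype="application", subtype="zip", filename="r.zip")
    return m.as_string()

SAMPLES = [sample("quarterly numbers attached"),                      # plain text
           sample("see attached", zip_flag=0x01),                   # password-protected zip
           sample("see attached", zip_flag=0x00),                   # ordinary zip
           sample("-----BEGIN PGP MESSAGE-----\n(armored ciphertext)\n-----END PGP MESSAGE-----")]
```

Running `opaque_share(SAMPLES)` over the constructed set gives 0.5; over real gateway logs it yields the blind-traffic fraction the case study quotes as 3%.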