Reading Co-operative Bank needed a secure email solution so it could quit the inefficient, time-consuming and expensive process of faxing and mailing confidential information to board members, regulators including the FDIC and the Federal Reserve, and borrowers.
While the bank had a contract to use a solution that would encrypt sensitive email and attachments based on pattern recognition, that system resulted in too many false positives. For example, it would encrypt banal items, such as plans for golf outings, because they included contact information in the email signature.
The application would judge these emails to be sensitive because the amount of digits or the type of information in the email signatures were too close to data characteristics governed by the solution's rule set aimed at flagging truly sensitive information, like account numbers. Thus, emails with simple contact info would trigger encryption. And if a recipient had never used the secure email solution, he'd be asked to set up a username and password, needlessly.
"People on the other side of that email were getting very frustrated," says Anthony J. Patti, senior vice president, CFO and treasurer at Reading. "We'd have to take off the rules, let the email go out, and then put the rules back again."
Turning on and off the rules, however, created the risk that the bank would send confidential data unsecured. That's because doing so required depending on staff to selectively encrypt and to remember when to turn the rule set back on.
Plus, when any senior executives or major clients complained about having to create usernames and passwords just to exchange innocuous emails, it created tremendous pressure on IT to simply take out the rules, and encrypt very little.
Mostly, the $350 million, Reading, Mass.-based mutual savings bank would fax regulatory and loan documents, and mail hard copies of financial packets to board members.
The problems are not unique to Reading nor its solution. Nearly all pattern recognition software suffers from false positives, because pattern matching is inexact. The level of specificity is often not granular enough for the pattern matching to discern real confidential information from material that simply carries similar characteristics of sensitive data sets.
But about five years ago, when Reading's auditing firm began sending the bank results of its audit reports via DataMotion's secure portal, Patti decided to let the legacy contract run out and switch to SecureMail. The bank has been using the cloud-based SecureMail Gateway for the last year to secure email it considers confidential.
In an effort to more accurately discern what it should encrypt, Reading plans to add a feature called "exact match" to DataMotion's software.
Instead of simply matching to a pattern, the exact match feature purports to find and match, for instance, actual, individual bank account numbers, based on a file the bank dynamically updates with the most recent account data.
SecureMail Gateway works with the bank's existing Outlook email client, enabling Reading's senior executives to securely email meeting materials to board members every two weeks. The interface enables the bank to write rules so that all attachments are encrypted. This secures most communications with the board and regulators, because financial information is typically sent via attached documents.
The solution has reduced processing time in the loans department, Patti says. "With commercial loans we need three, four years of tax returns," he says. "They used to have to fax them all. Now they just email them to us." Pages requiring signing are printed out, scanned into a PDF and resent.
Users can encrypt specific emails by clicking a button within the email client, whether that's Outlook, Lotus Notes or Novell GroupWise. A notification feature also tells senders when an email has been opened.
All outgoing and incoming email is filtered through DataMotion's SecureMail Gateway, where encryption rules the bank creates are applied. Users choose whether to deploy SecureMail software on onsite servers or on DataMotion's hardware. Regardless, DataMotion manages all the keys needed to decipher email text and attachments. The solution also accommodates the bank's branding.
While Datamotion focuses on securing email and file transfers, the vendor will support existing data loss prevention (DLP) systems already deployed in the enterprise. Other vendors offer both DLP and transport layer security email encryption. Very few offer push-based AES encryption or support S/MIME or OpenPGP, according to Forrester. So know what you require before shortlisting providers.
Bank: Reading Co-operative Bank
Problem: Simple pattern-matching tools encrypt too much.
Solution: Encrypt only actual account numbers.