In May 2018, a groundbreaking regulation went into effect that changed how data is collected, processed, stored, and used by businesses, governments, and organizations around the world. The European Union’s General Data Protection Regulation (GDPR), a directive passed in 2016, affects any organization that handles the personally identifiable information (PII) of EU citizens.
The Global Impact of GDPR
The goal of the regulation is to establish a standardized set of protection laws that would enable citizens of EU member states to have a greater understanding and control of how their personal information is used. It also provided them with a way to raise concerns about the usage of their data by companies in countries.
Some of the protections outlined in the GDPR include:
- “The right to access by the data subject”;
- “The right to erasure” (right to be forgotten);
- “The right to restriction of processing”; and
- “The right to data portability” (the right for the data subject to receive the info an organization has collected on them).
And even though this is an EU regulation that is centered around the rights of EU citizens, it has a global impact. Any company that is doing business in the EU or has customer data for EU residents has to comply with GDPR, or be at risk for some very hefty financial penalties.
How the GDPR Affects Anti Phishing Initiatives and Efforts
What do all of these data protections have to do with email security and anti phishing solutions? According to Caleb Barlow, vice president of IBM Security, GDPR has some unintended effects on anti phishing software and security processes.
In a June 2018 interview with TechRepublic, Barlow stated that while some aspects of the GDPR are positive — such as forcing companies to clean up and remove unnecessary data that no longer needs to be collected, processed, or stored — there also are some potential concerns that must be acknowledged. One such impact is to the use of WHOIS, a free and open system used by companies to see who is behind any given registered web domain.
WHOIS is a system that has been used to help identify and block malicious activity and users, decrease spam, and prevent malware through phishing attacks. Of the changes in how companies are allowed to collect, store, and use personal data — even to enable more effective anti phishing software — Barlow says:
“WHOIS data was the tool that we use to pivot on to identify all the activities of bad actor... Although they may not fill in the real information, like they're not going to use their real name and their real address, they have to use a real phone number. They have to use a real email address. That might be a burner phone. That might be a temporary email address, but you have to understand this is organized crime. They don't register one or two emails at one or two domains. They register them by the thousands. We find one that goes bad, we block them all, and all at once, and we do this in a matter of minutes. This is the big tool that the security industry's been doing to keep that spam out of your inbox, and all of that's going away.”
How Many Anti Phishing Solutions Approach Phishing
One of the shortcomings of many antispam and anti phishing solutions is that they are ineffective at balancing security and privacy. Their systems automatically scan through users’ email content, which could contain confidential or sensitive information relating to personal, financial, or health-related communications. Even with this drastic measure, these types of email security tools are ineffective at identifying bad emails from good ones.
As we discussed in another article on privacy and security, many anti phishing solutions or software:
- Falsely identify valid emails as spam or phish, resulting in good messages ending up in spam and trash folders.
- Don’t catch all phish, allowing these dangerous communications through their defenses to the inbox where users can interact with them.
How Clearedin’s Phishing Prevention Solution Protects Without Invading Privacy
Wondering how to protect against phishing when it comes to your business’ communications? Clearedin differs from other anti phishing solutions in that we offer a phishing prevention solution for businesses in this post-GDPR age that values end user privacy. Rather than “reading” users’ emails, our anti phishing software only looks at the metadata of email and chat content to develop a trust graph or social model that can be used to identify communication patterns of senders and recipients within an organization.
Messages that fall outside the normal patterns will be flagged to warn the user of potential danger. However, our anti phishing solution takes it a step further by locking down suspicious URLs and providing information to the user to inform them about why each message is suspicious. This enables them to make an informed decision about each email and whether to mark it as safe.
Furthermore, Clearedin’s anti phishing software supports the GDPR’s right to erasure by data subjects (the right to be forgotten). Our platform enables companies to abide by these measures by surgically removing a particular user in the graph, along with any related data and inferences that we've built based on that data.
Together, these methods and features help leave end-user privacy intact while offering more comprehensive security.
To learn more about how Clearedin is changing the world of anti phishing solutions and what our platform can do for your business, contact our team of cyber security experts today.