1

Sender’s Remorse:How Safe Are YourEmail Attachments?

White Paper

2

With so much buzz around new file sharing technologies, it’s easy to think that email is on its way out. But email is far from dead. In the enterprise, it’s actually still the number one way that employees collaborate on files, especially across companies. The average worker sends 5 to 10 email attachments per day, many of them to external parties: partners, vendors, contractors, customers and more.

There’s a lot of sensitive information contained in those files. Financial data. Product roadmaps. Upcoming partnerships and acquisitions. Information on customers and partners. Pricing and discounting. Personal details too, like salaries and medical histories.

Yet even the most security-minded companies and individuals have challenges when it comes to safeguarding email. Once the attachment leaves your firewall, it’s gone, and there’s no getting it back.

Major names across sectors and industries have felt the impact in a variety of ways.

Damaged reputations. Strained relationships with partners, clients, and vendors. Disgruntled employees and reduced productivity. Regulatory fines and penalties. Loss of business-critical intellectual property.

With threats on the rise, enterprises in all sectors and markets are looking for a way to protect and control outbound email attachments programmatically, quickly, cost-effectively, across the entire organization, without requiring any additional steps on the part of end users. And while organizations are investing in secure Enterprise File Sync and Share (EFSS) solutions to leverage a wide range of benefits – such as improving mobile collaboration, providing a single point of access for content, and enabling users with self-service control over workspaces and permissions – protecting outbound emails in this automated, systematic way is a unique requirement. A requirement that exists whether you already have a secure EFSS solution in place today or not.

Email Attachments: Why There’s So Much at Stake

White Paper

The Problem with Email Collaboration

Corporate IP• Design Specs• Finances• Strategic Plans• Creative Works

Business Materials• Contracts• Pricing• Discounts• Customer Data

Personal Information• SSNs• Job Applications• Salaries• Medical Records

In a survey by The Ponemon Institute, 61% of employees confessed to sending unencrypted emails, failing to delete confidential documents, or accidentally forwarding sensitive data to unauthorized recipients. Given the recent upturn in targeted phishing scams, it’s important to implement a solution that systematically protects the sensitive information that leaves your firewall.

What could happen if an employee inadvertently forwards confidential information about a business partner to a third party? How much damage a phishing scam could do if it allowed criminals to get hold of your employees’ personal information? What might competitors do with access to your intellectual property?

3

White Paper

Another way enterprises are trying to prevent leaks and breaches associated with email attachments is through email data loss prevention (DLP) technology, which scans fields for high-risk keywords or details that violate security rules.

It’s a great first step. But what do you do with an email once the DLP system flags it as risky? Aside from blocking every potentially sensitive attachment (which is a productivity killer), there are generally only two options, and both have significant drawbacks:

1) Quarantine the email and have a person (seniorenough to be security-cleared) manually review itand decide what to do. This is time-consuming,cumbersome and expensive – and interrupts theworkflow.

2) Document the security risk and then let the emailgo. This means that sensitive information leavesyour company, and although you have a record of it,there’s nothing you can do to get it back.

In an ideal world, you could connect file-level protection with your DLP security policies, gaining automated policy enforcement and granular control. That way, you could maintain peak productivity and keep work flowing – without compromising security.

Built on the industry-leading, highly secure BlackBerry Workspaces file management platform, BlackBerry Email Protector is a unique, market-leading, standalone solution that allows administrators to apply a wide range of access and usage rules to attachments sent through their email gateway.

With Email Protector, you can safeguard every attachment that leaves your company via email, enforcing file-level security programmatically across your organization.

When Email Protector detects an attachment, it automatically strips the file from the email, places it in a secure Workspaces repository, and replaces it with a link to the protected document.

What happens when the recipient clicks the link? Your organization can decide in advance, by setting permissions that are appropriate for each use case and risk profile – and change them, as and when required.

Email DLP: A Great Start, But Not Enough On Its Own

Control Every Attachment that Leaves Your Firewall

BlackBerry Workspaces is the leading secure EFSS solution, earning accolades from Gartner, Forrester and its thousands of security-conscious customers around the globe.

4

White Paper

BlackBerry Workspaces provides digital rights management (DRM) with file-level security. Each file (and its metadata) is wrapped with 256-bit encryption that makes it safe while at rest and in transit, on the server and on the device – and after it leaves your firewall.

With Workspaces DRM, you can customize the level of protection a file receives: full file access, rights managed downloads, or view online only. Administrators can:

• Control what a recipient can do with a file, such as access, view, edit, copy, print, download andforward. To really lock things down, they can provide documents in “View-Only” mode via the secure Workspaces browser client on desktops or via Workspaces mobile device clients.

• Whitelist and blacklist certain recipients or file types to suit your use-cases.

• Set an expiration date or revoke file access at any time – even after the document has been downloaded or shared. Once access to the file expires, the recipient’s local copy becomes an unhackable, encrypted data blob.

• Set up customized watermarks to deterscreenshots, and include specific user details such as the recipient’s email or IP address.

• Further deter against screen capturing with theSpotlight feature in the online viewer, which blurs the screen except where the mouse pointeris hovering.

• Change the permissions on a shared documentat any time – remotely allowing the user to printthe document upon their request, for instance.Again, changes can be applied even after the file is downloaded and saved elsewhere.

Email Protector is painless for end-users – no extra steps, no unnecessary complications. They attach files in the same way they always have, and hit send. The rest happens automatically.

The recipient’s experience is simple as well; they’re automatically provided with appropriate access to view and/or download files. The very first time they receive a link to a file from Email Protector, they’ll be asked to set up an account, and afterwards their browser will remember their credentials.

File-level Security Through Industry-Leading DRM

Take Advantage of Industry-leading DRM from BlackBerry Workspaces

• 256-Bit Encryption• Authentication & Access Control• Digital Rights Management (DRM)• Watermarking

5

White Paper

Email Protector is a standalone solution, and its benefits don’t require that you have a DLP solution in place. At the same time, if your organization is using an email DLP solution, Email Protector integrates with it seamlessly, so you can enforce security policies without impacting anyone’s workflow.

Put simply: the combination allows you to apply DRM protections using a rules engine (DLP) to classify the documents and Email Protector as the enforcement mechanism.

Many organizations have invested significantly in DLP – both in the software itself, and by taking the time to create the security policies that drive it. Leverage those rules, and extract more value from your existing investment: Email Protector can provide protection right on top of those security policies. It requires very few changes to the rules and conditions in an already established DLP deployment.

In addition to applying granular security controls based on those established rules, they can easily modify how security is enforced as needed. Administrators can tailor the way Email Protector works together with DLP to secure their organization.

Here’s a simple use case. You’re working with an important new vendor that has a less than stellar approach to security. Your DLP system can be set to detect all sensitive attachments sent to this vendor, and Email Protector can automatically ensure those attachments are “view-only”. And this all happens without the user having to do anything differently. Employees can continue their work unhindered, and you don’t need to worry about putting important information at risk.

Workspaces tracks everything that happens to each file that it protects. Logs tell you who did what, when they did it. You can even see the device type they were using, its IP address and location. These capabilities are powerful for regulatory compliance and whenever file security is a high priority.

Extract More Value From Your DLP Investment

• Business Rules• Data Scanning• Classification

• Rules Enforcement• DRM Protection• Watermarking

DLP Email ProtectorEmail Protector Provides a Way for DLP to Enforce Security Policies

Email Protector: Use it on its Own or With BlackBerry Workspaces EFSS

Email Protector is designed as a solution that stands on its own. However, i you’re using Workspaces or EFSS today (or plan to, soon) Email Protector is a great way to enhance your file protection capabilities by systematically protecting every email attachment that leaves your firewall. Administrators can seamlessly control both services through a common interface. Find out more about the secure EFSS solution that’s earned accolades from Gartner and Forrester, among others – and find out why the New York Times suggests it could prevent the next major email hack.

6

White Paper

There are many ways you can use Email Protector to protect your organization and, if you’re using DLP, extract more value from that investment, too. Here are two typical use cases.

Protecting Financial DataAn employee sends an email attachment containing credit card numbers to a partner agency. After scanning the attachment, the DLP system recognizes the presence of sensitive financial information. Email Protector applies the appropriate, pre-determined file protections, limiting file access to only the recipient. No matter where the file ends up, only the intended recipient can access it. Even if the file falls into the wrong hands, it remains encrypted, safe and unhackable.

Safeguarding Product SecretsAn employee sends an email attachment containing pre-release product information to a marketing vendor known for a lax approach to security. The DLP system recognizes both the vendor’s email domain/location and the presence of internal-only code names. Once again, Email Protector applies the appropriate file-level protections:

• View in a secure browser only, with no ability todownload, forward, or print

• Spotlight viewing to deter against screen capture

• Watermark with email and IP address

• Expiration set for one week

No other solution captures this data or offers this level of granularity in terms of file usage and IP protection.

Usage information can be captured within the interface, or exported to your enterprise analytics, log management or Security Information and Event Management (SIEM) tools, such as Splunk.

Email Protector can even integrate with STMP-based email eDiscovery solutions, allowing for additional insight into your emails and attachments.

Using Email Protector in Your Business

Workspaces Can Track Activity onEvery Outbound Attachment

• Who accessed a file• What they did with it• When they did it• Where it was accessed• How it was accessed• You can even see the user’s device type and IP address

7

White Paper

BlackBerry is securing a connected world, delivering innovative solutions across the entire mobile ecosystem and beyond. We secure the world’s most sensitive data across all end points – from cars to smartphones – making the mobile-first enterprise vision a reality. Founded in 1984 and based in Waterloo,

Ontario, BlackBerry operates offices in North America, Europe, Middle East and Africa, Asia Pacific and Latin America. The Company trades under the ticker symbols “BB” on the Toronto Stock Exchange and “BBRY” on the NASDAQ. For more information, visit www.blackberry.com.

About BlackBerry

© 2016 BlackBerry Limited. Trademarks, including but not limited to BLACKBERRY, BLACKBERRY UEM, BBM and EMBLEM Design are the trademarks or registered trademarks of BlackBerry Limited. All other trademarks are the property of their respective owners. Content: 12/16 | Rev. 01DEC2016

Email Protector can be purchased separately from, or in addition to, Workspaces EFSS licenses.Contact Sales for a quote that’s specific to your requirements.

To find out more, visit blackberry.com/emailprotector

Next Steps

Enterprise email remains a core communication tool – and that won’t soon change.

With more high-profile hacks and leaks hitting the news weekly, every company wonders if they might be next. You don’t need to wait and see.

With easily-applied DRM, ready integration with existing DLP systems, and powerful controls, BlackBerry Email Protector protects your attachments at rest and in transit, on the server and on the device – and after they leave your firewall. There’s no other solution like it.

Toughen Up Your Approach to Email Security