Phishing attacks are emails that attempt to trick the user to click on a hyperlink to access a system they shouldn’t. In order to convince the user to click, hackers will often include the business logos of trusted brands to bestow a feeling of legitimacy and importance.

On July 21, 2020, Google announced a new security feature that’ll be rolled-out to G-Suite users to help protect them from these kinds of attacks.

The feature implements an emergent email standard called Brand Indicators for Message Identification (BIMI) and its function is to uniquely verify the use of corporate logos using the DMARC system - the same system that’s used to validate the authenticity of an email sender.

Emails delivered to Google’s mail system are scanned for fraud and abuse. Under BIMI, a registered brand logo will be validated and presented to the G-Suite end user in the round avatar slot aside an email. It’s a visual cue that both re-affirms brand-trust and indicates safety to the end user.

Messages that fail validation for the use of a corporate logo are filtered from the end user.

The technical side of BIMI requires email senders to:

• use SPF and DKIM, and to publish a specific DMARK enforcement policy for the domain of either “p=quarantine” or “p=reject”.

• publish a SVG logomark;

• register their logo with the BIMI working group and publish a BIMI record;

• acquire a Verified Mark Certificate for their logo (a Google-specific requirement currently offered by only Entrust, DataCard, and DigiCert).

All of these controls benefit the G-Suite user as fraudulent use of corporate logos would potentially be filtered, making their use within spam and phishing attacks useless.

Google intends to implement this feature (and many others related to mail safety) over the next year.

Uh Oh, Spaghetti-o ...

A client approached me the other day with a concern.

He feared that an employee that recently left the company was poaching his client base. He needed me to make sure that his systems were secure. I confirmed that was the case, but then he asked, "What about her email?"

Prior to engaging me, the client just had his employees setup private Yahoo! accounts. Now, with the employee gone, he needed to take control of that data.

And Now ... The Bad News ...

"No-can-do," I had to tell him, and I needed to explain some rules of the road.

Yahoo! is a private email container. As an employer of the employee, he can't access it nor control it; the EULA (End User License Agreement) is between the provider and his employee. FCC rules say that's private property, and, attempting to monitor what goes on in those email accounts is tantamount to eavesdropping on your employees.

"But those are my clients," he argued, and I empathized, but I suggested there's little he can do. 

"You shouldn't have been relying on private email accounts for company business," I suggested.

And then I had to explain the really bad part.

Classified Data

You see, this guy is in the business of working with confidential, classified forms of Protected Health Information, or, PHI. Every now and again, PHI about his customers were probably emailed to this individual and fell outside of his control. Further, it was possible that customer's drivers license information was shared with the former employee.

"Technically, that's potentially a breach," I had to explain, "where you've lost control of classified forms of data under two sets of law: HIPAA - federal law managing PHI - and State of Washington Data Breach Law. You've lost control of the data and can't account for its whereabouts, access control, or destruction."

So What Do We Do Now?

At that point, he started looking at me pretty nervous-like, and I discussed his options going forward.

• The company should set up a secure email and storage system. It just so happens that I'm a reseller for Google Apps. Google Apps has sought and received FISMA, ISO 27001, and SSAE 16 certifications for information system security, and understands its Business Associate obligations for managing PHI. Google's server traffic is encrypted and the data stored on its cloud platform is encrypted; Google Apps Privacy and Security are some of the best practices in the industry. Google's a big proponent of responsible computing and that's why I work with them.
   
• Under the company's flag, they own this asset. They can control and audit and revoke access. They can determine who and what devices receive confidential forms of information that they're responsible for. And if a termination event happens again, we're in control.
   
• Implement an Administrative Control (a policy) that states employees can only use the corporate email system for company business. Violating that policy is grounds for dismissal. That sets up management's intention and clarifies the obligations of employees. That's called an Acceptable Use Policy, and it turns out that I've got a stock policy just hanging around that he could modify.
   
• Finally, we train the employees on handling classified forms of information, and advise them of their responsibilities and tips for best practices.

In this way, I helped him craft a more successful strategy going forward that would limit his liability, protect the interest of his customers, and bring him closer to a state of information compliance.

That's the kind of value I bring to every engagement with my customers. Want to know more? Give me a jingle - I'd be happy to talk about how I can help you.

R