Mastering Security In An Era Of Regulatory Shifts

Despite debuting more than half a century ago, email remains the primary communication channel for businesses the world over. However, it wasn’t designed to be a secure communication platform; it was simply developed as a means of transferring information as quickly as possible.

As a result, legislators have sought to address commonly exploited email flaws and better protect sensitive data in transit.  

Email security is now a compliance imperative, not just a cybersecurity concern.

IT leaders echo this sentiment as the regulatory environment for secure communication tightens worldwide, in an effort to tackle malicious threats alongside the risks of data loss, human error and poor security awareness.

Whether it is the Cyber Security and Resilience Bill in the UK to protect critical infrastructure, HIPAA in the United States with its strict patient data protection requirements, or NIS2 mandating baseline cybersecurity for essential and important entities across the EU, the global trend in secure communication is towards stricter, evolving regulations. These demand greater time and investment from companies to avoid non-compliance, which means email security is no longer just about protection from cyber threats: it is about ensuring regulatory compliance and embedding security as a cultural norm in the workplace.

The Compliance Gap In Email Security  

Email was built for speed and convenience, not security: the underlying SMTP protocol has no built-in end-to-end encryption, risk management or access control, and transport encryption between mail servers is at best opportunistic. Email is repeatedly exploited through phishing and malware, and human error over email is considered the leading cause of outbound data loss. A notable example is the attack on the UK Electoral Commission, disclosed in 2023, in which attackers gained access to the Commission's email servers and to data on around 40 million voters. The intrusion began in August 2021 and went undetected for over a year, exposing personal information and raising concerns about election integrity. The ICO's subsequent reprimand found that the attackers had exploited known, unpatched vulnerabilities in the Commission's Microsoft Exchange Server, underlining that email infrastructure is only as secure as its upkeep.

With standard email platforms lacking the advanced security needed to address both internal and external threats, 2025 brings with it new regulatory frameworks established in Europe, the UK and the US. These are forcing businesses to close the security gap or risk hefty regulatory fines, legal liabilities for executives under new EU and US laws, reputation damage and a decline in consumer trust.  

Key Legislative Requirements For Secure Email Management  

While there are variations in regulatory frameworks across regions, legislators worldwide have identified six key pillars requiring immediate attention to achieve email compliance.  

1.    Proactive Risk Management: Organisations must integrate risk assessment, incident response, and continuous monitoring to pre-empt threats and maintain compliance. 

2.    Intelligent Information Classification: Smart classification systems protect sensitive data with tailored security controls. 

3.    Unbreakable Information Transfer: Encryption protects confidentiality in transit, while integrity protection and audit trails (traceability) detect tampering and record who sent what to whom.

4.    Tightened Access Control: Strong authentication measures like MFA limit access to verified individuals. 

5.    Culture of Cyber Awareness: Regular training helps employees recognise threats and maintain compliance. 

6.    Data Leakage Prevention: Content-aware (increasingly AI-driven) DLP tools flag and quarantine sensitive outbound emails before they leave the organisation.

Despite these common regulatory mandates, our own research shows organisations lack visibility into email security risks: 77% of IT leaders do not know whether their messages are encrypted. While reinforcing the minimum security procedures is a straightforward way to close the compliance gap, that lack of awareness among the people responsible for email indicates a startling lack of oversight.
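For an IT leader who cannot say whether messages are encrypted, the first practical check is the message itself. The script below is an added example, not code from this article or from Zivver: it parses the Received: headers that each receiving mail server prepends and reports, per hop, whether the SMTP session was TLS-protected and whether the peer certificate was validated. The two sample messages are constructed for illustration; the header conventions assumed are Postfix's (the ESMTPS / ESMTPSA keywords from RFC 3848 and the version=/cipher=/verify= annotation), which other MTAs follow closely.

```python
"""Hop-by-hop TLS audit of an email's Received: headers.

Added example, not code from the original article or from Zivver: it answers
"was this message encrypted in transit?" for a message you already hold, using
only the Received: trace that each receiving mail server adds. The sample
messages below are constructed for illustration.
"""
from __future__ import annotations

import email
import re

# Receiving MTAs record the SMTP variant after "with": a trailing S means the
# session was TLS-protected, a trailing A that the sender authenticated
# (RFC 3848 keywords, as written by Postfix, Exim, Sendmail and others).
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
# Many MTAs also append the negotiated version and cipher, e.g.
# "(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 ...)"; Postfix writes
# "verify=OK" only when the peer certificate was actually validated.
TLS_DETAIL_RE = re.compile(r"\bTLS\s?v?1(?:\.\d)?\b|\bcipher=|\bTLS_[A-Z0-9_]+")
FROM_RE = re.compile(r"\bfrom\s+([^\s(\[]+)")
BY_RE = re.compile(r"\bby\s+([^\s(\[]+)")


def hop_used_tls(received: str) -> bool:
    """True if this single Received: header records an encrypted session."""
    m = WITH_RE.search(received)
    if m and m.group(1).upper() in TLS_PROTOCOLS:
        return True
    return bool(TLS_DETAIL_RE.search(received))


def audit_transport(raw: bytes) -> list[dict]:
    """Return one record per hop, oldest hop first.

    Received: headers are prepended by each server, so the top header is the
    final hop (your own MTA) and the most trustworthy; anything written by an
    earlier, foreign server could have been forged by that server.
    """
    msg = email.message_from_bytes(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", header).strip()  # unfold continuation lines
        hops.append({
            "from": _first(FROM_RE, text),
            "by": _first(BY_RE, text),
            "tls": hop_used_tls(text),
            # Opportunistic TLS encrypts but does not authenticate the peer;
            # only a validated certificate (Postfix "verify=OK") resists an
            # active attacker presenting its own certificate.
            "verified": "verify=OK" in text,
        })
    return hops


def fully_encrypted(raw: bytes) -> bool:
    """True only if every recorded hop used TLS (and at least one hop exists)."""
    hops = audit_transport(raw)
    return bool(hops) and all(h["tls"] for h in hops)


def _first(pattern: re.Pattern, text: str) -> str:
    m = pattern.search(text)
    return m.group(1) if m else ""


# Constructed sample: two hops, both TLS; the inter-domain hop used
# opportunistic TLS without certificate validation (verify=NOT).
SAMPLE_ENCRYPTED = b"""Received: from mx.partner.example (mx.partner.example [203.0.113.10])
\tby mail.corp.example (Postfix) with ESMTPS id 4Z7kq1J8Xz
\t(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT);
\tMon, 3 Mar 2025 09:15:02 +0000
Received: from laptop.partner.example (unknown [192.0.2.7])
\tby mx.partner.example (Postfix) with ESMTPSA id 3Ab1Xk9Q;
\tMon, 3 Mar 2025 09:14:58 +0000
From: alice@partner.example
To: bob@corp.example
Subject: Q1 contract
Message-ID: <c1@partner.example>

Attached as discussed.
"""

# Constructed sample: a single plaintext hop ("with ESMTP", no TLS details).
SAMPLE_PLAINTEXT = b"""Received: from relay.vendor.example (relay.vendor.example [198.51.100.25])
\tby mail.corp.example (Postfix) with ESMTP id 7Hq2mNp9;
\tMon, 3 Mar 2025 11:02:40 +0000
From: billing@vendor.example
To: finance@corp.example
Subject: Invoice 20250303
Message-ID: <inv-1@vendor.example>

Invoice attached.
"""

if __name__ == "__main__":
    for name, raw in (("encrypted", SAMPLE_ENCRYPTED), ("plaintext", SAMPLE_PLAINTEXT)):
        print(f"{name}: fully_encrypted={fully_encrypted(raw)}")
        for hop in audit_transport(raw):
            print(f"  {hop['from']} -> {hop['by']}: tls={hop['tls']} verified={hop['verified']}")
```

Two caveats a practitioner should keep in mind when reading the output. SMTP TLS is hop-by-hop, so a fully encrypted trace means each server-to-server leg was encrypted, not that the content was protected end to end or at rest. And only the headers written by your own MTA are trustworthy, since any earlier server in the chain can write whatever it likes. verify=NOT is the normal case on the open internet (opportunistic TLS): the session is encrypted, but nothing stops an active attacker from presenting its own certificate, which is the gap MTA-STS or DANE on the receiving domain is meant to close.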

Our report also uncovered an alarming lack of transparency when it comes to reporting email-related incidents. IT leaders estimate that only 34% of outbound email incidents are formally reported, and many employees handle mistakes informally: 56% of employees admit they would not report an incident to the IT department or to their line manager. This severely undermines the integrity of an organisation's email system, leaving the IT team in the dark and forcing them to play catch-up in the event of a breach.

This highlights the value in addressing the cultural issues that lead to a lack of diligent reporting.

Improving IT visibility hinges upon a culture of openness and transparency, which can be facilitated through clear reporting channels, a no-blame culture and regular reminders and training about common security pitfalls.  

Common Vulnerabilities & Making Compliance A Cultural Norm 

While employees may seem to be the common denominator in these vulnerabilities, their performance is ultimately shaped by the environment they work in. A majority of employees (54%) agree that email mistakes are caused by time pressures and information overload, with 40% citing too many messages or communication tools. This reinforces the need to change how organisations view security and compliance, which are often seen as burdens.

Key decision-makers must take the initiative to equip employees with the right tools, training and processes to strengthen cyber resilience, ensure compliance and reduce compliance fatigue.

When asked what their primary email security focus would be over the next two to three years, almost one-third of IT leaders (31%) said they would prioritise compliance with data protection regulations, and 28% said they would be looking for an “all encompassing” solution for inbound and outbound security.

If these measures are combined with a clear and supportive reporting culture, then we can begin to develop a security-first culture fit for the email challenges of 2025. 

Nadine Hoogerwerf is CISO at Zivver 

Image: Boarding1Now
