Business rules in Zivver

Introduction

As an organization you want to prevent data leaks and comply with laws and regulations with minimal extra effort for your employees. With Zivver, you do this with business rules that ensure that security measures are only applied when necessary.

This is done through recommendations and automatic actions based on the content and recipients of a message. For example:

  • If a message or attachment is sensitive according to your policy, Zivver ensures that it is secured with encryption and two-factor authentication (2FA).
  • If there is a risk that an employee sends sensitive information to the wrong person, Zivver helps correct it before the message is sent.
In this document, you can read about the possibilities you have and the optimal use. Specifically, you can read about these subjects:

Set up business rules

The business rules are flexible and can be adapted to your policy. You can choose from a wide range of standard rules or define your own rules. You can also determine what recommendations to employees look like and which automatic actions Zivver takes.

You set the business rules in collaboration with your Zivver Project Leader or Customer Success Manager. This person helps you define your secure mailing policy and translate it into the correct rules in Zivver. These will be set up in your Organization settings under Business Rules. There you can then enable them and manage the security level for each business rule.

Below we explain which rules there are and how the security level affects the user.

en_business_rule_admin_settings


Business rules

To translate your policy into business rules, it is important to know which types of rules Zivver offers. This section will help you by explaining:

  1. What types of business rules are available.
  2. What types of sensitive information each type of rule can recognize.
  3. How to customize your business rules exactly to your needs.

Types of business rules

The rules you choose to determine which recommendations employees receive when they compose a message. It is important to choose rules that suit your purpose. This has these main purposes:

  1. Secure: sensitive information with encryption and two-factor authentication
  2. Prevent errors: Data leaks due to human error
Zivver offers several rules to help you achieve these objectives.

Secure sensitive information

To prevent data breaches and comply with laws and regulations, you must secure sensitive information correctly with encryption and 2FA. However, for these measures additional actions are necessary for senders and recipients. Business rules help to do measures only when the message contains sensitive information. This ensures security and user-friendliness.

You can identify these business rules by the name Secure sending upon [information type]. They make sure that the chosen type of information is sent securely with Zivver.

en_warning_to_send_securely

Prevent human error

While encryption and 2FA are essential, they do not protect against the main cause of data breaches: human error. With Zivver, you help your employees avoid these mistakes.

The cause of many data leaks is that the wrong information is sent to the wrong person. With Zivver, you can warn employees if sensitive information is sent to an unusual recipient. You can recognize these rules by the name. Check a recipient for non-recent sharing of [type of information]. They prevent wrong recipients.

en_check_recipient

In addition, many data breaches occur because too many recipients are put in the TO and CC field and are visible to each other. With Zivver, you can give your employees an alert and encourage them to use BCC. This rule is called Consider using BCC. This prevents data leaks due to incorrect use of BCC.

en_suggest_bcc

Types of sensitive information

Business rules are based on recognizing sensitive information. In this section, you can read what types of sensitive information you can base your rules on. Here we distinguish these types:

  1. Clearly defined patterns, such as a social security number, a passport number, or an IBAN.
  2. Broad categories of sensitive information, such as medical, legal, or private.

You can base rules on both types of information. We explain both categories in more detail below.

Recognize sensitive patterns with Smart Detection

An important type of sensitive information is sensitive patterns, for example, as social security numbers (SSN), passport numbers, IBAN numbers. This information is sensitive because it is used to identify individuals and can therefore be used for fraud, for example.

With the Zivver Smart Detection module you can do automatic protection and human error prevention if sensitive patterns are present. This detection is highly precise because the patterns to detect meet a clear definition.

You have access to a standard library of patterns, such as:

  • Social service number
  • Passport number
  • IBAN
  • Credit card number
  • Internationally relevant patterns, such as UK NHS number and US social security number.

In addition, you can recognize organization-specific patterns such as patient or file numbers. You can set this up in collaboration with your Customer Success Manager.

Recognize sensitive information with Smart Classification

Although detection of sensitive patterns helps you to secure a lot of sensitive information, you still lack a lot of coverage. There is a wider range of sensitive information that does not meet a hard definition. Think, for example, of personal, medical, or legal information.

With Zivver Smart Classification, you can also recognize these types of sensitive information. This is done with a combination of detection of relevant terms and natural-language processing to determine whether the context of these terms is sensitive.

Because the definitions are less unambiguous, the risk of unjustified reports with these rules is higher. Thus, we recommend not using more than 2 or 3 of these rules. Your Customer Success Manager can help you determine which categories are most relevant to you.

Zivver can classify the following categories of information, among others.

  • Personal
  • Confidential
  • Employee / HR
  • Financial
  • Municipalities
  • Legal
  • Social domain
  • Mental health
  • Medical
  • Fiscal
  • Intellectual Property
  • Education

Your Customer Success Manager can give you more insight into the concrete implementation of each category.

In addition to standard classifications, it is also possible to recognize sensitive information based on organization-specific terms. You can provide an Excel file with terms to your Customer Success Manager to make these rules available.

Additional settings

You have these options to customize the rules to your policy even better:

  1. Do not show notifications if the recipients are internal or trusted.
  2. Use machine learning to recognize sensitive information
  3. Integration with your existing classification systems

Do not show notifications if the recipients are internal or trusted

Many email risks apply only if the email is sent outside your organization. As a result, it is often desirable if business rules warn only for external mails.

This is possible if you use the rules with the lines that end with … to external recipients. These rules are only triggered if there is at least one external recipient. This is someone who is not part of the same Zivver organization and is not on one of the claimed domains of the organization.

en_admin page_external_rule

Zivver recommends enabling rules only for external communication where possible. This ensures that information is secured at the right time, with minimal friction for employees.

Besides the prevention of notifications for internal recipients, your organization might also communicate with trusted partner organizations. Here you know, for example, that the partner has 2FA in place and that mail traffic goes over an encrypted connection.

In that case, you can include these partners as trusted domains. When mails go to trusted recipients, you do not get notifications from business rules. The Zivver bar then indicates that all the recipients are trusted and that sending with Zivver is not necessary.

en_trusted_domain_warning

Your Customer Success Manager can advise you on how to make the best use of trusted domains. You can then manage trusted domains at the bottom of the page with business rules. If your trusted partners change, it is important to update this list as well.

en_admin_page_trusted_domain_list

Use machine learning to recognize sensitive information

As described above, sensitive information is often not unambiguously defined. For example, the presence of a few words is not enough to determine whether information is sensitive or not. Smarter methods are necessary to distinguish between, for example:

  • “Will you send me the passport?” (not sensitive)
  • “Attached you will find the passport” (sensitive)

Smart Classification provides a version for each relevant business rule that, in addition to detecting specific terms, also uses machine learning (artificial intelligence). This is to determine whether the context is sensitive. Then, you get results that are three to four times more precise than a purely lexical approach.

You can recognize these rules by the fact that the name contains ‘sensitive’. For example Secure messaging for sensitive “medical” content.

en_admin_page_smart_classification_rule

Because of its higher effectiveness, Zivver recommends that you always use this variant. The exception is if you want rules to go off on specific terms fully predictably.

Integration with your existing classification systems

Do you already use a system such as Microsoft Purview to classify your data? Depending on your classification system, it would be possible to link your classifications to business rules in Zivver. With this, you can effectively extend security policies that are associated with your classifications to secure mail. Ask your Customer Success Manager about the possibilities.

User experience

Business rules translate your policies into recommendations and automatic actions. You have control over how these exactly function with the security level. The security level determines how restrictive the rule is for a user. Below you can see how a user experiences the levels suggestion, warning, and error.

Suggestion
A suggestion alerts employees in a non-disruptive way to the potential presence of sensitive information. Now they actively consider for themselves whether action is required or not. They see a gray notification and decide whether to enable secure mailing.

en_suggestion_to_send_securely

Warning
An alert clearly alerts employees to the likely presence of sensitive information and that this requires action. How this exactly works depends on how this plugin setting is set Automatically use Zivver if a business rule recommends it.

If this setting is off, employees see an orange message. They then choose whether to enable Zivver with the slider in the bar.

en_warning_to_send_securely

If this setting is on, employees see a notification that Zivver is automatically enabled. You can still disable Zivver manually.

en_auto_enable_Zivver

The variant in which Zivver automatically goes to enabled is safer and therefore recommended. This requires that the number of rules at the warning level is limited.

Error
An error informs employees that the mail contains information that they must not sent. They see a red notification and cannot send the message until the problem is resolved.

en_block_sending

In most cases, Zivver advises against using this alert level. The reason is that it can block work processes and encourage shadow IT. Thus, use this level only for rules where you are sure that the mail must not be sent. An example is if there is an SSN in the subject, because Zivver does not encrypt the subject.

Best practices for business rules

For good security, the balance between safety and user-friendliness is essential. Security measures are necessary to prevent data leaks and to comply with laws and regulations. However, if measures are too strict, this leads to an increased risk due to circumvention and shadow IT. The business rules help you find this balance. To help you towards optimal use, here are best practices based on the experience of thousands of organizations.

Use up to 2 to 3 rules for broad categories of sensitive information

It is tempting to enable lots of rules to get the best possible protection. However, recognizing sensitive information is not science. Every rule sometimes gives unwarranted notification. This is especially true for rules that detect broad categories of sensitive information.

An SSN is clearly defined and therefore easy to identify. Sensitive medical, legal, or financial information is not. If you enable many of these rules, at least one rule trigger a notification for many emails. This leads to notification fatigue and thus an increased risk when a notification is really justified. Therefore, we recommend using a maximum of 2-3 of these business rules.

Use safety level Suggestion for most rules

For the same reasons, it is important to limit the number of rules on safety level warning or error. Unnecessary warnings disrupt work and are frustrating. A suggestion is often sufficient for employees to make a conscious choice about safety.

Specifically, we recommend to use:

  • Error only for clearly identifiable information (for example SSN) in the subject, where you will never get a false positive.
  • Warning only for
    • Clearly recognizable sensitive information in the mail text (SSN, IBAN, and others.)
    • Personal information
    • Recommendation of BCC
  • Suggestion for all other rules, such as medical or legal information.

Warn only for external recipients

For many organizations, internal mail traffic is already sufficiently secure. In that case, you can set business rules to go off only to external recipients. This ensures protection when it matters, with minimal disruption to employees.

Evaluate your policy with Zivver Insights

The key to good policy is to evaluate and adjust the policy. In your administrative environment you can use Zivver Insights) to get a better view of the operation of your business rules. With this, you can strengthen your policy and specifically increase awareness among employees.

Work with your Customer Success Manager

Implementing effective secure communication policies is no easy task. Your Customer Success Manager has already helped many similar organizations with this. We are happy to help you make the best use of business rules so that you communicate securely with minimal friction.

Guarantee of privacy and security

The business rules determine the appropriate security based on the content and recipients of messages and attachments. This means that they have to scan the contents of a message. This is often extremely sensitive information. Zivver takes all possible measures to process this information in a secure and privacy-proof manner. In this section we describe these measures.

The message and attachments are scanned by sending the content to Zivver servers over an encrypted connection. Here it is determined whether there is information that is sensitive according to your policy. During this scan, the server keeps the data in memory as short as possible (less than 1 second). After the scan, the server sends back the notifications through an encrypted connection. The notifications contain only the classification and never the sensitive data itself. After the scan, the content is entirely deleted from the server.

Only messages actually sent using Zivver are stored. Stored messages are encrypted with best-practice asymmetric encryption whereby only the sender and recipients can decrypt the message. Read more in Zivver’s Security by Design Whitepaper.

The implementation and effectiveness of these measures are reviewed annually by various independent auditors in ISO27001 and SOC2 audits and with technical pen tests. In addition, an independent data protection officer oversees processing at Zivver. You can find the certifications in our page Security Certifications.

If you have questions about how Zivver ensures privacy and security, you can find more information in our page Legal & Security. You can also discuss your questions with your Customer Success Manager.

Disclaimer

Business rules are an auxiliary tool and errors may occur in the application of business rules. Zivver aims to keep the frequency of errors as low as possible, but gives no warranties or guarantees in relation to the application of business rules and their accuracy.

Closing

The business rules help you prevent data leaks and comply with laws and regulations with minimal extra effort for your employees. To make optimal use of Zivver, it is important to set up the business rules properly. In this document you find all the information you need.

If you have additional questions, speak to your Customer Success Manager.