BRAL, Ltd.: Meet audit compliance by protecting sensitive financial data in email

• Customer Profile: Outsourced accounting services
• Goals: Secure email exchanged with clients
• Solution: PGP Universal™ Gateway Email secures communications
• Alternatives: Secure webmail; multiple, disparate desktop solutions
  
• Deployment: Smooth & within budget; by PGP® partner
• Benefits: No user training; flexible solution; lower operational costs
  

BRAL chose PGP Universal Gateway Email to secure confidential financial and payroll data in email to meet customers’ requirements and ensure audit compliance.

Established in 1984, BRAL Limited is a Business Support Services Company within the Blick Rothenberg group, a London-based independent firm of chartered accountants. BRAL assists clients worldwide with outsourced financial administration, management accounting, and payroll services. The company’s 60+ multilingual employees also provide specialized tax, VAT, and other advice to U.K. businesses as well as companies setting up business in the U.K.

The Challenge

Because BRAL works with many U.S. organizations looking to launch U.K. operations, the company has obtained a SAS 70 Type II accreditation under a widely recognized auditing standard developed by the American Institute of Certified Public Accountants. This audit both highlights and confirms the control activities and processes that organizations have in place and allows them to be relied upon by their customers and their customers' auditors. In addition, Section 404 of the Sarbanes-Oxley Act makes SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal controls over financial reporting.

Protect financial information. Given the company’s need to comply with Sarbanes-Oxley and customers’ need to secure sensitive financial and payroll information exchanged via email, many of BRAL’s clients had begun to ask about encryption. “At the time, we weren’t able to set something up,” recalls Dan Davies, IT manager at BRAL.

Meet client requirements. Several U.S. clients had requested that BRAL provide an encryption service, and one customer had already stated that using encrypted email would become a communications requirement for doing business. “Because we didn’t yet have a solution, we had one client that enabled us to pick up emails from its system and reply securely the same way,” Davies recalls.

Provide security options. In addition to being able to exchange encrypted emails with clients, Davies also wanted a solution that would work with end users who didn’t have an encryption solution. “It’s important that we can communicate easily with our clients and whatever systems they’re using, rather than imposing something on them.”

The Solution

One of the solutions Davies considered was PGP Corporation’s email encryption offering. “Instead of just asking for an email encryption solution, some clients had specifically asked whether we could secure email with PGP® technology,” he says. “As far as I’m concerned, PGP Corporation is the market leader.”

Strong partners. Davies had evaluated PGP® Desktop Email in the past, but only as a standalone solution. PGP Corporation advised him to have Nebulas Security, an IT security expert and PGP® Silver Partner, analyze the company’s needs. The consultants quickly recognized that BRAL would benefit from an enterprise solution and recommended PGP Universal Gateway Email, especially because it doesn’t require that users be trained or change their behavior.

Successful evaluation. Nebulas Security’s consultants used a standard desktop computer to evaluate the server software. They routed the emails of five users to the PC to verify the encryption process was working effectively. Two external organizations agreed to take part in the tests by sending and receiving encrypted email. Davies was impressed with Nebulas Security’s expertise, commenting, “The installation engineer was one of the best consultants I’ve worked with on any piece of software.”

The Results

Following the successful trial, Davies deployed PGP Universal Gateway Email to secure BRAL’s electronic communications. The IT Manager said that one of the most compelling reasons for deploying the system was that it appeared seamless to the company’s users. “Internally, users don’t really see any difference because they don’t have to do anything to encrypt or decrypt an email,” he explains. “They just send and receive email in the normal way.”

Transparent use. The only thing users may notice is that incoming emails now include a statement identifying when each was received and decrypted. “Having to impose change on users is always difficult, but now we can provide encrypted email without changing their daily habits. That’s a real benefit,” says Davies. His experience when integrating external partners was also positive: “The PGP solution worked well when we were dealing with external partners who already had either a desktop solution or an enterprise solution. Others could use PGP Universal™ Web Messenger, which only requires a Web browser to receive secure messages.” 

Lower operational costs. Davies connected PGP Universal Gateway Email with BRAL’s Microsoft Active Directory, enabling the company to leverage its infrastructure investment. “We were already familiar with Active Directory, so integrating the two makes it a much easier system to manage because we don’t have to change users in several places, resulting in reduced operational cost,” he says.

Extensible solution. If BRAL wants to secure shared files or laptops and USB flash drives with encryption in the future, Davies can take advantage of the extensible PGP® Encryption Platform architecture to easily add other encryption applications.

Summary

Extending the email encryption system into BRAL’s parent company is part of Davies’s strategic plan. Having assessed how the implementation is working and noted the increasing demand for encrypted communication from clients, he is very pleased with the way Nebulas Security completed the successful PGP© implementation. “I think the whole project went very well,” he concluded. “It’s a true success story.”

About the PGP Encryption Platform

The PGP Encryption Platform reduces the complexities of protecting business data by enabling organizations to deploy and manage multiple encryption applications cost-effectively from a single management console. Deployed with the first encryption application, the PGP Encryption Platform makes installing a separate or additional infrastructure unnecessary when the organization needs other encryption applications. The PGP Encryption Platform supports the broadest range of integrated applications to secure email, laptops, desktops, instant messaging (IM), PDAs, network storage, file transfers, automated processes, and backups.

About Nebulas Security

Nebulas Security is a leading provider of advanced IT security, mobility and compliance solutions. Based in London, the company offers true managed security services and consultancy for the UK market. Nebulas Security builds partnerships with customers to develop their Internet security and mobility strategies to provide highly scalable network architectures. Nebulas Security's broad-ranging customer base includes organisations in the retail, telecommunications, pharmaceuticals and healthcare sectors, as well as financial institutions including several FTSE 250 companies. With its experience, vendor relationships, product knowledge and flexible approach, Nebulas Security is continually focusing on providing individual "Next Generation Security" solutions and services to its customers.