21 Nov 2016

How to Better Protect Office 365, Help Secure Your Sensitive Data

Are you one of the many organizations that have decided to move to Office 365? If so, you probably made this decision for a variety of business reasons, including cost savings, infrastructure simplification, and flexibility. While there is no doubt that such a decision is sound and will quickly provide a noticeable return on the investment, given the nature of cyberspace, it also makes your company susceptible to cyber exploits.

I imagine and understand that privacy may not be a top priority for your deployment, but I believe that it soon will be. It is needless to mention the reasons to secure sensitive communications, whether that is with your customers, employees within your organization or with other organizations you deal with. Securing Personally Identifiable Information (PII) is something that every organization is required to be concerned about, especially when communicating via email.

Regardless of the industry, there are many rules that govern the use of PII across the globe, such as HIPAA (the Health Insurance Portability and Accountability Act), PIPEDA (the Personal Information Protection and Electronic Data Act), as well as the EU’s Data Protection Directive. These rules mandate that companies protect the personal information of their users and customers.

Now the question is, can Office 365 provide the appropriate level of protection for sensitive email communication? The answer is yes.

However, there is a “but”, and the “but” is that the encryption capability within Office 365 is neither robust nor easy to use. Ease of use has a direct correlation to the willingness of the sender and recipient to readily adopt encryption in communications. Ultimately, the frustration caused by the complexity and inflexibility of encryption technology leads users to give up on it. Unfortunately, this is a reality in many organizations.

Trusting Office 365 with my sensitive data

But, there is a silver lining. There are robust (and simple) ways to handle sensitive communication which don’t include having to rely upon what comes with the standard versions of Office 365. I encourage you to examine whether Microsoft’s native capabilities are sufficient for your company’s security and privacy. If you do, you will determine that there are indeed security gaps in the software. You should then examine third-party alternatives. This will help ensure the capability to effectively implement policies that are required to strengthen your business processes.

I regularly hear from IT professionals and business leaders that securing communications through encryption is a complicated and inflexible process. Imagine having a simplified option for a sender and recipient to facilitate sensitive email communications. Isn’t that an ideal image?

Simplicity equates to adoption; adoption equates to compliance, and compliance eliminates the potential of your organization’s name appearing in the news for all the wrong reasons. Can your Office 365 environment give you the simplicity and the flexibility to ensure the adoption and adherence of encryption protocols in multiple use case scenarios?

I assume you wouldn’t be reading this article if Office 365 didn’t have any limitations.

Some of the things that you should consider when evaluating the encryption capability within Office 365 include:

  1. New recipients must provide sensitive information to create a Microsoft account to then read an encrypted message, or receive a one-time password sent in clear text;
  2. When encrypted messages are sent via the Office Message Encryption (OME) Viewer app or the encryption portal, the sending email address is Office365@messaging.microsoft.com;
  3. Encryption options do not include S/MIME, PGP, Ad hoc encryption or Portal-based encryption;
  4. Users cannot track the usage of documents;
  5. Users cannot revoke access to documents;
  6. Android and iOS devices require access via a downloadable viewer (OME viewer app).

The registration process for new recipients (referenced in point 1 above) involves a 9-step process in order to get an account, and if you don’t want a Microsoft account, your options are even more limited. The only real alternative is to ask for a one-time password that is sent in clear text, which is not something I would call secure. There has to be a better alternative, and preferably one which would also seamlessly integrate the encryption solution with the mobile experience, because do we really need another app to view an encrypted email?

Now, if privacy is a priority within your organization, I understand that you need an enhanced encryption capability as an add-on to Office 365 – one that makes encryption easy. That is to say, an encryption platform that gives you the flexibility to vary the encryption process for differing use case scenarios – a platform that comes with policy templates that are industry specific.

When sending an encrypted email there may be a need, based on the type of information and the needs of the recipient, to have a shared passphrase, a system-generated verification code or even no password. How about leveraging open authentication to have the recipient use passwords they already trust from sites such as LinkedIn, Facebook or Twitter? Think about having the capability to use text messaging to create a two-factor authentication process for communications.

When you look at the many use case scenarios that you will implement to send specific information to specific recipients, the limitations within Office 365 become clear. What happens when you need to enable an encryption delivery method not supported through Office 365? Encrypted Portal and PDF are two delivery methods that are being used a great deal by companies across many industry verticals – will you just ignore these?

And what about branding? There is very little flexibility to brand your encrypted communications with Office 365. As with any communication outside of your organization, it should represent your brand. Again, you must look to an add-on capability to ensure you have the ability to reinforce the brand of your company.

When addressing the secure email communications requirement, many organizations will need something more than what comes standard with Office 365 and flexibility will ensure your encryption compliance processes are adopted and adhered to.

You have deployed Office 365 and now it is time to think about how you will secure communications. This is one area where it is critical to be proactive and not reactive, because a reactive approach could lead to undesirable outcomes. Why not think about an email encryption solution that is cloud based, pervasive across the web, mobile, and desktop, policy template driven and fully integrated with Office 365?

Hopefully my article has provided you with substantial knowledge and provoked some ideas on how to enhance your Office 365 deployment to effectively deal with the ongoing need to secure sensitive email communications.

If you would like to find out more about how to avoid missteps in the implementation of your compliance process and sure ways encryption can better protect Office 365, the additional content listed below may be of interest.

  • Watch our ON-DEMAND DEMO | OneWorld | Office 365 E-mail Encryption Comparison
  • Download our SOLUTION SHEET | Why OneWorld with Office 365?
  • Read our WHITE PAPER | Making the Business Case for Office 365

By Randy Lenaghan, VP Sales Echoworx

08 Nov 2016

Combating Insider Threats

When Edward Snowden leaked the NSA’s classified documents about its surveillance program, it sent a message loud and clear to companies: if an employee can steal sensitive documents from the NSA, an employee can steal them from anyone. The authorized access of employees to a company’s confidential data poses a self-evident risk to its cyber and financial security because such data can be used to exploit the company.

The motivation behind such treason? It could range from a fraudulent opportunity dangled in front of an employee to resentment harbored by them which foments into action. It may be because of deeply held morals or beliefs of an employee or, in fact, financial gain. Access to the company’s best kept secrets and inside knowledge of its security weaknesses always give the culprits the upper hand.

Intentional theft isn’t the only insider threat.

Imagine your company. Now imagine an employee in your company sending a confidential document to a customer. Maybe he is in a rush, or he is groggy, or he is sending the email before his caffeine kicks in, and he sends the confidential document without encrypting it. The hacker is waiting at the end-point to find a vulnerability, and guess what, your employee of the month just handed your company’s security to him on a silver platter. In 2015 over 116 billion business messages were sent a day. That’s 116 billion chances for sensitive information to be intercepted – either with malicious intent or accidentally.

The amount of data which circulates within business networks every day can be staggering, and much of it is deemed to be confidential. Companies in highly regulated industries hold large amounts of confidential data: information which includes biometrics, health records, financial transactions and inventory tracking. The mere chance of getting their hands on a wealth of highly confidential information in a single hit makes highly regulated industries a top target.

Since many companies are favoring firewalls and server security, and shying away from email encryption, they are leaving a huge loophole for message interception and are putting information at risk. Policy-based email encryption is a key to combating cybercriminals who are dedicating even more effort to breaching corporate email data.

Email encryption solutions, which can be configured to recognize and encrypt specified email based on a company’s preset policies, provide a user-friendly experience for employees and peace of mind for IT management. But will your workforce reliably use it? Case after case has shown us that companies and even entire industries have neglected to ask the question.

If email security solutions – or any other technologies for that matter – are too complicated, employees will almost certainly find easier means to complete a task. In this scenario, security is the ball that is dropped. Insider threats continue to keep senior business leaders awake at night. A recent PwC report in the US found that 32 per cent of respondents consider insider threats to be costlier and more damaging than external incidents.

Encryption is crucial to ensuring that this confidential information remains private and secure – while emails are in transit and at rest. If you would like to find out more about how email encryption can help your business and your employees protect sensitive data, the additional content listed below may be of interest.

  • Download our REPORT  | How Much Do You Trust Email?
  • Watch our DEMO  | OneWorld B2C Encryption Protection
  • View our INFOGRAPH  | 5 Encryption Factors to Consider

By Ali Kiassat, Echoworx

28 Oct 2016

The Encryption Rally Cry

Stronger yet simpler solutions.

Email has been around for decades, and remains the mainstay of enterprise communications. Despite efforts within companies to introduce collaborative solutions that reduce reliance on email, Radicati Group reports that the average number of business emails sent and received per employee will actually grow from today through 2019.

These emails, of course, often contain sensitive text information as well as attached documents, and despite the rise in cloud- and premises-based collaboration software that might account for that drop in sent emails, that practice is likely to continue. It’s simple and easy to attach a document and send it, after all—no logging into a different system to move files, or take other steps to share information.  Users will always take the easiest path.

As security and compliance concerns continue to rise across industries, businesses are not only looking for new ways to keep sensitive data safe, but also to cut costs. As a result, many organizations are migrating some or all of their email users to the cloud, marking a fundamental change in the way that email and email-related services such as archiving and encryption are managed.

As this shift is occurring, there are two other factors also in play:

  • Lines of business are becoming increasingly more influential in determining a company’s encryption strategy, while the influence of IT is dropping, according to a recent report from Ponemon Institute. According to the report, respondents from three countries—the United States, the UK and France—actually chose their organization’s lines of business management as being more influential than its IT group in terms of determining the company’s security posture.
  • Breaches are becoming more public and more costly. Compliance with privacy and data security requirements is a big driver of encryption, not only in expected vertical markets, but across the board in all industries.

Cost and Simplicity

Businesses are migrating email to the cloud for a variety of reasons, according to a recent report from Osterman Research, but the key driver for the use of cloud-based email—cited by more than half of all respondents (52 percent)—is reducing the cost of delivering services. Also on the costs side, gaining certainty over costs was listed as a key driver by 40 percent of respondents.

Businesses are also looking for simplicity in their move to the cloud; 44 percent of respondents said cloud-based email would help streamline IT operations and 35 percent said it would enable agility in a changing user environment. Interestingly, only one-third of respondents (34 percent) listed improving organizational communications as a key factor, and 39 percent sought to drive user productivity by migrating email to the cloud.

Although the majority of respondents (43 percent) said they would prefer on-premises virtualized servers as the hardware/delivery platform of choice, nearly one-third indicated a cloud-based system operated by a third party would also be a viable option. To meet the goals of cost reduction and control, many businesses will likely find that a hybrid solution—a customized blend of on-site services and off-site cloud-managed services, with different resources available to different users—will offer the best of both worlds. With many users now working remotely, either permanently as telecommuters or temporarily on mobile devices, on-premises solutions just can’t offer the flexibility of the cloud.

The big concern, of course, is security, and believe it or not, regardless of whether email is hosted in the cloud or on-premises, careless employees are a company’s worst security threat. One out of every four corporate emails contains attachments that include sensitive personal or business data. The majority of emails are openly sent without any form of encryption; 61 percent of employees admit sending confidential information through open email channels. According to the Ponemon study, 52 percent of respondents cited employee error as the most significant threat to sensitive or confidential data. Thirty percent chose system or process malfunction as the biggest threat, and 28 percent selected hackers. The fact that the top two findings on threats relate to mistakes or errors, despite recent headline-grabbing targeted threats, is significant. Ironically, that gaping hole in a company’s security posture can be quite simple to fix with the right encryption solution.

However, many companies are struggling to do just that. According to the Ponemon report, 57 percent of respondents say the biggest challenge to encryption deployment is discovering where sensitive data resides in the organization. Ponemon indicates this isn’t a surprise, and we agree; there’s more data, more endpoint devices and more use of the cloud. In addition, nearly half of all respondents (49 percent) cite initially deploying encryption technology as a significant challenge.

It’s an interesting paradox—the industry is approaching the issue of data leaks caused by employee error by offering solutions that employees will likely ignore because they are too difficult to use. If only there was a better way…

By Chris Peel, Vice President Engineering, Echoworx


23 Oct 2016

What Role Does Privacy Play in Your Digital Transformation Strategy?

If you are a senior leader in an organization, I am sure you have been asked the question – “What is your digital strategy?” You may also be getting tired of people telling you that new market entrants (especially millennials) are disrupting traditional business models and are forcing you to redefine the end-to-end customer experience. And here is another good one: “Have you hired a digital transformation executive yet?” While I make light of all the digital hype, this transformation is not a joke – it is a survival necessity.

In my view, there are two approaches that an organization can take to modernize digitally – ‘internal business process out’ or ‘customer experience in.’ While it is beneficial to do both, prioritizing one is pragmatic. If you are one of those esteemed organizations which have prioritized their digital presence around customer experience, you must have thought about how you can protect the privacy of your customers, or you are thinking about it right now.

Tracking and analyzing customer data and behaviour is a vital part of any digital strategy. It reveals possible opportunities by providing customer experience insights and helps maintain rapport with your client base. You can obtain information about your customers from many sources apart from the traditional online or mobile interaction. You can collect sensor data from homes, cars, wearables, and potentially implants as well. But how will this data be used? Will it be shared? I am going to assume that customer data will be shared within and outside the organization, be it driving patterns tracked by P&C Insurance companies, health data procured by Life Insurance Companies or investment patterns followed by Wealth Management firms. Currently, the easiest way to communicate or share information is to use existing and familiar tools such as email or text messaging applications. When using these applications to send/share customer information, how are you ensuring it is kept confidential? I will come back to this later, but first, let’s consider the consequences of leaked client information and the possible opportunities that exist if customer privacy is properly managed.

Making privacy a priority

As customer interaction with organizations becomes more digital, the risk of sensitive information ending up in the wrong hands has dramatically increased. We have seen a myriad of brand names in the news around privacy breaches where customer information was compromised. What does this do to the relationship you have with your customers that are affected, as well as prospective clients? When confidence is lost between an organization and its customers, there is a direct negative impact on profitability and reputation. Alternatively, if your customers understand that you are making their privacy a top priority, a new level of affinity results and, in turn, a positive impact on profitability can be realized. A reliable relationship makes it much easier to increase one’s wallet share of existing customers and capture new customers through word of mouth – I’m showing my age – I should have said through social media!

Let’s come back to the question of how to ensure that customer data stays confidential when sending this information with traditional communication tools. Most tech savvy people would say “that’s easy – encrypt it.” The problem is, it’s not easy. We face complex interaction between user experience, manageable infrastructure, and security. If you are a large organization, consider the myriad of encryption delivery methods: TLS, S/MIME, PGP, Portal, ZIP, PDF and the list goes on. Each method has its own value depending on the use. Also, the recipients you are communicating with and the local privacy standards must be taken into account. Alas, it’s tough to simplify your infrastructure when dealing with the multiple flavours of encryption delivery alternatives. It doesn’t stop there – this complexity tends to expose itself to the user or recipient. This causes problems when a big part of your digital strategy is based on simplifying processes and the entire user experience. Why do so many organizations have one or more encryption solutions and none is used to the extent it should or must be? Complexity of the solution! And who wants to invest in on-premises infrastructure and the resources to manage this encryption complexity? This problem cannot be ignored, although many try to do just that.

Securing the mobile experience

Another issue that must be addressed as part of a digital strategy is the mobile experience. How do you ensure mobile users enjoy a risk-free experience while sending and receiving secure information using encryption technology? Some might say through JavaScript or an external app. But who wants another mobile app? The mobile experience must be natively inherent in the solution you deploy.

I would say that there are only a few solutions that can enable you to share sensitive information in a simple way that will enhance the effectiveness of your digital transformation strategy. Even fewer can, in turn, alleviate infrastructure complexity, enable you to confidently manage privacy, allow you to deal easily with numerous encrypted messaging alternatives, enable a seamless mobile experience and ensure the ability to create unique branding based on a business unit or market segment.

Email communication makes it easy for your customers and partners to receive and send information and is a key element of digital communications. It’s time for a solution that makes it simple to secure confidential information through this pervasive communications mechanism.

Reach out to the experts at Echoworx for further insights and visit the links below to additional content that may be of interest.

  • Download our REPORT  | How Much Do You Trust Email?
  • Watch our DEMO  | OneWorld B2C Encryption Protection
  • Download our DATA SHEET  | OneWorld Encrypted Documents

By Randy Lenaghan, VP Sales, Echoworx