Tag: Office 365

21 Nov 2016

How to Better Protect Office 365, Help Secure Your Sensitive Data

Are you one of the many organizations that have decided to move to Office 365? If so, you probably made this decision for a variety of business reasons, including cost savings, infrastructure simplification, and flexibility. While there is no doubt that such a decision is sound and will quickly provide a noticeable return on the investment, it also makes your company susceptible to cyber exploits, given the nature of cyberspace.

Although I imagine and understand that privacy may not be a top priority for your deployment, I believe that it soon will be. It is needless to mention the reasons to secure sensitive communications, whether that is with your customers, employees within your organization or other organizations you deal with. Securing Personally Identifiable Information (PII) is something that every organization is required to be concerned about, especially when communicating via email.

Regardless of the industry, there are many rules that govern the use of PII across the globe, such as HIPAA (the Health Insurance Portability and Accountability Act), PIPEDA (the Personal Information Protection and Electronic Data Act), as well as the EU’s Data Protection Directive. These rules mandate that companies protect the personal information of their users/customers.

Now the question is, can Office 365 provide the appropriate level of protection for sensitive email communication? The answer is yes.

However, there is a “but”, and the “but” is this: the encryption capability within Office 365 is neither robust nor easy to use. Ease of use has a direct correlation to the willingness of the sender and recipient to readily adopt encryption in communications. Ultimately, the frustration caused by the complexity and inflexibility of encryption technology leads users to give up on it. Unfortunately, this is a reality in many organizations.

Trusting Office 365 with my sensitive data

But, there is a silver lining. There are robust (and simple) ways to handle sensitive communication which don’t include having to rely upon what comes with the standard versions of Office 365. I encourage you to examine whether Microsoft’s native capabilities are sufficient for your company’s security and privacy. If you do, you will determine that there are indeed security gaps in the software. You should then examine third-party alternatives. This will help ensure the capability to effectively implement policies that are required to strengthen your business processes.

I regularly hear from IT professionals and business leaders that securing communications through encryption is a complicated and inflexible process. Imagine having a simplified option for a sender and recipient to facilitate sensitive email communications. Isn’t that an ideal image?

Simplicity equates to adoption; adoption equates to compliance, and compliance eliminates the potential of your organization’s name appearing in the news for all the wrong reasons. Can your Office 365 environment give you the simplicity and the flexibility to ensure the adoption and adherence of encryption protocols in multiple use case scenarios?

I assume you wouldn’t be reading this article if it didn’t have any limitations.

Some of the things that you should consider when evaluating the encryption capability within Office 365 include:

  1. New recipients must provide sensitive information to create a Microsoft account to then read an encrypted message, or receive a one-time password sent in clear text;
  2. When encrypted messages are sent via the Office Message Encryption (OME) Viewer app or the encryption portal, the sending email address is Office365@messaging.microsoft.com;
  3. Encryption options do not include S/MIME, PGP, Ad hoc encryption or Portal-based encryption;
  4. Users cannot track the usage of documents;
  5. Users cannot revoke access to documents;
  6. Android and iOS devices require access via a downloadable viewer (OME viewer app).

The registration process for new recipients (referenced in point 1 above) involves a nine-step process in order to get an account, and if you don’t want a Microsoft account, your options are even more limited. The only real alternative is to ask for a one-time password that is sent in clear text, which is not something I would call secure. There has to be a better alternative, and preferably one which would also seamlessly integrate the encryption solution with the mobile experience, because do we really need another app to view an encrypted email?

Now, if privacy is a priority within your organization, I understand that you need an enhanced encryption capability as an add-on to Office 365 – one that makes encryption easy. That is to say, an encryption platform that gives you the flexibility to vary the encryption process for differing use case scenarios – a platform that comes with policy templates that are industry specific.

When sending an encrypted email there may be a need, based on the type of information and the needs of the recipient, to have a shared passphrase, a system-generated verification code or even no password. How about leveraging open authentication to have the recipient use passwords they already trust from sites such as LinkedIn, Facebook or Twitter? Think about having the capability to use text messaging to create a two-factor authentication process for communications.

When you look at the many use case scenarios that you will implement to send specific information to specific recipients, the limitations within Office 365 become clear. What happens when you need to enable an encryption delivery method not supported through Office 365? Encrypted Portal and PDF are two delivery methods that are being used a great deal by companies across many industry verticals – will you just ignore these?

And what about branding? There is very little flexibility to brand your encrypted communications with Office 365. As with any communication outside of your organization, it should represent your brand. Again, you must look to an add-on capability to ensure you have the ability to reinforce the brand of your company.

When addressing the secure email communications requirement, many organizations will need something more than what comes standard with Office 365, and flexibility will ensure your encryption compliance processes are adopted and adhered to.

You have deployed Office 365 and now it is time to think about how you will secure communications. This is one area where it is critical to be proactive and not reactive, because a reactive approach could lead to undesirable outcomes. Why not think about an email encryption solution that is cloud based, pervasive across the web, mobile, and desktop, policy template driven and fully integrated with Office 365?

Hopefully my article has provided you with substantial knowledge and provoked some ideas on how to enhance your Office 365 deployment to effectively deal with the ongoing need to secure sensitive email communications.

If you would like to find out more about how to avoid missteps in the implementation of your compliance process and sure ways encryption can better protect Office 365, the additional content listed below may be of interest.

  • Watch our on-demand demo: OneWorld | Office 365 E-mail Encryption Comparison
  • Download our solution sheet: Why OneWorld with Office 365?
  • Read our white paper: Making the Business Case for Office 365

By Randy Lenaghan, VP Sales Echoworx

04 Nov 2015

Securing Office 365 E-mail

Office 365 is quickly becoming the de facto standard.

Microsoft Office 365 is the primary cloud-based business e-mail solution in use today and is rapidly displacing on-premise Exchange solutions. Office 365 brings a wealth of productivity tools and services to the market. However, the e-mail encryption component of the solution has some major limitations that have prompted many users to look for third party alternatives.

According to Osterman Research, “the third-party market for cloud-based and on-premise capabilities designed to supplement or replace specific Office 365 features and functions, will grow at a healthy pace along with the market for Office 365”.

Office 365 message encryption limitations.

Many users are complaining about the cumbersome experience when encrypting e-mails using the built-in e-mail encryption component of Office 365. One of the most dreaded steps is the authentication process to pick up encrypted messages using Office 365. Authentication includes a nine-step process before the recipient can finally view the encrypted message they have received.

Lengthy registration process.

If a recipient does not have a Microsoft account, they need to create one by providing superfluous personal information like birth date and gender. This is alarming considering a recipient is required to accept a privacy policy which gives Microsoft full rights to use this superfluous information for marketing and sales purposes. Microsoft’s terms of service further state that Microsoft “may access or disclose information about you including the content of your communication.”

Lack of robust mobile experience.

Mobile recipients outside the organization need to sign in using a Microsoft Hotmail or an Office 365 account. If the external recipient does not have one available, the alternate option is to use a very insecure one-time password (OTP). This OTP is delivered in a separate e-mail, in the clear, to the same e-mail address that received the encrypted message.

Imagine being in an airport, getting a mission critical encrypted e-mail that can only be decrypted with a downloaded app … only to realize your company has an MDM policy that prevents third-party app downloads. Talk about a frustrating and unproductive experience.

OneWorld integrates seamlessly with Office 365. Both your senders and recipients will benefit from a superior user experience, with no lengthy or cumbersome registration process and full mobile optimization. The feedback we are getting is that senders and recipients appreciate the OneWorld experience because it is hassle free. The mobile experience utilizes either a native PDF reader or a browser, and it is optimized for mobile browsers on iOS, Android, Blackberry and Windows Mobile.

Don’t get me wrong, Office 365 offers a wide variety of robust messaging and collaboration features, but e-mail encryption is not one of them. Adding a robust e-mail encryption solution will give you the best of both worlds.

For more information and tips on securing Office 365 e-mail:

  • Watch our on-demand demo: OneWorld | Office 365 E-mail Encryption Comparison
  • Watch our webinar: Securing Office 365
  • Download our solution sheet: Why OneWorld with Office 365?

By Robby Gulri, Channel Manager, Echoworx

02 Nov 2015

Your Money Is Safe, but Your Data Might Not Be

Majority of finance professionals access files on the go.

Simple and secure communication that complies with regulatory requirements is vital in the financial services industry. Sensitive information is constantly being accessed and exchanged, both internally and with customers. The majority of financial services professionals now access files on the go, making secure email and file sharing tools vital. The security risks are heightened, as are sanctions for regulatory non-compliance, so financial institutions must take even greater steps to ensure data is protected in transit.

For the financial services industry, specific legislation like the Gramm-Leach-Bliley Act and the EU Data Protection Directive requires organisations to adhere to an ever-changing group of standards and laws in order to safeguard company data.

A worrying attitude towards email security.

A recent survey by Echoworx found that despite 83 per cent of financial services professionals using email more than any other form of communications in the office, 23 per cent either do not use or are unaware of any email and file sharing encryption technology in place. On top of this, research by the Ponemon Institute found that 68 per cent of employees ignore policies about emailing unencrypted sensitive documents through secure channels. Further, 61 per cent send unencrypted confidential information through insecure email channels.

This reveals a worrying attitude towards email security in some of the biggest financial services organisations. But why is this happening? Email is vital for business productivity, and if email security policies are proving to be a hindrance rather than a help, then employees are inclined to find a quicker solution which circumvents security controls.

Email encryption doesn’t have to be hard.

Part of the problem is that a lot of companies and employees think that email encryption implementation is complicated, when actually, it doesn’t have to be. Good email encryption solutions should make the process simple for both senders and recipients, while still keeping non-public personal information secure. Policy based email solutions remove the responsibility for security from individual employees by detecting specified keywords, attachments or number patterns like credit cards or National Insurance numbers.
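As an added illustration (not Echoworx's or any vendor's code), the sketch below shows how a policy gateway of the kind described above can decide to encrypt a message by checking keywords, attachment types, card numbers and National Insurance numbers. The keyword list, the extension list and the function names are hypothetical, and the National Insurance pattern is simplified (it does not exclude unallocated prefixes).

```python
import re

# Hypothetical policy values, chosen for this example only.
KEYWORDS = ("confidential", "account number", "sort code")
SENSITIVE_EXTENSIONS = (".xlsx", ".csv", ".pdf")

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# UK National Insurance number: two prefix letters, six digits, suffix A-D.
NINO_RE = re.compile(
    r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z] ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b", re.I)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def evaluate(subject: str, body: str, attachment_names=()):
    """Return (action, reasons); any matching rule forces encryption."""
    text = f"{subject}\n{body}"
    lowered = text.lower()
    reasons = [f"keyword:{kw}" for kw in KEYWORDS if kw in lowered]
    # Only Luhn-valid candidates count, which cuts false positives.
    if any(luhn_valid(re.sub(r"\D", "", m.group()))
           for m in CARD_RE.finditer(text)):
        reasons.append("card_number")
    if NINO_RE.search(text):
        reasons.append("ni_number")
    reasons += [f"attachment:{n}" for n in attachment_names
                if n.lower().endswith(SENSITIVE_EXTENSIONS)]
    return ("encrypt" if reasons else "send_plain", reasons)


if __name__ == "__main__":
    # Constructed sample messages (4111... is a well-known test card number).
    print(evaluate("Payment details",
                   "Card 4111-1111-1111-1111, NI number AB 12 34 56 C.",
                   ["statement.PDF"]))
    print(evaluate("Shipping", "Order ref 4111 1111 1111 1112 shipped today."))
```

Because the decision is made at the gateway, the sender does not have to remember to click an encrypt button, which is the adoption point the paragraph above makes.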

“It’s difficult to retain customers and regain trust, let alone attract new business after a data breach.”

Too many companies are still relying on the basic email encryption solution of Office 365, which is cumbersome and doesn’t offer the same level of security as third-party alternatives. By the time you get to read an encrypted message in Office 365, you will not only have completed nine different steps, but also given Microsoft some very personal information and accepted their privacy policy. Recipients also must accept the message using a Microsoft Hotmail or Office 365 account, or sign in using a very insecure One Time Password (OTP).

By implementing a smart communications encryption solution, financial organisations can prevent incoming threats, data loss or breaches, and the associated financial and reputational damage. With IBM finding that the cost of a data breach to a company has risen to about $3.8 million, this is something that companies are looking to avoid. It’s both difficult and expensive to retain your customers and regain their trust, let alone attract new business after a data breach.

To find out more, join us Wednesday, December 9th at 9h EST / 14h GMT for a live webinar “Defending Against Email Security Threats” and learn how content-aware encryption can minimize your risk of data loss.

In this 45-minute live webinar, we will cover:

• what type of data organisations need to protect
• how policy and context-rich technology can minimize data loss
• why email encryption technology must drive security adoption

By Greg Aligiannis, Senior Director Security, Echoworx