Tag: security

08 Nov 2016

Combating Insider Threats

When Edward Snowden leaked the NSA’s classified documents about its surveillance program, it sent a loud and clear message to companies: if an employee can steal sensitive documents from the NSA, an employee can do that to anyone. The authorized access of employees to a company’s confidential data poses a self-evident risk to its cyber and financial security, because such data can be used to exploit the company.

The motivation behind such betrayals? It could range from a fraudulent opportunity dangled in front of an employee to harbored resentment that ferments into action. It may stem from an employee’s deeply held morals or beliefs or, in fact, from financial gain. Access to the company’s best-kept secrets and inside knowledge of its security weaknesses always gives the culprits the upper hand.

Intentional theft isn’t the only insider threat.

Imagine your company, and now imagine an employee in your company sending a confidential document to a customer. Maybe he is in a rush, or groggy, or sending the email before his caffeine kicks in, and he sends the confidential document without encrypting it. An attacker waiting at the endpoint to find a vulnerability has just been handed your company’s security on a silver platter by your employee of the month. In 2015 over 116 billion business messages were sent a day. That’s 116 billion chances for sensitive information to be intercepted, either with malicious intent or accidentally.

The amount of data which circulates within business networks every day can be staggering, and much of it is deemed confidential. Companies in highly regulated industries hold large amounts of confidential data: information which includes biometrics, health records, financial transactions and inventory tracking. The mere chance of getting hold of a wealth of highly confidential information in a single hit makes highly regulated industries a top target.

Since many companies favor firewalls and server security and shy away from email encryption, they leave a huge loophole for message interception and put information at risk. Policy-based email encryption is key to combating cybercriminals who are dedicating ever more effort to breaching corporate email data.

Email encryption solutions, which can be configured to recognize and encrypt specified email based on a company’s preset policies, provide a user-friendly experience for employees and peace of mind for IT management. But will your workforce reliably use it? Case after case has shown us that companies and even entire industries have neglected to ask that question.

If email security solutions, or any other technologies for that matter, are too complicated, employees will almost certainly find easier means to complete a task. In this scenario, security is the ball that gets dropped. Insider threats continue to keep senior business leaders awake at night. A recent PwC report in the US found that 32 per cent of respondents consider insider threats to be costlier and more damaging than external incidents.

Encryption is crucial to ensuring that this confidential information remains private and secure, both while emails are in transit and at rest. If you would like to find out more about how email encryption can help your business and your employees protect sensitive data, the additional content listed below may be of interest.

  • Download our REPORT  | How Much Do You Trust Email?
  • Watch our DEMO  | OneWorld B2C Encryption Protection
  • View our INFOGRAPH  | 5 Encryption Factors to Consider

By Ali Kiassat, Echoworx

13 Nov 2015

Encryption is Easy

The math of encryption.

Modern encryption is based on mathematical problems that are assumed hard to solve, such as prime factorisation, quadratic residuosity, and discrete logarithms. It would take fundamental advances in higher mathematics to weaken them.

Today, well-designed Open Source libraries like Bouncy Castle and OpenSSL make encryption routines freely available to software writers. These libraries make encryption easy for them to implement.

So why then, if encryption is easy, do you seem to be bombarded by news stories containing high-profile data leaks?

“The flaw in email security? HUMANS.”


Encryption libraries are written by people. People make mistakes. The Heartbleed vulnerability discovered in April 2014 is a perfect example. Security vulnerabilities in software applications are hard to avoid. Furthermore, malicious techniques such as SQL injection, buffer overflow/underflow, and cross-site-scripting are all commonly used by hackers to steal your data, despite underlying encryption.

Firewalls, network intrusion detection systems, and project deadlines create a false sense of security and lure software writers into simply not encrypting at all.


Lapses leave networks exposed.

It takes a lot of technical resources to keep your server operating systems up to date. Even when they are, zero-day vulnerabilities, malware, spyware and viruses are often found. Additionally, you have anti-virus and anti-spam systems which also require constant updates. Any lapse in maintenance will leave your computer networks exposed, with no warning of trouble until it is too late. Social engineering techniques used by hackers can trick you into revealing crucial system information, and malicious insiders or disgruntled employees can leak data out of spite and retribution. Not to mention, someone can simply physically break in and steal your computers.

Ways to compromise data, constant.

Unintended mistakes are continuous. Emails are often sent in error and data drives are forgotten in cafés. These are all potential sources of leaks of highly sensitive information. Again, the weakness in data security comes down to humans. In this day and age, people expect their financial and personal data to be secured.

The liability of breach and potential damage to your reputation is incalculable. More and more companies are outsourcing their security and encryption, subscribing to software-as-a-service (SaaS) from reputable security providers. These providers typically meet and exceed regulatory requirements, providing up-to-date security and scalable encryption services at a reasonable cost.

These security providers hire technical staff that are highly specialised and well-trained in the areas of computing security. Their services provide policy-based controls that can automatically encrypt and protect data according to your sensitivity and confidentiality classifications. Moreover, their computing networks are constantly scanned and updated against potential and new types of attacks.

For companies not specialised in security, it is simply infeasible to implement the same level of protection in-house. Encryption is easy, security is hard. To succeed, companies need to minimize the Human factor and build a solution that is comprehensive, automated, and adaptive. Given the industry-wide acceptance of SaaS models, the case for security and encryption SaaS is particularly compelling.

For more information on the importance of encryption interoperability:

  • Watch our WEBINAR  | Using Encryption to Defend Against Email Threats
  • Watch our DEMONSTRATION  | OneWorld’s platform interoperability

By Kai Cheung, VP Architecture, Echoworx

02 Nov 2015

Your Money Is Safe, but Your Data Might Not Be

Majority of finance professionals access files on the go.

Simple and secure communication that complies with regulatory requirements is vital in the financial services industry. Sensitive information is constantly being accessed and exchanged, both internally and with customers. The majority of financial services professionals now access files on the go, making secure email and file sharing tools vital. The security risks are heightened, as are sanctions for regulatory non-compliance, so financial institutions must take even greater steps to ensure data is protected in transit.

For the financial services industry, specific legislation like the Gramm-Leach-Bliley Act and the EU Data Protection Directive require organisations to adhere to an ever changing group of standards and laws in order to safeguard company data.

A worrying attitude towards email security.

A recent survey by Echoworx found that despite 83 per cent of financial services professionals using email more than any other form of communications in the office, 23 per cent either do not use or are unaware of any email and file sharing encryption technology in place. On top of this, research by the Ponemon Institute found that 68 per cent of employees ignore policies about emailing unencrypted sensitive documents through secure channels. Further, 61 per cent send unencrypted confidential information through insecure email channels.

This reveals a worrying attitude towards email security in some of the biggest financial services organisations. But, why is this happening? Email is hugely vital for business productivity, and if email security policies are proving to be a hindrance rather than a help, then employees are inclined to find a quicker solution which circumvents security controls.

Email encryption doesn’t have to be hard.

Part of the problem is that a lot of companies and employees think that email encryption implementation is complicated, when actually, it doesn’t have to be. Good email encryption solutions should make the process simple for both senders and recipients, while still keeping non-public personal information secure. Policy-based email solutions remove the responsibility for security from individual employees by detecting specified keywords, attachments or number patterns like credit card or National Insurance numbers.

“It’s difficult to retain customers and regain trust, let alone attract new business after a data breach.”


Too many companies are still relying on the basic email encryption solution of Office 365, which is both cumbersome and doesn’t offer the same level of security as third party alternatives. By the time you get to read an encrypted message in Office 365, you will not only have completed nine different steps, but also given Microsoft some very personal information and accepted their privacy policy. Recipients also must accept the message using a Microsoft Hotmail or Office365 account, or sign in using a very insecure One Time Password (OTP).

In implementing a smart communications encryption solution, financial organisations can prevent incoming threats, prevent data loss or breaches, and avoid the associated financial and reputational damage. With IBM finding that the cost of a data breach to a company has risen to about $3.8 million, this is something that companies are looking to avoid. It’s both difficult and expensive to retain your customers and regain their trust, let alone attract new business after a data breach.

To find out more, join us Wednesday, December 9th at 9h EST / 14h GMT for a live webinar “Defending Against Email Security Threats” and learn how content-aware encryption can minimize your risk of data loss.

In this 45-minute live webinar, we will cover:

• what type of data organisations need to protect
• how policy and context-rich technology can minimize data loss
• why email encryption technology must drive security adoption

Register Today, click here.

By Greg Aligiannis, Senior Director Security, Echoworx

13 Oct 2015

Conforming to HIPAA

Email Compliance in Healthcare.

Email supports quick communication among those that might be worlds apart, enabling users to attach, transmit and access messages as well as other assets. However, depending upon the industry in which an organization operates, there may be specific rules that govern their email’s use. Healthcare is among the most prominent examples.

Hospitals, doctors and other practitioners are privy to sensitive patient information which they must keep safe. The Fox Group noted that healthcare providers are increasingly using email to connect with patients and discuss medical conditions and treatments. These providers must use email in a way that is compliant with industry rules.

For companies in the US, the most important standard is the Health Insurance Portability and Accountability Act, or HIPAA, which outlines the proper treatment of sensitive patient details and digital records.

What does HIPAA say about email?

The Fox Group noted that HIPAA guidelines don’t prohibit the use of email, but ask that healthcare providers observe certain considerations when transmitting sensitive information. According to the HIPAA FAQs page, “The Privacy Rule allows covered healthcare providers to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards when doing so. For example, certain precautions may need to be taken when using email to avoid unintentional disclosures, such as checking the email address for accuracy before sending, or sending an email alert to the patient for address confirmation prior to sending the message.”

“Healthcare organizations must use encryption to safely transmit sensitive e-PHI over an open network.”


HIPAA also notes that when patients initiate email contact with the provider, the healthcare organization assumes the responsibility for ensuring that messages are acceptable and that the patient understands the potential risks of using an unencrypted platform. The provider can make the patient aware of these possible threats and let him or her decide whether or not to continue communicating in this manner.

The HIPAA Privacy Rule isn’t the only standard that applies here, however. The Fox Group noted that the Security Rule can also come into play, particularly when it comes to sending electronic protected health information, or e-PHI. According to HIPAA, “The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control, integrity, and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.” This includes not only policies, but encryption as well. Healthcare organizations must use encryption to safely transmit sensitive e-PHI over an open network.


Considerations for compliant email.

While much of compliance depends upon usage, the email platform itself must also be compliant. Not all email systems are by default aligned with HIPAA guidelines. In fact, most free services – including Gmail, Yahoo Mail and others – do not have the proper protections in place to be used for e-PHI, either within the body of the email or as an attachment. You should not use these within a healthcare setting.

There are hosted platforms, however, that are HIPAA-compliant. These implement top security measures, including encryption and message expiry to ensure protection of sensitive health information. A message expiry date can be attached to communications that contain e-PHI, allowing them to be remotely deleted after a certain period of time. This prevents protected data from being stored or accessed inappropriately.

But using a compliant email solution isn’t just about aligning an organization with HIPAA. This strategy comes with its share of benefits as well, such as streamlined delivery of lab results, enhanced communications among doctors and staff, access to e-PHI while away from the office, and better connections with patients.

Top-tier HIPAA compliant hosting.

One of the best ways you can ensure compliance is to leverage services of a HIPAA-compliant hosting provider like Hostway. Our service allows healthcare providers to have granular management control, view daily reviews of security event log files, and to deploy a robust firewall and intrusion detection and prevention system.

Guest post by Chris Kruck, Product Manager, Hostway Corporation