15 Feb 2019

Got Danish Data? Email Encryption is Now Mandatory in Denmark

To encrypt or not to encrypt: that is no longer the question in Denmark – where new interpretations of the General Data Protection Regulation (GDPR) are making encryption history. As of January 1, 2019, all organizations working in any capacity with Denmark must now apply acceptable encryption when communicating sensitive data.

Why Denmark?

While the GDPR does apply to all EU members and their citizens, regardless of where they reside, each country has unique interpretations of the specific parts of the regulation. In the case of Denmark, a more literal definition of Section 9 of the GDPR, addressing the ‘processing of special categories of personal data,’ has been adopted. As a result, any sensitive data in transit falling under Danish jurisdiction needs to be protected – meaning mandatory email encryption.

What does this mean for Danish business?

Any organization conducting business in Denmark or involving Danish citizens, including in a third-party capacity, must protect personal data with either secure TLS or end-to-end encryption. But how you employ data protection measures is also important. Opportunistic TLS, for example, where unsuccessful connections fall back to clear text, does not offer adequate protection. Organizations that fail to comply with the new rules can face sanctions or, worse, crushing fines in the aftermath of a breach. This new GDPR development is expected to spur similar measures in other EU countries.

Learn more about encryption delivery methods.

What measures can an organization take?

Since the GDPR came into effect last May, the message from Europe has been clear and simple: protect personal data or do business elsewhere. By adopting proactive privacy-by-design policies, using the GDPR as a baseline, an organization can ensure it is compliant in the EU and anywhere else where similar privacy policies exist. This newest Danish development should therefore be viewed as a competitive advantage – not a hindrance.

While a closed system theoretically might work for Danish companies that interact solely with Danes, this mindset can cause compatibility problems the second business is conducted abroad. A flexible secure message platform can help avoid compatibility issues and maintain compliance.

Learn more about the flexible features of Echoworx’s OneWorld encryption platform.

By Christian Peel, VP Engineering, Echoworx

15 Feb 2019
cyber security your competitive advantage

Can cybersecurity be a competitive edge?

In the old days, before organizations became customer-obsessed and held off-site leadership events to drill down on their value proposition, information security was simple. There was the CIO and a few stewards of the air-conditioned server room which was invisible to the non-IT eye. Back then, cybersecurity operated in the shadows and it worked just fine … until it didn’t.

Fast forward to today when cyber security is front and centre for senior leadership, boards, customers and partners. All these stakeholders can tell you what Target is now famous for: a customer data breach that cost the company over $200 million[i] to resolve.

And in an increasingly-competitive business landscape, forward-thinking organizations are integrating information security into business processes to avoid becoming the next cautionary tale on the six o’clock news.

Enough to make organizations WannaCry: Evolving cybersecurity threats

The continuously evolving cybersecurity threats organizations face include malicious security breaches and attacks, accidental breaches initiated from well-intentioned employees and known governmental surveillance. Ironically, as businesses benefit from connected infrastructure networks (think of advances in supply chain management, for example), that connectedness also increases the risk of security threats—because attacks can spread across connected networks so quickly.

CIOs and chief security officers are no longer alone at the table advocating for better privacy and data security measures but there’s still room for improvement. The 2018 Global State of Information Security Survey report found that only 40 per cent of corporate boards participate in their organization’s security strategy.[ii]

But perhaps the biggest threat of all is a lingering notion that cyber security is an IT problem. It’s not an IT problem. It’s a business problem. Unfortunately, most business leaders don’t understand the nuts and bolts of data security and digital threats which can make it more difficult to address the issue.

Security specialists may get more traction at the leadership and board level by framing cybersecurity as a competitive edge. That’s not finessing the facts considering that 92 per cent of organizations surveyed through the EY 2018-19 Global Information Security Survey called their information security insufficient.[iii] 92 per cent!

Four ways cyber security investment helps organizations gain a competitive edge:

  1. Reduces compliance risks and fines – Legislation such as the GDPR, HIPAA and PIPEDA affects the way companies do business and fines can be substantial. Did you know that GDPR violations can cost up to $20 million or four per cent of annual turnover (whichever is greater)?[iv] Since EU citizens are covered under the GDPR even when they’re out of the EU, international companies can stay on the right side of compliance by using proactive policy-based email encryption measures that automatically apply protection to predetermined groups of users (e.g., EU citizens).
  2. Reduces unnecessary cost – The average cost of a single data breach is $3.6 million (USD).[v] But Target’s breach cost 55 times that much, which is why a cybersecurity strategy that protects the downside is so valuable. For example, investing in a flexible encryption platform means encryption can be automated to accommodate any business situation and keep data secure—without any hassle.
  3. Protects the company brand – Inadvertently allowing malicious entities or hackers to access your customers’ personal information is a quick way to reduce or eliminate their trust in you. Imagine how long it will take Equifax to win back the trust of 147 million Americans after the 2017 breach. Investing in proactive cybersecurity measures, like encryption, helps you preserve the fragile relationship that is the reality of digital trust.
  4. Delivers a value proposition for your customers – Your customers may not be able to keep up with the ever-evolving world of cybersecurity, but they expect protection to be a built-in feature of doing business with you. Proactive cybersecurity measures make conducting online business safer and more reliable, which saves customers time, streamlines their experience and delivers real value to them.

Quick tip: Make your competitive edge easy to use

An information security program likely has multiple lines of defense, including encryption, authorization and data integrity measures, but these systems and processes only work if people use them. We encourage you to implement cybersecurity systems and processes that are easy for employees and customers to use. Because even when cybersecurity is top of mind, most employees and customers won’t be inconvenienced for the sake of security.

By Alex Loo, VP of Operations at Echoworx

——–

[i] https://www.nbcnews.com/business/business-news/target-settles-2013-hacked-customer-data-breach-18-5-million-n764031

[ii] https://www.pwc.com/us/en/cybersecurity/assets/pwc-2018-gsiss-strengthening-digital-society-against-cyber-shocks.pdf

[iii] https://www.ey.com/Publication/vwLUAssets/ey-global-information-security-survey-2018-19/$FILE/ey-global-information-security-survey-2018-19.pdf

[iv] https://www.echoworx.com/project/encryption-in-the-gdpr/

[v] https://www.ey.com/en_gl/advisory/global-information-security-survey-2018-2019

07 Feb 2019
Encryption is about more than technology – it innovates the way we deliver and safeguard our communications

How Secure is Your Encryption Process?

Encryption – sounds secure doesn’t it? It is. But, like any locked door, chest or vault, some things can be even more secure than others, right? Correct.

While out-of-the-box email security products may offer email encryption as a built-in feature as part of a larger bundle, there are natural extensions you might consider to further protect your brand and customers. And, in today’s customer-centric world, where digital trust is easily won, more easily lost and impossible to get back, you need to take every precaution available to protect even encrypted communications.

Here are some ways to add some more muscle to your encryption efforts:

  1. Flexible controls for every scenario 

    Whether you’re sending millions of e-statements or just sending a sensitive document, not every encrypted message is the same. Look for an encryption platform which offers a customizable user experience for both senders and recipients. This ensures you stay in control of your encrypted message in transit or even at rest.

  2. Multiple language and branding options 

    If your organization operates internationally, there’s a high chance that English might not be the mother tongue of some of your customers. Offering encrypted communications in the language of your users helps eliminate confusion and is just good customer service. With Echoworx OneWorld, for example, you can set language policies which can automatically be applied to encrypted communications based on sender, brand, locale or receiver attributes.

  3. A more streamlined user experience 

    Encryption is hot – application of it is not. Echoworx data finds that only 40 per cent of organizations who have encryption capabilities are actually using them throughout their organizational structure. Making encryption a consistent path of least resistance is a good non-intrusive way of getting your employees and customers to communicate securely.

  4. Multiple delivery methods 

    With traditional secure message delivery, where TLS is used, if a TLS connection isn’t available or supported at the recipient’s end, there are only two outcomes: receiving an error or sending a message unencrypted. Supporting multiple secure delivery methods offers effective fallback options – ensuring sensitive data is always able to be sent and is never sent unprotected.

  5. Better password systems 

    While a one-time-password encryption method is secure, the password itself is only as secure as the channel it is sent over. In other words, if both the one-time password and the encrypted message are sent to the same mailbox, a lot of trust is being put into the security of the recipient’s device or email inbox. A natural solution to this issue is to send the password to the sender, who can then communicate it to the recipient however they please.
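The opportunistic-versus-enforced distinction from “Multiple delivery methods” above, and the same point made in the Danish GDPR post earlier on this page (opportunistic TLS falling back to clear text is not adequate), as an added example that is not Echoworx or OneWorld code. The policy names follow Postfix’s `smtp_tls_security_level` values `may`, `encrypt` and `secure`; the EHLO replies are constructed samples, and `send_enforced()`, `decide_channel()` and the other helpers are this example’s own.

```python
"""Opportunistic vs. enforced STARTTLS for outbound mail.

Added example, not Echoworx/OneWorld code. Policy names follow the Postfix
smtp_tls_security_level values "may", "encrypt" and "secure"; the EHLO replies
are constructed samples and send_enforced() is this example's own helper.
"""
import smtplib
import ssl


class TlsPolicyError(Exception):
    """Raised when policy forbids delivery over the channel the peer offers."""


# Constructed sample EHLO replies (not captured from any real server).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-legacy-mx.example.test\r\n"
    "250-SIZE 10485760\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_extensions(ehlo_reply):
    """Return the uppercased keywords advertised in a multi-line 250 EHLO reply.

    The first line carries the server's hostname and is skipped; each further
    line is "250-KEYWORD [params]" or, for the last one, "250 KEYWORD".
    """
    keywords = set()
    lines = ehlo_reply.replace("\r\n", "\n").strip().split("\n")
    for line in lines[1:]:
        if not line.startswith("250"):
            continue                 # not part of the 250 reply
        body = line[4:].strip()      # drop "250-" or "250 "
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def decide_channel(extensions, policy):
    """Combine what the peer offers with our policy into a delivery decision.

    "may"     -> opportunistic: TLS if offered, otherwise clear text
    "encrypt" -> mandatory TLS, peer certificate not verified
    "secure"  -> mandatory TLS, certificate chain and hostname verified at connect time
    """
    if policy not in ("may", "encrypt", "secure"):
        raise ValueError("unknown policy: %r" % (policy,))
    if "STARTTLS" in extensions:
        return "tls"
    if policy == "may":
        return "cleartext"           # the silent fallback the post warns about
    raise TlsPolicyError("peer offers no STARTTLS and policy %r forbids clear text" % policy)


def compare_policies(ehlo_reply=EHLO_WITHOUT_STARTTLS):
    """Show the three policies side by side against a peer that lacks STARTTLS."""
    outcome = {}
    for policy in ("may", "encrypt", "secure"):
        try:
            outcome[policy] = decide_channel(parse_ehlo_extensions(ehlo_reply), policy)
        except TlsPolicyError:
            outcome[policy] = "refused"
    return outcome


def send_enforced(host, message, policy="secure", port=587, timeout=10):
    """Deliver `message` only over TLS; a peer without STARTTLS gets a refusal, not clear text.

    Network call, not exercised offline. ssl.create_default_context() verifies
    the chain and hostname; "encrypt" relaxes that, and "may" is rejected
    outright because this helper exists to rule out the clear-text fallback.
    """
    if policy == "may":
        raise ValueError("send_enforced() does not implement opportunistic delivery")
    context = ssl.create_default_context()
    if policy == "encrypt":
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise TlsPolicyError("refusing clear-text delivery to %s" % host)
        smtp.starttls(context=context)
        smtp.ehlo()                  # EHLO again on the now-encrypted channel
        smtp.send_message(message)


if __name__ == "__main__":
    print(compare_policies())        # {'may': 'cleartext', 'encrypt': 'refused', 'secure': 'refused'}
```

The `may` row is the opportunistic behaviour the post describes: the legacy peer never offers STARTTLS, so the message goes out in clear text without any error. Under `encrypt` or `secure` the same peer gets a refusal, which is the "receive an error" outcome; the secure delivery methods the post goes on to list are what turn that refusal into a protected alternative instead of a lost message.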

The Echoworx Difference

Echoworx innovates the way we encrypt and deliver secure messages. Our OneWorld encryption platform is a natural extension for most existing systems and offers a wide range of flexible, adaptable and dependable encryption delivery methods for use at enterprise-level corporations.

Learn more about Echoworx OneWorld encryption delivery methods.

By Derek Christiansen, Engagement Manager, Echoworx

23 Jan 2019

ECHOWORX EXPANDS EU REACH WITH NEW GERMAN DATA CENTRE

TORONTO – Echoworx is pleased to announce the opening of their new data centre in Germany. This move further entrenches Echoworx’s presence and competitive edge within the EU region.

Known for its proven manufacturing industries, from automotive to pharmaceutical, established financial core and growing industries, like cybersecurity and tech, Germany is an unofficial economic leader within the EU region. And, with new country-specific regulations spurred by the launch of the General Data Protection Regulation (GDPR) last spring, the timing could not be better.

While the GDPR is a blanket term across the EU region, implementation varies from country to country. And, when it comes to data residency, nearly every German company demands their data remain within German borders. Both domestic and international companies looking to do business in Germany need to have access to German-hosted data centres to effectively compete.

“Knowing where and how data is stored is important when looking for a third-party partnership under new privacy regulations like the GDPR. When data starts to leave a protected zone, for example, the regulations still apply. Having access to a data centre within a target region, like Germany in this case, offers competitive advantages,” says Alex Loo, VP Operations at Echoworx.

To accommodate all business needs, in addition to their new German location, Echoworx currently has data centres in Canada, the US, Mexico, the UK and Ireland. All Echoworx data centres are specifically engineered with the highest standards in-mind to protect data and ensure regulatory compliance is met for specific geographic areas.

Echoworx is dedicated to offering enterprise businesses encryption solutions which work. The Echoworx OneWorld encryption platform features multiple secure delivery methods, a seamless end-to-end encryption experience and multiple branding and language options. The Echoworx system is specifically tailored for conducting international business, whether in Europe or abroad.


About Echoworx

Echoworx is a trusted path to secure communications. As a pure-play encryption solutions provider, Echoworx works with finance, government, healthcare, legal, and compliance professionals to tailor secure communication solutions that don’t impede the customer experience. Our scalable encryption platform, OneWorld, can address multiple uses across an organization. Our encryption experts take pride in transforming chaos into order for leading multi-national enterprises using our SaaS encryption platform. Visit us at www.echoworx.com

Echoworx Media Contact:

Lorena Magee
VP Marketing
416-226-8600

18 Jan 2019
Protecting sensitive incoming data

Inbound Encryption: The Why and How

While your organization has systems in place to encrypt outgoing emails, what happens when you receive an email that contains sensitive information? If it’s not already encrypted, do you refuse to accept it? Does it get caught in your compliance filters? If so, what message are you sending by not receiving?

What is inbound encryption?

Inbound encryption is the process by which emails containing sensitive information, such as credit card numbers, are encrypted before they are stored in an organization’s mail servers. Inbound encryption filters scan all emails against a set of established rules, looking at content and attachments, as well as recipients.

Why is inbound encryption needed?

PCI requirements state that emails containing cardholder data must be encrypted during transmission across open, public networks, and that cardholder data must be protected while it is stored. This means that sensitive or personal information such as credit card numbers cannot be saved on your network without being encrypted.

For example, you might run a large retail organization to which customers are sending email queries containing sensitive data – like credit card information. In order to comply with PCI legislation, your email filtering system might be set up to block or delete these types of emails. This, in turn, might lead to customer dissatisfaction as their emails go unanswered – leading to lost business and unintended brand damage.

How does inbound encryption work?

Using a Secure PDF delivery system allows organizations to minimize their PCI risk. Instead of doing the encryption themselves, they employ a third-party service which provides on-the-fly email encryption, triggered by automated policies on a PCI-certified platform. When messages containing sensitive information arrive encrypted and secure, they are less likely to be blocked by existing email filtering services.

Any incoming emails that trigger an encryption policy are automatically encrypted within a Secure PDF, along with any attachments, before being delivered direct to a recipient’s inbox. Upon receiving the email, the recipient simply downloads the encrypted attachments and enters a self-registered passphrase to authenticate, open and read the contents.
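The rule scan described above (content, attachments and recipients checked against a policy before a message reaches the mail store), as an added example that is not Echoworx code. It is a small inbound policy filter that flags Luhn-valid card numbers in text parts, applies an always-encrypt rule for named recipients, and reports only the last four digits so the filter’s own log does not become a store of cardholder data. The rule set, the helper names and the sample customer e-mail are this example’s own constructions; `4111 1111 1111 1111` is a widely used test card number, not a real account.

```python
"""Inbound policy filter: flag messages carrying cardholder data so they are
encrypted before storage.

Added example, not Echoworx code. The rules, helper names and the sample
message are this example's own; the card number below is a known test number.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (so order numbers and phone numbers are skipped).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid candidate PANs in `text`, as digit-only strings."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan):
    """Keep only the last four digits when reporting a hit."""
    return "*" * (len(pan) - 4) + pan[-4:]


def classify_inbound(raw_message, protected_recipients=frozenset()):
    """Decide whether an inbound message must be encrypted before it is stored.

    Rules (this example's own): a Luhn-valid PAN in any text body or text
    attachment, or any To/Cc recipient listed in `protected_recipients`,
    triggers "encrypt". Returns (action, reasons), action being "encrypt" or "deliver".
    """
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []

    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue   # binary attachments (PDF, images) would need format-specific extraction
        where = "attachment %s" % part.get_filename() if part.get_filename() else "body"
        for pan in find_pans(part.get_content()):
            reasons.append("PAN %s in %s" % (mask(pan), where))

    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    for _, addr in getaddresses(headers):
        if addr.lower() in protected_recipients:
            reasons.append("recipient %s is under an always-encrypt policy" % addr.lower())

    return ("encrypt" if reasons else "deliver"), reasons


def build_sample_message():
    """Constructed customer e-mail: a test card number in the body plus a harmless CSV attachment."""
    msg = EmailMessage()
    msg["From"] = "customer@example.test"
    msg["To"] = "support@retailer.example.test"
    msg["Subject"] = "Refund for order 10001"
    msg.set_content(
        "Hello, please refund order 10001 to my card 4111 1111 1111 1111 (exp 12/25).\n"
        "Reference 1234 5678 9012 3456 is my loyalty number, not a card.\n"
        "You can reach me on 416-555-0100.\n"
    )
    msg.add_attachment("order_id,total\n10001,42.50\n", filename="order.csv", subtype="csv")
    return msg.as_string()


if __name__ == "__main__":
    print(classify_inbound(build_sample_message()))   # ('encrypt', ['PAN ************1111 in body'])
```

The loyalty number in the sample is deliberately 16 digits but fails the Luhn check, and the phone number is too short to qualify, so only the real card number produces a hit. A production filter would add the remaining PCI DSS data elements and extract text from PDF and office attachments before scanning them, but the decision structure stays the same: classify, then hand the message to the encryption step rather than blocking or deleting it.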

What to look for in an effective inbound encryption solution

Providing a secure encryption option for all inbound email doesn’t have to be complicated. Using a Secure PDF delivery system not only guarantees secure storage of sensitive information, it also ensures that your organization will comply with privacy regulations and data security standards.

Learn more about inbound encryption with Echoworx OneWorld.

In addition to Secure PDF delivery, any encryption solution worth its salt needs to offer additional secure delivery methods, from Web Portal to Secure Attachments, S/MIME, PGP and TLS. Although replies and any additional dialogue may be performed via built-in Secure Reply features, your employees might also exercise additional options to communicate securely with their clients.

Learn more about Echoworx OneWorld secure encryption delivery methods.

By Derek Christiansen, Engagement Manager, Echoworx

10 Jan 2019
Multiple encryption methods

How do I choose the right encryption method?

Encryption is an important part of any serious proactive cybersecurity plan. You need it. Your customers demand it. And regulators applaud it.

But one does not simply ‘encrypt.’

In fact, algorithms aside, there are multiple ways to successfully encrypt, package and send sensitive information securely online. Each method has unique benefits and choosing a correct method can make all the difference when it comes down to your customer experience.

But how do you choose an encryption method that is right for your customers?

Here are a few questions to consider:

  1. Why do I need encryption?

    Before choosing a correct method of encryption, you need to determine why you need to encrypt in the first place. What sort of sensitive information are you sending or collecting? In what format? Who are your recipients? What privacy regulations do you need to be aware of? Do your messages need to be encrypted in transit? At rest? Or both? These are just a few questions which can help you begin your encryption journey.

  2. Who are your customers?

    Are your customers tech-savvy? Where are your customers located geographically? Are your customers protected under region-specific privacy regulations? What devices do they operate on? In order to understand which encryption method is right for your customers, you need to determine what exactly is required for communicating securely with them or if further encryption options are needed. If your recipients do not have a TLS connection, for example, multiple secure encryption delivery options are needed to ensure no sensitive information is sent over open channels.

  3. Who are your employees?

    In today’s customer-centric world, you need to ensure all proactive cybersecurity details put your customers first. While this might sound solely like an end-user issue, good customer experience also involves your employees who are interacting with them. You need to ensure encryption is the path of least resistance for any employees sending sensitive customer information – whether internal or to customers direct.

  4. What industry do you operate in?

    When it comes to encryption: One size doesn’t fit all. Different industries have different encryption needs. A large bank, for example, has considerably different demands than a large manufacturer – needing to send millions of secure statements a day as opposed to needing secure communications to collect customer payment information. This needs to be reflected in your decision-making process when choosing an appropriate method of encryption.

  5. What are some common encryption solutions?

    When deciding how to best encrypt a message or document, determine what exact aspect of your message needs to be protected in transit and how you want it to be received by your end user. Here are some common solutions used by different industries:

    B2B Communications: Since it is easy-to-use and effective, provided a connection is available, TLS (Transport Layer Security) is the industry standard for delivering secure emails within B2B environments. In a nutshell, TLS encrypts the connection between two parties, like an encrypted tunnel, enabling secure messages to be sent without additional steps required for the end user.

    Learn more about TLS encryption.

    Banking and Financial Services: Since they send emails frequently that contain confidential financial information, banking and financial services organizations need robust encryption to provide data security and access controls in the event of a cyber-attack. The right encryption solution can also give different departments within the organization better access to and management of sensitive financial data and messages. The PCI DSS standard requires that personal account numbers be encrypted even before emails are sent, so encrypted attachments are a good option here.

    Attachment Encryption is where an attachment is encrypted, as opposed to the entire message body. This type of secure delivery works for one-way messaging, like sending an e-statement, where all the sensitive material can be encapsulated in its native format within a secure encrypted attachment. This type of encryption delivery eliminates the need to convert or download files from different formats – creating a more streamlined user experience.

    Learn more about attachment encryption delivery methods.

    Healthcare Services: Personal information, like patient records, must be exchanged in real-time between healthcare providers, administrators, insurance companies and patients. But, in addition to being a fast and seamless experience, exchanging healthcare information needs to be a secure experience. On account of its portable nature and excellent mobile experience, where recipients are simply sent a notification prompting them to sign in to a secure online portal, without the need for any special software or infrastructure, web portal encryption is popular with many health care providers.

    Learn more about web portal encryption

  6. Seek partnerships which put your customers first

    You just can’t take chances when it comes to handling sensitive personal information online. But, from new privacy regulations with teeth, like the GDPR, to increasingly creative malicious actors online to security-investing competition, staying on top of a cybersecurity program can be challenging for many organizations. But the consequences of falling behind or suffering a breach can cost you time, money and, ultimately, your customers.


When you partner with Echoworx, you’re partnering with a full-time team of dedicated encryption specialists. Our job is to ensure your data stays secure and compliant, and that your encryption experience is seamless end-to-end – because good customer service doesn’t end when you press ‘send.’

Learn more about our array of secure encryption delivery methods.

02 Jan 2019
Generation Z, Personal Data and Digital Trust: Unlike Any Before

Solve this riddle: I am always connected – but avoid social situations. I demonstrate a firm attention to detail – but have the attention span of a goldfish. I freely give out personal information – but demand it be protected. I distrust corporations – but communicate to them as if they were family.

Who am I?

If you guessed a Millennial, you’re on the right track. But these characteristics are more appropriately attributed to members of Generation Z – the first generation of digital natives, born beginning in the mid-90s through the 2000s, set to bloom into the consumer market. And, given that they are to make up a whopping 40 per cent of all consumers by 2020,[1] with $44B in buying power,[2] this is one group your organization needs to prepare for – especially when it comes to data protection.

How does Generation Z share digital information?

As digital natives, Gen Zs do not know life without being connected to the digital world. And, since most of their life is already online, some even making their first digital selfie appearance via an uploaded ultrasound from the womb, they are much more comfortable with having even their most intimate details available at the click of a mouse. They are ‘always on,’ with some members of Generation Z checking their social media a hundred times a day or more, and this is reflected in how they share digital information.

According to Echoworx data, the level of comfort with which Generation Z shares personal information online is on par with, or even exceeds, the same metrics for Millennials. For example, 56 per cent of Generation Z are not opposed to publishing their credit score on social media. This same metric is considerably lower for Millennials, with 44 per cent being comfortable, and continues to decline through older generations.

Are Generation Z gullible? Or just faster?

The average attention span of a member of Generation Z is 8 seconds, according to data from the Digital Marketing Institute. And, as digital natives, they crave instant gratification for the price of personal data – without much consideration for long-term consequences or questioning what their details are being used for. But, on account of their short attention spans, Gen Zs are experts at filtering and retaining information presented to them.[3]

So, are they gullible? No. But this doesn’t necessarily mean they are responsible. And their lightning-quick digital speed can lead to sloppy practices when it comes to protecting their data. For example, according to Echoworx data, nearly half of Gen Zs change their digital passwords regularly. Compare this same figure to Millennials, where nearly three quarters regularly update their online login credentials.

Are Generation Z reckless with their personal digital data?

In order to understand the point of view of a Gen Z, you need to look at things from their perspective. For example, would you trust your parents with your SIN? Would you ask your sister for advice on the best way to peel an apple? If you answered yes, simply substitute your family member with an online influencer or one of your favourite brands. If you are always on, you live online.

And you trust people you care about to point you in the right direction. This is why Gen Zs are so comfortable providing details to, or taking advice from, brands or influencers.

When you look at it from this perspective, readily divulging personal information online is not as crazy as it sounds to older generations.

And older generations are not perfect either. According to a recent Gallup Poll, nearly a quarter of Americans were victims of cybercrime in 2018.[4] This is despite the claim of 71 per cent of poll respondents who worry about cyber crime and the two thirds of Americans, according to data from the American Bankers Association (ABA), who are taking measures to protect sensitive data.[5]

Digital trust is a fragile game to play

Unlike its offline equivalents, digital trust carries its own hubris of sorts in that if it is easy to get, it’s even easier to lose and nearly impossible to get back. In fact, according to Echoworx data, over three quarters of Generation Z consider leaving brands after a data breach. So how do you play the game?

Easy. You protect them.

According to Deloitte, consumer expectations online are at an all-time high and your customers demand control over their personal data. And a full 69 per cent of customers do not believe organizations are doing everything they can to protect their data.[6] But, according to data from the ABA, nearly half of Americans continue to trust traditional industries, like banks and healthcare.[7]

While some might view this newfound fascination with personal data collection as detrimental to conducting business, your organization should view it as a competitive differentiator. If your brand goes all-out in a quest to protect customer data, employing best proactive practices, such as a personalized and customer-focused encryption experience for sensitive documents in transit, your customers will take notice.

Learn more about maintaining the digital trust of your customers.

By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx

——

[1] https://digitalmarketinginstitute.com/en-ca/the-insider-3987498273498375892/19-10-16-is-your-business-ready-for-the-rise-of-generation-z?blog

[2] https://www.forbes.com/sites/kristinwestcottgrant/2018/05/09/data-privacy-social-media-visual-content-adobe-through-the-lens-of-generation-z/#5c812c243a9c

[3] https://digitalmarketinginstitute.com/en-ca/the-insider-3987498273498375892/19-10-16-is-your-business-ready-for-the-rise-of-generation-z?blog

[4] https://bankingjournal.aba.com/2018/12/gallup-poll-quarter-of-americans-victimized-by-cybercrime/

[5] https://bankingjournal.aba.com/2018/12/survey-data-privacy-growing-as-concern-banks-seen-as-trusted/

[6] https://www2.deloitte.com/insights/us/en/industry/technology/digital-media-trends-consumption-habits-survey.html

[7] https://bankingjournal.aba.com/2018/12/survey-data-privacy-growing-as-concern-banks-seen-as-trusted/

28 Dec 2018

New Year? New Information Security Challenges!

As we head into the New Year, we reflect on the trials, tribulations and challenges faced over the past year – before outlining specific resolutions to these problems. In the world of information security, these improvements are usually within the realms of identifying threats, preventing cybersecurity issues and staying on top of the latest and greatest in data protection technology.

And what a busy year it’s been! From the introduction of new privacy-building legislation, like the GDPR or California’s AB 375, to new privacy-destroying laws, like Australia’s new encryption laws calling for data backdoors, it’s been quite the rollercoaster. We’ve also seen data breaches and instances of ransomware bring even massive corporate conglomerates, like Marriott, to their knees.

So what is to be done in 2019?

The unfortunate reality of the world of information security is that new threats, new scams and new malicious actors to worry about seem to pop up every day. Staying atop this constantly morphing information is enough to drive someone nuts. And the consequences of falling behind can be detrimental to your business, your reputation and, ultimately, your customers.

This past year, our Distinguished Software Engineer at Echoworx, Slava Ivanov, has made it his mission to gather and consolidate the latest cybersecurity tricks and tips into a concise serial 101 document of definitions. From lighter topics, like the newly emerged Japanese ‘posterior authentication’ technology, which grants access to a system or machine via ‘butt prints,’ to more serious information security issues, like spear phishing, to data protection topics, like the Blowfish cipher used in encryption, Slava’s index of terms offers an excellent primer to anyone starting research on a term.

So, before you formalize your organization’s New Year’s resolutions this year, consider a quick glance at Slava’s ‘Information Security 101’ to see if there is something you missed in 2018!

Click here to browse last year’s top trending information security terms and definitions.

By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx

18 Dec 2018
Digital Onboarding

Accelerating Your Customer Onboarding Through Digital Adoption

With so many digital options to choose from, traditional client onboarding, which can take weeks or even months to complete, is certainly a poor customer experience. Many processes are still manual, time-consuming, expensive and ineffective. And, with fintech snapping at your heels, if you fail to onboard your customers quickly, they might start to consider other, more nimble options.

But moving to digital can carry regulatory risks – especially if your organization is not taking proper privacy precautions with client data. Here’s how you can onboard new clients safely, quickly and, most-importantly, digitally:

Why bother going digital?

In every industry, including finance and banking, customer interactions are increasingly moving to purely digital channels. In order to stay relevant, even large banking and financial service providers must do the same. While technologies such as mobile and digital banking were first adopted by millennials, they are now widely used, by customers of all ages.

In a nutshell: Digital onboarding lets customers choose how, where and when they wish to join your bank.

And, for banks, where customer centricity is paramount, employing digital channels brings personalization and engagement for all their banking customers. The transition to digital also lowers costs and it is easier to measure effectiveness. In fact, according to a recent eMarketer report, the importance of increasing the use of digital channels, among financial institutions, is rapidly outpacing other business objectives, seeing a year-over-year increase of 15 per cent in importance from 2016 to 2017[1]

The importance of protecting customers

A recent Echoworx survey shows that most customers take less than 30 seconds to assess the safety of an email. Yet only 40 per cent of organizations that have encryption technology use it to protect sensitive data. In these instances, fully one third of emails that should be encrypted are sent in the clear.

Our research shows that 64 per cent of customers are more concerned about their online privacy than a year ago. And 62 per cent don’t trust that their Internet activity is private. Given the number of data breaches in recent months, these figures shouldn’t be a surprise.

Yet customers assume your organization is protecting their interests, and their data. Your customers must be able to trust that their information is secure in your hands. The stakes are high: 80 per cent of customers will consider leaving your organization after a breach.

Additional digital perks for your customers

Implementing digital channels and enabling faster onboarding will also bring other benefits for financial institutions:

  • Reducing the onboarding touch points to complete onboarding faster and more easily. Customers want to complete their onboarding and application journey with the minimum of interactions before they can access services.
  • Faster onboarding means it is less likely that new customers will develop negative impressions about their financial institution.
  • Establishing rapport quickly to provide products and services. Customers are more satisfied when the relationship is put into place immediately.

 

A Scottish case study

The challenge with digital onboarding is to strike the right balance: the process must be easy to use, but document security must be maintained.

One of Scotland’s largest banks came to us with this challenge and the results have been favourable.

After implementing our solution, all their application forms for accounts, loans, mortgages and investments are now emailed as secure PDFs. The customer then fills out the documents and emails them back, also securely. Because the process is digital and the documents are encrypted in both directions, onboarding can be completed in a few days.

The bank estimates they are reducing the time to onboard new customers by over a week. As a bonus, they have also drastically reduced the postage costs associated with the old onboarding process. Everyone benefits: customers find the onboarding experience easy to navigate, and the bank can trust in the security and integrity of the process.

The Echoworx difference

The Scottish bank example discussed above is just one of the unique ways your financial institution can leverage the power of our OneWorld encryption platform to help streamline your client onboarding processes. With multiple delivery methods and the ability to send millions of secure documents at the click of a mouse, in addition to other perks, like being able to brand your secure communications, OneWorld speeds up your onboarding process, reduces confusing clutter and keeps your banking institution airtight in the eyes of regulators.

Learn more about how we can help your client onboarding process.

By Derek Christiansen, Engagement Manager, Echoworx

———–

[1] https://www.digitalbankingreport.com/trends/2017-account-opening-and-onboarding/

11 Dec 2018
Australia demands encryption backdoors

Trouble in Oz: Australia’s New Controversial Data Backdoors

Dangerous privacy precedents are now being set in Australia – a nation traditionally known for its dedication to Commonwealth democratic stability. As of December 2018, Australia has newly-minted legislation under its belt which allows its intelligence and law enforcement agencies to demand backdoor access into the sensitive encrypted data of target organizations.

As other friendly governments take note of this new development, this legislation might signal the beginning of dark times for digital privacy and the way we store and share sensitive information.

But first – a little background:

Since their inception, members of the so-called ‘Five Eyes,’ a collective body of intelligence and law enforcement organizations hailing from the UK, the US, Canada, New Zealand and Australia, have been lobbying for more access to their citizens’ data. Gaining access to private citizen data represented a unique opportunity not only to keep an eye on those few amongst us with malicious intent, but also to control and manage their populaces.

In recent history, this has manifested itself in digital ways – from legislation, like the US Government’s PATRIOT Act or the UK’s more recent Investigatory Powers Act, to the use of dangerous euphemisms, like “responsible encryption.” Sensitive digital data is a treasure trove to the Five Eyes and they have been salivating for years at the prospect of getting in.

Backdoors are still doors

In layman’s terms, the new legislation passed by the Australian Parliament demands that third-party digital service providers create backdoors through which state organizations may access end-to-end encrypted information when prompted. While they can make these requests formally to an organization, it’s worth noting they also now have the power to demand that individuals at target organizations, from Sally the CEO to Bill in IT, provide this backdoor access upon request.

And these demands have serious teeth.

If an organization refuses a request by an Australian Government body, like a law enforcement agency, they face millions of dollars in fines. Individuals who fail to comply face jail time.

Sound scary?

It gets worse.

There’s a global impact of these new privacy laws

As a member of the Five Eyes, Australia is a major player in the global intelligence community. Not only does this country, and its legislation, help set a considerable part of the bar for what is acceptable for government intelligence agencies to do, but it has also created a dangerous precedent which might spread to other members of the Five Eyes collective.

The danger of testing the depth of a river with both feet

An unintended consequence of creating these backdoors is the new vulnerabilities they pose to the very Australian Government organizations that demanded them. A backdoor cannot tell a warrant from an attacker: while they claim to have solved major issues of national security with their new ability to spy on their own citizens, the Australian Government has ironically created dangerous vulnerabilities in its own systems, available for exploitation by malicious agents.

What can be done?

At Echoworx, and throughout the cybersecurity community, we firmly believe in the protection of encrypted data. Without the ability to send and receive confidential data via digital platforms, everyone’s privacy is at risk, and what’s worse, we could be opening doors to the very criminals we’re trying to stop.

By Derek Christiansen, Engagement Manager, Echoworx

01 Dec 2018
information security

Security 101: A 2018 Thesaurus for InfoSec

There is much emphasis being given to information security in today’s digitally connected ecosystem, and it truly is the need of the hour – below you can find answers to some of the most pertinent topics in information security.

Slava Ivanov, Distinguished Software Engineer at Echoworx, with his years of progressive experience in delivering security solutions to solve business challenges, coupled with his strong knowledge of software development cycles, is committed to developing a 2018 Thesaurus for information security.

 

DECEMBER |

 

Q: CONFUSED WITH THE INTERNET, DEEP WEB OR DARK WEB?

A: The Internet consists of online resources available through search engines, like the websites we use to shop, bank or socialize. The Deep Web is the part of the Internet that is not indexed by major search engines. To visit such places, you need to go directly to the resource. It isn’t necessarily malicious; most of it is simply content behind logins or too large to be indexed. The Dark Web is the part of the Deep Web that is not just unindexed but also requires special software to access. The Dark Web runs on overlay networks like Tor or Freenet and is often associated with criminal activity.

Q: WHAT IS ‘POSTERIOR AUTHENTICATION?’

A: When we speak about biometric security, usually we are referring to face recognition or fingerprints – but this authentication method is all about your posterior. Japanese researchers have developed a seat with 360 sensors, which apparently measures your seat groove, aka ‘buttprints,’ or rear-pressure pattern. The researchers claim 98% accuracy in correctly identifying a sitting person. Not bad, eh? This method of authentication could have applications in effective anti-theft systems for our cars or as yet another method to log in to your device when you sit behind your desk.

Q: WHAT IS A KEYLOGGER?

A: Keyloggers, also known as keystroke loggers, record what a user types. There are many types, based on a variety of keylogging methods, with two well-known families: software- and hardware-based keyloggers. Hardware keyloggers are usually fitted between a keyboard and the device; as they run entirely in hardware, security software on the host cannot detect them. Software keyloggers can be built into rootkits or other hard-to-detect forms. While the programs themselves are legal, many are used for the purpose of stealing confidential information. Detecting any type of keylogger is a difficult task, since they are designed to stay hidden.

 

NOVEMBER |

 

Q: WHAT IS SOCIAL ENGINEERING?

A: Social engineering is the art of manipulating people so they give up confidential information. Even highly secure systems that cannot be penetrated by digital, or cryptographic means, can be compromised by simply calling an employee of the target organization on the phone and impersonating a co-worker or IT personnel. Some well-known social engineering techniques include phishing, clickjacking, vishing, and baiting. There is no simple solution to prevent a social engineering attack, but the best defense is user education and security awareness.

Q: VULNERABILITY VS. EXPLOIT: WHAT’S THE DIFFERENCE?

A: A security vulnerability is an unintended flaw in software or a system which leaves it open to attack, such as unauthorized access or the execution of malicious code like viruses, worms and other malware. An exploit is not another word for a vulnerability: it is the code, technique or sequence of steps that actually takes advantage of a vulnerability. A vulnerability is a potential problem; an exploit turns it into an active one. For example, a broken lock on your cottage door is a vulnerability, which must be addressed sooner rather than later. Someone walking through that broken door is the exploit, and a broken door lock in a major city, where people are actively looking for such doors, is far more likely to be exploited.

Q:WHAT IS A PENTEST?

A: Pentest is the short form of penetration test. This is a security exercise in which a trusted cyber-security expert attempts to find the vulnerabilities of a system before malicious attackers can exploit them. The system is targeted by simulated attacks (brute-force password guessing, SQL injection, etc.) and the findings are written up in a pentest report. The findings are then shared with the target company’s security team for the implementation of subsequent security fixes and patches. In order to keep the system secure, the pentest should be performed on a regular basis, especially when new technology is added.

Q: WHAT DOES CIA HAVE TO DO WITH CYBERSECURITY?

A: In Information Security, the CIA Triad stands for Confidentiality, Integrity and Availability – not to be confused with the US Central Intelligence Agency. Confidentiality – keeping sensitive data secure; Encryption is a reliable solution to ensure confidentiality. Integrity – keeping data intact; Cryptographic hashes and digital signing are used to verify information hasn’t been altered. Availability – keeping data accessible; Strategic planning and resource allocation ensures services and applications are available 24/7, including backup plans, data recovery and services scalability.

 

OCTOBER |

 

Q: WHAT IS BOTNET?

A: The word “botnet” is a combination of the words robot and network. A botnet is a group of Internet-connected devices – IoT and mobile devices, computers, networks – infected by malware. Each compromised device is called a “bot” and can be controlled remotely by the botnet’s operator, known as a “bot master.” Botnets are increasingly rented out by cyber criminals as commodities and commonly used in DDoS attacks. Botnets are able to take advantage of collective computing power, send large volumes of spam, steal credentials en masse or spy on people and organizations.

Q: IS CRYPTOJACKING A NEW THREAT IN THE WILD?

A: Cryptojacking is the unauthorized use of a victim’s computer to mine cryptocurrency. According to a recent Symantec security report, cryptojacking just came out of nowhere and exploded like nothing before. Hackers see it as a cheap and easy way to make more money with less risk. Unlike other types of malware, cryptojacking does not damage a victim’s data or computer. But, since they do steal CPU processing resources, the victim will be paying with a reduced device lifecycle, more power usage and overall performance issues.

Q: WHAT IS SPYWARE?

A: Spyware is a type of malicious software installed on your computer, often without your knowledge. It is designed to monitor your computing activities and collect and report the data to a third party, whether an advertising company building a marketing profile or a criminal after your credentials. The data collected usually includes personal information such as your name, address, browsing habits, preferences, interests or downloads. Besides being an invasion of privacy, this software can cause serious performance issues.

Q: WHAT IS THE BIRTHDAY ATTACK?

A: The birthday attack is a type of brute-force attack based on the birthday paradox: with 253 people in a room, there’s a 50% chance that someone shares your birthday, but only 23 people are needed for a 50% chance that some two of them share a birthday. This is because collisions are counted over all pairs, and the number of pairs grows quadratically with the number of people. The same statistics apply to hash functions: finding any two inputs with the same hash value (a collision) takes roughly the square root of the work of finding an input that matches a given hash (a preimage), which is why an n-bit hash offers only about n/2 bits of collision resistance.

Q: WHAT IS SAME ORIGIN POLICY?

A: The Same-Origin Policy is a browser security mechanism that restricts how a document or script loaded from one origin can interact with resources from another origin. Under the policy, a script on one web page may read data from another page or response only when the two have the same origin, where the origin is the combination of scheme (protocol), host name and port. A server can selectively relax this for cross-origin reads by sending CORS (Cross-Origin Resource Sharing) headers.
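As an added illustration of that origin rule (example code written for this page, not part of the original Q&A), the following Python compares the (scheme, host, port) triples the way a browser does, folding in the default port for each scheme, and then layers the CORS opt-in on top. The host names in the examples (app.example.com, api.example.com) are made up.

```python
"""Same-Origin Policy: compare (scheme, host, port) triples the way a browser does."""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Ports a browser treats as implied when the URL does not name one.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443, "ftp": 21}

Origin = Tuple[str, str, Optional[int]]


def origin_of(url: str) -> Origin:
    """The origin triple of a URL. Path, query and fragment play no part in it."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a: str, url_b: str) -> bool:
    """True when both URLs share scheme, host and (effective) port."""
    return origin_of(url_a) == origin_of(url_b)


def may_read_response(page_url: str, target_url: str,
                      allow_origin_header: Optional[str] = None,
                      credentialed: bool = False) -> bool:
    """Can a script running on page_url read the body of a response fetched from target_url?

    Same origin: always. Cross origin: only if the server replied with an
    Access-Control-Allow-Origin (CORS) header naming the page's origin; the wildcard
    '*' is honoured only for requests sent without cookies or other credentials.
    """
    if same_origin(page_url, target_url):
        return True
    if allow_origin_header is None:
        return False
    if allow_origin_header == "*":
        return not credentialed
    return origin_of(allow_origin_header) == origin_of(page_url)
```

Note that a sub-domain or a different port is a different origin, even though both are "the same site" to a human; that is why a login page on www.example.com cannot read responses from api.example.com unless the API explicitly allows it.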

 

SEPTEMBER |

 

Q: ARE OPEN SOURCE PROJECTS MORE SECURE THAN PROPRIETARY ONES?

A: A common misconception is that open source projects are more secure, either because anyone can inspect the source code, or because so many eyes are watching it. And, vice versa, a commercial product of a well-known company is more secure because everyone trusts it. The security of the project comes from a combination of many factors, including how many developers are working on it, what are their backgrounds, quality control of the project, etc. There are many examples of horribly insecure applications that come from both camps.

Q: WHAT IS CROSS-SITE REQUEST FORGERY?

A: Cross-Site Request Forgery (CSRF) is a type of attack on a web site in which an intruder makes the victim’s browser send a request that looks like it came from a legitimate, logged-in user. For example, an image tag on an attacker-controlled page may point to a URL that triggers an action on a site where the user is logged in; when the user loads the page, the browser sends the request together with the user’s session cookie, the action is performed, and the user might not be aware that such an attack has occurred. The attack can be used to modify firewall settings, post unauthorized data on a forum or conduct fraudulent financial transactions. Defences include per-session anti-CSRF tokens, the SameSite cookie attribute and checking the Origin header on state-changing requests.
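To make the forged request concrete, here is an added, self-contained Python simulation (not code from the original page or from Echoworx): a money-transfer handler that trusts the session cookie alone, beside a hardened version that requires POST, an Origin of its own site and a per-session synchronizer token. The application origin bank.example, the attacker site evil.example and the users are assumed names; there is no real web framework behind it.

```python
"""CSRF: the forged request a vulnerable handler accepts, and the checks a hardened one adds.
Self-contained simulation of what the server sees; no web framework involved."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"   # assumed origin of the protected application


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Method, the session cookie the browser attached, request parameters and headers."""
    method: str
    cookies: Dict[str, str]
    params: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


SESSIONS: Dict[str, Session] = {}


def login(user: str) -> str:
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user=user)
    return sid


def _session_for(req: Request) -> Optional[Session]:
    return SESSIONS.get(req.cookies.get("sid", ""))


def _origin(header_value: str) -> str:
    p = urlsplit(header_value)
    return f"{p.scheme}://{p.netloc}"   # scheme + host + port; an exact compare, never a prefix match


def _move_money(sess: Session, params: Dict[str, str], balances: Dict[str, int]) -> str:
    to, amount = params["to"], int(params["amount"])
    if balances.get(sess.user, 0) < amount:
        return "400 insufficient funds"
    balances[sess.user] -= amount
    balances[to] = balances.get(to, 0) + amount
    return "200 ok"


def transfer_vulnerable(req: Request, balances: Dict[str, int]) -> str:
    """Trusts the session cookie alone. Any page can make the browser send this request,
    e.g. <img src="https://bank.example/transfer?to=mallory&amount=50">."""
    sess = _session_for(req)
    if sess is None:
        return "401 not logged in"
    return _move_money(sess, req.params, balances)


def transfer_hardened(req: Request, balances: Dict[str, int]) -> str:
    """Same action with three extra checks: POST only, the request's Origin/Referer must be our
    own origin, and the form must carry the session's token (compared in constant time)."""
    sess = _session_for(req)
    if sess is None:
        return "401 not logged in"
    if req.method != "POST":
        return "405 state change requires POST"
    origin_hdr = req.headers.get("Origin") or req.headers.get("Referer")
    if origin_hdr is None or _origin(origin_hdr) != SITE_ORIGIN:
        return "403 cross-site request"
    if not hmac.compare_digest(req.params.get("csrf_token", ""), sess.csrf_token):
        return "403 missing or wrong csrf token"
    return _move_money(sess, req.params, balances)


def forged_request(sid: str) -> Request:
    """What the victim's browser sends when evil.example embeds the image tag above:
    a GET, our cookie attached automatically, Referer pointing at the attacker, no token."""
    return Request("GET", {"sid": sid}, {"to": "mallory", "amount": "50"},
                   {"Referer": "https://evil.example/cute-cats.html"})


def legitimate_request(sid: str) -> Request:
    """A POST from our own transfer form, carrying the token that was rendered into the form."""
    return Request("POST", {"sid": sid},
                   {"to": "bob", "amount": "50", "csrf_token": SESSIONS[sid].csrf_token},
                   {"Origin": SITE_ORIGIN})
```

The Origin comparison is deliberately an exact match on scheme, host and port: a `startswith("https://bank.example")` check would also accept `https://bank.example.evil`. Marking the session cookie `SameSite=Lax` is a complementary browser-side control that stops the cookie being attached to the forged cross-site request in the first place.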

Q: WHY DOES MY PKI IDENTITY INCLUDE TWO KEYS?

A: A public and private key pair is a pair of asymmetric keys used to encrypt, decrypt, sign and verify data. The public key is public and available to everyone. On the other hand, the private key must remain confidential to its owner. When encrypting data, the public key of the recipient is used, and only this recipient, holding the matching private key, will be able to decrypt it. When signing, the sender’s private key is used to produce the signature, and anyone with the sender’s public key can verify it, which confirms the identity of the sender.

Q: IS IT “DOS” OR “DDOS” ATTACK?

A: A denial-of-service (DoS) attack is a type of cyber attack designed to make a computer or network unavailable to its intended users by disrupting the services of a host. This is typically done by flooding the host with an overwhelming number of requests or packets to saturate its bandwidth, connection table, memory or CPU, so that legitimate requests can no longer be served. A distributed denial-of-service (DDoS) attack is analogous to DoS, but the traffic comes from many different sources (often a botnet), which makes it impossible to stop simply by blocking a single source.

 

AUGUST |

 

Q: I USE GOOGLE CHROME, DO YOU?

A: There are plenty of browsers available these days to choose from: Chrome, with its built-in Google search engine; Edge, with its ability to make notes right on the page; Firefox, with its option to continue reading the pages where you left on another device; Safari, which is perfectly tailored for mobile devices. No matter what your criteria for choosing the Internet browser, the most important thing is to keep it up-to-date with all security patches and updates. Enjoy your safe browsing.

Q: WHAT IS A DIGITAL CERTIFICATE?

A: In cryptography, a digital certificate is an electronic form of identification, much like your passport or driver’s license. It binds a public key to information about your identity and is issued by a certification authority (CA) for a specific period of time. The CA vouches for the validity of the information included within the certificate. The most common format for digital certificates is defined by the X.509 standard. Certificates are used in a variety of areas: SSL/TLS, S/MIME, code signing, etc.

Q: WHAT DO COMPUTER COOKIES TASTE LIKE?

A: A cookie is a small piece of data from a website which is stored on your computer by a web browser. The yummy part of the cookie is that it can store, for example, login info, zip code, etc. so you don’t need to type it in over and over again. The bitter part of it is that it can keep track of your habits and be used by advertising networks. The yucky taste comes when a cookie carrying sensitive information is intercepted or stolen by a hacker; sites should mark such cookies with the Secure and HttpOnly attributes so they are only sent over HTTPS and cannot be read by page scripts. Clean up cookies regularly, keep your antivirus software up-to-date, and visit the websites you trust – enjoy the great taste of cookies!

Q: WHAT DOES SSO STAND FOR?

A: SSO stands for Single Sign-On. With single sign-on, the user can authenticate once and then use multiple systems or applications without having to log in again. Without SSO of any kind, users may have to remember a different username and password (different credentials) for each system used. This leads the user to use short, simple or similar passwords for every resource. To reduce password fatigue, time to re-enter identity info, “forgot password” requests, etc., many organizations are implementing Single Sign-On.

Q: WHAT IS S/MIME?

A: S/MIME (Secure/Multipurpose Internet Mail Extensions) is the standard for securing MIME messages, so that the widely deployed SMTP e-mail infrastructure can carry confidential mail without changes to the mail servers in between. It uses X.509 certificates from a PKI (Public Key Infrastructure) to encrypt and/or sign the message. S/MIME provides the core cryptographic services for e-mail: confidentiality through message encryption, and data integrity, authentication and non-repudiation through digital signing.

 

JULY |

 

Q: WHAT IS MIME?

A: MIME (Multipurpose Internet Mail Extensions) is the Internet standard that defines how a message has to be formatted for transfer between different e-mail systems. MIME is a very flexible format and allows the inclusion of virtually any type of data such as text, images, audio, applications, etc. With appropriate encoding MIME is able to handle messages written in international languages as well. MIME is designed for SMTP communications, but many definitions of the standard are widely used in WWW communication protocols.

Q: WHAT IS TABNABBING?

A: Tabnabbing, also known as tabjacking, is a phishing attack that exploits a user’s inattention to the multiple browser tabs they have open in order to steal sensitive information. For example, you open a malicious page along with other tabs in the browser. If the script on the malicious tab detects inactivity, it rewrites the page to display, for example, a fake Gmail login page instead. Not paying attention to which tab is which, the user may enter the requested credentials, which are then stolen by the criminals.

Q: HOW CAN A VPN ENHANCE MY PRIVACY AND SECURITY?

A: A VPN (Virtual Private Network) extends a private network (e.g. a company network) across a public network (e.g. the Internet) and enables users to access private network resources as if they were directly connected to that private network. A VPN encrypts network traffic, so if an attacker sniffs the packets, they only get encrypted data. It also detects modification of transmitted data, providing integrity, and uses authentication to prevent unauthorized access to the resources.

Q: IS “PHARMING” YET ANOTHER WORD WITH A MISTAKE?

A: Pharming is an advanced type of cybercrime, similar to phishing, whose name combines “phishing” and “farming.” The usual purpose of pharming is to obtain usernames and passwords for online retailers or banks without needing to phish you with malicious e-mails or links. You go to a well-known web resource, as always, but end up at the hacker’s system – made to look like the legitimate website. One technique used in pharming is corrupting name resolution on the victim’s machine, for example by malicious code editing the local hosts file or DNS settings; another is DNS cache poisoning, in which a resolver is tricked into storing a forged record so that the domain name resolves to the attacker’s server.

 

JUNE |

 

Q: HOW TO BE SAFE WHEN MAKING ONLINE PAYMENTS?

A: There are a few things to consider when you shop online: 1. Make sure the retail website is using an HTTPS (TLS) connection, shown by the padlock in the address bar, and that the business is trustworthy. 2. Always favour credit card transactions over debit. 3. Do not make payments when connected to a public Wi-Fi network. 4. Consider opting out of storing your credit card information on a retailer’s website – even if you use it often. 5. Never enter your PIN code or banking password when completing a transaction. The last word: Check your credit card statement regularly, sign up for transaction notifications, if possible, and stay safe.

Q: HOW TO BE SAFE ON STARBUCKS WI-FI?

A: To stay safe while using a public Wi-Fi network, use only secure (HTTPS) connections to websites you trust. Avoid entering personal usernames and passwords, even just to check your email, as hackers can monitor unprotected Wi-Fi networks and your information can be stolen. Turn off File Sharing and AirDrop options, and check that your laptop’s firewall is enabled. For even better protection, secure and encrypt your connection by using a Virtual Private Network (VPN) – a safe digital tunnel from your device.

Q: WHAT IS IOT ANYWAY?

A: The Internet of Things (IoT) is an ecosystem of connected devices able to communicate with us, and with one another, over the Internet. A smart thermostat, controllable from our phones and tablets, for example, is a well-known IoT-connected device. Everything these days is “smart,” from simple sensors and actuators to refrigerators and cars. The future of the IoT is very exciting and stands to revolutionize the way we live, making entire cities and countries function in a smarter and more efficient way. It truly is a Golden Age for IoT devices.

Q: HOW WELL IS BLOWFISH SWIMMING IN CRYPTOGRAPHY?

A: Blowfish is a symmetric block cipher designed by Bruce Schneier in 1993 as a replacement for the aging DES and the patented IDEA. It has a 64-bit block size and uses a variable-length key, from 32 bits to 448 bits, which suited both domestic and (then export-restricted) uses. Blowfish has a deliberately slow key setup, which makes brute-force key search a little more expensive (and is the property the bcrypt password hash builds on). The algorithm is unpatented and free for everyone to use. Blowfish shouldn’t be used to encrypt large amounts of data under one key because of its small block size: after roughly 2^32 blocks (32 GiB) repeated ciphertext blocks become likely, which leaks plaintext information (the ‘Sweet32’ birthday attack on 64-bit ciphers). AES, with its 128-bit block, does not have this problem.
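The birthday-attack entry (October) and the block-size caveat above are the same piece of arithmetic, so here is one added Python example (written for this page, not taken from the original) that serves both: it computes the two birthday probabilities quoted in the October entry, runs an actual birthday search for a collision in a SHA-256 digest truncated to 24 bits to show the square-root cost, and then turns the same bound into the amount of data a 64-bit block cipher such as Blowfish can safely encrypt under one key versus a 128-bit block cipher such as AES. All inputs are constructed in the code.

```python
"""Birthday-bound arithmetic: why any-collision search is cheap (the birthday attack) and why a
64-bit block cipher such as Blowfish must not encrypt much data under one key."""
import hashlib
import itertools
import math


def p_specific_match(n: int, d: int = 365) -> float:
    """P(at least one of n people shares *your* birthday), d equally likely days."""
    return 1 - (1 - 1 / d) ** n


def p_any_collision(n: int, d: int = 365) -> float:
    """P(some pair among n samples collides). Exact product for small d, the
    1 - exp(-n(n-1)/2d) approximation for large d."""
    if n > d:
        return 1.0
    if d <= 100_000:
        p_none = 1.0
        for k in range(n):
            p_none *= (d - k) / d
        return 1 - p_none
    return 1 - math.exp(-n * (n - 1) / (2 * d))


def samples_for_even_odds(d: int) -> float:
    """Number of samples giving a 50% chance of some collision: about 1.177 * sqrt(d)."""
    return math.sqrt(2 * d * math.log(2))


def truncated_sha256(data: bytes, bits: int) -> int:
    """SHA-256 digest cut down to its top `bits` bits, standing in for a small hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def find_any_collision(bits: int):
    """Birthday search on a hash truncated to `bits`: hash distinct messages until two share a
    digest. Expected work ~2**(bits/2) hashes; a preimage of one fixed digest would be ~2**bits."""
    seen = {}
    for i in itertools.count():
        msg = b"message-%d" % i          # constructed inputs
        digest = truncated_sha256(msg, bits)
        if digest in seen:
            return seen[digest], msg, i + 1   # the colliding pair and how many hashes it took
        seen[digest] = msg


def block_cipher_data_limit_bytes(block_bits: int) -> int:
    """Bytes encrypted under one key before two ciphertext blocks are 50% likely to repeat.
    In CBC a repeated block leaks the XOR of two plaintext blocks (Sweet32 on 64-bit ciphers)."""
    blocks = samples_for_even_odds(2 ** block_bits)
    return int(blocks) * (block_bits // 8)
```

For a 24-bit truncation the search finishes after a few thousand hashes rather than the ~16 million a targeted preimage would need; the data-limit function returns tens of gigabytes for a 64-bit block and an astronomically large figure for a 128-bit block, which is the whole argument for retiring Blowfish and 3DES in favour of AES.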

 

MAY |

 

Q: ARE BLUEJACKING, BLUESNARFING AND BLUEBUGGING NEW SHADES OF BLUE?

A: Bluejacking, the earliest Bluetooth attack, is the sending of unsolicited messages to Bluetooth-enabled devices. Bluejacking is quite harmless and is usually limited to sending text messages, images or sounds to a targeted device. Bluesnarfing is more damaging and targets a user’s privacy – with an attacker connecting to an early-Bluetooth device, without the owner’s knowledge, and downloading their phonebook, calendar and more. Bluebugging goes further – with complete virtual takeover of the device. Once connected, an attacker can access your contacts, make calls, listen to calls, read your messages and emails and even track your location, without your knowledge.

Q: SAML OR OAUTH?

A: SAML (Security Assertion Markup Language) is usually used when a solution requires centralized identity management, involves SSO with at least one enterprise participant, or provides access to an application. OAuth (Open Authorization) is usually used when a solution provides delegated access to resources, such as accounts, files, etc., or involves mobile devices. Both technologies can be used together. For example: use SAML for authentication; once the SAML assertion is processed, exchange it for an OAuth access token (RFC 7522 defines this grant type), which is then sent as the bearer token to access protected resources over HTTP.

Q: WHAT ARE THE TYPES OF BIOMETRICS?

A: There are two main types of biometrics. Physiological biometrics relate to what we are, including specific measurements, dimensions and characteristics of our body; your face, eyes, vein pattern or fingerprint are examples of physiological biometric data. Behavioral biometrics relate to what we do, our personal habits and unique movements; your voice, gestures and walking style are examples, and the handwritten signature is the simplest one.

Q: IS IT POSSIBLE TO STOP IDENTITY THEFT?

A: It’s almost impossible to completely prevent identity theft, however it is possible to reduce the risk by following some simple tips: 1. Be aware of your privacy settings on social media. 2. Use strong and different passwords when creating online accounts. 3. Do not open suspicious emails which may be phishing for data. 4. Do not provide any information to websites which are not using an HTTPS connection. 5. Protect your PC by using a firewall, antivirus and spyware protection software, and by keeping it up to date.

 

APRIL |

 

Q: WHY USE SAML?

A: The Security Assertion Markup Language (SAML) is an open standard that represents an XML-based framework for sharing security information about identity, authentication, and authorization across different systems. SAML eliminates the need for multiple applications and services passwords by enabling a token-based authentication exchange. It solves the key challenge by enabling single sign-on (SSO) functionality. SAML saves administrative time and increases security with centralized control over authentication and access.

Q: WHAT IS PCI COMPLIANCE?

A: PCI stands for the Payment Card Industry, and is often followed by the letters DSS, which stand for Data Security Standard. PCI compliant businesses must consistently adhere to the rules defined by the PCI Security Standards Council. Some of which are: Maintain an information security policy; Monitor and maintain a secure network; Implement strong access controls; Protect sensitive information. Customers, of such businesses, should feel safe and confident that their data will be protected.

Q: WHAT IS IDENTITY THEFT?

A: Identity theft is unwanted or unauthorized access to your personal information. Once someone gets hold of your personal details, they are able to commit all sorts of crimes using them, including telecommunications fraud, money laundering, cybercrimes, and more. Criminals use seemingly harmless pieces of information, like your date of birth, to gain access to other information about you, including your address, email, place of birth, insurance numbers, and passwords. Take care to protect your data by being aware of your privacy when sharing sensitive data.

Q: WHAT IS ADVANCED ENCRYPTION STANDARD (AES)?

A: The Advanced Encryption Standard (AES) is a symmetric-key block cipher. AES is a subset of the Rijndael cipher developed by two Belgian cryptographers, Vincent Rijmen and Joan Daemen. AES has a fixed 128-bit block size and uses keys of 128, 192 or 256 bits. (The original Rijndael is more general: it allows block and key sizes of any multiple of 32 bits between 128 and 256 bits.) AES is more secure and faster than its predecessors DES and 3DES, and it has proven to be a reliable cipher over time. As with any block cipher, security in practice also depends on the mode of operation; an authenticated mode such as AES-GCM provides integrity as well as confidentiality.

 

MARCH |

 

Q: BLUETOOTH: CONVENIENCE WITH A PRICE?

A: We are using Bluetooth technology every day to connect our headphones, fitness trackers, car’s hands-free system, etc. It’s important to know about security issues associated with technology. Bluetooth sends data wirelessly where it can be intercepted by the wrong people. To protect your information, consider to set your devices to “undiscoverable” when not in use. Never accept pairing requests from unknown parties. Download and install regular security updates for your devices.

Q: IS THERE A MISTAKE IN THE WORD “PHISHING”?

A: Phishing scams mimic reputable entities like banks, online resources and legitimate, authorized organizations in an attempt to obtain sensitive information such as usernames, passwords, credit card details, etc. It’s called phishing following the long-standing hacker tradition of spelling “f” as “ph” (as in phreaking). Be careful not to fall for the tricks set up by those phishermen and prevent yourself from getting caught in the phish net.

Q: WHAT IS DIFFIE-HELLMAN KEY EXCHANGE?

A: Diffie-Hellman (DH) is a key exchange protocol whose underlying idea was independently conceptualized by Ralph Merkle. It’s named after Whitfield Diffie and Martin Hellman, the two cryptographers who published it. DH allows two parties to establish a shared secret over a public channel without having shared anything beforehand. The established shared secret can then be used to derive keys that encrypt subsequent communications. The DH exchange itself doesn’t authenticate the parties and is vulnerable to a man-in-the-middle attack, so in practice the exchanged values must be authenticated, for example by signing them with a certificate-backed key as TLS does.
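As an added worked example (written for this page; not the author’s code and not a production implementation), here is finite-field Diffie-Hellman in plain Python: both sides derive the same key from values sent in the clear, and then the same code is run with a third party swapping in her own values, which shows exactly why the unauthenticated exchange needs signatures on top. The 128-bit safe prime is generated at import time from a fixed seed and is a toy size chosen so the example runs quickly; real deployments use standardized 2048-bit or larger groups or elliptic curves. The key-derivation label is an arbitrary constant.

```python
"""Finite-field Diffie-Hellman on a toy-size safe prime, plus the man-in-the-middle it does not prevent."""
import hashlib
import random
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rng=random, rounds: int = 20) -> bool:
    """Miller-Rabin primality test with random witnesses."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int, rng) -> int:
    """Return p = 2q + 1 with both q and p prime, so the order-q subgroup has no small subgroups."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1   # force top bit and oddness
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1


class Party:
    """One side of the exchange: a private exponent and the public value derived from it."""

    def __init__(self, p: int, g: int):
        self.p, self.g, self.q = p, g, (p - 1) // 2
        self.private = secrets.randbelow(self.q - 2) + 2       # private exponent in [2, q-1]
        self.public = pow(g, self.private, p)                   # sent over the open channel

    def is_valid_public(self, value: int) -> bool:
        """Reject 0, 1, p-1 and anything outside the order-q subgroup (invalid-value attacks)."""
        return 1 < value < self.p - 1 and pow(value, self.q, self.p) == 1

    def derive(self, peer_public: int) -> bytes:
        if not self.is_valid_public(peer_public):
            raise ValueError("peer public value is not a valid subgroup element")
        shared = pow(peer_public, self.private, self.p)
        # Never use the raw group element as a key; hash it down to a fixed-size key.
        nbytes = (self.p.bit_length() + 7) // 8
        return hashlib.sha256(b"toy-dh-key|" + shared.to_bytes(nbytes, "big")).digest()


def honest_exchange(p: int, g: int):
    """Alice and Bob swap public values and both derive the same key."""
    alice, bob = Party(p, g), Party(p, g)
    return alice.derive(bob.public), bob.derive(alice.public)


def mitm_exchange(p: int, g: int):
    """Mallory substitutes her own public values in both directions. Nothing in unauthenticated DH
    lets Alice or Bob notice: each now shares a key with Mallory, who relays and reads everything."""
    alice, bob = Party(p, g), Party(p, g)
    mallory_facing_alice, mallory_facing_bob = Party(p, g), Party(p, g)
    k_alice = alice.derive(mallory_facing_alice.public)   # Alice believes this is Bob's value
    k_bob = bob.derive(mallory_facing_bob.public)         # Bob believes this is Alice's value
    k_mallory_alice = mallory_facing_alice.derive(alice.public)
    k_mallory_bob = mallory_facing_bob.derive(bob.public)
    return k_alice, k_bob, k_mallory_alice, k_mallory_bob


PARAM_RNG = random.Random(2018)   # fixed seed: reproducible *public* parameters, not secrets
P = safe_prime(128, PARAM_RNG)    # toy size; real deployments use 2048-bit+ groups or elliptic curves
G = 4                             # a square mod p, so it generates the subgroup of prime order q
```

Two details matter beyond the textbook exchange: the receiver checks that the peer’s value actually lies in the prime-order subgroup (otherwise values such as 1 or p-1 force a predictable key), and the raw shared element is hashed rather than used directly. What the example cannot do is stop `mitm_exchange`; only signing the public values with a key the other side already trusts, as a TLS server does with its certificate, closes that gap.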

Q: WHAT IS SSL HANDSHAKE?

A: Every SSL/TLS connection between a client and a server starts with a "handshake": the two sides agree on a protocol version and cipher suite, the client verifies the server's identity, and both derive the same session keys. The description usually given, and the one older versions of the protocol used, is that the server sends its public key (inside its certificate), the client generates a random symmetric key, encrypts it with that public key, and the server decrypts it with its private key. Modern TLS no longer works this way: TLS 1.3 removed that RSA key transport and TLS 1.2 deployments avoid it, because anyone who later obtains the server's private key could decrypt recorded traffic. Instead the two sides run an ephemeral Diffie-Hellman exchange to agree on the session keys, and the server proves its identity by signing the handshake with the private key matching its certificate, which the client checks against its trusted roots. Either way, once the handshake completes the client and server hold the same symmetric key and use it to encrypt and decrypt the data transfer.

 

FEBRUARY |

 

Q: IS FACE RECOGNITION TECHNOLOGY FOR AUTHENTICATION ONLY?

A: Face recognition technology is already helping in many areas of our lives, such as airport security screening, unsupervised video surveillance, and the investigation of crime scenes. Let's explore how the technology can be used to personalize marketing. It can, for example, replace a store loyalty card: when you walk into the store, the staff would know what you bought last time, offer you personal deals, and redeem your points. The store itself may tailor its offerings by analyzing facial data such as gender, age, and ethnicity. The possibilities are endless, and so are the privacy questions they raise.

Q: DOES TLS USE SYMMETRIC OR ASYMMETRIC ENCRYPTION?

A: Both. TLS uses asymmetric cryptography only while establishing the session: the server's certificate and its signature authenticate the server to the client, and an asymmetric key agreement produces the session keys. With asymmetric encryption the sender needs the receiver's public key to encrypt and the receiver needs the matching private key to decrypt, and the operations are far slower than symmetric ones. Bulk payload encryption needs speed, so once the session is established a symmetric algorithm such as AES-GCM or ChaCha20-Poly1305 protects the data, with sender and receiver sharing a single symmetric key to encrypt and decrypt.
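To make the handshake and the asymmetric/symmetric split concrete, here is an added example in Go (not code from the original page or from Echoworx) covering both the "What is SSL handshake?" and "Does TLS use symmetric or asymmetric encryption?" answers. It generates a throwaway self-signed certificate for localhost, runs a real TLS handshake between a client and a server on the loopback interface with Go's crypto/tls, and reports what was negotiated; it then repeats the handshake with a client that does not trust the certificate to show that the handshake establishes authentication, not just encryption. The certificate, the loopback address and all function names are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert makes a throwaway ECDSA certificate for "localhost" so the example
// runs without a real CA (an assumption of the example; production servers present a
// CA-issued chain). The returned pool holds that certificate as the only trusted root.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// handshake runs one complete TLS handshake between a server and a client over the
// loopback interface and returns the client's view of the negotiated session. The
// client finishes the handshake only if the server's certificate chains to roots.
func handshake(serverCert tls.Certificate, roots *x509.CertPool) (tls.ConnectionState, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()

	serverDone := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			serverDone <- err
			return
		}
		defer conn.Close()
		srv := tls.Server(conn, &tls.Config{
			Certificates: []tls.Certificate{serverCert},
			MinVersion:   tls.VersionTLS12,
		})
		serverDone <- srv.Handshake() // nil only if the client accepted the certificate
	}()

	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    roots,       // trust anchors that decide whether the server is genuine
		ServerName: "localhost", // checked against the certificate's subject alternative names
		MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		<-serverDone
		return tls.ConnectionState{}, err
	}
	defer cli.Close()
	if err := <-serverDone; err != nil {
		return tls.ConnectionState{}, err
	}
	return cli.ConnectionState(), nil
}

func main() {
	cert, roots, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	state, err := handshake(cert, roots)
	if err != nil {
		panic(err)
	}
	fmt.Printf("version=%#x suite=%s peer=%s\n", state.Version,
		tls.CipherSuiteName(state.CipherSuite), state.PeerCertificates[0].Subject.CommonName)

	// Same server, but a client with an empty trust store: the handshake fails before any
	// application data flows. This certificate check is what defeats a man-in-the-middle.
	if _, err := handshake(cert, x509.NewCertPool()); err != nil {
		fmt.Println("untrusted server rejected:", err)
	}
}
```

The negotiated suite name printed by the first run (TLS_AES_128_GCM_SHA256 or TLS_CHACHA20_POLY1305_SHA256 on a current Go) names the symmetric cipher that protects the bulk data; the asymmetric work, the ECDSA signature over the handshake and the ephemeral key agreement, is finished by the time ConnectionState is returned and never touches the payload. The second run is the case an email gateway hits when it talks to a server presenting a certificate it cannot validate: with strict TLS the delivery must stop there, and with opportunistic TLS it is exactly the point where a fallback to cleartext would occur.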

Q: “OK, GOOGLE” SHOULD I BE CONCERNED ABOUT MY PRIVACY?

A: Voice-enabled assistants such as Google Home and Amazon Echo can answer a question, give a weather report, turn up the thermostat, control the lights, or even order a pizza. This convenience comes with a price: the assistant is always listening for its wake word, and what it hears after that is sent to the vendor for processing. Consider using the "mic mute" button to turn it off when not needed. Anyone within earshot can issue commands to your device, so think twice before connecting safety-relevant IoT appliances like smart door locks, and disable payment options you are not using. Enjoy your digital home assistant, but don't make it the host.

Q: WHAT IS OBFUSCATION?

A: The purpose of obfuscation is to make something hard to understand without making it impossible. In software development it is applied to code to make tampering, reverse engineering, or theft of a product's functionality more costly. It is important to understand that obfuscation is not encryption: there is no secret key, so it is closer to encoding. It can always be reversed, with tooling or simply by a patient analyst, and it should never be relied on to protect secrets such as credentials or keys embedded in code.

Q: WHAT ARE THE FACTORS OF AUTHENTICATION?

A: There are three main categories of authentication factors:

  • Knowledge is something you know, for example a user name and password;
  • Possession is something you have, such as an access card or key fob;
  • Inherence is something you are, a biometric characteristic such as a fingerprint.

Sometimes your location is treated as a fourth factor. Multifactor authentication, which combines factors from different categories, significantly increases security but will obviously affect the user experience.

 

JANUARY |

 

Q: WHAT IS DATA ENCODING?

A: In computer technology, encoding transforms data into another format so it can be transferred to and consumed by different systems. For example, binary-to-text Base64 encoding lets a binary attachment travel through email, which was built for text. Encoding uses publicly known algorithms and is easily reversed (decoded) by anyone. Its purpose is not to keep information secret but to ensure it is transported and interpreted correctly; encoded data, Base64 included, offers no confidentiality at all.

Q: IS BIOMETRICS THE ULTIMATE AUTHENTICATION SOLUTION?

A: Biometrics is the technical term for metrics of human characteristics such as a fingerprint, voice, or iris. Many consumer products have adopted biometrics for authentication as a matter of convenience, whereas security-focused enterprise products are more cautious. The reason is that a biometric is not a secret: you leave fingerprints everywhere, your face is on camera daily, and unlike a password it cannot be changed once it has been copied. Biometrics therefore work best as a convenience layer on top of a knowledge factor such as a password or PIN, not as the sole authenticator. Can you imagine yourself wearing gloves all the time?

Q: IS FACE ID MORE SECURE THAN TOUCH ID?

A: Apple states that the chance of a random person unlocking your device with Face ID is about 1 in 1,000,000, compared with 1 in 50,000 for a matching fingerprint on Touch ID. Does this mean Face ID is 20 times more secure? By that one measure, yes, but the important thing to remember is that Face ID and Touch ID are about convenience as much as security. Both fall back to your passcode, which unlocks the device whenever biometrics fail or are disabled, so the passcode (PIN) remains the weakest point on your device. It's best to make it a strong one.

Q: WHAT THE “HEX”?

A: Hexadecimal numbers (hex, or base 16) are widely used in computing and mathematics to represent binary values. Each hexadecimal digit stands for four bits, or half a byte, and the 16 symbols 0-9 and A-F are used to write a value.

This purple color has the HTML hex code #7334A4:
73 (hex) is (7×16) + (3×1) = 115 (decimal) of red
34 (hex) is (3×16) + (4×1) = 52 (decimal) of green
A4 (hex) is (10×16) + (4×1) = 164 (decimal) of blue
In RGB space the color is rgb(115, 52, 164).

This is a very condensed version of the many security terms and acronyms in use today, but we hope it helps. Don’t stop now. Learn how you can use encryption to build trusted communications with white papers, reports, webinars, and videos.

ENCRYPTION RESOURCES

 

16 Nov 2018

Is TLS good enough for secure email?

When it comes to collecting sensitive customer data, you simply cannot afford to take any chances. Your customers trust you and you need to protect them – and their most-personal details. But, while protecting your digital perimeter is important, your organization also needs to ensure sensitive data stays secure during transit.

One way to do this is to leverage a TLS encryption solution. But what exactly is TLS? How does it work? And when is it good enough for secure email?

Here’s what you need to know about TLS:

What is TLS?

In layman's terms, TLS, short for 'Transport Layer Security', is a method of encrypting the connection between two parties communicating over the Internet: think of an encrypted tunnel. TLS can be applied to email to prevent unwanted eyes from viewing messages in transit, just as it protects data transmitted between a user and a website. Note that it protects the connection, not the message: mail is decrypted at each server it passes through, and only the hops that negotiate TLS are covered. The ease of this type of encryption makes it one of the more popular delivery methods.

When is more message security needed?

TLS is one of the simplest methods of delivering secure messages. But is it secure enough? It depends; you tell us.

Do you have access to alternative encryption methods if a TLS connection is not available? What exactly are your security needs? Are you worried about third parties, like Google via Gmail, scanning your correspondence? Are you worried about man-in-the-middle attacks, where a connection that should be secure is intercepted because the other side's certificate is not checked? These are just a few of the questions you need to address when determining whether TLS is secure enough for you.

How do you get more message security?

While regular TLS-encrypted messages do have their benefits, this delivery method doesn’t always meet every one of your customers’ needs. That’s why Echoworx OneWorld goes further, automatically offering more encryption delivery methods. OneWorld also offers flexibility within the TLS environment – with the ability to create specific policies for using TLS and branded email footers highlighting that a message was delivered securely.

Are there secure alternatives to TLS?

In instances where TLS is not desirable you need to have other options, to ensure no message goes out unencrypted or into a compromised environment. And there are a variety of other secure delivery options available, from public key encryption methods, like S/MIME and PGP, to secure web portals.

Echoworx’s OneWorld encryption platform offers all these options, as well as encrypted attachments. And, since OneWorld checks to see if TLS is available before transit, sensitive messages are never sent unencrypted.

See more secure message delivery methods.

By Christian Peel, VP Engineering, Echoworx

15 Nov 2018

The World Turned Upside Down? Digital Trust, Paradox and Encryption

Gaining a customer’s trust is a reward earned only after many years of careful branding, superb service and product quality. And a trusting customer is a loyal customer who you can count on to work with you every time – through thick and thin.

Right?

Not quite.

When it comes to gaining digital trust, traditional approaches can go topsy-turvy in a hurry. Paradoxically, unlike the delicate offline relationships you nurture so carefully, gaining digital trust is a piece of cake – an ooey gooey cake – where users are more likely to share more personal details with you than they would a person they are dating. In fact, according to Echoworx research, the average user takes just 30 seconds to assess the safety of an email before sending along their most-personal data.

Sounds sweet? It is. Maybe even too sweet – since the ease of getting customers to trust your brand online comes with a huge price tag of responsibility that is too much to chew for the digitally unprepared. And you are only one slip-up away from losing them forever – with 80 per cent of customers considering leaving your brand after a breach.

So, given that your organization invests so much money and time building your brand, why take the risk of not adequately protecting sensitive data to avoid it all crashing down? This is suddenly where pre-emptive investments in cybersecurity infrastructure start making sense – in the organizational sense.

In the past, cybersecurity was traditionally seen as a more internal issue. In layman’s terms, the mantra was, if you keep the bad guys out, the money stays in the bank. But, given today’s customer-centric view on providing digital services, and the real threats of ransomware attacks, this view has evolved into an organizational problem – a crisis of brand.

So how do you prevent losing your customers?

Easy: You protect them.

And protecting your customers is more than just building a bigger firewall. You also need to consider sensitive data which leaves your walled garden of information. While encryption is an effective way at securing your communications, clunky solutions make your messages look like spam – to the detriment of the end-user or customer and therefore defeating the point.

Secure encrypted messages should look authentic and be flexible to cater to the needs of your customer base. Branding, languages and any other organization-specific details should be customizable as to not affect user experience. This not only eliminates confusion (something scammers thrive off) but is also just good customer service.

You also need to consider offering multiple delivery methods to meet different customer needs. For example, sometimes you want to encrypt a document, not an entire message. You might look for a delivery method which allows for attachment-only encryption.

The more your encrypted messages mimic the look and feel of your regular communications, without sacrificing user experience, the more your customers trust digital interactions with you. And the more you protect them, the less likely you are to experience a devastating breach. This is how investing in data privacy is not only good for protecting your organizational infrastructure – it’s also good for your business, your brand and is just good customer service.

By Lorena Magee, VP of Marketing, Echoworx

09 Nov 2018

Are You Prepared for Canada’s Mandatory Breach Reporting Law?

With the introduction of new rules under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), saying sorry for a data breach is no longer good enough. As of November 2018, all data breaches involving Canadian data of a personal nature must be reported and affected parties must be notified.

But who does PIPEDA apply to?

PIPEDA is Canada’s federal privacy law for private-sector organizations. In a nutshell, this law applies to all personal data collected, used or disclosed in the course of commercial activity when doing business with Canada. Under the new data breach rules, if any of this personal data is leaked, a report must be filed with the Office of the Privacy Commissioner of Canada, a record of the breach must be created, and all individuals affected by the breach need to be notified that their information has been compromised.

Following Europe’s privacy protective lead

The updates to PIPEDA come on the heels of the European Union's GDPR, which took effect last May. While Canada's existing data privacy protections already satisfy current EU requirements, these additional rules offer proactive reassurance as European rules continue to harden over the next few years. They are also designed to help keep Canadian businesses competitive in Europe and to avoid massive fines.

And these new changes to PIPEDA don’t come without teeth!

In addition to brand damage and the potential for lawsuits, violations of PIPEDA now carry serious fines of up to $100,000. While not as high as the devastating multi-million-dollar fines of the GDPR, the penalties are high enough to enforce compliance.

So how do you stay compliant?

Adequate protection of sensitive personal data is easier said than done – often requiring a multi-pronged approach. In order to comply with new PIPEDA rules, you need to take proactive steps to help prevent a breach from occurring in the first place – this includes protecting data leaving your system. And encryption of sensitive data is a key indicator demonstrating that information has been adequately protected under any privacy regulation or law.

Here are 10 ways you can secure sensitive data in transit.

By Alex Loo, VP of Operations at Echoworx

09 Nov 2018

Encryption Shouldn’t Be a Cryptic Experience!

Encryption, encryption and more encryption – the security buzz word on the tip of everyone’s tongue. In an increasingly treacherous digital landscape, protecting your data with airtight algorithms seems like a logical strategy, yes?

Absolutely.

But making the decision to encrypt confidential emails that leave your secure network is about more than just encryption. The algorithms are not the differentiator when comparing secure email solutions: 2048-bit RSA, 256-bit AES and SHA-2 signatures appear in almost all modern security products.

The component of the solution that does the encryption and decryption is (most of the time at least) solid and predictable. What sits on top of that core security is the more interesting topic. Controlling which emails need encryption, the different types of delivery, the simplicity of registration, and the look and feel (known as "branding") of the emails and web site are the real differentiators of a first-class secure email solution.

As Director of Client Engagement at Echoworx, a recognized leader in secure digital communication, it is my job to help enterprise-level organizations understand how email encryption fits into their business model. And for me, this starts with helping them create a seamless end-to-end experience for their clients.

When I work with a new enterprise, a little time is always necessary to cover the basic security aspects of the platform. However, you may be surprised to learn that much more time is spent on fine-tuning the customer experience to align with the enterprise's goals and expectations. Secure email becomes an integral part of the communications strategy for the entire business. It needs to look authentic, and use phrases and terminology that match the company's web site and advertising.

Also important to consider is how varied the recipients of secure email will be: a grandmother at home with minimal computer experience who needs everything explained in detail, versus a tech-savvy millennial who expects efficiency and automation. The same secure email experience serves both, so it had better not alienate anyone!

Your clients are unique, but they all need to trust you with their most personal data, and they will leave you if you lose it. A recent Echoworx survey, for example, found a full 80 per cent of customers consider leaving a brand after a data breach. That’s no small figure.

So how do we achieve this perfect blend of secure email that is still easy to read and send?

Your employees don't want any extra steps or separate systems; if it's inconvenient, they won't use it. Your corporate network is already protected by firewalls, access controls, and the native security of your mail server, so let the encryption happen as the email is about to leave your network (commonly called the "gateway" or "boundary").

It is the recipient who has to work with the encrypted version of that email, and the best way to keep them happy is to send it in a format they understand. A business partner's mail server may be reached over TLS, which is transparent to the recipient; a customer receiving a monthly statement should get a secure PDF attachment; a European bank may demand PGP-encrypted mail because its employees run PGP software on their desktops. The secure email platform should work this out from policies you define during the initial customization of the service.

If you’re doing business internationally, you also want to be aware of local jurisdictional laws and regulations. In our post-GDPR world, you know where and how you store your clients’ data matters. But don’t forget to consider how your communications will reach people in many non-English speaking countries.  Here’s another example of that usability layer that lives above the actual encryption.

You want your clients to feel at home with you and comfortable sending sensitive information through encrypted channels. A confused customer is likely to second guess the validity of a secure message and may be more susceptible to scams. Investing in data privacy is not only good for your brand – it’s good customer service.

When done right, it’s “plain and simple!”

By Sarah Happé, Director of Client Engagement, Echoworx