21 Mar 2018

Echoworx Expands Encryption Business to Underserved Asia-Pacific Region

Cloud Security Expo, London (UK) – Email encryption provider Echoworx continues to expand its operations around the globe, with the Asia-Pacific countries (APAC) the latest region to benefit from Echoworx’s OneWorld secure communication platform.

With data centres in Mexico, the UK, Canada, the United States and Ireland, and one in Australia coming this spring, OneWorld offers organizations around the world a single, flexible, easy-to-use encryption solution that can be integrated into their existing infrastructure. To learn how Echoworx is emerging as a global leader in email security, stop by Booth S2715 at the Cloud Security Expo from March 21-22 at the ExCel Centre in London, England.

There is an urgent need for data security solutions in APAC. A new study from Marsh & McLennan Companies found that the Asia-Pacific region has the worst cyber security in the world. Most breaches are never made public and discovery time on average was 520 days; the global average is just 146 days.

Echoworx President and CEO Michael Ginsberg says companies in more countries are recognizing the importance of encryption and security in thwarting cyberattacks and data breaches, and APAC is an underserved market.

“We moved into Mexico to serve Latin America and are one of the few encryption companies in that market,” says Ginsberg. “We have a first-mover advantage there and would like to parlay that stance in APAC, starting in Australia.”

Organizations using Echoworx advanced solutions reap the benefits of being able to communicate with customers and partners quickly and securely. Large institutions, such as those in the financial sector, have new and improved ways to engage customers and increase market share by offering secured services like e-statements.

Echoworx can address another growing concern among clients in various parts of the world: that their data is stored in their jurisdiction and not in another country or region.

“Different areas have different maturities and different concerns, such as where is their data being housed,” says Ginsberg. “Jurisdictional awareness is a big security purchasing decision when it comes to countries’ data.”

Ginsberg says Australia will be the launching point for Echoworx’s operations in APAC, with plans to have a data centre operating by mid-May, with Indonesia or Japan next on the agenda.

“With the advent of Cloud management, we have the capability to be up in a jurisdiction in a very short time and in an economical fashion,” says Ginsberg. “By utilizing Cloud services, we are no longer restricted by physical resources or IT intensive infrastructure maintenance, enabling us to be 100 per cent focused on how we can help our customers communicate better with the outside world in a secure fashion.”

The European Union (EU) is another area that will benefit from the Echoworx OneWorld platform. Encryption is a logical solution for companies in the EU: while it’s not mandatory or the only solution, the GDPR encourages its use as a best practice to protect sensitive information from breaches. To learn how your organization can better protect its important data from attacks, stop by booth #S2715, grab a latte, and sit in on one of our presentations.

Don’t miss the Echoworx session, 10 Ways to Leverage Encryption by Taking a Customer-First Approach, in the Get GDPR Ready! Risk, Compliance Theatre on March 21, 2019 from 13:20 to 13:45 with Steve Davis, Solutions Architect.

With many areas around the world needing to step up information security as more organizations are realizing the importance of protecting their data, Echoworx intends to leverage its expertise in communication security.

“For our company, these types of opportunities will allow us to be truly global,” says Ginsberg.


About Echoworx

Echoworx is a trusted path to secure communications. As a pure-play encryption solutions provider, Echoworx works with finance, government, healthcare, legal, and compliance professionals to tailor secure communication solutions that don’t impede on customer experience. Our scalable encryption platform, OneWorld, can address multiple uses across an organization. Our encryption experts take pride in transforming chaos into order for leading multi-national enterprises using our SaaS encryption platform. Visit us at Echoworx.com

Media Contact

Lorena Magee, VP Marketing
416 226-8600

07 Mar 2018
Encryption, helping address GDPR compliance


As of May 25, 2018, all companies dealing with personal data in the European Union (EU) must be employing a high level of security to safeguard EU citizens’ information. Under the General Data Protection Regulation (GDPR), companies that aren’t taking adequate measures in protecting the data of those residing in the 28 EU countries (prior to Brexit) face fines of up to 20 million euros ($21.9 million) or 4 percent of a company’s global annual revenue. Regulatory authorities will have greater powers to act against businesses that don’t comply.

GDPR sets the baseline
David Broad, Information Security and Audit Lead for Echoworx, says the GDPR sets the baseline for how companies must protect their own information and that of their clients. The baseline security practices must also be consistent with any third-party service the company uses (such as Amazon), even if the company is located outside the EU. Regulations across the EU “used to be a fairly wide patchwork,” says Broad, and the GDPR will harmonize those rules. The EU has always had stringent regulations, but there were significant problems if a company was doing business in multiple countries, as rules could differ in each.

“It was seen by many as a disadvantage, and an impediment to business,” says Broad. “Now, there will be one standard everyone understands and knows.”

A logical solution
Encryption is a logical solution for these companies and while it’s not mandatory or the only solution, the GDPR encourages its use as a best practice to protect sensitive information from breaches. Increasingly, encryption is viewed as the go-to method to protect communications in transit and to safeguard stored information, according to Jacob Ginsberg, Senior Director with Echoworx.

Ginsberg says companies are recognizing the importance of encryption and security in thwarting cyberattacks and data breaches and utilizing it. The GDPR encourages the idea of security and privacy by design from the early stages of development, he says. Those two aspects – privacy and security – were not always working in conjunction with each other and the GDPR will help to align them. Encryption can play a role in aligning these aspects.

The importance of encryption
Protecting information in transit – whether through email or large file exchange – can be a challenge for some organizations, as they may not control the network or the email server, and the server may not even be in the EU, says Broad.

“You can’t just send customer data over a network you don’t have control of,” he says. An organization may use some form of encryption for data in transit, or opt not to send encrypted data by email. Instead, it could send a benign message to a client telling the client to log in to the company portal to retrieve the pertinent information.

Not every company wants to build a portal due to the heavy investment in technology required, or because they may not need it all the time. For example, some companies may only need a portal for a short time each year – such as to receive annual tax documents.

Just as Amazon provides e-commerce solutions for sellers who don’t want to deal with logistics, payments, hardware and data storage, encryption providers such as Echoworx can help companies comply with the GDPR by providing encryption solutions and services to help customers protect important data.

Let’s connect
I, along with my colleagues, will be at Cloud Security Expo at the ExCeL Centre in London, England this month. If you plan to be in town, you’ll find the Echoworx team in booth #S2715. We will be presenting real use cases of how organizations are gaining value by integrating encryption into their business processes, while securing communications. Stop by, join us for a latte!

By Christian Peel, VP Customer Engineering, Echoworx

01 Mar 2018
Security 101

Security 101: A 2018 Thesaurus for InfoSec

There is much emphasis being given to information security in today’s digitally connected ecosystem, and it truly is the need of the hour – below you can find answers to some of the most pertinent topics in information security.

Slava Ivanov, Distinguished Software Engineer at Echoworx, draws on years of progressive experience in delivering security solutions to business challenges, coupled with strong knowledge of software development cycles, and is committed to developing a 2018 Thesaurus for information security.





A: Phishing scams mimic reputable entities like banks, online resources, and legitimate and authorized organizations in an attempt to obtain sensitive information such as usernames, passwords, credit card details, etc. It’s called Phishing due to a long-time hacker tradition of using “PH” instead of “F”. Be careful not to fall for the tricks set up by those Phishermen and prevent yourself from getting caught in the Phish net.


A: Diffie-Hellman (DH) is a key exchange protocol originally conceptualized by Ralph Merkle. It’s named after Whitfield Diffie and Martin Hellman – two cryptographers. DH allows two parties to securely exchange cryptographic keys over a public channel without having anything shared beforehand. The established shared secret key can then be used to encrypt subsequent communications. The DH exchange itself doesn’t provide authentication of the parties and could be vulnerable to a man-in-the-middle attack. Variants of DH with authentication should be considered.
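
The exchange described above, as an added Python example that is not part of the original post: both sides derive the same key, and comparing a fingerprint of the exchanged public values over a separate trusted channel exposes a substituted value, which is one simple way to add the authentication plain DH lacks. The toy 127-bit group, the function names and the optional fixed exponents are assumptions made for illustration.

```python
import hashlib
import secrets

# Assumption: toy parameters for illustration only. P is the Mersenne prime
# 2**127 - 1, far too small for real use; production systems use standardized
# groups of 2048 bits or more, or elliptic-curve Diffie-Hellman.
P = 2**127 - 1
G = 3
WIDTH = 16  # bytes needed to hold any value below P


def keypair(priv=None):
    """Return (private exponent, public value G**priv mod P)."""
    if priv is None:
        priv = secrets.randbelow(P - 3) + 2  # uniform in 2 .. P-2
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Derive a symmetric key from our private exponent and the peer's public value."""
    # Reject degenerate values (0, 1, P-1) that would force a predictable secret.
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public value out of range")
    secret = pow(peer_pub, priv, P)
    # Hash the raw group element so the key is a fixed-length byte string.
    return hashlib.sha256(secret.to_bytes(WIDTH, "big")).digest()


def fingerprint(initiator_pub, responder_pub):
    """Short digest of the public values one party believes were exchanged.

    Both users read it out over a channel they already trust (in person,
    by phone). Equal fingerprints mean both ends saw the same public values.
    """
    transcript = initiator_pub.to_bytes(WIDTH, "big") + responder_pub.to_bytes(WIDTH, "big")
    return hashlib.sha256(transcript).hexdigest()[:16]


def exchange(a_priv=None, b_priv=None, injected_priv=None):
    """Simulate one exchange between an initiator (A) and a responder (B).

    If injected_priv is given, the public values are replaced in transit by a
    third party's value, modelling the unauthenticated channel the text warns
    about. Returns what a comparison of keys and fingerprints would show.
    """
    a_priv, a_pub = keypair(a_priv)
    b_priv, b_pub = keypair(b_priv)

    # What each side actually receives from the network.
    received_by_a, received_by_b = b_pub, a_pub
    if injected_priv is not None:
        _, injected_pub = keypair(injected_priv)
        received_by_a = received_by_b = injected_pub

    key_a = shared_key(a_priv, received_by_a)
    key_b = shared_key(b_priv, received_by_b)

    # Each side fingerprints its own view: (initiator value, responder value).
    fp_a = fingerprint(a_pub, received_by_a)
    fp_b = fingerprint(received_by_b, b_pub)

    return {
        "keys_match": key_a == key_b,
        "fingerprints_match": fp_a == fp_b,
        "fingerprint_a": fp_a,
        "fingerprint_b": fp_b,
    }


if __name__ == "__main__":
    print("clean channel:   ", exchange())
    print("tampered channel:", exchange(injected_priv=secrets.randbelow(P - 3) + 2))
```

The parties never learn from the protocol alone that a value was replaced; only the out-of-band fingerprint comparison (or, in deployed protocols, a signature or certificate over the public values) reveals it.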


A: An SSL/TLS connection between a client and a server starts with a “handshake.” This includes a few steps – starting with validating the identity of the other party and concluding with the generation of a common Session key. First, the server sends a Public key to the client to be used for encryption; the client generates a Symmetric key, encrypts it and sends it back; then the server decrypts this Session key using its Private key. Now the server and the client are ready to use this Symmetric key to encrypt and decrypt the transfer of data.





A: Face recognition technology is already helping in many areas of our lives, such as airport security screening, friendly unsupervised video surveillance, investigation of crime scenes, etc. Let’s explore how the technology can be used to personalize marketing approaches. It can, for example, replace a store loyalty card. When you walk into the store, the staff would know what you bought the last time, provide you with personal offers, and redeem your points. The store itself may tailor your offerings by analyzing facial data, such as gender, age, and ethnicity. The possibilities are endless.


A: Both. TLS uses an asymmetric encryption algorithm only to establish a secure client-server session. For asymmetric encryption, the sender needs a Public key to encrypt data and the receiver needs a Private key to decrypt it. The bulk payload encryption requires speed, so a symmetric encryption algorithm is used to exchange information over an established secured session. For symmetric encryption, both sender and receiver share a single Symmetric key to encrypt and decrypt data.


A: Voice-enabled assistants, like Google Home, Amazon Echo, etc., can answer your question, provide a weather report, turn up the thermostat, control the lights, or even order a pizza. This convenience comes with a price. The assistant is always listening. Consider using the “mic mute” button to turn it off when not needed. Anyone can control your device. Consider not connecting some IoT appliances like smart door locks; disable payment options not being used. Enjoy your digital home assistant, but don’t make it the host.


A: The purpose of obfuscation is to prevent someone from understanding the meaning of something. In software development, it’s often used on the computer code to make tampering, reverse engineering, or theft of a product’s functionality more difficult. It’s important to understand that obfuscation is not like encryption, but rather like encoding. It can be reversed by using the same technique or simply as a manual process that just takes time.


A: There are three main categories of Authentication:

  • Knowledge is something you know, for example simple user name and password;
  • Possession is something you have, it may be your access card or keyfob;
  • Inherence is something you are, your biometric characteristic, like fingerprint.

Sometimes, your location is considered a 4th factor. Multifactor Authentication significantly increases security but will obviously impact user experience.





A: In computer technology, encoding transforms original data into another format so it can be transferred and consumed by different systems. For example, binary-to-text Base64 encoding is used to send binary files over email. Encoding uses publicly available algorithms and can be easily reversed (decoded). The main purpose of encoding is not to keep information secret, but to ensure it’s safely and properly consumed.


A: Biometrics is the technical term for metrics related to human characteristics, like your fingerprint, voice, eye iris, etc. Many consumer products have adopted biometrics for authentication as a matter of user convenience, while enterprise grade products are opting-out to ensure maximum information security. The main authentication factor is knowledge, such as a password or PIN. Biometric data was never designed to be the secret. Can you imagine yourself wearing gloves all the time?


A: Apple claims there is a 1 in a million chance someone can unlock your device using Face ID compared to a 1 in 50000 chance of someone having the same fingerprint as you. Does this mean the security of Face ID is 20 times higher? The important thing to remember is that Face ID and Touch ID are more about convenience and design than security. Your password (PIN) will always remain the biggest point of weakness on your device. So, it’s best to make it a strong one.


A: Hexadecimal numbers (hex or base-16) are widely used in computing and math as a representation of binary values. Each hexadecimal digit represents four bits or half a byte. Sixteen unique symbols, 0-9 and A-F, are used to represent a value.

This purple color has HTML hex number #7334A4
#73(hex) is (7×16) + (3×1) = 115 (decimal) of red
#34(hex) is (3×16) + (4×1) = 52 (decimal) of green
#A4(hex) is (10×16) + (4×1) = 164 (decimal) of blue
In RGB space our color will be rgb (115, 52, 164)

This is a very condensed version of the many security terms and acronyms in use today, but we hope it helps. Don’t stop now. Learn how you can use encryption to build trusted communications with white papers, reports, webinars, and videos.



26 Feb 2018

Is there a certainty to security?

The choice between Protection + Prevention vs Detection + Response is an illusion. As security practitioners, we all learnt that defence in depth was key. Yet we focused too much on defence as just a wall or line that would protect us. This type of thinking has been proven to be insufficient time and time again.

First, we put up firewalls and thought we were safe. Then we realized we need IDSes and eventually IPSes. SIEMs and other tools were next. These fulfil parts of the equation, but not all of them.  Once your defences are static and do not evolve based on feedback of what is actually happening, then they can be worked around. Aligning to only one of Protection + Prevention or Detection + Response will leave gaps.

If modern threats have taught us anything it is that no one solution is going to solve all the problems.  We need blended approaches that implement tools to protect our perimeters, but also other tools and systems that can detect anomalous traffic and tune networks on the fly to respond.

No significant Information Security standard – be it ISO 27001, the NIST Cyber Security Framework, Webtrust, or others – stops at simply doing one aspect of security. The key is to keep them balanced and all fed with tools, resources and funding to enhance capabilities across the board.

Many companies think that once they have a few tools deployed to control their perimeter they are done.  But how effective are these tools that they have deployed?  Just because the tools don’t detect anything doesn’t mean that there is nothing there.   For each tool that is deployed, businesses should think of how they will measure its effectiveness.

  • What did traffic look like before it was deployed?
  • What does it look like after?
  • What would it look like if it wasn’t working?
  • What could it be missing?

Understanding the limitations of tools that are deployed is key to understanding what else you should be monitoring for and being able to feed this into your Risk Management processes to forecast the next tools that you should be deploying. Reacting after an attack is too late. The damage is done.

It’s not a question of Protection + Prevention or Detection + Response, it’s more of a question of Protection + Prevention + Detection + Response. The hope would be that if you are monitoring your current tools, then you will detect gaps before they are an issue and the Response will then be a planned upgrade or deployment as opposed to an incident investigation.

 By David Broad, Information Security and Audit Lead, Echoworx

25 Jan 2018

How bad is bad? Mexico’s threat landscape

Mexico is one of the fastest growing economies in the world, focused on employing technology to spur businesses forward. But this dependency on technology comes with a dark side – businesses are significantly more vulnerable to cyber threats and data breaches.

Mexico has been attracting the attention of malicious cyber threat actors. The attraction is largely thanks to its growing regional and global geo-strategic significance, coupled with the nation’s increasing economic and financial wealth.

According to recent studies, Mexican organizations are facing similar threats to those operating in the world’s most developed economies. Mexico ranks second in Latin America – just behind Brazil – for the most cyberattacks, with the banking, retail, and telecommunications sectors targeted most.

Serious time of reckoning

The occurrence of cybercriminal activity in Mexico, the diversity of financial institutions, and the sector’s growing capital value are all targeting factors. Criminal groups, clearly capable, besieged the Mexican financial sector by compromising ATMs and defrauding bank customers on a significant scale. Less sophisticated attacks, such as the use of banking Trojans, ransomware, and POS malware, are widespread and pose a significant threat.

Key vulnerabilities observed in Mexico’s cyber landscape are a lack of a cybersecurity culture, old-fashioned system configurations, and obsolete versions of software applications. The right to privacy along with protection of personal information for both individuals and corporations is an extremely relevant issue for international organizations and the public sector. If cybersecurity is not strengthened, more businesses in Mexico will become exposed.

If Mexico wants to be a pioneer of data rights, the new infrastructure must effectively adapt to changes in the way information is transmitted around the world and they must comply not just with national and regional directives, but with international protection of information practices.

The question arises

Is your business at crossroads? Shoulder the costs of increasing defenses or become increasingly susceptible to the risk of attacks!

A sound choice would be to migrate towards a proactive model that incorporates security checkpoints, as opposed to a reactive model. Having the right security measures in place could prove to be a differentiator in edging out competitors.

A positive drift

According to PwC Mexico, “91% of Mexican companies have prioritized cybersecurity in their organizations and Mexico is the country with the most investment in cybersecurity in Latin America.” The financial sector has led the way in this area, followed by telecommunications, both of which are Mexico’s most globalized economic sectors.

Here is where the Government of Mexico should work closely with private firms. Furthering research on the issue of data protection would be mutually beneficial, keeping the focus on creating a sustainable and securely growing economy.

Echoworx has responded to Mexico’s data security demands by setting up our advanced encryption platform OneWorld within a local data center near Mexico City. This expansion has been fueled by the increasing demand from multinational enterprises operating in Mexico to process and protect their sensitive information locally.

With our agile email encryption platform, it’s easier than ever for organizations to be compliant, maintain brand reputation, build customer trust, and gain a competitive edge – while maximizing the protection of their confidential communications, intellectual property, and other sensitive data.

Mexico is touted to be among the global leaders in digital transactions, and with security being of paramount concern, safeguarding communications must be a top priority. As a leader in email encryption, Echoworx is focused on strengthening cybersecurity by collaborating with various equally passionate stakeholders to safeguard the collaboration and communication of sensitive information throughout Mexico.

By Christian Peel, VP Customer Engineering, Echoworx

23 Jan 2018

Echoworx forges partnership with Moneta Technologies

Fortifying relations in Mexico

TORONTO, ONTARIO — It’s a New Year and with it comes new opportunities. Echoworx is delighted to announce its new strategic partnership in Mexico with Moneta Technologies. It was only last year that email encryption provider Echoworx opened a local data center near Mexico City, catering to Mexico’s demand for in-country data security, offering its advanced encryption platform OneWorld.

Moneta Technologies is a technology solutions company with expertise in electronic payments, focused on technology infrastructure development for banking and financial services, retail, and telecommunications.

Commenting on the partnership with Echoworx, Juan Pablo González, Managing Director at Moneta Technologies said, “These are very interesting times in Mexico’s vibrant economy and this alliance will help us serve as a trusted partner to our clients by providing best in class information and communication technologies that enable their growth and economic progress. Echoworx’s encryption solutions will help our clients to safeguard their customers’ sensitive information against theft and other data privacy attacks that favor targeting email.”

“Mexico ranks as the second country in Latin America with the most cyberattacks, behind Brazil, with many large organizations suffering from outdated and incompatible encryption capabilities. Stricter data security regulations continue to be put in place, such as the EU’s General Data Protection Regulation and Mexico’s General Law for the Protection of Personal Data, that will further impact organizations’ data protection and information practices. Our timing in engaging with Mexico could not be better,” echoed Randy Lenaghan, VP Sales at Echoworx. “Our email encryption platform is designed to address the diverse information and communication requirements within the banking and financial services industry and to effectively adapt to the changes.”

Mexico is touted to be among the global leaders in digital transactions, and with security being of paramount concern it is pertinent that a sustainable infrastructure is in place to safeguard every customer’s interest. This partnership reaffirms Echoworx’s commitment to Mexico and its focus in strengthening cybersecurity by collaborating to safeguard sensitive information.

About Echoworx

Echoworx brings simplicity and scalability to encryption. OneWorld, our flagship solution, is the first smart messaging encryption platform that makes secure messaging easy and cost effective – designed to adapt to any environment and all forms of encryption. Our passionate encryption experts transform chaos into order for world leading enterprises and OEM providers who understand the requirement for secure communication is of the utmost importance. Visit us at https://www.echoworx.com/

About Moneta Technologies

Moneta Technologies is the expert company in electronic methods of payment, dedicated to the development of technological infrastructure projects for financial institutions, retail, and telecommunications operators, among others, to accept and process electronic payments safely and without setbacks.

Media Contact:

Lorena Magee
VP Marketing

05 Jan 2018

Spectre and Meltdown attacks, think the sky is falling?

Like most companies, Echoworx is aware of the recently announced vulnerabilities impacting most modern microprocessors.  We wanted to take a minute to provide the following guidance on the Spectre and Meltdown attacks to ensure awareness of the issues and to inform you on the steps that Echoworx is taking to address them.

What are these attacks?

Spectre is actually two different vulnerabilities, and Meltdown is one.  Both of these attacks exploit features of ‘modern’ microprocessors called ‘speculative execution’.   Speculative Execution is a technique of prefetching data and pre-executing instructions in case they are needed.   Basically if they are not needed, there are still remnants of the data in memory which can be read by other processes.

The Meltdown attack is the worse of the two in that it can reveal all of the computer’s memory, not just a few bits and pieces of it.  Meltdown is also easier to exploit.  Fortunately, Meltdown is also easier to patch against.  Spectre, on the other hand, is harder to exploit and reveals less, but is harder to address through patches.  There are patches out for specific known exploits.

What is affected by these attacks?

“Modern” isn’t so modern… at least not in computer terms.   Basically any Intel processor built since about 1995 would be impacted.  Intel, AMD, ARM processors and others are also impacted to varying extents.  There are some reports that certain processors are not exposed to all of the vulnerabilities, but it is unclear if this is proven to be so, or just hasn’t been accomplished yet. It would be best to err on the side of caution.

What should you as an individual do on your personal devices?

You should always keep up to date with patches, and this case is no different.   There are patches for Linux, Microsoft (Windows, Edge, IE), Apple (MacOS, iOS, tvOS, Safari), Android, Firefox, Chrome, and likely many other applications.  Applying these will help to protect you.

You should also make sure that your Anti-Virus/Internet Security software is up to date.   Microsoft has announced that their fixes might have compatibility issues with some anti-virus software.   The patch for Windows will not install if you have an outdated AV or one that is incompatible.  I would update the AV software first, and then apply the MS patch.

Be aware that some of the fixes to this issue could cause a performance impact.  There are some pretty wild estimates of how bad of an impact there could be, but the vendors I have seen have so far reported minimal impacts.  For example, Apple reports a maximum of 2.5% against 1 benchmark for these fixes.

By David Broad CISSP, Information Security and Audit Lead, Echoworx

23 Nov 2017

Trust Me: Be the Good Bank

Hey banks, millennials have trust issues. Yup, these sophisticated, well-travelled, highly educated people have conflicted relationships with personal information.

A new OnePoll survey commissioned by Echoworx revealed that millennials are more careful with romantic partners than they are with financial institutions. Almost 50 percent of respondents age 18 to 35 would not give a partner their home address until after at least five dates. Yet, 56 percent had shared sensitive information by email with their bankers and brokers, not realizing that email can be easily hacked and sifted to steal identities and key information. And not to put too fine a point on it, but less than 60 percent of the surveyed millennials could accurately define “encryption.”

All of your customers expect you to treat them well, so your ability to make them trust you lies in how well you do it. And a big part of that is having strong cybersecurity so they don’t have to worry about having their data lost or stolen.

Information culture shift

Millennials’ contradictions around personal information make sense when you think about how human interactions have changed. Today, dating isn’t only about meeting someone through hobbies, work or friends – you can do it through apps, too. But with apps, the community relationships aren’t there, so millennials are naturally careful about revealing their home addresses. On the other hand, they’re so used to the continued refinement of tech, especially in business, that they trust it to work for them.

People born in the 1980s and ‘90s grew up as handheld devices morphed into the multimedia portals that they are now. They take digital convenience for granted in the same way they take their own hands and feet for granted, and because of that, they don’t have their parents’ suspicion of devices and software. But they also don’t have the media-savviness of the generation following them, who started learning about privacy and internet safety as early as grade school.

The good, the bad and the non-committal

Millennials expect financial institutions to integrate their processes seamlessly into mobile, and that’s created a classic battle between good and evil.

On the evil side, there are people doing whatever they can to steal information. On the good side are businesses who use the highest security protocols in all their communications. But between good and evil, you’ll find others who are simply hoping they won’t get burned when things go wrong.

Millennials are now your primary workforce and client base, and the bad side will exploit every opportunity you leave open. All workplace communications are targets, so strong encryption is critical for front-lines, back-end and all internal media tools.

Business relationships, like romantic relationships, thrive on trust, and it’s much harder to rebuild than it is to behave responsibly from the get-go. Be the good side – secure communications, encrypt everything at the highest level, and don’t ever ask for info through unsecured email or apps.

And visit our Getting Personal portal to learn more about the risks and opportunities of sharing sensitive information.

15 Nov 2017

Indecent Exposure and Robotic Hacking

Would you send a naked selfie by email? A lot of us would say ‘no’, because we’re well aware of what could go wrong. What if the person you send the message to accidentally (or deliberately) shares it with someone else? What if your email account or theirs gets hacked? We’ve seen too many public figures humiliated when their private emails have been exposed.

But even if we won’t share certain photos, many of us will ignore 21st-century common sense and share other extremely personal information by email, just because a bank, broker or other service provider asks us to. Darn it, if they tell us to do this, it must be okay – right?

People, your gut fears are correct.

In a new OnePoll survey commissioned by Echoworx, 45 percent of millennials had been asked to send sensitive information by email to their banks, and 85 percent of millennials reported that they’d been specifically asked for their social security numbers by email. Almost 60 percent questioned whether using email to send this info was a good idea, and 55 percent have either had their personal information stolen, or suspected that it had been.

Yet they still shared these personal details by unsecured email. And by the way, less than 60 percent could accurately define the word, “encryption”, which is the process of converting information into code so the wrong people don’t see it.

Robotic hackers are real.

More than five million personal records are lost or stolen every day because they are not properly stored or encrypted. And when you’re transferring info from your wallet to your bank, you could increase the likelihood that you become a victim, especially if you use email.

Most email services can be easily hacked. This isn’t because some evil genius is after you, specifically; it’s because any number of bottom-dwellers are creating bots (robot software with malicious code) that go after everyone simultaneously. Those bots have databases behind them that include every password that’s ever been hacked, plus dictionaries and languages and other sources of text that people might use for passwords and logins. The bots spin rapidly through combinations of passwords and logins until they break into your account, and then they sift it for personal information.

Really, it’s almost that easy.

How to play safely

While financial companies can’t control your email, they can control their own processes, interfaces, servers and encryption. In fact, there are a slew of regulations throughout the world telling companies they must do it or face consequences. For example, a regulation known as the GDPR applies to everyone doing business in Europe (e.g., most of the big US financial companies), with fines of 20 million euros for not protecting customer data. Yet it seems that some of our trusted institutions would rather risk the fallout than proactively create secure interfaces, so we could still send and receive personal information by email.

So, what can you do to protect yourself? Start by refusing to exchange private info by unsecured email. Ask what your institution does to protect your sensitive email communications, and think twice about the ones that don’t have clear policies and practices in place. And visit our Getting Personal portal to learn more about the risks and opportunities of sharing sensitive information.

By Alex Loo, VP Operations, Echoworx

05 Oct 2017

People More Willing to Share Data Online Than with New Dating Partners

 New study from the information encryption experts at Echoworx

TORONTO, ONTARIO – People are more willing to divulge their personal data in an email than they are to share that same information with potential dating partners, according to a new study from the information encryption experts at Echoworx.

The study, commissioned by Echoworx and conducted by market research company OnePoll in August 2017, surveyed 2,000 adults from across the United States. It found that while most people won’t reveal personal details, including their full names, to a potential partner until after an average of two and a half dates, they will readily provide sensitive information online.

“It’s interesting that those surveyed were more willing to send personal information across the web than to divulge facts to a person they are getting to know. It reveals that people are not aware of the risks they are taking in case of a breach,” says Sam Elsharif, VP Software at Echoworx.

Most Americans take just 20 seconds to decide whether an email in their inbox is safe, 28 seconds to determine if it’s safe to enter personal data into an online forum and 31 seconds to decide whether a website is safe to make a credit card purchase from, the study found. Yet when it comes to dating, most aren’t comfortable disclosing their home address until after an average of four dates and it takes six and a half dates before they’ll discuss salary. One in three say they wouldn’t feel comfortable about talking salary after any amount of dates.

They don’t have the same hesitation when it comes to divulging personal details of their lives online. Three-quarters of survey respondents admitted they have shared sensitive or personal data electronically and on average, they share three pieces of personal information by email each week. Thirty-eight per cent have sent information online to a healthcare provider, 35 per cent to a bank and 25 per cent to a government official.

Even though they may regularly share personal data online, most survey respondents question if it’s safe to do so and more than a quarter of them are unsure what encryption is, despite it being an important security measure.

“When it comes to sensitive personal data, like your social security number and banking details being shared online, it’s important to be cautious and verify the privacy policies, real needs, and legitimacy of the companies requiring it,” says Sam Elsharif of Echoworx.

Surprisingly, five per cent of survey participants say they feel comfortable disclosing their social security number with a possible partner after just one date – unfortunately encryption can’t help with that type of personal disclosure.


About Echoworx
Echoworx is a trusted path to secure communications. OneWorld, our flagship solution, is the first smart messaging encryption platform that makes secure messaging easy and cost effective – designed to adapt to any environment and all forms of encryption. Our passionate encryption experts transform chaos into order for world leading enterprises and OEM providers who understand the requirement for secure communication is of the utmost importance. Visit us at www.echoworx.com

Media Contact:

Lorena Magee
VP Marketing

04 Oct 2017

Is Your Company Practicing Safe … Relationships?

Thank you to all the media who helped us spread the important message of practicing safe communications! They didn’t have to. They had a choice of hundreds to cover but they chose our story. When Trust Matters – Security is Critical.

Getting Personal: In the News

Media Post | Oct 5, 2017 |
People Are More Likely To Share Info In Emails Than On Dates: Study

LittleThings | Oct 3, 2017 |
Study Shows That Americans Trust Computers With Personal Information More Than New People

MensHealth | Sept 28, 2017 | 
You Probably Trust Your Computer Way More Than You Trust Your Girlfriend

EBL News | Sept 28, 2017 | 
We trust the internet more than new lovers

Yahoo News | Sept 27, 2017 |
We Reveal More On Social Media Than On A Date

USA Today | Sept 27, 2017 |
We trust the internet more than new lovers

New York Post | Sept 26, 2017 |
Americans trust the internet more than new lovers

MSN | Sept 26, 2017 |
Americans trust the internet more than new lovers

InfoSecurity | Nov 28, 2016 |
What Role Does Privacy Play in Your Digital Transformation Strategy?

04 Oct 2017

Getting Personal: Trust, New Lovers and the Internet

You’re a single woman on your first date with a new guy. The conversation is flowing, he’s laughing at your jokes – but you don’t feel comfortable sharing your full name yet or revealing exactly where you live.

Yet you may have readily shared personal information in an online form or in an email, with a cyberspace entity you don’t know.

A new survey, commissioned by Echoworx and conducted by market research company OnePoll, found that while most people won’t reveal personal details to a potential partner until after an average of two and a half dates, they are much more willing to provide sensitive information online. The study, conducted in August 2017, surveyed 2,000 adults from across the United States.


Does it surprise you to learn that many people are more willing to provide personal details online than to share them with someone they are getting to know?

If you’re like most of the Americans in the survey, you take just 20 seconds to decide whether an email in your inbox is safe. You take 28 seconds to determine if it’s safe to enter your personal data into an online form. If an item on an online shopping site catches your interest, you take 31 seconds to decide whether the website is safe to make a credit card purchase from. Yet you likely won’t give your home address to a potential dating partner until after an average of four dates and you won’t discuss your salary until after six and a half dates. You might be among the one in three who doesn’t feel comfortable talking about your pay cheque after any amount of dates.

Have you shared sensitive or personal data while filling out an online form or in an email?
You’re not alone. Three-quarters of survey respondents admitted they have shared personal info while filling in an online form and on average they share three pieces of personal information by email each week.

You may have sent information online to a healthcare provider, a bank or a government official. But if you’re like most people, you say an online shopping purchase – perhaps those fabulous Manolo Blahniks – was the main reason you shared your data online. Other reasons include applying for a job or applying for a mortgage or insurance.

If you have shared your info online, you may have questioned how safe it was. Thirty per cent of the survey respondents feel uneasy about giving out information online. Have you sent an email you later regretted sending? So have 40 per cent of those surveyed.

You may have had your personal information stolen (24 per cent say so) or suspect it has been (22 per cent) or had your computer hacked, like one in five Americans. You may not know what encryption means, even though it’s a powerful tool for protecting your sensitive data.

Now back to that first date. If the romance continues, you’ll share your address, birth date, medical history and other personal details with this potential partner but you’ll be cautious and take your time.

When it comes to info such as your social security number and banking details, maybe it’s best to exercise the same caution before divulging your data online.

Before you leave, make sure to visit our Getting Personal portal to learn more about the risks and opportunities associated with sharing sensitive information.


14 Sep 2017

GDPR: Reduce your risk, protect your customers

You’ve met the GDPR, but you could still be breached, and the fines are massive. How can you minimize the risk?

By May 25, 2018, companies doing business with EU residents must meet General Data Protection Regulation (GDPR) standards or risk fines as high as 20 million euros or 4 percent of their annual worldwide profits. But even if your company meets the Regulation, hackers will keep trying to get at your data, and if they’re successful, you could face class-action lawsuits and the destruction of hard-won consumer trust.

And you could still face GDPR fines.

The news is full of good reasons for consumer distrust, such as the 2017 Equifax breach when 143 million records were stolen, including social security numbers linked to them. But if you can show that you have taken every possible step to protect the people who rely on you, the courts and your customers are more likely to give you the benefit of the doubt.

Encryption is an obvious step, and it is part of GDPR, so under the Regulation, you must convert your data into a coded, difficult-to-unlock format that maintains authentication, integrity and non-repudiation. But you also need to implement data minimization and de-identification.

In simple terms, data minimization means that you don’t ask for or keep more than you need, while de-identification temporarily removes links between the data points and the individuals they describe.

  1. Data minimization

With so much personal data available, it may be tempting to collect and cross-reference new information to learn more about your customers. But consumers don’t like it, and are increasingly suspicious of sharing their details. So while a next-of-kin’s name and phone number on a financial services account could help verify family if the account holder dies, asking for the relative’s workplace data may be going too far. And you’re definitely crossing the line if you use any of the data for a purpose that the customer hasn’t agreed to.

The GDPR explicitly states that you need to limit the amount of data you collect, as well as the way you use it. It also says that you can only use the data for its specified, lawful purpose, and stresses the importance of having a plan to destroy the information once the agreed-upon use is finished.

And frankly, less data means you have less to steal.

  2. De-identification

Your institution might need to have some data linked directly to individuals’ names in some instances, for example, keeping names, account numbers and addresses together for account-statement generation. However, other work clusters will not need identifying information, but may need to be able to link it back later.

De-identification is different from anonymization; the information is still linked, but steps are taken to mask it. This can include giving people pseudonyms, plus “k-anonymization”, which hides or replaces details that could expose an identity, such as a birth date.

As a part of encryption, de-identification makes it that much harder for hackers to make use of stolen information.
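The pseudonym and k-anonymization steps described above, sketched as an added example (not Echoworx code). The records, the key, and the choice of birth date and postcode as the identity-exposing details are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter
from datetime import date

# Constructed sample records (not real people).
RECORDS = [
    {"name": "Ana Ruiz",  "birth_date": date(1984, 3, 12), "postcode": "M5V 2T6", "balance": 1200},
    {"name": "Ben Cho",   "birth_date": date(1987, 11, 2), "postcode": "M5V 1K4", "balance": 560},
    {"name": "Cara Diaz", "birth_date": date(1981, 7, 30), "postcode": "M5V 3L9", "balance": 9800},
    {"name": "Dev Patel", "birth_date": date(1992, 1, 19), "postcode": "K1A 0B1", "balance": 310},
    {"name": "Eli Stone", "birth_date": date(1995, 6, 5),  "postcode": "K1A 0A9", "balance": 4400},
    {"name": "Fay Wong",  "birth_date": date(1973, 9, 23), "postcode": "H2X 1Y4", "balance": 75},
]

# Assumption: in practice this key lives in a KMS/HSM, apart from the data.
PSEUDONYM_KEY = b"constructed-demo-key"
QUASI_IDENTIFIERS = ("birth_range", "area")


def pseudonym(name, key):
    """Keyed pseudonym: stable for the key holder, not reversible without the key."""
    normalized = name.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def deidentify(records, key, bucket=10, postcode_chars=3):
    """Replace the name with a pseudonym and coarsen birth date and postcode."""
    rows = []
    for rec in records:
        start = rec["birth_date"].year // bucket * bucket
        rows.append({
            "pid": pseudonym(rec["name"], key),
            "birth_range": f"{start}-{start + bucket - 1}",
            "area": rec["postcode"][:postcode_chars] + "*",
            "balance": rec["balance"],
        })
    return rows


def _group_sizes(rows):
    return Counter(tuple(row[q] for q in QUASI_IDENTIFIERS) for row in rows)


def k_anonymity(rows):
    """Smallest number of rows sharing one quasi-identifier combination."""
    sizes = _group_sizes(rows)
    return min(sizes.values()) if sizes else 0


def suppress_small_groups(rows, k):
    """Drop rows whose quasi-identifier group is smaller than k."""
    sizes = _group_sizes(rows)
    return [r for r in rows
            if sizes[tuple(r[q] for q in QUASI_IDENTIFIERS)] >= k]


def relink(name, rows, key):
    """Only a holder of the key can map a known customer back to their rows."""
    pid = pseudonym(name, key)
    return [r for r in rows if r["pid"] == pid]


if __name__ == "__main__":
    rows = deidentify(RECORDS, PSEUDONYM_KEY)
    print("k after generalization:", k_anonymity(rows))
    released = suppress_small_groups(rows, 2)
    print("rows released:", len(released), "k:", k_anonymity(released))
    print("re-linked:", relink("Ana Ruiz", released, PSEUDONYM_KEY))
```

Generalization alone leaves one customer in a group of one, so that row is withheld before release; the keyed pseudonym is what keeps the data linkable rather than anonymous.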

The rewards of minimizing risk

While it’s EU law, complying with the GDPR has value no matter where your company does business. Meeting these standards, minimizing your data collection and ensuring de-identification will help you protect your reputation, add reasons for your customers to trust you, and reduce your overall risk.

Want to learn more? Click on the link below to watch an in-depth discussion with the Privacy by Design creator Dr. Ann Cavoukian, and learn how you can prepare for the GDPR.

 By Alex Loo, VP Operations, Echoworx

08 Sep 2017

Privacy by Design – or by Disaster?

Got any European business? If you do, the GDPR could trigger fines of 20 million euros against you after May 25, 2018, unless you’ve built the highest levels of privacy protections into your systems.

The General Data Protection Regulation (GDPR) protects individuals’ privacy and human rights, and comes into effect in May. It applies to EU-based companies, plus overseas companies doing business in the EU. The scope covers a broad range of personal data, for example, names, email addresses, social media, bank details or computer IP addresses.

For companies that don’t meet the GDPR, there are fines as high as 20 million euros or up to 4 percent of your annual worldwide profits – a big bite out of your bottom line. The good news is that there is a directive to guide you, known as Privacy by Design, or “PbD”.

Privacy by Design
Meeting GDPR means following the seven PbD principles that are included almost verbatim in the regulation.

  1. Proactive not reactive; preventative not remedial. Think of this as “privacy by design or disaster.” If you build appropriate privacy, encryption and overall cybersecurity into your products and services, you’re less likely to have the disaster-side breach that means fines, class-action lawsuits, and damage to your reputation.
  2. Privacy as the default setting. Most people don’t read EULAs or the lengthy legal documents from financial institutions. Make your offerings easier to use by defaulting to the highest levels of privacy and encryption, and ask clearly for specific permission to use the customer’s data for anything other than what they intend. For example, keep opt-in boxes empty so the distracted end-user doesn’t give permission by accident.
  3. Privacy embedded into design. How well are your apps and data-management systems encrypted? This needs to be a default, no-choice, built-in fact of all of your data architecture.
  4. Full functionality – positive-sum, not zero-sum. There’s an argument that full security and full privacy are not compatible, but it’s wrong – strong encryption lets you have both. What’s more, when your clients and customers know you’re using it, they’ll have a higher level of trust for you, and be more willing to share their data.
  5. End-to-end security – full lifecycle protection. With your system designed to respect and maintain privacy at every touch, what happens when you’re done with the data? From the moment a customer gives their name, to the closing of the account, you need to ensure their data is securely managed, and eventually, destroyed.
  6. Visibility and transparency – keep it open. Be able to demonstrate that you are using the data as it’s intended at every step. But you also need to be willing to share all the data you’ve collected about someone with that individual, because the data belongs to them. And being able to see it means they can correct inaccuracies, making it much more useful to you.
  7. Respect for user privacy – keep it user-centric. Being user-centric means that your company and data architects are proactive about protecting customer privacy. But incorporating strong data encryption and overall cybersecurity isn’t just about being safe. The investment in these technologies and practices will foster the respect and trust of your customers, which is a good thing no matter where you do business.

Still have questions? Watch our webinar, along with Privacy by Design creator Dr. Ann Cavoukian, for an in-depth understanding of how to prepare for the GDPR.

 By Alex Loo, VP Operations, Echoworx

22 Aug 2017

Method-Agnostic Encryption Delivery

Until very recently, encryption was considered a niche market with little prospect of emerging as a global industry. There was a time when small and medium-sized data security service providers around the world started using homegrown cryptographic systems to encrypt emails and secure vulnerable information. As more solution providers surfaced with varied styles of cryptographic systems, the data security space began to clutter, causing incongruity in encryption delivery formats and user interfaces even within the same organization. Comprehending this predicament early, and looking to break siloed cryptographic systems, Echoworx developed OneWorld, a method-agnostic email encryption platform designed to decipher the unique encryption requirements of a company and offer an appropriate solution.

What sets OneWorld apart from its peers in the market is its flexible delivery approach for policy-based encryption. The platform can automatically utilize up to six push encryption methods (TLS, PGP, S/MIME, Encrypted PDF, and Encrypted ZIP) or web portal pull encryption method based on the sensitivity of the content. OneWorld allows administrators to effortlessly define and facilitate email policies to reduce the risk of data loss. “We don’t believe in maintaining a particular style of encryption, and our flexible platform intelligently deciphers the requirements of the clients and molds itself to suit their specific needs,” says Mike Ginsberg, CEO of Echoworx. The firm has penetrated deep into the dynamics of the software to build a platform that is agnostic to any particular style or delivery method.

Ginsberg explains how a top global banking institution found it cumbersome to support multiple data security service platforms to achieve different encryption delivery methods in their enterprise. The diversity of UIs and UXs coming from the various providers also brought inconsistency to the overall standard of the financial institution. Moreover, the legacy solutions were capable of encrypting only approximately 1.5 million messages a month. After implementing Echoworx’s OneWorld, the bank instantaneously stepped up their delivery to 100,000 encryptions in less than an hour. Echoworx’s global presence also helped the banking institution to provide the solution in 22 different languages to suit their customers’ specific needs.

When it comes to data protection, however, the tenets go far beyond just providing a software solution; an organization has to ensure that the software complies with the data protection laws or the privacy legislation system of the country it is operating under. To ensure protection from territorial leakage of sensitive information, such as financial statements, credit card data, or personal information, Echoworx has set up multiple data centers in various geographic locations worldwide. “When we started working for a bank in Mexico, the client made it clear that none of their data should leave the periphery of the country, and hence we had to establish a data center in that location,” states Ginsberg. Likewise, Echoworx has two data centers in Canada, one each in the U.S. and UK, and two facilities in Dublin. The firm’s SaaS solution can easily migrate databases to another data center, making it possible to set up in any geographic location on a very short deadline. With the help of Echoworx’s global cloud solutions, one of the world’s largest insurers was able to start its operation in a new country overnight.

Echoworx has plans to add authentication services, such as biometric scanning, face and voice recognition, etc. to its suite of offerings in the future. Apart from product expansion, the firm has sights to expand geographically to Asia within 12 months. Echoworx has already established substantial grounds for encryption in the banking and healthcare industries and intends to broaden its horizon to include the airline industry in the years to come.

In fact, Echoworx was selected by CIOReview as one of this year’s Top 20 Most Promising Banking Technology Solutions Providers.

“We are glad to announce Echoworx in our annual ranking list of 20 Most Promising Banking Technology Solution Providers 2017,” said Jeevan George, Managing Editor of CIOReview. “The company’s encryption platform is designed to address the diverse secure communication requirements of the banking and financial services industry.”

Echoworx will be demonstrating its solution to the industry in Miami, Florida – at the largest Latin America technology and innovation event – the 17th Annual CL@B 2017 Conference. You can get the details here: https://www.felabanclab.com/

This article originally appeared in CIOReview Banking Technology Special