27 Nov 2019

Uniform or Patchwork Privacy Laws? How Your Bank Can Mitigate Cyber Risk

As more state privacy laws come into effect in the US, navigating privacy, data residency and jurisdictional requirements is more complicated than ever for banks and financial institutions with national and international reach. Let’s look at what these privacy laws are and how encryption helps banks and financial services institutions mitigate the risk that comes with juggling multiple privacy laws.

Patchwork privacy laws

America is gearing up for the California Consumer Privacy Act (CCPA) that goes into effect on January 1, 2020. The CCPA is now one of many privacy and data security laws that protect consumers across some states.

Current state privacy laws:

  • California Consumer Privacy Act (CCPA)
  • Nevada Senate Bill 220
  • Act to Protect the Privacy of Online Consumer Information (Maine).

While three privacy laws might not seem like much to handle, that’s not the whole picture. There are also laws governing cybersecurity, data security and data breach notification in Washington, Texas, Oregon, New York, New Jersey, Maryland and Massachusetts.

That’s a lot for any national company to keep up with and with each new law enacted, it becomes easier for companies to fall out of compliance, especially if they don’t implement proper risk management.

National privacy laws

National privacy laws include:

  • The General Data Protection Regulation (GDPR) in Europe.
  • The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.
  • The Act on Protection of Personal Information (APPI) in Japan.
  • The Health Insurance Portability and Accountability Act (HIPAA) in the USA.
  • The Electronic Communications Privacy Act (ECPA) in the USA, often critcized for being outdated and having no impact.


What kind of privacy legislation is best for banks?

Banks and other financial institutions are subject to strict legislation outside of general privacy laws. For example, the Gramm-Leach-Bliley Act (GLBA) governs what kind of information can be shared with third parties and requires financial institutions to disclose how they protect their clients’ private data.

We won’t list the regulations financial services companies are subject to here—suffice to say, banks are already heavily regulated.

The best type of privacy legislation for banking, financial services and insurance companies is legislation they influence to meet their needs (and the needs of their customers).

We’d suggest that one national privacy law would be easier to manage than multiple state laws on top of international privacy laws. Whatever the answer is, banks would be wise to weigh in on the idea of a national privacy law in America—because other businesses sure are.

Why the business community is advocating for an American national privacy law

The CCPA is hailed as “America’s answer to the GDPR” but that doesn’t hold up in terms of reach. The GDPR and the CCPA are similar regulations and both allow for sharp fines for lack of compliance. But the GDPR protects citizens of nations belonging to the European Union—that’s 512 million people. There are 327 million people in the US and 39.5 million people in California.

How many more laws need to be enacted for all 327 million Americans to enjoy the same privacy rights as Californians and Europeans? For many people and businesses, the answer is “too many.”

The complications of patchwork privacy legislation is one reason the Business Roundtable—an association of chief executive officers who promote the U.S. economy through sound public policy—is advocating for a national privacy law for Americans.

Marc Benioff, CEO of Salesforce, writes in a Politico article that a national privacy law is “the right thing for consumers and the industry.”

But this advocacy work hasn’t yet borne fruit so businesses must deal with what is, instead of what could be.

How Echoworx OneWorld—a flexible encryption solution—helps banks navigate patchwork privacy laws

Encryption allows organizations to enhance data protection and breach notification practices. It’s an essential risk management tool that supports an organization’s overall cybersecurity strategy.

Echoworx OneWorld is a user-friendly and customer-centric encryption solution that helps banks and financial services organizations navigate patchwork privacy laws.

OneWorld features that help banks stay compliant to multiple privacy laws:

  • Definable policies – This feature allows you to control which communications get encrypted (and how) based on the message content. This is based on your needs and encryption best practices. Flexible controls for every scenario allow you to create a customizable user experience for senders and recipients and stay in control of encrypted messages in transit and at rest.
  • Multiple options for data residency – We have six data centres located in Canada, the US, Mexico, the UK, Ireland and Germany which means our clients can stay compliant to data residency requirements outlined in the GDPR and American privacy legislation. For example, if an organization works in both the EU and US, they can’t have data residency (or third parties) in the US or else they’ll be out of compliance with the GDPR.
  • Automatic inbound encryption – Emails with sensitive information—including protected personal information—are automatically identified, securely routed to the OneWorld web portal and encrypted. Encrypted delivery methods include TLS encryption, encrypted PDFs and attachments, certificate encryption and web portal encryption.
  • Secure statement delivery – Senders can batch and deliver sensitive encrypted messages, like financial statements, directly to recipient inboxes in an encrypted PDF that’s password protected.
  • Natural extensions for Office Message Encryption (OME) – We work alongside Microsoft to take Office 365 to the next level with flexible use cases, branding, audit and tracking capabilities and certificate encryption. This increases existing encryption capabilities and keeps employees comfortable and confident using their existing communication tools—which makes encryption the path of least resistance.

A recent Forrester Total Economic Impact™ study, revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits and a payback period of seven months.

Banks are already doing business in a patchwork of conflicting privacy environments. Why not make it easier with our user-friendly encryption solution?

By: Brian Cole, Senior Manager Security Operations and Support, Echoworx


25 Nov 2019

The Importance of Synchronized Tech: Mergers and Acquisitions that Stick Need to Fit

The ink is dry. The handshakes have been made. Your company has just successfully negotiated a multi-million-mega dollar monster merger or acquisition. And your newest corporate addition has all the promise of taking your business to the next level.

But what’s next? How do you begin integration with your existing IT infrastructure? What sorts of vulnerabilities should your IT department be aware of before marrying your two systems? Is your existing IT infrastructure even set up for marriage? Did your top-brass think of any of this before signing off?

Chances are they didn’t.

And, like cooking a soup on your stovetop, a merger between two organizations only works if all the great ingredients can be mixed, melted and mashed together in one pot. If they can’t, your sweet deal might turn sour in a hurry! Or, worse, if left unattended – burn.

Here are some ways conducting technological due diligence plays a pivotal role before, during and after any merger or acquisition process:

1. A history of breaches – a future of headaches

Conducting conclusive research on a prospective merger or acquisition’s digital history should be a primary first step of your courting process. Asking simple questions like “Have you had a breach?” can vet massive roadblocks further down the merger and acquisitions path. Take the now-infamous 2016 Yahoo!/Verizon merger worth an initial $4.8B, for example. In this instance, since Yahoo! reported two major data breaches of user account data just prior to the sale, Verizon shaved $350M off the final price for the deal. In fact, between 2014 and 2018 alone, there where over 10 major breaches affecting mergers and acquisitions deals, affecting billions of users worldwide.

Since breaches can affect sale prices, stall deals or even cancel them out, careful attention should be paid to poor data hygiene during any merger or acquisitions process. Update your legacy encryption system now.

Common red flags, for example, might be a company not adequately protecting sensitive communications. From legacy encryption systems to not encrypting at all, a company which doesn’t protect is opening another to risk.

With our OneWorld encryption solution, companies can reduce the complexity of legacy systems by consolidating email encryption into a single, scalable cloud-based platform – for a more secure environment for sending sensitive communications. From configurable encryption policies to detailed message reporting, our robust encryption system can help you demonstrate effective risk-mitigating security for any deal

2. Understanding IT infrastructure

When organizations begin to execute elaborate digital transformation plays, any hidden tangled wires, certifications and claims within an existing IT infrastructure suddenly come to the forefront. If left unattended, these tangles can create expensive knots for any merger or acquisition attempts. From obsolete technology lowering a product’s value to legacy systems and processes which simply do not line up.

IT issues need to be top-of-mind throughout any merger or acquisition process. Read more about our certifications.

Proper consultation with your IT department prior to a merger is an effective way to ensure elaborate paper acquisitions play out as planned – especially when you consider that over 50 per cent of initiatives throughout a mergers and acquisitions process, designed to capture synergies, are directly related to IT. A merger or acquisition candidate might claim, for example, that they are SOC2 certified, meaning their security has been vetted and approved by a credible third-party SOC2 evaluator. A member of your IT department can help determine whether this certification is valid or acquired via a third-party.

3. Protecting trade secrets

In order to protect trade secrets, prevent unwanted access and to bring order to your merger or acquisition process, you need to provide protected conduits through which information can be sent, received and replied to.

Mergers and acquisitions can sometimes be periods of organized chaos, as new faces meet new infrastructure and information flies freely from camp A to camp B. Ensure only intended recipients can read your secure message.

In addition to its six flexible secure delivery methods, the OneWorld encryption platform is fully brandable, configurable and features various secure authentication methods. For additional security, OneWorld features a flexible suite of encryption policies which automatically protect any incoming or outbound sensitive data.

4. Sanitizing IT infrastructure

Prior to plugging in to any newly acquired merger or acquisition, be sure to identify any existing vulnerabilities. This ensures that any legacy cybersecurity technology, ageing in-house communications systems and other technological cracks don’t pollute your system once the deal is signed – something 40 per cent of companies fail to do. A thorough audit of a prospect’s digital infrastructure can help mitigate the risk of dealing with expensive interventions further down the line.

Prior to plugging in to any newly acquired merger or acquisition, be sure to identify any existing vulnerabilities. Update your legacy message encryption system.

Moving non-critical systems to the cloud is a simple solution to uncluttering, sanitizing and updating an incompatible legacy system. With Echoworx OneWorld, for example, migrating legacy resource-intensive message encryption service to the cloud is simple. The resulting light, configurable and flexible secure message environment, managed in the cloud, helps organizations consolidate cybersecurity efforts and streamlines the merger and acquisition process.

By Christian Peel, VP Customer Engineering, Echoworx

22 Nov 2019

Still Selling ‘Risk Acceptance’ to Your Customers?

As organizations continue their digital migrations, the list of cyber-threats, risks and vulnerabilities grows exponentially. From a more connected workplace to new laws and regulations governing privacy and data protection, keeping up on our ever-expanding digital world can be challenging and expensive.

One method to confront cyber-risk is to adopt a laissez-faire risk acceptance approach – where the costs of prevention seemingly outweigh the consequences of doing nothing at all. In this scenario, a bank or business takes a gamble that a cyber-security incident won’t happen or that they can just pay a nominal one-time fee if it does. In other words: Instead of protecting customer data, investing in streamlined cybersecurity solutions or sealing off a vulnerability, an organization simply opts to leave the door open with the hope that no one comes knocking.

The economics of risk acceptance in cybersecurity

Is risk acceptance the most-economical mindset in the short run? Assuming an organization is not the target of a particularly devastating attack, they might come out unscathed from the initial breach, with nominal fines or nothing at all. For example, if a cybersecurity solution is going to cost $250,000 to protect a $50,000 problem – it might not make initial sense to invest. But when you factor in brand damage, changes in regulations, emerging technology, and subsequent fines and class action lawsuits there are different angles to consider – especially when something big hits.

During the 2017 Equifax acquisition, for example, when a massive breach compromised the personal information of over 140M Americans, or nearly half the country, the Equifax brand suffered irreparable damage and has been ordered to pay up to $700M in fines. This all stemmed from their “failure to take reasonable steps to secure their network.” This breach is one of the worst to ever have happened in the US and, with 13 major breaches affecting mergers and acquisitions deals between 2014 and 2018, it was hardly the only one.

Do you think it was worth it? We don’t.

Customers won’t buy risk acceptance

Issues of brand damage come to the forefront of any risk acceptance plan once a breach occurs – regardless of size. Any customer-centric organization worth its salt knows that customers care about their personal data and do not reward businesses who do not value it enough to protect it. In fact, according to Echoworx data, 80 per cent of customers consider leaving a brand after a breach.

In a nutshell: You can’t afford to sell risk acceptance to your customers.

Instead of gambling with customer data, a true proactive choice involves taking every precaution to protect them with risk-mitigating defenses. Since digital trust and loyalty of customers is rooted in user experience and demonstrated brand assurance of safety, you need to offer flexible and streamlined cybersecurity solutions that work.

With our OneWorld encryption platform, for example, you can protect customer data in transit without affecting customer experience. With support for 22 languages, multiple branding options and configurable sets of encryption policies, our streamlined encryption experience ensures nothing is left to chance – including your customers.

Start selling risk mitigating encryption now.

Risk acceptance doesn’t cut it across borders

If you are an international brand, with offices all around the world, you might be boxed out of local markets if you can’t protect your customers. But investing in the bare minimum isn’t good enough either. In order to comply with different privacy jurisdictions, avoiding the potential for hammering fines or being excluded from a market completely, an organization needs to invest in flexible, streamlined and easy-to-understand proactive cybersecurity solutions.

Picture this scenario, for example: You are an organization based in the US which does business in the EU and is looking to break into APEC. From Europe’s General Data Protection Regulation (GDPR) to South Korea’s Personal Information Protection Act (PIPA) to California’s Consumer Privacy Act (CCPA) closer to home, for examples, you are now navigating a whole patchwork of privacy laws. How do you exchange your daily flow of sensitive data between offices?

Until recently, a company might be able to fly under the regulatory radar without encrypting sensitive communications. But more severe interpretations of these laws, like those regarding the GDPR in Denmark, now mean you can’t legally do business in some of these countries without an encryption solution flexible enough to accommodate different jurisdictional demands. That throws a pretty major wrench in any international business plan.

Enable your cross-border communications now.

Risk acceptance jeopardizes your digital future

As the saying goes: Ignoring the problem doesn’t make it go away. In the case of cybersecurity, inadequate investment in data-protecting technology can make current vulnerabilities larger, as business grows, or render an organization unable to adequately deal with future issues. And, in the case of mergers and acquisitions, not being flexible enough or set up to move with the technological tide can stall, cancel or, at the very least, lower the value of the deal.

In other words: In a world of every-changing regulations, which are not going away, and new technology, which demands flexibility, if you adopt a culture of risk acceptance, you risk being left in the dust.

As a cloud-based Software-as-a-Service (SaaS) provider, Echoworx provides flexible solutions for organizations looking to update legacy message encryption technology. Many organizations, for example, need to reduce the complexity of their existing legacy solutions, like a legacy PGP system, into a single consolidated cloud-based platform. As a fully managed, infinitely scalable and geo-redundant encryption solution, our OneWorld encryption platform helps organizations get up to speed with secure communications and be prepared for whatever changes are around the corner.

Upgrade your legacy encryption system to the cloud now.

Risk mitigation is simple – yet effective

Investing in comprehensive data-protecting cybersecurity solutions for risk mitigation, as opposed to acceptance, is not a compromise for today’s customer – it’s an expectation. They expect airtight security for their valuable personal data – something they can get with or without your brand. The solution is easy: you don’t gamble with them; you protect them before something happens.

Protecting your secure communications with encryption is an effective way to ensure data in transit stays safe, you can easily adapt to new regulations and you can protect your own valuable company data and secrets. As a tool of risk mitigation, applying encryption to sensitive messages means you do not take chances when it comes to the safety of your data. This is an integral keystone of any merger or acquisition process – something that can affect the ultimate value of your deal.

A path to secure communications with OneWorld

Our OneWorld encryption platform is an important risk-mitigating addition to any customer-centric cybersecurity suite. With multiple flexible delivery methods, available in 22 languages, full reporting and with extensive options to support multiple brands, OneWorld assures your customers that you do indeed value their business and data at every point of their customer journey. And its streamlined user-friendly interface and definable customizable set of encryption policies ensures data protection occupies a central part of any organizational business policy.

Protect your communications now.

By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx

18 Nov 2019

How to Ensure Only Intended Recipients Can Read Your Secure Message

We’ve all done it: You hit ‘send’ on a message only to notice a mistyped email address. You might reach out to notify the incorrect recipient of your error. You might try to recall the message. Or you might just send the message over to the correct recipient. Not a big deal – these things happen.

But what if the email contained sensitive information, like a bank statement? What if it’s enough to get you reprimanded or, worse, fired?

Even if the unintended recipient offers to delete the message, how can you guarantee they followed through? How do you know they didn’t sneak a peak before deleting your wayward message?

You need to know this won’t happen to you. You need control. OneWorld can help.

Sender-set passwords for encrypted messages

Once a message has been received by a recipient, there is little which can be done to control who sees it. Since even unintended recipients have the potential to view message content, this can pose problems if the message contains confidential sensitive information, like a bank statement or medical information.

With OneWorld, you can set a shared passphrase to access an encrypted email. This encryption password, which can be anything, from a name to a set of numbers, provides effective security for the content you need to protect.

And there are variety of ways to share password information, like password hints or out-of-band options like verbally via telephone, for example. All password options are designed to assure the sender that even if the message is sent to an unintended recipient, access remains protected.

A password that’s both easy and secure

For a password to be effective, it needs to be complex enough not to be guessed but not so difficult as to be confusing for the recipient. Passwords can be based on information already known to the recipient like an account number, for example, or provided by the sender along with a password hint. For added security, complexity requirements can be enforced by the system.

Selecting the shared passphrase and password hint for a message can be done directly through the OneWorld plugin for Microsoft Outlook or the Outlook Web add-in. Passwords can also be set by a subject keyword from any device or email generator application. Any previously set passwords can be retrieved or checked by the sender through their ‘sent’ emails.

System generated passwords for encrypted messages

As another option for assuring an even higher level of protection for sensitive information, a System-Generated Verification Code is another way to set a complex password. With this method, which is available for OneWorld’s Web Portal secure delivery method, a random single-use code is provided to the sender who, as in the case with sender-set passwords, can then communicate this system-generated password to the recipient. Password complexity tends to be increased with this method as the sender is forced to use a unique code for every message and DLP engines can be configured to force this type of encryption delivery.

Other solutions send a One-Time-Password (OTP) to the recipient mailbox immediately following an encrypted message, which is a bit like leaving your keys in the door.

Additional perks of OneWorld password options

Sender-set Passphrases and System-Generated Verification Codes are effective ways for organizations to avoid any type of registration process. From encrypting attachments only to entire messages, OneWorld allows you to communicate securely with your customer base without any additional steps – you just communicate the password and they gain instant access. And, with the option to reply securely, this method of seamless authentication provides a complete customer-centric circuit of secure communication.

Eliminate your registration process for secure mail now.

By Derek Christiansen, Engagement Manager, Echoworx

11 Nov 2019

California’s CCPA – What Banks Need to Know

The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020 and enforcement measures are scheduled to start six months later. Banks that do business with the state of California and its residents need to protect themselves and get compliant with the CCPA, hailed as “America’s answer to the GDPR.”

A quick view of the CCPA

The CCPA establishes data privacy rights for Californians and, starting soon, this law applies to businesses that sell products and services to California residents and collect information about them.

Under the CCPA, California residents have the right to:

  • Know what personal information is collected about them.
  • Know whether their personal information is sold or disclosed and to whom.
  • Opt out of allowing businesses to sell their personal information.
  • Access the personal information collected about them—in the last 12 months—and receive it in a user-friendly format.
  • Equal service and price, no matter what privacy options they choose.
  • Erase personal data collected (in some situations).


This act means Californians can opt out of many secondary uses of their personal information including sales to data brokers, tracking and other uses not directly related to service delivery.

Defining personal information under the CCPA

Section 1798.140, subdivision (o) of the CCPA defines personal information and it’s a long list that includes—but isn’t limited to—identifiers, categories listed in subdivision (e) of Section 1798.80, characteristics of protected classifications, commercial information, biometric information, internet and other electronic network activity, geolocation data, audio, electronic, visual, thermal, olfactory information, professional, employment and education information (that’s not already publicly available) and inferences drawn from information collected.

Call your privacy lawyers and experts because this list is exhaustive; staying in compliance will be complicated and being out of compliance will be costly.

Penalites and fees associated with the CCPA

Like the GDPR, the CCPA has teeth when it comes to penalites. PWC reports that the private right of action damages will be between $100 and $750 per consumer, per breach. And the regulator enforcement penalities will be “up to $2,500 per unintentional violation and $7,500 per intentional violation.”[i]

The impact of the CCPA on banking institutions

As more states institute their own consumer privacy laws, it becomes increasingly complicated for national banks to remain compliant across state borders. Today we’re talking about California but Vermont and South Carolina just passed laws about data collection and breach notification respectively.

Banks must understand privacy laws in all states and countries they do business in and have the processes and products in place to stay compliant with these regulations. They should also expect this trend of patchwork privacy laws to continue and be prepared to adapt to ever-evolving privacy laws.

Any banks that have Eurpean clients are (or should be) GDPR compliant so there’s less work for them to do now as the GDPR and the CCPA have many overlapping requirements. Part of that work includes analyzing data flows, implementing processes to meet the needs of the new regulation and clearly documenting all data and data policies.

Encrypted communications are part of the solution because encryption keeps protected personal information safe at rest and in transit. The Echoworx OneWorld encryption platform makes encryption the path of least resistance which is essential in highly-regulated industries such as banking, financial services and insurance.

How Echoworx OneWorld—a flexible encryption solution—helps banks navigate the CCPA

Encryption is a tool that allows organizations to enhance data protection and breach notification practices.

Encryption is considered[ii]:

  • An appropriate technical and organizational measure for securing personal data when implemented with other appropriate controls to protect the encryption process.
  • An appropriate safeguard for processing personal data for a different purpose than the one it was collected for.


But encryption only works when it’s used. And, in a recent survey of IT professionals and IT decision-makers, we found that although encryption is a priority for most organizations, less than half the organizations with encryption software use it extensively.

That’s because many encryption solutions are difficult for employees and clients to use where encryption becomes an extra step; when security is outside of the regular workflow, people are less likely to use it.

At Echoworx, we built our OneWorld encryption platform to seamlessly integrate into existing workflows and make encryption and secure communications the path of least resistance.

OneWorld features that help banks navigate privacy regulations, including the GDPR and CCPA:

  • Definable policies – This feature allows you to control which communications get encrypted (and how) based on the message content. This is set up during implementation—based on your needs and encryption best practices. Flexible controls for every scenario allow you to create a customizable user experience for senders and recipients and stay in control of encrypted messages in transit and at rest.
  • Automatic inbound encryption – Emails with sensitive information—including protected personal information—are automatically identified, securely routed to the OneWorld web portal and encrypted. Encrypted delivery methods include TLS encryption, encrypted PDFs and attachments, certificate encryption and web portal encryption.
  • Secure statement delivery – Senders can batch and deliver sensitive encrypted messages, like financial statements, direct to recipient inboxes in encrypted PDF format, that’s also password protected.
  • Breach notifications – Senders can leverage OneWorld to deliver encrypted and protected communications and notifications to their customers in the instance of a breach.


Besides making encryption the path of least resistance, a recent Forrester Total Economic Impact™ study, revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits and a payback period of seven months.

The clock is ticking on the California Consumer Privacy Act. Why wait to make our user-friendly encryption solution part of your compliance strategy?

By: Brian Cole, Senior Manager Security Operations and Support, Echoworx



[i] https://www.pwc.com/us/en/services/consulting/cybersecurity/california-consumer-privacy-act.html

[ii] https://www.echoworx.com/project/encryption-in-the-gdpr/


05 Nov 2019

How to Expand Your Tech Stack Responsibly

Contemporary enterprise organizations continue their migration to the cloud to save money, increase flexibility and reduce the burden of keeping experts on staff to manage infrastructure. But, while the benefits of moving to the cloud are real, it’s essential to expand your tech stack responsibly—and that starts with security.

Contemporary security considerations for enterprise-level organizations:


  • Sensitive data leaving the company firewall – Once sensitive data leaves the perimeters of an organizational firewall, it’s vulnerable to malicious actors. Some firewalls protect the enterprise network and users while others protect information in transit between cloud applications. As the workplace marches towards all things cloud-based and digital, it’s essential to protect data both in transit and at rest.
  • Bring-Your-Own-Device (BYOD) and remote work culture – Companies now allow—and even encourage—employees to use their personal cell phones, tablets and laptops for work activities. This is another avenue for organizational information to leave the safety of the company network and once it moves onto personal devices, it’s a security risk. The popularity of the BYOD culture is driven in part by the uptick of remote employees.
  • Breaches, hacks and attacks – According to a recent report, 38 per cent of organizations aren’t equipped to detect a sophisticated breach and in 2017, the average cost of a data breach was $3.62M.[i] A strong cybersecurity infrastructure can mean the difference between shutting down operations and business as usual.
  • Shiny object syndrome – Everyone wants to download the latest and greatest tech gamechanger. And while most third-party SaaS solutions are safe, organizations can’t afford to jump on board (or let their employees do so) before conducting their own cybersecurity due diligence.
  • Shadow IT – Employees may be downloading or using third-party software or apps to exchange sensitive information. Organizations need to make a better effort at making the protection of data the path of least resistance.


Four ways to expand your tech stack responsibly


  1. Lay the foundation with encryption – Encryption converts information or data into a code for the purpose of preventing unauthorized access. Before you do anything else, make sure your data is encrypted in transit and at rest. Encrypting communications secures sensitive data and protects it from nefarious use by malicious agents (including insiders) and from accidental breaches by employees. Choose a user-friendly encryption platform that makes encryption the path of least resistance. With Echoworx’s OneWorld encryption platform, you can turn cybersecurity into a competitive edge, increase digital trust and enjoy a significant return on investment.

For example, a recent Forrester Total Economic Impact™ study, revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits. This same study showed that using the OneWorld platform to replace legacy on-premises encryption solutions could save the software cost of previous solutions and avoid other legacy-related costs for a three-year savings of $793K.

Get the full Forrester Total Economic Impact™ study of OneWorld now.

  1. Apply good governance – Is governance part of your cybersecurity framework? If not, start today. Who oversees and is responsible for managing technological expansion, assessing cyber risks and vulnerabilities and creating a way forward? If the answer isn’t clear, it’s time to make changes and get your board of directors involved too. Did you know that only 40 per cent of corporate boards participate in their organization’s security strategy?[ii]
  1. Assess your current tech stack – In the old days, IT vetted all the tech brought into the business. But in large organizations, tech slips into departments based on team needs, with little regard for the big picture. Many organizations vastly underestimate the amount of software being used across their operations, marketing, sales, human resources, business intelligence and project management teams. When you reveal the real current state, it gives you the information you need to move towards a sensible future state.
  1. Provide the tools your employees need – The biggest culprit of shadow IT are apps and programs designed to streamline employee workflow. You need to provide your employees with the best tools to do their jobs effectively and safely.

Here’s more on how you can minimize your risk of insider threats.

  1. Implement privacy by design – The Privacy by Design framework, developed by privacy expert, Dr. Ann Cavoukian, is based on seven foundational principles. They are proactive not reactive, lead with privacy as the default setting, embed privacy into design, retain full functionality, ensure end-to-end security, maintain visibility and transparency and respect user privacy. If each new item in your tech stack follows these principles, it reduces the risk and costs of taking a reactive approach to data security.

To learn more about Privacy by Design, download our white paper here.

At Echoworx, encryption is all we do. If you’d like to make secure communications easily accessible across your organization, contact us.  We’ll show you how the right encryption technology can differentiate successful digital transformations from the rest.

By: Wen Chen, Senior Manager of IT and Support, Echoworx



[i] EY Global Information Security Survey 2018-19

[ii] 2018 Global State of Information Security Survey (PWC)

29 Oct 2019

Encryption is No Longer a Differentiator — User Experience is

Organizations using encryption to secure private data used to stand out in a crowd – and the technology remains a major building block of digital trust. But encrypted communications alone are hardly what makes an organization stand out of a crowd these days. Customers expect airtight security, but they want an excellent user experience – something you need to deliver.

Many encryption solutions use the same algorithms and specs; almost all modern security products feature 2048-bit RSA encryption, 256-bit AES encryption and SHA2 signatures. But not all encryption solutions are easy for your staff, customers and clients to use—and that’s why user experience is now the encryption differentiator.

Prioritize process over product

We recently surveyed IT professionals and IT decision-makers and found that encryption is a priority for most organizations, but less than half of organizations with encryption software use it extensively. This often comes down to user-friendliness; it’s nearly impossible to roll-out a security feature that doesn’t integrate seamlessly into existing workflows. When searching for an encryption solution, carefully consider the processes that come with the product and let a user-friendly encryption experience differentiate you from the competition.

What makes an encryption solution user-friendly?

A great encryption platform is easy for customers and staff to use and easy for organizations to implement.

User-friendly encryption features for clients and staff:

  • Frictionless user experience – Customers and employees tend to take the path of least resistance. Look for an encryption solution that builds security into that path of least resistance.
  • Multiple language and branding options – For international organizations, excellent customer experience includes on-brand communications in your client’s preferred language. Did you know that 79 per cent of people take less than 30 seconds to evaluate the safety of an email? This means off-brand but legitimate emails from your company can easily be categorized as spam, decreasing your organization’s digital trustworthiness. With Echoworx’s OneWorld encryption platform, you can set language policies to automatically apply to encrypted communications based on sender, brand, locale and receiver attributes.
  • Multiple delivery methods – Look for an encryption platform that can deliver messages through secure PDF, web portal, TLS and encrypted attachments and offers S/MIME and PGP support. If your platform offers multiple secure delivery methods with effective (and automatic) fallback options, encryption never gets in the way of user experience.


User-friendly encryption features for IT decision-makers:

  • Definable policies – Definable policies control which communications get encrypted (and how) based on the message content. This is set up during implementation—based on your needs and encryption best practices. Flexible controls for every scenario allow you to create a customizable user experience for senders and recipients and stay in control of encrypted messages in transit and at rest.
  • Secure access privileges – Risk management for insider threats include building a permissions architecture that gives access based on needs and roles instead of having open access to all data. For example, in a healthcare organization, the executive director wouldn’t have the same permissions as a nurse practitioner.
  • Scalability – Your encryption solution should be able to grow along with your business whether you’ve got 500, 5,000 or 50,000 employees.
  • Positive return on investment – With the right encryption solution, your organization can provide a user-friendly experience—and save money. For example, a recent Forrester Total Economic Impact™ study, revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits and a payback period of seven months. Get the full Forrester Total Economic Impact™ study of OneWorld now.
  • Implementation support – Remember how only half of organizations with encryption use it? At Echoworx, we offer account support because we believe that helping organizations understand how encryption fits into their business model means successful implementation and widespread adoption.


At Echoworx, encryption is all we do. If you’d like to learn more about what user-friendly encryption features are best for your organization, contact us today.

03 Oct 2019

A Sensitive Issue: Secure Message Encryption for Large Healthcare Networks

Large regional health authorities can employ thousands of people and have a volunteer network in the thousands or tens of thousands. And, since health authorities send, receive and store so much personal and medical data, secure communications are essential.

Here’s why healthcare organizations are vulnerable to privacy breaches, the consequences of mishandling patient data and how encryption makes secure communications possible for health authorities with a large staff and volunteer base.

Why healthcare organizations are vulnerable to privacy and security breaches  

According to a recent report[i], 18 per cent of all cybersecurity breaches happen in healthcare. And internal actors—including employees, former employees, contractors and business associates—cause 59 per cent of the breaches in healthcare.[ii]

Here’s why healthcare organizations including health authorities are vulnerable:


  • Lack of training for staff and volunteers – The top two patterns in healthcare breaches relate to miscellaneous errors and privilege misuse. Privilege misuse is about employees peeking into patient records that they have access to but shouldn’t be looking at. Training can help build a culture of privacy and security at healthcare organizations and help staff understand the real consequences of snooping. In 2018, for example, The Ottawa Hospital fired an employee for peeking at 30 patient files and the year before, a student intern was fined $25,000 for accessing the personal health information of 139 people (also in Ontario).


  • Outdated communication tools – Some communication tools simply aren’t secure. This includes old pager systems used to send messages—including patient information, diagnoses and hospital room numbers—over unencrypted radio frequencies. When unencrypted communication methods are the path of least resistance, they’ll continued to be used, despite privacy issues.


  • Inconsistent mandatory reporting – While mandatory reporting of data breaches is standard across most states and Europe, that’s not the case in Canada. Reporting data breaches isn’t yet mandatory in Manitoba, Quebec or British Columbia. Mandatory reporting is positive because it brings breaches into the public eye—which can encourage organizations to act quickly to resolve security issues.


The consequences of mishandling patient data

In Canada, heath information is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA). When health authorities mishandle patient data, patients lose trust in them, they come under fire from local privacy watchdogs and they can incur significant costs and fines. For example, at Capital Health in Nova Scotia, one employee improperly accessed the private health records of 105 people over six years—which cost Capital Health a $400K settlement.[iii]

For healthcare organizations with a large employee and volunteer base, encryption reduces the likelihood of mishandled patient data while increasing cybersecurity.

What does encryption do?

Encryption converts data and information into a code to prevent unauthorized access to the data while it’s in transit and at rest. It simply means private information is kept private. When choosing an encryption solution, algorithms aren’t the primary differentiators because almost all contemporary security products feature 2048-bit RSA encryption, 256-bit AES encryption and SHA2 signatures.

Instead, the real encryption differentiator is customer experience—how easy is it for patients, employees and volunteers to use the encryption solution? Our OneWorld encryption platform is user-friendly and seamlessly integrates into existing workflows.

5 ways the OneWorld encryption platform makes secure communications possible for health authorities


  1. Automatic encryption – Policy-based encryption allows you to automatically secure communications based on their content. For example, with Echoworx’s OneWorld encryption platform, emails with sensitive information—including protected health information—are automatically identified, securely routed to the OneWorld web portal and encrypted. Encrypted delivery methods include TLS encryption, encrypted PDFs and attachments, certificate encryption and web portal encryption.


  1. Reporting and monitoring – In cybersecurity, it’s important to be able to identify and investigate irregular communications. For example, you should be able to see who sent any email you’re reviewing, when it was sent and whether it was opened or not. Reporting and monitoring helps you reduce the risk of internal cyber vulnerabilities.


  1. Communications control – With so many employees, volunteers and healthcare partners, it’s easier than ever for sensitive data to leave the safety of your corporate network, either intentionally or accidentally. You can prevent this with communications controls such as preventing email forwarding, setting automatic encryption based on the type of email, keywords, phrases and attachments and enabling a single sign-on solution—to keep sensitive information on your protected network.


  1. Path of least resistance – With a user-friendly encryption platform in place, regional health authorities maintain control over their communications and make security the path of least resistance for their end-users. If an encryption platform makes more work for employees, they won’t adopt it. But when it seamlessly integrates into existing daily tasks, they will. User-friendliness isn’t a nice to have; it’s what makes widespread implementation possible.


  1. Positive return on investment – While encryption is no longer optional, health authorities can save money by investing in the right platform. For example, the Forrester Total Economic Impact™ study revealed that organizations that adopt Echoworx’s OneWorld encryption platform can expect a return on investment of 155 per cent, a payback period of seven months and the unquantified benefits that come with enhanced customer experience and reduced downtime.


If your regional health authority has thousands of employees and volunteers communicating with patients and other healthcare organizations, choosing the right encryption platform is an essential part of your cybersecurity program. Why wait? Reduce the likelihood of mishandled patient data by enabling automaic encryption for thousands of employees. Contact us today.

By: Michael Roberts, VP of Technology, Echoworx



[i] Cyber Security and Healthcare: An Evolving Understanding of Risk (Symantec)

[ii] Verizon’s 2019 Data Breach Investigations Report

[iii] https://www.cbc.ca/news/canada/nova-scotia/capital-health-privacy-breach-proposed-settlement-1.4858784

25 Sep 2019
communications control in healthcare organizations

Maintaining Control Over Sensitive Communications in Healthcare

The healthcare industry is becoming increasingly digital – from its adoption of Electronic Health Record (EHR) technology to various online medical appointment booking and prescription systems. And, since healthcare organizations use, send and receive so much personal and medical data, it’s essential that these digital transformation projects incorporate elements of privacy by design —including secure communications.

Here’s why it’s important to maintain control over secure communications and how healthcare organizations can do that.

What is communications control?

Communications control is about setting up a system that allows your organization to oversee, track and review all digital communications. This is typically done by setting up control policies and permissions and using appropriate tools.

Why is control of secure communications essential in healthcare organizations?

Communications control allows you to protect personal and medical data that you collect, use and share as part of business operations. While it’s easy to agree that protecting client data is the right thing to do, there are many more reasons to implement communications control at your organization.

Five reasons for implementing communications control in healthcare organizations:


  1. Clients expect privacy – An EHR includes the most personal details imaginable, from medication lists to medical conditions, and clients trust that you’ll keep this information private and secure.
  2. Bring-your-own-device (BYOD) and remote work culture – It’s now common for companies to allow employees to use their personal cell phones, tablets and laptops for work activities or to operate on company networks. When this happens, sensitive internal information has the potential to travel outside an organization’s digital perimeters —which presents a security risk. The increase in remote employees is one contributor to the popularity of BYOD.
  3. External threats – According to a recent Symantec report, 18 per cent of cybersecurity breaches happen in healthcare. The average cost for a ransomware incident is $76,000 and the average hacking breach costs $2.4M. That’s about 2.4 million reasons to maintain control over sensitive communications!
  4. Insider threats – It’s an uncomfortable truth that data breaches and cyberattacks are often caused by employees—mostly accidentally but sometimes with malicious intent. Learn more about how insider threats happen here.
  5. Client demand for digital solutions – According to McKinsey & Company, consumers prefer digital solutions for many healthcare activities including appointment scheduling, prescription refills, checking personal health information and paying health insurance bills.


The good news is that healthcare organizations can address all these factors with secure communication controls, a user-friendly encryption platform and creating a culture of security.

Five ways healthcare organizations can maintain control of their secure communications


  1. Encryption, encryption, encryptionEncryption is defined as “the process of converting information or data into a code, especially to prevent unauthorized access.” Communicating without encryption is like leaving your front door and filing cabinets unlocked and wide open.
  2. Set external communications policies (aka controls) – With so many modes of communication, it’s easier than ever for sensitive data to leave the safety of your corporate network, either intentionally or accidentally. Secure communications controls can help prevent this from happening. Examples of communications controls include preventing email forwarding, setting automatic encryption based on the type of email, keywords, phrases and attachments and enabling a single sign-on solution—to help ensure sensitive information stays protected.
  3. Set policies for inbound communications – While you can’t control what people send your organization, you can control how you receive it using preset inbound policies, such as automatic encryption. For example, with Echoworx’s OneWorld encryption platform, emails with sensitive information—including protected health information (PHI)—are automatically identified, securely routed to the OneWorld web portal and encrypted. Encrypted delivery methods include TLS encryption, encrypted PDFs and attachments, certificate encryption and web portal encryption.
  4. Enable reporting and monitoring – While you don’t want to set up a “Big Brother” environment, it’s important to be able to identify and investigate irregular communications. For example, you should be able to see who sent any email you’re reviewing, when it was sent and whether it was opened or not. Learn more about taking pre-emptive measures to reduce internal cyber vulnerabilities here.
  5. Act on irregularities – A proper system allows you to act as soon as you identify suspicious communication behaviour. You should be able to modify user permissions, recall messages and revoke access to encrypted messages (even ones that have left your network).


At Echoworx, encryption is all we do. We’re proud to help healthcare organizations take control of their communications and protect their sensitive data with a user-friendly encryption solution that has a demonstrated return on investment. The Forrester Total Economic Impact™ study revealed that organizations that adopt Echoworx’s OneWorld encryption platform can expect a return on investment of 155 per cent, a payback period of seven months and the unquantified benefits that come with enhanced customer experience and reduced downtime.

Get the full Forrester Total Economic Impact™ study of OneWorld now.

By: Steve Davis, Director of Products, Echoworx


13 Sep 2019
encryption for group collaboration

Mum’s the Word: Encryption for Group Collaboration

The digital world has opened the seas of technology and revolutionized the way in which we conduct business and serve customers. At the click of a mouse we may apply for mortgages, receive a bank loan or read financial statements. The flow of information has never been more streamlined and customer-centric than it is today.

But what happens when the trappings of contemporary technology outpace our ability to control it?

While your customers embrace the instantaneous nature offered by digital communications, a whole minefield of international privacy regulations, like the EU’s General Data Protection Regulation, demand data protection at every step of the way – privacy by design and privacy in practice.

For those operating in highly regulated business environments, like finance, banking or insurance, these contradictory market demands, dictating an excellent user experience with one hand but airtight algorithms with the other, can disrupt workflow, lead to delays and, ultimately, cause a loss in customer base. Not ideal.

Offering streamlined flexible encryption solutions are one puzzle piece of a greater solution. Without effective secure communication between your staff, their clients and their customers, your organization risks being cut off from the digital world. Here are some ways you can leverage encryption to put your customers first and your brand at the forefront – without interrupting your frictionless collaborative work environment:

  1. Keeping secure communications secure

According to Echoworx data, 80 per cent of customers consider leaving a brand after a breach. Despite this, 69 per cent of customers do not think organizations do enough to protect their data. In a nutshell: You cannot afford to have bad data practices when it comes to exchanging personal data of your customers – even internally.

With five flexible secure methods to send encrypted messages, Echoworx’s OneWorld ensures no sensitive correspondence goes out in the clear. Depending where your colleagues are located, for example, they might favour a more mobile-friendly method of encrypted communication – like sending via secure web portal.

Learn more about OneWorld’s different secure delivery methods.

  1. Offering a consistent user experience

Do your employees work primarily via their mobile devices? Are TLS connections available with your clients? Do your encrypted messages need to be available at-rest for offline working environments? How tech-savvy are your users – both internal and external?

Questions like the above can help you determine an encryption solution which works for your organizational work environment. According to Echoworx research, over half of IT professionals and decision-makers value encryption technology as very important – and yet just 40 per cent say their organizations employ data privacy technology extensively. These figures suggest their current cybersecurity solutions are not applicable to their encryption needs or perhaps offer a poor user experience.

With OneWorld you can make encryption your path of least resistance for your organization. With multiple flexible ways in which to send an encrypted message, and different ways to read and interact with it, you can streamline your collaborative workflow regardless of where users are located.

Learn more about choosing an encryption delivery method which works.

  1. Faster turnaround on important documents

From onboarding a new client to putting something out for deadline, the business world doesn’t forgive cumbersome time-consuming processes. If an important document takes too long, the process is confusing or a deadline is missed, you might lose a customer or, at the very least, make a bad digital impression. The right type of secure document delivery can eliminate these types of snags in favour of a frictionless business process.

In addition to its other flexible delivery methods, OneWorld features the ability to append password-protected encrypted attachments to otherwise normal digital correspondences. This not only allows users to work on a document in its native format, but also eliminates the need for an entire messages to be encrypted. This can improve turnaround on important sensitive documents and streamline collaborative working environments as digital messages can be exchanged in real time.

Learn more about our other secure encryption delivery methods.

  1. Stay compliant, avoid the fines

At the end of the day, the whole point of adopting an encryption strategy is to beef up cyber-defences and avoid costly non-compliance fines. If your organization does not offer a flexible, frictionless and seamless encryption experience, your customers and clients won’t like it and your employees won’t use it. For a collaborative work environment, this presents considerable internal risk for even the most mundane day-to-day workflow.

Learn more about choosing an encryption method which works.

  1. Natural extensions to existing email infrastructure

Our OneWorld encryption platform works seamlessly with existing email infrastructure, like Microsoft Office 365, to offer additional secure delivery methods. These additional options for sending encrypted communications perfectly compliment Office 365 to take your encryption strategy to the next level. From OneWorld’s ability to brand encrypted messages to something as simple, and useful, as being able to track message progress via detailed reports to additional password options, OneWorld helps your organization enhance user experience, add more security and increase work productivity.

Learn more about OneWorld’s natural extensions for OME.

By Michael Roberts, VP Technology at Echoworx

10 Sep 2019

The Risks of Cloud Computing

Cloud computing brings many benefits to enterprise-level organizations but it’s not risk-free. Here’s a quick primer of what cloud computing is, the risks involved and how organizations can minimize the risks of cloud computing.

What is cloud computing?

Simply put: Cloud computing is moving your computing service to the internet using a third-party provider. There are three options: infrastructure, platform and software as a service. The infrastructure option means your organization has the servers onsite, but your provider manages your network virtually. A platform as a service provides infrastructure tools for development that you don’t manage yourself and software as a service (SaaS) is software managed externally. With SaaS, you employ a team of third-party experts to run and manage the solution instead of building in-house. SaaS examples include Echoworx’s OneWorld encryption solution, Office 365 or Salesforce.

The benefits of cloud computing

Using a cloud service lets you rely on your service provider to protect your data from breaches and gives you global access to your data through the internet. Many organizations use cloud computing because they don’t have the expertise to manage the risks and ongoing vulnerability mitigations and resolutions associated with local storage and security.

According to a recent EY Global Information Security Survey, only 8 per cent of organizations have information security functions that fully meet their needs. This same report indicates that 52 per cent of organizations are prioritizing cloud computing for their cybersecurity spending this year.

What are the risks of uploading to the cloud?

There’s a financial risk to uploading data to the cloud when it comes to privacy regulations and breach outcomes. For example, under the General Data Protection Regulation (GDPR), fines for exposing citizen data are hefty—up to €20M or4 per cent of your annual revenue! If your company exposes credit card or other personal information, your entire business could be at risk due to lost consumer trust.

How has the cloud evolved?

Initially, when untested cloud services emerged on the scene, many organizations continued to retain their computer service in-house over security concerns. But, over the last decade, cloud services have evolved into proven and secure platforms – providing effective protection for sensitive data.

Organizations are now comfortable with the cloud infrastructure from a security perspective because certified cloud providers treat data with integrity through privacy, data access controls and auditing.

How can an organization insulate itself from cloud risks?

Although cloud security mostly depends on your service provider, you can minimize risk in two ways. First, select a cloud service which provides management and risk management for you. Make sure any cloud service is audited and certified – with certifications like SOC2 and PCI.

The second way to minimize risk comes from within your organization. You need experts that understand cloud solution architecture and risk management processes and procedures. These experts can help you understand the risk and protect your organization by choosing the right cloud service provider. They can also help you understand whether your cloud computing investment has ROI potential. For example, a recent Forrester Total Economic Impact™ study, revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with $793K in avoided costs of legacy on-premises solutions. Get the full Forrester Total Economic Impact™ study of OneWorld now.

By: Alex Loo, VP Operations, Echoworx


09 Sep 2019
Capital One Breach

A Lesson in Cybersecurity Simplicity from the Capital One Breach

The lesson from the recent Capital One data breach can be summed up with the KISS principle. Simplicity is hard to beat, even in cybersecurity. Let’s look at why this breach happened and what organizations can do to shore up their cybersecurity defenses with seemingly simple solutions.

Peeking behind the Capital One headlines

The headlines about the Capital One data breach emphasize impact: more than six million Canadians were compromised in this data breach. Over a million Social Insurance Numbers (SIN) were exposed. Victims can receive free credit monitoring and identity theft insurance to reduce the sting of their private information being stolen from their trusted provider.

This is scary stuff, but the most chilling part of the story isn’t even covered in some of these reports: The data was breached due to a vulnerability caused by a misconfigured server. Those two words—misconfigured server—left chief technology officers and chief information security officers around the globe trembling. Server configuration is part of the basic line of defense in cybersecurity.

The lesson from Capital One is about simplicity. Good cybersecurity hygiene matters and it’s the first and best defense against data security breaches. To manage this ongoing and increasing threat, enterprise-level organizations must get serious about mastering the basics.

Getting back to basics: 5 simple ways to boost cybersecurity in your organization


  1. Resource your IT department appropriately – According to the EY Global Information Security Survey,[i] 87 per cent of organizations don’t have enough money in their IT budgets to fund the cybersecurity and resiliency programs they want to implement. And, as we saw with Capital One, missing a basic security protocol can lead to costly and embarrassing outcomes. Dr. Ann Cavoukian, Executive Director of the Privacy by Design Centre for Excellence, told the CBC, “Companies are simply under-resourced. They’re not devoting the resources required for strong security.”[1] Having enough properly trained IT resources means your team can dedicate time to testing and uncovering vulnerabilities and mistakes before it’s too late.


  1. Encrypt your data – Encryption protects private data in transit (such as in email and other communications) and at rest (on your network). It’s important to have a scalable encryption solution that offers multiple delivery options, is easy for employees and clients to use, lets users recall encrypted messages even after they’re opened and is easily integrated with solutions you already use, such as Office 365. In a recent Echoworx survey, 53 per cent of the IT professionals and decision-makers surveyed said encryption technology was very important or critical to their organizations. And yet, only 40 per cent of respondents said their organizations are using data privacy technology extensively. Again, here’s where simplicity triumphs: an encryption solution can only be effective when it’s used.


There are also financial incentives for using encryption. A recent Forrester Total Economic Impact™ study, revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits.

Get the full Forrester Total Economic Impact™ study of OneWorld now.


  1. Know your risks and assets – Cybersecurity efforts are more effective when they’re based on a strategic framework, instead of piecemeal solutions. It’s important to identify (and address) risks such as outdated security protocols, data protection, careless employee behaviour, identity and access management, etc. Identifying key assets and data—and increasing security around them—is another essential part of a strategic cybersecurity infrastructure. Increase support for cybersecurity initiatives by helping your board of directors understand the real risks companies face with inadequate cybersecurity programs and resources.


  1. Use a privacy by design approach – With so many organizations pursuing digital transformation, there’s a perceived need for speed. What’s even more essential is building privacy and data protection into new digital programs and processes. Frédéric Virmont, a cybersecurity industry expert, says, “Security is like quality; it must be from the beginning to the end of the life cycle. If you wait until the end of the product, it’s too late. Once the house is built, it’s too late to add emergency exits.”

Learn more about mitigating internal vulnerabilities.


  1. Train your staff on cybersecurity – A recent PwC reportfound that 32 per cent of respondents consider insider threats more costly and damaging than external incidents. Insider threats can be accidental or intentional, so education and proper security protocols are the first line of defense against them. Educate employees about the importance of using security programs and processes and how to identify and report suspicious incidents. And by choosing effective cybersecurity platforms –encryption for example—that are also easy to use, you make data protection the path of least resistance. Cybercrime, including social engineering and spear phishing, is more sophisticated than ever; wise companies create informed workforces capable of identifying these cyber threats.


With the average cost of data breaches at $141 per breached record (and more than double that for healthcare organizations),[ii] isn’t it time for organizations to keep it simple and master the basics of cybersecurity?

By: Brian Au, IT Specialist, Echoworx



[1] https://www.cbc.ca/news/business/capital-one-data-breach-1.5232952

[i] https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/advisory/GISS-2018-19-low-res.pdf

[ii] https://www.ibm.com/downloads/cas/ZYKLN2E3


25 Jul 2019
Compliance challenges inside and outside of marketing departments are real

Communications Compliance: Why is it Important for Your Marketing Compliance Plan?

Corporate communications, including marketing communications, are subject to enough external regulations and internal controls to make even the most unflappable CCO shudder. Here, we’ll talk about what communications compliance is, the challenges surrounding it and why encryption is now a marketing compliance solution.

What is communications compliance?

Communications compliance is simply ensuring all internal and external communications, including social media postings, meet legal and regulatory standards that govern your industry. These standards are to protect client information and ensure your communications don’t mislead consumers. This is easy to say but gets complicated quickly due to the number of standards your communications must comply with.

For example, regulations and governing bodies that affect corporate communications include:

  • The General Data Protection Regulation (GDPR).
  • The Payment Card Industry Data Security Standard (PCI-DSS).
  • The Financial Industry Regulatory Authority (FINRA).
  • The Securities and Exchange Commission (SEC).
  • The Investment Industry Regulatory Organization of Canada (IIROC).
  • The Markets in Financial Instruments Directive (MiFID II).
  • The Health Insurance Portability and Accountability Act (HIPAA).
  • The Sarbanes-Oxley Act (SOX).


And the following bodies also have additional guidelines for social media postings:

  • The Food and Drug Administration (FDA).
  • The Federal Financial Institutions Examination Council (FFIEC).
  • The Federal Trade Commission (FTC).
  • The American Bankers Association (ABA).
  • FINRA and SEC, as above.


In social media compliance circles, we’re seeing discussion around professionals who inadvertently violate regulatory agreements on social media. For example, in some jurisdictions, a real estate agent who tweets another agent’s listing may be out of compliance because that tweet suggests an inconsistency with an exclusive-representation agreement. Whatever industry you’re in, you must address compliance issues, and this takes extra diligence in heavily regulated industries like financial services and healthcare.

What are the challenges of communications compliance?

The challenges of communications compliance include:

  • Compliance is a moving target – With multiple regulatory bodies and guidelines to incorporate, plus the expanding role of compliance management professionals, compliance is continually evolving which makes staying ahead of the game difficult.


  • Audit requirements – It’s essential that your company can audit your electronic communications which means original copies must be stored properly for the right amount of time. On the other hand, this “paper trail” also highlights any compliance violations which puts you at risk for fines and even class action lawsuits. For example, there’s a class action lawsuit against Bell Canada for its Relevant Advertising Program (RAP) that tracked customer activity to build profiles for third-party advertisers.


  • So many communications! – Add marketing messages to customer and vendor communications and it’s easy to get overwhelmed by the sheer number of messages that leave your organization each year. Plus, with different types of messages requiring different approaches and protection, compliance gets complicated—especially if the right staff aren’t aware of the regulatory rules.


  • Solutions reside across multiple business units – Compliance doesn’t belong to the compliance office; instead it resides across the entire business which can make governance more difficult and complex. For example, we see more marketing teams pursuing encryptions solutions for compliance—even though encryption is historically under IT’s purview.


Why compliance matters in marketing

Marketing is on the frontline of consumer protection. Compliance in marketing governs how businesses communicate with clients and prospects, protects personal data from misuse and ensures the principle of honesty in advertising is upheld.

Compliance challenges inside and outside of marketing departments are real, but organizations that address them holistically and consistently stay on the right side of regulations. One piece of the compliance equation is encryption.

Four reasons encryption is a marketing compliance solution:


  1. Data security – Encryption protects personal information used in marketing communications while it’s in transit to and from your customers and partners and while it’s stored on your own network. For example, PCI DIS requires that emails containing cardholder data are encrypted during transmission and protected in storage. This means that sensitive or personal information such as credit card numbers can only be saved on your network if they’re encrypted.


  1. Secure bulk delivery – Sending mass personalized communications securely is essential in many industries including insurance, government and healthcare. For example, if there’s a proposal for natural gas drilling in a specific area, a government might need to send a personalized message about this sensitive topic to all citizens residing in that geographical area. Our Secure Bulk Mail (SBM) delivery method makes this possible.Learn more about SBM.


  1. Digital trust – In digital customer relationships, trust is easy to get but nearly impossible to get back once it’s been lost. Using encryption to secure your client communications protects clients and shows them your organization takes their privacy and security seriously. With our OneWorld encryption platform, you can set language policies or branding attributes to automatically apply to encrypted communications based on sender, brand, locale and receiver attributes which creates a consistent and trustworthy user-experience.Learn more about building digital trust using encryption.


  1. Positive return on investment – Encryption is a compliance tool that saves organizations money. For example, a recent Forrester Total Economic Impact™ study, revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits and a payback period of seven months. Get the full Forrester Total Economic Impact™ study of OneWorld now.


Whether you’re a marketing, IT or compliance professional, encryption can help your organization reduce compliance risks while protecting personal information and securing customer trust. So why wait to integrate encryption into your communications compliance strategy?

By Neyson Lins, Campaign Manager at Echoworx

18 Jul 2019
Accountants play a role in cybersecurity

Integrating Cybersecurity with Business Strategy

A common problem faced by a growing number of organizations is how to seamlessly integrate cybersecurity into their overall business strategy. As industry and commerce prepare for the next level of cyber-attacks, businesses are increasingly looking to finance professionals for help in developing risk-mitigating cybersecurity strategies that align with the organization’s mission and vision.

Identifying cyber-vulnerabilities starts with getting to know your intangibles

How well do you know your intangibles? This on the face of it seems like a strange question to be putting to an accountant, but it is a very real issue. Intangibles in the accounting world have been grouped as a separate asset class, a kind of catch all for anything that meets the asset definition (a resource that a company controls, and which is expected to produce a future economic benefit), but is not physical in nature.  Traditionally, accounting practices only record what things cost, or the resale value if possible. But, based on the difference between reported book and stock values, intangible assets now make up between 60 to 80 per cent of global corporate worth.

The lack of clear definition in identifying the business’s intangible strategic assets, and more importantly the difficulty in assigning an appropriate monetary value to the intangibles, such as intellectual property, internal software upgrades, staff and managerial expertise, customer data insights to name a few, has left organizations exposed to cyber threats, if you haven’t identified the intangible as a strategic asset, then why would you spend resources protecting it. Every business will have its own nuanced set of strategic intangibles. It is predominately these intangibles that a cyber security investment will be safeguarding. Not identifying your intangibles, or not knowing the real value of the intangibles to an organization makes it less likely that an appropriate cyber security defense strategy will be put in place to protect these intangibles.  So, get to know all your intangibles!

The second fundamental challenge deals with the ambiguous complexity of cyber threats and understanding the nuances of the different types of current cyber threats posed to their strategic intangible assets. Threats come in all forms and sizes, and not being cognizant on what the current threat landscape looks like in their own industry sector is extremely risky. The goal should not be to create a strategy to overcome a security crisis, although in too many instances it requires a breach for a company to initiate an action. Rather, the goal should be to have a cohesive integrated cyber strategy that protects against current threats and has the flexibility to adapt to future threats.

Understand the underlying prevalent cyber threats that reside in your industry.

Accountants play a role in cybersecurity

Accounting and finance professionals are uniquely placed to help a business develop an appropriate cybersecurity strategy.  Finance teams, with their knowledge of an organization’s intangible strategic assets, and expertise in implementing risk management strategies, are well-equipped to identify cyber vulnerabilities, and accountants can be pivotal in closing any security gaps by exploring, evaluating and implementing better tailored security solutions.

There is most definitely not a one-size-fits-all solution when it comes to cybersecurity. In fact, it is very unlikely you find any two large enterprise organizations having similar solutions. Even strategic business units within the same organization often have very different security programs.  By thoroughly knowing your intangibles and being versed on the ambiguous complexity of the cyber threats, coupled with knowledge of risk management techniques, accountants can take a leadership role in delivering effective and efficient cyber security strategies. The cyber security strategy within an organization ultimately becomes a competitive advantage to that organization in its own right.

Understanding total economic impact of cybersecurity

Forrester Research recently published a study identifying the challenges of choosing an email encryption solution for enterprise-level organizations – where, without the right support and processes, running an encryption platform became an onerous activity.

The study, entitled “The Total Economic Impact of Echoworx OneWorld Encryption,” is written in a style and language that will be familiar to finance professionals. Both quantified and unquantified benefits of the solution are identified, and the analysis is presented in the form of a post audit investment appraisal using techniques like ROI, NPV and payback.

I recommend CPAs read this report because it demonstrates the holistic view that needs to be considered when undertaking a strategic cybersecurity investment.

See the full Forrester TEI study here.

Finance Director, Echoworx Corporation

10 Jul 2019
presenting to the board

Is Your Company Board of Directors On-Board with Cybersecurity?

Cybersecurity is no longer just an IT issue. Cybersecurity is no longer measured by who has a taller firewall. Cybersecurity is no longer an out-of-the-box one-size-fits-all installable solution. Instead, cybersecurity is now a complex mosaic of solutions, ideas and mindsets which permeates throughout the entire organizational structure of a company – from warehouse to boardroom.

So, at the end of the day, who is responsible for instigating organization-wide cybersecurity initiatives?

While C-suite executives, from CEO to CISO, might be responsible for spurring action toward shoring cyber-defences, an IT department is generally responsible for the implementation and maintenance of new security solutions with existing infrastructure. But, at the end of the day, it is the organizational board of directors who need to be won over. This carefully selected group of individuals, chosen to reflect the interests of company stakeholders in overseeing organizational management, are who even a CEO must answer to – including on issues concerning budget.

For a CISO intent on spending more on cybersecurity solutions, convincing their board of directors can be difficult. And, due to the intangible nature of cybersecurity, with no visible physical benefits, at least initially, emphasizing the importance of investing in said technology is paramount.

Here are some simple probing informational conversations you need to have to convince your board of directors to pay attention to cybersecurity solutions:

  1. How much does your board of directors know about cybersecurity?

Before you launch into the meat and potatoes of your cybersecurity proposal, you need to gage how deep the knowledge base of your board of directors is when comes to this subject matter. Unless they have clear backgrounds in technology or security, it is unlikely they have a deep understanding of how exactly cybersecurity works.

You need to explain what cybersecurity is, in layman’s terms, why it is important and why cybersecurity is no longer just an IT problem – but rather one of organization-wide significance. You might consider throwing out some statistics regarding the negative impact of a data breach – like last year’s massive data breach affecting the healthcare system of the Canadian province of Ontario, for example, which saw the theft of 80,000 unencrypted electronic health records.

Learn about making a business case for encryption here.

  1. How accountable is your board of directors for data protection?

When a data breach occurs within an organization, its devasting effects are felt company-wide – including at the board-level. Aside from the potential for soul-crushing fines from regulatory bodies, like those dished out to violators of the EU’s General Data Protection Regulation (GDPR), for example, mishandling personal data hurts a brand as a whole – with Echoworx data showing 80 per cent of customers consider leaving a brand after a breach.

As the directors of organizational tack, brand reputation is a crucial focus for boards aiming for business success. Investing in cybersecurity solutions, like encryption for communications, is an important step to preserving brand – with some solutions, like encryption, even mandatory to conduct business in some parts of the world.

  1. Emphasizing the monetary advantages of cybersecurity investment

From regulatory fines to brand damage to just cleaning up the mess, data breaches can be like termites into an organization’s finances. Investing in cybersecurity solutions insulates your organization from the detrimental effects both before and after malicious cyber-events – and can even help save money in other supplementary categories.

Take our OneWorld encryption platform, for example. According to a recent Total Economic Impact™ study from Forrester Research, OneWorld shows a return on investment (ROI) of 155 per cent – and upwards of $2.7M in cost-mitigating benefits. These cost-mitigating benefits do not account for the hundreds of thousands (or even millions) of dollars saved by the risk-mitigating features of this flexible encryption platform – offering five different ways to communicate securely with your customer base.

Get the full TEI study of OneWorld by Forrester Research here.

  1. How important is digital trust?

Every business wants their customers to trust them – a trend which transcends the digital world. But gaining digital trust online is different from doing so at brick-and-mortar stores. Unlike their offline counterparts, where brand trust is gained over years (and even generations), digital trust is fairly easy to get. But digital trust is even easier to lose – and impossible to get back.

So a board of directors needs to understand the brand value of protecting customer data as a tool for building digital trust. Nobody wants to work with a company which doesn’t protect their data. And cybersecurity investment is an excellent marketing tool for reassuring customers that your brand does. In today’s customer-centric world, with so many other options online, you simply can’t afford not to put your customers first – and your board needs to understand that.

Learn more about building digital trust with encryption.

By Michael Roberts, VP Technology at Echoworx