Category: Cybersecurity

25 Oct 2018
Moving PGP to the cloud

Moving Your PGP to the Cloud? Here’s What You Need to Know

Is PGP encryption part of your secure messaging strategy? Are you currently hosting this system on-premise? Ever thought about moving your PGP email encryption to the cloud? It may sound daunting, but, with the right tools and services, moving to the cloud is an investment to consider for you and your customers.

An on-premise PGP system is resource intensive, and requires software installed on your workstation and servers. The demand on your IT department can be considerable – migrating it to the cloud can take a lot of strain off your staff.

Here are a few points to consider if you are thinking of making the move:

Email encryption should be more than just adequate

We have a responsibility to protect the sensitive messages that we send, and we need to do it in a way that doesn’t get in the way of doing business.

An effective email encryption solution has five main qualities:

  • It is easy to implement
  • It can scale to keep up with growing demands and sudden bursts in email volumes
  • It is feature rich, standards-based and current, supporting encryption technologies widely used today
  • It is jurisdictionally aware, so messages sent from the EU, for example, aren’t stored in or sent through the U.S. or other jurisdictions which might compromise compliance with GDPR rules
  • It is operated securely by a trusted vendor which is dedicated to security

Legacy systems shouldn’t stop you moving to the cloud

Moving an on-premise PGP system to the cloud is not only possible; these legacy systems can actually be migrated without disruption, a critical business consideration if your organization sends large numbers of secure messages daily. And you gain access to additional secure delivery methods, like the ability to send messages via web portal, and additional features, like the ability to custom brand encrypted messages.

Key management without the management

According to the thirteenth encryption study commissioned by Thales from the Ponemon Institute, key management continues to be a major pain-point for 57 per cent of organizations. And many of these organizations report they continue to manage their key process manually. This is not a new stat. In fact, key management has remained a consistent pain-point year over year! Moving to the cloud allows you to simplify your key management process – and automate it.

Why use Security as a Service?

In today’s climate, businesses must scale quickly to meet ever-changing demands. Security threats are always evolving, and technology continues to transform at a rapid pace. New developments such as mobile computing, the Internet of Things, Software as a Service and Infrastructure as a Service are leading to fundamental changes in the way businesses operate.

Working with a cloud Security as a Service provider can bring many benefits. Sheila Jordan, CIO at Symantec, for example, points out that while IT and technology investments can be used to operate and grow a company, the list of tasks to be performed will always be greater than the resources and funds available. IT is often seen as an easy place to cut costs, and in response, CIOs “must prioritize the demands that most directly affect the profitability and financial goals of the company.” CIOs are responsible not only for protecting data, but also for helping companies use that data to generate actionable insights. Moving to the cloud lets organizations track and report in real time.[1]

Thinking about Security as a Service? Here are some questions to consider:

  • What is your risk profile?
  • Is there a specific crisis you’re responding to?
  • Do you have a clear plan in place?

 

Once the decision to move to the cloud has been made, choose your vendor carefully. Don’t look for a single point solution: if you do, you might find that the solution you’ve chosen has quickly become obsolete or is not the sole focus of a bigger product. Look to your new partner to educate and train your teams and guide your company through the process. Most importantly, get to know the team you’ll be working with, as good relationships can make the difference when dealing with a crisis.

Sheila Jordan from Symantec puts it best: “When you work with a partner that understands your business and where you are headed, they can offer global support and solutions that will grow with your organization. The right partners will always be customer-focused, doing everything in their power to drive your company forward.”

See how easy it is to migrate your PGP to the cloud.

By Christian Peel, VP Engineering, Echoworx

———

[1] Sheila Jordan, “Security as a Service,” in Canadian Cybersecurity 2018: An Anthology of CIO/CISO Enterprise-Level Perspectives, ed. Ajay K. Sood (Toronto: CLX Forum, 2018), 23-45.

27 Sep 2018
cybersecurity audits

Why Are Cybersecurity Audits Important?

The cybersecurity environment is changing. Rates of malicious email and malware continue to rise, and new threats are emerging. Meanwhile, ransomware attacks have become so common that targeted attack groups are now using them as decoys to provide cover for more serious forms of attack.

In a sea of constantly-evolving cyber threats, can your company stay afloat?

If you think a firewall is all you need to consider when assessing the cybersecurity of your digital perimeter – probably not. After all, cyber attacks are now a question of when, not if, and no one solution is going to solve all the problems. This is where having a second opinion can go a long way in understanding the contemporary cybersecurity landscape of threats, available defenses, third-party risk and new regulations.

Enter the cybersecurity audit.

Why conduct cybersecurity audits?

Cybersecurity is a complex web of systems and processes that must evolve in response to threats. And third-party cybersecurity audits help bring clarity and insight. In some organizations, there may be a lack of awareness of how often security policies should be reviewed, and why. IT departments may not have the tools they need to ensure systems are secure. Worse, they might not realize this! And even when cybersecurity is a key element of organizational culture, focus on business scorecards and metrics can keep attention on the past, on threats already faced. Instead, companies must look to the future, to anticipate the threats that have not yet emerged – taking the proactive cybersecurity measures of privacy by design.

How will cybersecurity audits help you?

There are four main reasons why your company will benefit from cybersecurity audits.

  1. They provide knowledge and validation. Audit providers have extensive experience and offer best practices to strengthen company programs. Auditors have training in new regulations (such as the GDPR). They can ensure systems and processes meet current regulatory standards. Auditors can also flag potential issues and suggest improvements.
  2. They offer neutral and objective evaluations of programs. Objective assessments also provide the best picture of how attractive a company might be to hackers.
  3. Third party audits can be more accurate. Because auditors are not directly associated with the company, they may have a more precise view of the entire organizational structure, including BYOD and mobile devices that might not be an official part of an organization’s workflow.
  4. They help validate your privacy policies to prospective third-party partners. And vice-versa.

What does a cybersecurity audit look for?

Assessment of cybersecurity requires specific technical skills. Auditors must examine server configurations, conduct penetration testing and review security event management rule sets.[1] Not every IT department has individuals with the skills and knowledge to perform these tasks.

In addition, there are complex regulations regarding data protections and privacy, and your organization must follow these regulations in every jurisdiction in which it does business. The recently-passed GDPR, for example, requires that data breaches involving data from EU residents be publicly disclosed within 72 hours. Will your company recognize that such a breach has occurred? How well does your company keep personally identifiable information (PII) secure? Your company collects data – is it accessible to your partners, suppliers, or customers? Do your contracts specify how vendors and distributors will handle this data? Do these organizations have systems in place to keep your data secure?

Why are cybersecurity audits important?

A recent PWC report says 87 per cent of global CEOs believe investing in cybersecurity is important for building trust with customers. Yet less than half of businesses worldwide are conducting audits of the third-parties which handle their collected personal data. In other words, there is a 54 per cent chance an organization collecting personal data is not sure whether this data is being adequately protected – despite their CEOs expressing the importance of doing so.

If a company believes in protecting personal data, or, at the very least, wants to avoid an expensive data breach, they must do their due diligence when choosing third-party providers. This is why conducting cybersecurity audits is so important. An organization needs to know where and how their data is stored because, at the end of the day, any organization which collects personal data is ultimately responsible for any data protection claims – claims which transfer to third-parties.

We practice what we preach!

At Echoworx, we breathe encryption and work every day to help enterprise organizations protect their sensitive data in transit. It only makes sense that we’d invest in the highest levels of cybersecurity. That’s why our entire organization, top to bottom, is scrutinized by third-party auditors regularly to ensure airtight data protection – and we’re proud of our SOC2 and Web Trust certifications!

See our cybersecurity qualifications for yourself!

By Alex Loo, VP of Operations, Echoworx

———

[1] http://www.isaca.org/Knowledge-Center/Research/Documents/Auditing-Cyber-Security_whp_eng_0217.pdf?regnum=463832

14 Sep 2018
Is your business vulnerable to cybersecurity threats?

Is Your Business Vulnerable to Cybersecurity Threats?

In 2017, Deloitte was ranked the best cybersecurity consultant in the world for the fifth year in a row. But later that year, news emerged that Deloitte itself was the victim of an ongoing hack that had lasted nearly a full year.[1]

How could this dramatic reversal have happened so quickly?

Any enterprise is vulnerable to cyberattack. The bigger the company, the bigger the target. For most companies it’s only a matter of time.

Hackers aim to steal sensitive data such as corporate secrets, personal data and intellectual property. Hackers also launch sabotage attacks. The financial damage to the global economy exceeds $575 billion annually—more than the GDP of many countries.

How vulnerable is your business?

Cybersecurity = constant vigilance

Here are some cybersecurity vulnerabilities to watch for:

  • Security misconfiguration. This is the most common and dangerous flaw because it relies on exploiting some simple computing errors, such as running outdated software, using factory default settings and passwords, and using default accounts.
  • Buffer overflows. When an application attempts to put more data into a buffer than it can hold, the buffer overflows. This can let an attacker overwrite memory blocks to corrupt data, crash programs, or install malicious code. These attacks are common and hard to uncover, but are also more difficult to exploit than an injection vulnerability attack.
  • Sensitive data exposure. This refers to any instance of a hacker gaining access to sensitive data, either directly from a system, or as it is in transit between a user and a server. The most direct flaw that can be exploited is a lack of encryption, or encryption that is compromised by weak passwords or lack of multi-factor authentication. Every organization that manages sensitive data may be vulnerable to this type of attack.
  • Broken authentication and session management. Exposed accounts, passwords, or session IDs represent leaks or flaws in authentication procedures. Hackers use these to take over accounts and impersonate legitimate users.
  • Outdated security software or infrastructure. Older equipment doesn’t readily support modern applications, and it isn’t easily protected against current threats.

 

The threat from hackers is only growing as sophisticated techniques become more widespread. The most recent breach level report shows that an average of over seven million records were lost or stolen every day in 2017 – that’s 82 records a second! And of these hundreds of millions of cybersecurity incidents, only four per cent are considered ‘secure breaches,’ meaning the data stolen was protected with encryption. Over a quarter of these breaches occurred in healthcare.

The newest form of cyberattack is crypto-jacking. Also known as coin-mining, this is the unauthorized use of computers to mine cryptocurrency. Hackers plant code on a target computer using malicious links in emails or infected websites. Symantec reports that coin-mining activity increased by 34,000% during 2017, and that detection of coin miners increased by 8,500%. At the end of 2017 coin-mining activity was also detected on mobile devices, and it will likely grow in this space as well.

Defending your business

While no system is 100% safe from attack, strong encryption is an effective defense tool against hacking.

Keep these tips in mind:

  • Encrypt all sensitive information that hackers or cybercriminals could access.
  • Keep login credentials confidential and protected with passwords.
  • Use multi-factor authentication whenever possible.
  • Practice strong password hashing.


We use the cloud. That’s safe, right?

Cloud computing doesn’t protect you from risk. As Sandra Liepkalns, CISO at LoyaltyOne, points out, data still must be stored physically, and “the cloud” just means that you’re using off-site servers. Do you know where those servers are? If your servers are in the United States, do they have the proper credentials to handle GDPR-protected information from Europe? And what about physical threats? Are the servers located in areas prone to flooding or forest fires? What about hurricanes? Or earthquakes?

At the end of the day, every organization is responsible for protecting customer data. After all, it’s not a matter of if your organization will be breached, but when. Don’t be caught unprepared! Minimize the risks and make security integral to all your systems and processes.

By Randy Yu, Manager of Deployment at Echoworx

———–

[1] https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails

25 Jan 2018

How bad is bad? Mexico’s threat landscape

Mexico is one of the fastest growing economies in the world, focused on employing technology to spur businesses forward. But this dependency on technology comes with a dark side – businesses are significantly more vulnerable to cyber threats and data breaches.

Mexico has been attracting the attention of malicious cyber threat actors. The attraction is largely thanks to its growing regional and global geo-strategic significance, coupled with the nation’s increasing economic and financial wealth.

According to recent studies, Mexican organizations are facing similar threats to those operating in the world’s most developed economies. Mexico ranks second in Latin America – just behind Brazil – for the most cyberattacks, with the banking, retail, and telecommunications sectors targeted most.

Serious time of reckoning

The occurrence of cybercriminal activity in Mexico, the diversity of financial institutions, and the sector’s growing capital value are all targeting factors. Criminal groups, clearly capable, besieged the Mexican financial sector by compromising ATMs and defrauding bank customers on a significant scale. Less sophisticated attacks, such as the use of banking Trojans, ransomware, and POS malware, are widespread and pose a significant threat.

Key vulnerabilities observed in Mexico’s cyber landscape are a lack of a cybersecurity culture, old-fashioned system configurations, and obsolete versions of software applications. The right to privacy along with protection of personal information for both individuals and corporations is an extremely relevant issue for international organizations and the public sector. If cybersecurity is not strengthened, more businesses in Mexico will become exposed.

If Mexico wants to be a pioneer of data rights, the new infrastructure must effectively adapt to changes in the way information is transmitted around the world, and it must comply not just with national and regional directives, but with international protection of information practices.

The question arises

Is your business at a crossroads? Shoulder the costs of increasing defenses or become increasingly susceptible to the risk of attacks!

The sound choice would be to migrate towards a proactive model that incorporates security checkpoints, as opposed to a reactive model. Having the right security measures in place could prove to be a differentiator in edging out competitors.

A positive drift

According to PwC Mexico, “91% of Mexican companies have prioritized cybersecurity in their organizations and Mexico is the country with the most investment in cybersecurity in Latin America.” The financial sector has led the way in this area, followed by telecommunications, both of which are Mexico’s most globalized economic sectors.

Here is where the Government of Mexico should work closely in conjunction with private firms. Furthering research on the issue of data protection would be mutually beneficial, keeping the focus on creating a sustainable and securely growing economy.

Echoworx has responded to Mexico’s data security demands by setting up our advanced encryption platform OneWorld within a local data center near Mexico City. This expansion has been fueled by the increasing demand from multinational enterprises operating in Mexico to process and protect their sensitive information locally.

With our agile email encryption platform, it’s easier than ever for organizations to be compliant, maintain brand reputation, build customer trust, and gain a competitive edge – while maximizing the protection of their confidential communications, intellectual property, and other sensitive data.

Mexico is touted to be among the global leaders in digital transactions, and with security being of paramount concern, safeguarding communications must be a top priority. As a leader in email encryption, Echoworx is focused on strengthening cybersecurity by collaborating with various equally passionate stakeholders to safeguard the collaboration and communication of sensitive information throughout Mexico.

Let’s connect
Our team will be at InfoSecurity Mexico at the Centro Citibanamex in Mexico this May. If you plan to be in town, you’ll find the Echoworx team in booth #209. We will be presenting real use cases of how organizations are gaining value by integrating encryption into their business processes, while securing communications. Stop by, join us for a chat!

By Christian Peel, VP Customer Engineering, Echoworx

05 Jan 2018

Spectre and Meltdown attacks, think the sky is falling?

Like most companies, Echoworx is aware of the recently announced vulnerabilities impacting most modern microprocessors. We wanted to take a minute to provide the following guidance on the Spectre and Meltdown attacks to ensure awareness of the issues and to inform you of the steps that Echoworx is taking to address them.

What are these attacks?

Spectre is actually two different vulnerabilities, and Meltdown is one. Both of these attacks exploit a feature of ‘modern’ microprocessors called ‘speculative execution’. Speculative execution is a technique of prefetching data and pre-executing instructions in case they are needed. Basically, if they are not needed, there are still remnants of the data in memory which can be read by other processes.

The Meltdown attack is the worse of the two in that it can reveal all of the computer’s memory, not just a few bits and pieces of it. Meltdown is also easier to exploit. Fortunately, Meltdown is also easier to patch against. Spectre, on the other hand, is harder to exploit and reveals less, but is harder to address through patches. There are patches out for specific known exploits.

What is affected by these attacks?

“Modern” isn’t so modern… at least not in computer terms. Basically any Intel processor built since about 1995 would be impacted. Intel, AMD, ARM processors and others are also impacted to varying extents. There are some reports that certain processors are not exposed to all of the vulnerabilities, but it is unclear if this is proven to be so, or just hasn’t been accomplished yet. It would be best to err on the side of caution.

What should you as an individual do on your personal devices?

You should always keep up to date with patches, and this case is no different. There are patches for Linux, Microsoft (Windows, Edge, IE), Apple (MacOS, iOS, tvOS, Safari), Android, Firefox, Chrome, and likely many other applications. Applying these will help to protect you.

You should also make sure that your Anti-Virus/Internet Security software is up to date. Microsoft has announced that their fixes might have compatibility issues with some anti-virus software. The patch for Windows will not install if you have an outdated AV or one that is incompatible. I would update the AV software first, and then apply the MS patch.

Be aware that some of the fixes to this issue could cause a performance impact. There are some pretty wild estimates of how bad of an impact there could be, but the vendors I have seen have so far reported minimal impacts. For example, Apple reports a maximum of 2.5% against 1 benchmark for these fixes.

By David Broad CISSP, Information Security and Audit Lead, Echoworx
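
Added example, not part of the original post and not Echoworx tooling: on Linux kernels that carry the fixes, the kernel reports its Meltdown and Spectre status under /sys/devices/system/cpu/vulnerabilities, a sysfs interface the post does not mention. The script below reads those files to confirm that patching actually took effect; the function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm Meltdown/Spectre mitigation status after patching.
# Assumption: a Linux kernel new enough to expose this sysfs directory.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map one kernel status line to a verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# Check the three issues the post describes (Meltdown and the two Spectre
# variants). Prints one line per issue and returns 1 if any of them is
# vulnerable, unrecognised, or not reported by the kernel at all.
check_mitigations() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$issue" ]; then
            line=$(head -n 1 "$dir/$issue")
            verdict=$(classify_status "$line")
        else
            # A missing file usually means the kernel predates the fixes.
            line="(not reported by this kernel)"
            verdict=UNREPORTED
        fi
        printf '%-11s %-12s %s\n' "$issue" "$verdict" "$line"
        case "$verdict" in
            MITIGATED|NOT_AFFECTED) ;;
            *) rc=1 ;;
        esac
    done
    return "$rc"
}

# Demo on constructed sample data (not captured from a real machine):
# Meltdown and Spectre v1 are mitigated, Spectre v2 is not yet.
demo() {
    sample=$(mktemp -d)
    echo 'Mitigation: PTI' > "$sample/meltdown"
    echo 'Mitigation: __user pointer sanitization' > "$sample/spectre_v1"
    echo 'Vulnerable: Minimal generic ASM retpoline' > "$sample/spectre_v2"
    check_mitigations "$sample" || echo "=> at least one issue still needs a patch"
    rm -rf "$sample"
}
demo
```

Calling check_mitigations with no argument reads the live sysfs directory instead of the sample.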

04 Oct 2017
Safe Communications

Is Your Company Practicing Safe … Relationships?

Thank you to all the media who helped us spread the important message of practicing safe communications! They didn’t have to. They had a choice of hundreds to cover but they chose our story. When Trust Matters – Security is Critical.

Getting Personal: In the News

Media Post | Oct 5, 2017
People Are More Likely To Share Info In Emails Than On Dates: Study

LittleThings | Oct 3, 2017
Study Shows That Americans Trust Computers With Personal Information More Than New People

MensHealth | Sept 28, 2017
You Probably Trust Your Computer Way More Than You Trust Your Girlfriend

EBL News | Sept 28, 2017
We trust the internet more than new lovers

Yahoo News | Sept 27, 2017
We Reveal More On Social Media Than On A Date

USA Today | Sept 27, 2017
We trust the internet more than new lovers

New York Post | Sept 26, 2017
Americans trust the internet more than new lovers

MSN | Sept 26, 2017
Americans trust the internet more than new lovers

InfoSecurity | Nov 28, 2016
What Role Does Privacy Play in Your Digital Transformation Strategy?

08 Sep 2017

Privacy by Design – or by Disaster?

Got any European business? If you do, the GDPR could trigger fines of 20 million euros against you after May 25, 2018, unless you’ve built the highest levels of privacy protections into your systems.

The General Data Protection Regulation (GDPR) protects individuals’ privacy and human rights, and comes into effect in May. It applies to EU-based companies, plus overseas companies doing business in the EU. The scope covers a broad range of personal data, for example, names, email addresses, social media, bank details or computer IP addresses.

For companies that don’t meet the GDPR, there are fines as high as 20 million euros or up to 4 percent of your annual worldwide profits – a big bite out of your bottom line. The good news is that there is a directive to guide you, known as Privacy by Design, or “PbD”.

Privacy by Design
Meeting GDPR means following the seven PbD principles that are included almost verbatim in the regulation.

  1. Proactive not reactive; preventative not remedial. Think of this as “privacy by design or disaster.” If you build appropriate privacy, encryption and overall cybersecurity into your products and services, you’re less likely to have the disaster-side breach that means fines, class-action lawsuits, and damage to your reputation.
  2. Privacy as the default setting. Most people don’t read EULAs or the lengthy legal documents from financial institutions. Make your offerings easier to use by defaulting to the highest levels of privacy and encryption, and ask clearly for specific permission to use the customer’s data for anything other than what they intend. For example, keep opt-in boxes empty so the distracted end-user doesn’t give permission by accident.
  3. Privacy embedded into design. How well are your apps and data-management systems encrypted? This needs to be a default, no-choice, built-in fact of all of your data architecture.
  4. Full functionality – positive-sum, not zero-sum. There’s an argument that full security and full privacy are not compatible, but it’s wrong – strong encryption lets you have both. What’s more, when your clients and customers know you’re using it, they’ll have a higher level of trust for you, and be more willing to share their data.
  5. End-to-end security – full lifecycle protection. With your system designed to respect and maintain privacy at every touch, what happens when you’re done with the data? From the moment a customer gives their name, to the closing of the account, you need to ensure their data is securely managed, and eventually, destroyed.
  6. Visibility and transparency – keep it open. Be able to demonstrate that you are using the data as it’s intended at every step. But you also need to be willing to share all the data you’ve collected about someone with that individual, because the data belongs to them. And being able to see it means they can correct inaccuracies, making it much more useful to you.
  7. Respect for user privacy – keep it user-centric. Being user-centric means that your company and data architects are proactive about protecting customer privacy. But incorporating strong data encryption and overall cybersecurity isn’t just about being safe. The investment in these technologies and practices will foster the respect and trust of your customers, which is a good thing no matter where you do business.

Still have questions? Watch our webinar, along with Privacy by Design creator Dr. Ann Cavoukian, for an in-depth understanding on how to prepare for the GDPR. 

 By Alex Loo, VP Operations, Echoworx

19 Jul 2017

Prime Targets for Cyber Criminals

Today’s cyber criminals now have access to advanced tools and sophisticated strategies. Arguably though, their most powerful weapons are patience and persistence to mount a sustained attack on your organization if you end up in their crosshairs. If they want to access the data in your network, they will find a way. Their motivation, in most cases, is the revenue they can generate from your sensitive information. But who are their prime targets and what makes them so appealing to cyber criminals?

Conversations That Matter features Dominic Vogel
“Hackers go where the money is, they focus their attention on the top five applications in use.”
According to Vogel, the #1 program under threat is email.

Three common targets for cyber crime are: Law Firms, Financial Services and Brick-and-Mortar Businesses. Within each of these categories, here is what cyber criminals are after:

LAW FIRMS
Cyber criminals are looking for valuable, juicy details hidden inside client files. If they find their way into the network of a law firm, they are not going to be disappointed. They will obtain data that they can directly monetize or that can be used for a broader social engineering campaign later. Law firms have all kinds of sensitive financial information (account numbers & other sensitive account information, credit card information), personal information about themselves and their clients and business insider information. Cyber criminals can find out about a pending business deal and then: a) impersonate a party in a deal to another party or b) blackmail an individual or company with that information. Cyber criminals can monetize any sensitive data either directly or indirectly in a targeted fashion.

FINANCIAL SERVICES PROVIDERS
It almost goes without saying (but we’re taking it upon ourselves to say it) that when clients of financial service providers give their personal details to their advisors, they expect that information to be safeguarded to the highest degree. Who among us would not insist on the highest standard of cyber security for their private investment or bank account information? Professional services are given financial information, social security numbers, sensitive business information and private family and health information. Cyber criminals can directly monetize this information if they sell it on the black market or if they gain access to those accounts. Alternatively, they can send out phishing emails impersonating financial institutions and investment management companies saying that they need to ‘reset their password.’ Now cybercriminals have access to your account. In a less direct manner, the information can be aggregated to tell more about a person and that information can subsequently be used in an attack. There’s no end to how creative a determined adversary can be in getting their hands on your valuable information, whether directly or indirectly.

BRICK & MORTAR BUSINESSES
Particularly of interest to cyber criminals that target Brick-and-Mortar businesses are things like the financial information of their customers, customer lists, company account information, business processes and plans, lists of company suppliers, and intellectual property. Vendors and business partners can have login credentials into your networks which can open up a significant entry point for a carefully crafted cyber attack. Even seemingly innocuous data can be used against the company. These professional cyber attackers scan for something they can use in a phishing attack to make the attack sound more legitimate and then, after getting into an organization’s network, they will monetize the data indirectly.

The three categories we have explored in this article are just the tip of the iceberg. The list of professional services, from mortgage brokers to business consultants, is extensive. Accounting firms, for example, have extensive business and personal financial records and hold similar information to law firms. Brick-and-Mortar business is another broad category which could be anything from restaurant chains to manufacturers to retail stores. From hotels to insurance brokerages, the list of prime targets for cyber criminals is long with many subcategories. We will be diving deeper into these and other key cyber targets in future articles and videos.

PRACTICAL ADVICE
If you are concerned about the possibility of a cyber attack on your organization, here are six fundamentally important steps you can take:

  1. Do an inventory of all your valuable assets (intangible assets that you need to protect)
  2. Create your risk register
  3. Select which risks should be treated and in what order
  4. Select risk treatment options (controls) for each risk in the following categories:
    a. People
    b. Processes
    c. Technology
  5. Implement the controls
  6. Regularly monitor and review the effectiveness of your controls

Completing these action items will get you started on building your cyber risk management framework and hardening your cyber security posture. In order to successfully manage your cyber threats, you need to do the basics well.

“Prime Targets for Cyber Criminals” is a guest post by Dominic Vogel 

07 Jun 2017
Defining the Future of Cybersecurity, Together

Cybersecurity is one of the biggest issues that companies face in today’s e-environment. In all of its facets, cybercrime continues to increase, and emails are, and are expected to remain, a #1 target for cybercriminals. Many organizations focus cyber security on guarding against external attacks but ignore potential threats to emails and through emails – which can be significantly more destructive.

Theft of confidential data for corporate espionage, the disclosure of trade secrets to a competitor and/or the release of private health information to the public can all be accomplished through email. It is estimated that by 2019, corporate email accounts worldwide will exceed 1.3 billion. With the huge volume of emails going in and out of the company, the risk of breaches that organizations must mitigate is great. Moreover, according to research done by Echoworx, highly regulated industries, like oil and gas, healthcare, and finance are prime targets for email security threats.

There is an urgent need for corporate decision makers to adopt a mindset which takes into account the reality of email vulnerabilities… or face the potential consequences.

Take the DNC hack for example. If email encryption was used and policies effectively enforced to trigger secure messaging, the severity of the breach could have been minimized. There was a time when email encryption was very complicated for a company to implement throughout their organization. But, times have changed.

Through email encryption, businesses can now:

  • Secure digital communications while growing your corporate brand
  • Improve customer service
  • Increase efficiencies and lower operating costs
  • Increase speed, performance, function
  • Enforce regulatory compliance
  • Prevent data loss, mitigate risk

Taking a Look Back: Cybercon 2016

Echoworx, being a strong believer in world-class email encryption, participated in Cybercon 2016, which was held in the City of Atlanta, to discuss the evolving issues affecting cybersecurity and the role we all play in data security.

In fact, Echoworx was one of twelve companies selected from across the world to participate in an invitation-only product pitch session during Cybercon 2016.

“We are delighted to have such a strong and diverse group of both foreign and domestic cybersecurity companies participating in this unique opportunity to tell their stories to leading professionals in the security industry,” said Justin Daniels, the head of Baker Donelson’s Atlanta Emerging Companies Group and the Baker Donelson Cybersecurity Accelerator. “With most of the presenting companies coming from outside the U.S., this is truly an international event and highlights international recognition of the robust cybersecurity ecosystem of the Metro Atlanta area.”

I’m looking forward to Cybercon 2017, which is scheduled for October this year as part of Atlanta Cyber Week. You can get the details here: http://www.cybercon.us

By Kael Harden, Territory Director – East, Echoworx

19 May 2017
WannaCry: Threat remains, privacy versus security is over

For anyone using computers in their business or organization, consider May 12, 2017 your wake-up call. That’s when what is believed to be the largest cyberattack in history occurred, affecting computers in 150 countries around the world. WannaCry, a piece of malicious software, spread through an email link and encrypted local files, demanding $300 US ransom in Bitcoin to release the files.

The cyber attackers used a stolen hack the United States’ National Security Agency (NSA) had developed to gather intelligence, using a flaw in Microsoft’s Windows software.

Jacob Ginsberg, senior director of products for Echoworx, has this advice to offer about how the risk of similar attacks can be minimized or mitigated.

What shortcomings in government and business approaches did this attack expose?

This is a direct result of policy we’ve seen carried out and it’s time that policy changed. The relationships between government and the private sector have been adversarial and they have not worked collaboratively.

The United States government hoards vulnerabilities and chooses to exploit them, rather than reporting them to manufacturers (the NSA informed Microsoft of the flaw only after the hack was stolen). These hacks are weapons. Government and intelligence agencies are playing a risky game. They’re betting that the value in keeping these vulnerabilities exposed – so they can spy and attack who they want – outweighs the risks of keeping their citizens and infrastructure in harm’s way – but it’s a game they are not going to win every time.

We need to recognize that the narrative of privacy versus security is over. We need more cooperation between the public and private sectors. The security community has good advice to offer. In the WannaCry case, the intelligence community, the security community and Microsoft did the right thing. Everyone descended on the problem and worked together to fix it and mitigate the damage.

There is a tie between technology and society and things we rely on. People can get seriously hurt due to cyber threats. Because of this attack, for instance, patients in England had operations cancelled. We need to work together to secure our countries and infrastructure. There needs to be a different relationship between public and private interests.

How can I protect my organization from attacks like this?

The WannaCry attack is something an organization could have prevented. Out-of-date software was the issue.  Having updated software and the latest fixes is important advice.

While it’s tempting to ignore notices that ask you to update your software and operating system, don’t do that. Although Microsoft offered a patch in March that dealt with the vulnerability behind WannaCry, many organizations didn’t use it, hadn’t updated their software, or had operating systems that were old and no longer supported. Microsoft did issue a patch for older systems in this case, but that rarely happens and may not again.

Use encryption software to ensure your data is protected and educate staff about proper email procedure. The old arguments that encryption software is difficult to use or slows things down no longer apply.

Have clear policies regarding access and authorization to information. This is for everyone from large Fortune 500 companies to the average Joe.

Is the threat over for now?

We’re kidding ourselves if we think it won’t happen again. Technology is infiltrating every aspect of society. We all bank online, for example. If things like this hack persist in the wild, they can be used by terrorist groups or organized crime.

We had better learn from this because you better believe they (cyber attackers) are. It’s a constant cat and mouse game and the bad guys are taking notice. Consider this your wake-up call!

By Lorena Magee, VP Marketing, Echoworx

15 May 2017
Cyberattack Impacts, Deeper and Less Visible Than You Suspect

Cybersecurity is one of the most debated issues in any organization. Although the need to immunize your company from all kinds of cyberattacks remains urgent, the full impact of a cyber incident is still largely unproven.

Recently I read an article by Deloitte which talked about how difficult it is for executives to gauge the impact of cyberattacks on their companies because they aren’t really aware of the work and effort that’s put into making a company cyber secure, or of the consequences of not doing so until it’s too late.

The DNC hack was the biggest election hack in US history. Every other day WikiLeaks is busy making public the “private” conversations that took place within the DNC networks. These private conversations spread like wildfire on social media. Cyberattacks such as the one against the DNC are not uncommon. Every day, there is another breach: just look at the Yahoo data breach, the Anthem medical records breach, the WannaCry ransomware, and so on.

Emails are used for corporate communications, including classified communications, every day. Sadly, even after all these widely public incidents and demonstrated lessons, a lot of companies still shy away from using encryption. The reasons range from the complexity of the software to overconfidence in the minimal probability of a cyberattack against them. But guess what? No one is secure. No matter how big or how small a company is.

The costs and impacts of a data breach and cyberattacks include:

  • Notification costs: All necessary activities required to report the breach to appropriate personnel within a specified period.
  • Breach response costs: All activities required to notify data subjects with a letter, telephone call, email or general notice that personal information was lost or stolen.
  • The cost of providing credit-monitoring services for at least a year.
  • Reputational damage.
  • Loss of business.
  • Negative publicity: Extensive media coverage, further damaging the organization’s reputation.
  • Attorney fees and litigation.
  • Increase in insurance premiums.
  • Loss of intellectual property (IP).

It’s in your hands to protect your company’s data privacy. And the time to act is now.

By Will Nathan, Echoworx

14 May 2017
You Can’t Stop the Clicks!

Ask the average person on the street what the biggest threat is to enterprise security, and they’ll develop a long list of foreign hackers, corporate espionage, and all types of James Bond-type scenarios. Ask a security professional the same question and you’ll get a much simpler answer: People. Namely, employees. That’s right, the “human factor” trumps all other security risks that enterprises face. Many of the security breaches we read about in the headlines have some sort of human element involved, whether that be falling for a simple social engineering ploy and unknowingly granting access to a hacker or something more devious devised by a disgruntled employee.

According to the Identity Theft Resource Center, in 2016 U.S. companies and government agencies suffered more than 1,000 breaches, a 40 percent increase from 2015, hitting an all-time record high! In 2016, hacking incidents reached an all-time high—nearly 55.5 percent of all breaches—an increase of 17.7 percent over 2015. Breaches involving email exposure of information accounted for 9.2 percent, followed by the employee error/negligence category at 8.7 percent. While certain types of data breaches are in general decline as a proportion of the total, data loss from hacking and phishing is growing rapidly.

According to a recent Data Breach Digest report from Verizon, social engineering attacks are so successful because threat actors know that humans are the weakest link in any information security strategy. They prey on people’s natural curiosity, fears, pride and other factors of the human psyche to gain access to sensitive data. This usually involves something as simple as clicking a link or opening an attachment within an email that appears to come from a trusted source. The Verizon report shows how simple this can be:

  • An employee getting a congratulatory email purportedly from the company’s CIO for a job well done: “Click here for your achievement award.” Result: Attempted wire transfers totaling more than $5 million.
  • A chief engineer looking for a job on company time gets an email from a recruiter with promising job opportunities: “Current openings are in the attached file.” Result: Stolen plans used by a competitor to enter the market more quickly.

Think your employees are too smart for this? Think again.

Employees aren’t dumb—they’ve been warned about the dangers of clicking links and opening attachments for years. Many laugh over the water cooler about the emails from banks in foreign countries declaring they’ve inherited $20 million from a deceased relative, or the bogus emails from PayPal or Apple that just want to “confirm” their account. But hackers have become increasingly astute at understanding what motivates humans to take an action and are creating clever ways to take advantage of that. These types of targets can be general, such as gaining access to all of a healthcare company’s records, or they can be specific, such as gaining access to plans for a company’s new product, as described above.

Unfortunately, even though employees are aware that these schemes exist, it’s not changing their behavior—or the behavior of enterprises as a whole to provide better training. According to a recent report from Osterman Research, “employees need to be constantly sensitized and trained through security awareness programs in order to be extra vigilant regarding their actions.” The report cites alarming statistics from a recent survey of respondents who are involved in managing security capabilities for their midsize or large organization. In that survey, only 31 percent of respondents considered “measuring the security readiness of our employees” a method used significantly or extensively to measure the effectiveness of their information security spend. This is compared with 49 percent who put a high priority on measuring for compliance with regulatory obligations.

The study also showed a significant gap in the importance placed on preventing data breaches between senior-level employees and middle management and “average” workers. While 77 percent of respondents felt their organization was very well or reasonably well prepared to deal with the consequences of a significant data breach, the priority given to preventing data breaches varied significantly according to role within an organization. For example, 71 percent of senior IT management placed a high priority on preventing a breach, while only 21 percent of “average” employees did. Line of business middle management (43 percent) and C-level line of business management (55 percent) were also alarmingly low in terms of placing a high priority on preventing data breaches.

The bottom line

Enterprise security may be a high priority for senior level management, but that urgency is not trickling down to the employees who are putting the enterprise’s sensitive data—whatever form it takes—at risk. When security is a simple checkbox, the blame falls on the enterprise when human mistakes are made. Removing them from the equation as much as possible by using technology that prevents them from making simple “human” mistakes is critical to the security of the enterprise going forward.

By Greg Aligiannis, Senior Director Security, Echoworx

12 May 2017
Combating Insider Threats

When Edward Snowden leaked the NSA’s classified documents about its surveillance program, it sent a message loud and clear to companies: if an employee can steal sensitive documents from the NSA, an employee can do that to anyone. The authorized access of employees to a company’s confidential data poses a self-evident risk to its cyber and financial security because such data can be used to exploit the company.

The motivation behind such treason? It could range from a fraudulent opportunity dangled in front of an employee to resentment harbored by them which foments into action. It may be because of an employee’s deeply held morals or beliefs or, in fact, financial gain. Access to the company’s best-kept secrets and inside knowledge of its security weaknesses always gives the culprits the upper hand.

Intentional theft isn’t the only insider threat.

Imagine your company. Now imagine an employee in your company sending a confidential document to a customer. Maybe he is in a rush, or he is groggy, or he is sending the email before his caffeine kicks in, and he sends the confidential document without encrypting it. The hacker is waiting at the end-point to find a vulnerability, and guess what, your employee of the month just handed your company’s security to him on a silver platter. In 2015 over 116 billion business messages were sent a day. That’s 116 billion chances for sensitive information to be intercepted – either with malicious intent or accidentally.

The amount of data which circulates within business networks every day can be staggering and much of it is deemed to be confidential. Companies in highly regulated industries hold large amounts of confidential data: information which includes biometrics, health records, financial transactions and inventory tracking. The mere chance of getting their hands on a wealth of highly confidential information in a single hit makes highly regulated industries a top target.

Since many companies are favoring firewalls and server security and shying away from email encryption, they are leaving a huge loophole for message interception and are putting information at risk. Policy-based email encryption is a key to combating cybercriminals who are dedicating even more effort to breaching corporate email data.

Email encryption solutions, which can be configured to recognize and encrypt specified email based on a company’s preset policies, provide a user-friendly experience for employees and peace of mind for IT management. But will your workforce reliably use it? Case after case has shown us that companies and even entire industries have neglected to ask the question.
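
One way such preset policies can be evaluated, as an added example that is not Echoworx's code or configuration: each outbound message is checked for a sender tag, a recipient domain, SSN and Luhn-valid card number patterns, and attachments the policy cannot read when a recipient is external. The domains, subject tags, rule names and sample messages are constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed policy values for this example (not a real product's settings).
INTERNAL_DOMAINS = {"corp.example"}
ALWAYS_ENCRYPT_DOMAINS = {"partner-bank.example"}
SUBJECT_TAGS = ("[secure]", "[encrypt]")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn checksum: rejects digit runs that cannot be payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def recipient_domains(msg):
    """Lower-cased domains of every To/Cc/Bcc address."""
    fields = []
    for name in ("To", "Cc", "Bcc"):
        fields.extend(msg.get_all(name, []))
    addrs = [addr for _, addr in getaddresses(fields) if "@" in addr]
    return {addr.rsplit("@", 1)[-1].lower() for addr in addrs}


def evaluate(msg):
    """Return ("encrypt" or "send", reasons) for one outbound message."""
    reasons = []
    def flag(reason):
        if reason not in reasons:
            reasons.append(reason)

    domains = recipient_domains(msg)
    external = bool(domains - INTERNAL_DOMAINS)
    subject = str(msg.get("Subject", ""))
    if any(tag in subject.lower() for tag in SUBJECT_TAGS):
        flag("sender-requested")
    if domains & ALWAYS_ENCRYPT_DOMAINS:
        flag("recipient-domain")

    texts = [subject]
    for part in msg.walk():
        maintype = part.get_content_maintype()
        if maintype == "text":
            texts.append(part.get_content())
        elif maintype != "multipart" and external:
            # The policy cannot read this part, so it fails closed.
            flag("unscanned-attachment")

    for text in texts:
        if SSN_RE.search(text):
            flag("ssn-pattern")
        for match in CARD_RE.finditer(text):
            if luhn_ok(re.sub(r"\D", "", match.group())):
                flag("card-number")

    return ("encrypt" if reasons else "send"), reasons


def build(to, subject, body, attachment=None):
    """Build a constructed sample message."""
    msg = EmailMessage()
    msg["From"] = "advisor@corp.example"
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename="report.bin")
    return msg


if __name__ == "__main__":
    # Constructed case: the sender forgot to mark a message carrying a card number.
    forgotten = build("client@mail.example", "Your renewal",
                      "Card on file: 4111 1111 1111 1111")
    print(evaluate(forgotten))
```

Because the decision is made on the message itself, the rushed employee in the scenario above does not have to remember to encrypt; the Luhn filter keeps ordinary order or invoice numbers from triggering encryption.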

If email security solutions – or any other technologies for that matter – are too complicated, employees will almost certainly find easier means to complete a task. In this scenario, security is the ball that is dropped. Insider threats continue to keep senior business leaders awake at night. A recent PwC report in the US found that 32 per cent of respondents consider insider threats to be costlier and more damaging than external incidents.

Encryption is crucial to ensuring that this confidential information remains private and secure – while emails are in transit and at rest. If you would like to find out more about how email encryption can help your business and your employees protect sensitive data, the report listed below may be of interest.

By Sam Elsharif, VP Software Development, Echoworx

28 Apr 2017
How to Protect Company Email From Attacks

Email is one of the most common ways attackers infiltrate an organization’s systems and gain access to sensitive data. Email is built into smart phones, tablets, gaming devices and desktop computers … yet it was not designed to protect privacy or security.

Without protections in place, “email is a postcard, not a sealed letter,” cautions Jacob Ginsberg, senior director of products for Echoworx. He says people often don’t understand the permanence of data and how it can exist on servers long after they’ve forgotten about it.

“Email is one of the most common ways hackers infiltrate a company’s system,” says Sam Elsharif, vice president of software development at Echoworx. “They often use phishing scams, sending out emails that appear to come from a legitimate source that ask recipients to click on a link that directs them to provide credit card or password information.”

How can you protect your email communications?
Ginsberg says encryption is a logical solution and provides effective protection. Even small and medium size businesses should consider encryption, especially if they deal with data such as intellectual property and customer credit card information.

“There are old holdover misconceptions about encryption – it must be difficult to use, only IT experts can understand it, it slows things down – but those are no longer valid,” says Ginsberg. “The tools are simple to use and I strongly encourage encryption.”

Ginsberg says with encryption only users and intended recipients can see the data. For added security – and a tool that addresses phishing – users might want to add a digital signature (a coded message associated with a specific person).

Educating staff about email use is critical.
Hold regular training to make employees aware of the rules and practices surrounding email, suggests Elsharif. Do your due diligence: research threats and solutions, and review how your organization stores data, how you email data and how you deal with credit card information. Ensure your company is complying with current regulations.

Elsharif says to consult more than one vendor, depending on your needs. “Everyone needs firewalls and anti-virus software. Do you allow employees to access your network from the outside? You may have to look at a VPN (Virtual Private Network). Don’t be afraid to check with multiple providers. No one company can do it all.”

Technology can be effective in mitigating email threats, but don’t rely solely on it.

“Nothing beats human common sense,” Elsharif says. “As a user, try to follow best practices and don’t be sloppy when dealing with your data.”

Seeing is Believing
See for yourself how our latest encryption technology is easy to install, highly customizable and, most essential, simple for anyone to use.

By Greg Aligiannis, Senior Director Security, Echoworx

12 Apr 2017
Encrypt, Educate and Empower to Minimize Attack Risk

Encryption is critical to protect your organization’s valuable data and ensure your operations run smoothly. But with the threat landscape constantly evolving, your company can still be vulnerable to attacks or data theft.

How can you ensure your organization’s encryption solution stays ahead of attackers and that your systems won’t be breached?

“You have to raise the walls on all fronts,” says Jacob Ginsberg, senior director of products for Echoworx.

“A lot of times, you don’t know if your system is breached,” adds Sam Elsharif, vice president of software development for Echoworx. “If you’re a system administrator, make sure you’re using the best tools to protect your system, including the latest patches and fixes given by your service providers. Always make sure your systems are up to date and run scans, monitor your network and follow your best practices.”

Follow Best Practices 

Best practices include following compliance rules, knowing how to properly dispose of and store data, determining who can have access to the network and learning how to detect breaches. Elsharif advises consulting with vendors to be aware of the latest advances in encryption software, keeping updated about networking and security, and reading the news to learn about what new areas hackers are targeting.

Minimize Risk of Attack

Ginsberg suggests these steps to help an organization minimize risk of attack: “First of all, educate users about proper habits for using email. Next, empower your own IT and security personnel. Empower your experts internally or collaborate with outside experts. It’s a full-time job to stay on top of the changes that are constantly happening.”

IT personnel should evaluate the security health of the network, the tools deployed and look at the practices of people in the organization, suggests Ginsberg. If user habits are putting data at risk, “it’s a difficult conversation to have, but this can’t be brushed off anymore.”

He says often people get frustrated with tools or procedures and look for a way to circumvent them. For example, they may send emails from their personal cell phones or use their home computers to log on to a company network, which creates risk.

Advanced Encryption is a Logical Solution

While some companies and users may be reluctant to embrace encryption because it used to be difficult to use and slowed communication transfer, that’s no longer a valid excuse. Ginsberg says encryption technology has evolved so it is easy for anyone to use, and it works quickly and seamlessly in the background, making it simple to protect sensitive communications.

Seeing is Believing
Join us for a live demo of our email encryption platform – OneWorld. See for yourself how our advanced encryption technology is easy to install, highly customizable and, most essential, simple for anyone to use.

By Greg Aligiannis, Senior Director Security, Echoworx