Category: Cybersecurity

08 May 2020

New Streamlined Ways of Authenticating People Quickly Proving Their Value

Traditional ways of gaining access to an account or information, think usernames and passwords, remain common, but their shortcomings pose liabilities.

How do you confirm that people requesting access to your system and files are who they say they are? One way is to ask them to confirm their identity multiple times before granting access – otherwise known as Multi-Factor Authentication (MFA). Chastised in the past for awkward or clunky user experiences, new streamlined ways of authenticating people are quickly proving their value.

Bad password habits pose vulnerabilities

As the saying goes: A chain is only as strong as its weakest link. The same mantra may be applied to a cybersecurity program, where a single weak lock can pose a critical vulnerability to an entire company’s network. In the case of authentication, internal employee slipups can render even the strongest digital locks obsolete. Passwords were responsible for 81 per cent of breaches in 2017.

From weak or easy-to-guess passwords, like ‘p@ssword,’ to password reuse across multiple accounts, people cannot be trusted to create keys granting access to digital assets. But if multiple digital locks are created, each requiring a unique authenticating factor to grant access, it is theoretically harder to force access. That is what makes MFA systems so effective at protecting valuable data.

Address inherent vulnerabilities: authenticate beyond username and password

MFA helps mitigate the vulnerabilities presented by weak password habits by requiring additional authenticating ‘factors’ before granting access. These factors can vary in terms of complexity but are usually something unique or known only to the individual. This ensures that if a single factor is compromised, guessed or lost, like a password or PIN, other factors, maybe a birth date, remain to accurately verify the identity of who or what is trying to gain access.

“Imagine somebody is trying to hack an account and they correctly guess a user’s password,” says Chris Peel, VP Customer Engineering at Echoworx. “With MFA, they may try to log in, but the owner of the account gets a pop-up on their mobile device notifying them that someone is attempting to login. Access can then be denied by the person – using this second factor of authentication.”

Advocate for user friendly MFA

There is no ‘one way’ of conducting MFA. The term is loose and can be applied to a variety of authentication systems – from so-called ‘Strong Authentication,’ a variant of Two-Factor Authentication now a requirement for transactions over €30 in Europe, to hard-token MFA, where a physical token is required to gain access. These systems vary in the amount of security they provide – with some even deliberately hindering user experience to emphasize the importance of the access they provide.

“People won’t accept more security than they think they need.” – Google’s Mark Risher

But new digital variants help make MFA a relatively frictionless experience – with little to no impact on user experience. A bank portal, for example, might ask a banking customer for a password as one factor, or way, of authenticating their identity. But, as a second factor of authentication, the bank may also demand a Time-Based One-Time Password (TOTP) – a single-use and time-stamped random code – issued from an app installed on the customer’s mobile phone. This additional verification is completed by the customer without leaving their mobile phone. The key, you must keep it simple. Mark Risher, who manages Google’s identity systems says, “People won’t accept more security than they think they need.”

Adequate authentication, not an option

When it comes to protecting customers and the digital infrastructure of an organization, adequate authentication should not be an option – and it does not have to be. According to a report conducted by the Global Information Assurance Certification (GIAC), 87 per cent of respondents were favourable of having to authenticate themselves after being told what it was for.

The GIAC study illustrates that, while MFA might be initially viewed as security overkill by people, the same people view it favourably once they are made aware of what it is, and the protection benefits it provides them. Today most service organizations got the message: consumers want two-factor. If you do not offer it, they’ll find the service that does.

Authentication is an integral part of digital business

If digital trust is the new currency of customer experience, MFA is one of the locks holding everything in-place. The average user assesses the safety of an email in just 30 seconds before replying with personal information, says Echoworx in a survey they conducted.  Yet, more than three quarters of people will leave a company who mishandles their data. If people cannot be trusted to safeguard access to their own data, organizations need to ensure a single digital slip-up doesn’t enable fraudulent access.

To make sure that right people enter and access the right information, MFA assures organizations that their entire network won’t be compromised by a single person – helping solidify levels of digital trust.

The future does not include more complex passwords

While not uniformly mandatory under any regulation, MFA is quickly becoming a recommended default. For example, as per the European Central Bank (ECB)’s European Payment Services Directive (PSD2), transactions conducted over €30 must feature ‘Strong Authentication,’ to comply with their ‘Strong Customer Authentication (SCA)’ practice. In the wake of this regulatory development, 84 per cent of affected organizations outline MFA as a priority investment. For independent bodies, this trend continues, with certification bodies, like the PCI Security Standards Council, which is responsible for managing PCI DSS, highly recommending MFA for any future developments.

14 Apr 2020

Encryption Expands, but Gaps in Adoption Raise Concern

Global information technology leaders tend to focus too much on senior executives at the expense of other business areas raising concern and vulnerability.

A strong majority of IT leaders are deeply concerned with security and have adopted some level of protections for data being sent through email, a study by industry encryption leader Echoworx has found. However, a distressing 13% of the largest firms [with more than 10,000 employees] were not encrypting their sensitive communications despite the steady rise in attempted security intrusions.

“Cyber criminals, hackers, agents of industrial and government espionage all see unprotected email as an easy target,” said Echoworx Director Market Intelligence, Jacob Ginsberg. “In the first half of last year over 4.1 billion records were compromised as a result of security breaches, with a stunning 70% of those breaches being email related.”

Protection efforts are unevenly focused

In collaboration with Pulse, an online research hub for chief information officers, Echoworx surveyed 100 Chief Information and Chief Technology Officers (CIOs, CTOs) from North America, Europe, the Middle East and Africa.

As a pioneer in email data protection, Echoworx has researched attitudes toward protecting information and files sent using email for two decades. As early as 2004, it found that while 68% of IT executives had concerns about email privacy, fewer than half had developed a strategy using encryption to protect it. By 2016, 63% of firms had developed a strategy. The 2020 study found that 83% have now done so.

The rise in those top-line numbers has been encouraging but further questioning exposed protection efforts are unevenly focused. The tendency to limit encryption to the top of the corporate pyramid, was noted, leaving vulnerabilities to data and files communicated through email in key areas including HR and payroll, product development, finance and more.

Asked how they were prioritizing the use of encryption, IT leaders said they had prioritized high-level internal messages (26%) followed by sensitive third-party data (24%), protected/regulated data such as medical or credit info (16%) and then intellectual property (10%). But when asked where they were prioritizing the access to encryption, IT leaders see Security, IT, and Engineering departments as being most in need of protection.

However, sensitive data and are shared through an entire firm and with third parties, by practically all business lines and departments in emails. The more limited email data protection and security are throughout an enterprise, the more at risk the company is for email breaches. That calls for a more collaborative and holistic approach, where the protection of data is available for all employees who may handle sensitive data.

…when adopting a ‘zero trust’ strategy – for all messages both internal and external – you have to extend protections throughout an organization … to everyone. – Director Market Intelligence, Jacob Ginsberg

Encryption reserved to select few

That’s currently not happening. Respondents said technology solutions for email data protection were often directed toward the top tiers of an enterprise, even though the measures could benefit whole companies. In most firms, respondents said using encryption to protect email was reserved for the “leadership”, “senior executives” and that it was “based on hierarchy.”

“IT leaders tell us they need to change the mindset, that enterprises need to take a more collaborative approach to address the gaps in email data encryption strategies,” said Jacob Ginsberg. “It’s essential to protect top executives’ communications, but when adopting a ‘zero trust’ strategy – for all messages both internal and external – you have to extend protections throughout an organization … to everyone.”

When building a zero-trust security environment, those who make purchasing decisions should evaluate the all network communication taking place in an enterprise, Ginsberg said. But among respondents, 59% said they had dedicated teams that study email security purchases, 31% said such decisions were made based on cross-department consultations, and a surprising 9% said that decisions were made solely by top executives.

Whose making purchasing decisions? A surprising 9% said decisions are made solely by top executives

Procurement missing the mark on zero-trust security

And even when procurement is a team decision, further questioning found it is often by one that doesn’t reflect the businesses diverse activities: 54% of respondents said the purchasing team were from a single department, while only 46% said purchasing team members included several departments.

“When protecting a company’s assets, most in the industry agree that more needs to be done to improve email security,” said Jacob Ginsberg. “Yet, this study shows that more needs to be done to ensure that email security technology decisions are balanced between the requirements of the whole business and the requirements of the security team.”

For the full insights, Echoworx has produced a one-minute white paper on the survey, asking CIOs how they think their encryption strategies stand up against today’s digital reality.

By Lorena Magee, VP Marketing at Echoworx

24 Mar 2020

Creating a Work-from-Home Business Culture Beyond a Lockdown

Vulnerabilities, from poor data hygiene to weak authentication, can be further amplified during times of crisis when some, or even entire workforces, may be working from home. Here are some quick ways to prepare employees for remote working conditions:

Communicate the importance of corporate data

Employees understand the value of personal identifying data, like a credit card number or SIN, but do they view corporate data the same way? According to Gartner, the potential harm of insider threats at banks, for example, can be the same, if not greater than threats of external nature. Organizations need to educate their employees on the importance of practicing adequate data hygiene when operating remotely.

Suspicious emails, even originating from internal users, need to be triaged to ensure their validity – especially when they contain strange attachments or vague context. Cybercriminals can compromise one account to enter a system before going after their actual targets. Known as ‘spearphishing attacks,’ these attacks can even originate via SMS.

To ensure outgoing data or sensitive information remains intact, employees need to be educated on the importance of encryption. Encryption is an effective way to keep the integrity of messages – to make sure only intended recipients have access. Offering a flexible suite of different ways to send securely, or even enforcing encryption via encryption policies, means secure messages are never rendered undeliverable or, worse, be sent in the clear.

Do they know how to use the video conference? Can they share files remotely? Do they know how to create a group discussion with their teammates? What if their laptop fails – is there a help number they can call? – President of Global Workplace Analytics

Teach the security basics 

As more workplaces move to employees’ homes, so does the business which they conduct. With the recent Coronavirus Disease 2019 (COVID-19), for example, businesses across the planet saw an immediate need for overnight digitization to nearly every business line. For Aviva UK, this meant pushing more of its customer service options online to take the strain off its call centres. The UK insurance giant explains on their website that following their government’s decision to encourage its citizens to work from home, they now encourage more customers to manage their accounts online via their app or by email as an alternative to calling.

But, from exchanging sensitive business agreements to delivering a tax return to something as simple as answering a customer query, there is going to be a lot of important data changing hands. Employees working from remote locations need to understand the importance of communicating this information clearly, safely and seamlessly with customers.

According to Kate Lister, the president of Global Workplace Analytics, as reported by The Washington Post, organizations pushing remote workplaces need to teach their employees everything down to the basics to ensure they follow proper organizational protocol. “Do they know how to use the video conference? Can they share files remotely? Do they know how to create a group discussion with their teammates? What if their laptop fails – is there a help number they can call?” said Lister.

90 per cent of all cyber threats originate with email – Gartner

Warn users of suspicious links

From strange pop-ups to emails originating from unknown senders containing links to malicious sites, phishing is a chameleon crime which can assume all shapes and sizes. And, according to a recent Gartner report, 90 per cent of all cyber threats originate with email – making phishing one of the most significant threats affecting contemporary digital business.

Any employee working remotely needs to understand the real threat phishing poses. Whenever they are working remotely, an employee should always question any suspicious link, even from their personal email if they are working on a personal computer. Encryption should always be applied to any outgoing messages containing sensitive information.

According to Nicole Coughlin Raimundo, the CIO for the Town of Cary, a tech hub in North Carolina, as reported by CNBC, on account of the COVID-19, whose initial outbreak forced the majority of American firms to immediately explore digital alternatives to physical workplaces, she’s seen an uptick in phishing campaigns targeting remote employees. “As part of our work-from-home guidance, we’re continuing to encourage staff to be vigilant and exercise extreme caution when clicking on outbound links,” Raimundo said.

Use strong authentication and passwords

While complex passwords, paired with usernames, are a common go-to for organizational authentication, they are quickly becoming obsolete. To combat this growing issue of authentication, organizations are now demanding established and tested Multi-Factor Authentication (MFA) methods for verifying users are who they say they are.

In addition to educating employees on the importance of password complexity, organizations need to ensure adequate MFA systems are protecting their digital gates. Echoworx, for example, can employ policy-based MFA to ensure recipients are who they say they are before they are granted access to an encrypted message. In an age of zero trust, where anyone connecting to a digital system needs to be verified, MFA is an adequate safeguard.

Passwords can be weak and security questions such as “what is your mother’s maiden name?” – can be easily cracked.

Secure connections to prevent eavesdropping

A public wi-fi network can be a honeypot for employees working remotely. Whether they are installing themselves at a local coffee shop or just quickly checking their email on their mobile device, there are various reasons for connecting to a public wi-fi. While most public wi-fi connections may be perfectly safe, they should be avoided for the mere reason that they are easy to monitor – and may even be set up by malicious actors to collect information, from logins to personal data.

In addition to only working on trusted networks, employees should be connecting to a company-instigated Virtual Private Network (VPN). A VPN works to route a device through a private server, so that any data transmitted is sent via the VPN rather than from their personal device.

Build strong firewalls and update security software

As a first line of security, a firewall paired with up-to-date security software, protocols and other preventative measures is a must for employees operating remotely. In addition to repelling attacks, or at least discouraging them, providing employees with the tools they need to practice proper data hygiene can enable them to identify and prevent security issues from becoming vulnerabilities for an organization.

Implement a BYOD policy

The Bring-Your-Own-Device (BYOD) culture is an inevitable feature of digital business. As more employees work remotely, there is an increased demand for them to use their own machines. But before they connect to company networks, and access company data, their devices need to be vetted, updated and secured by IT departments. This ensures that the computers, smartphones and tablets they use to connect to an organization are not going to pose vulnerabilities.

By Wen Chen, Senior Manager IT and Customer Support at Echoworx

26 Feb 2020

Nordic Countries Score Huge Tech Successes, but Worries About Cybersecurity Mount

The Nordics have become a hot spot for innovation, producing technologies that have reshaped global industries, but governments and industry groups have been cautioning that the region’s phenomenal success could be threatened by weak cybersecurity

When people think of Nordics, they may visualize lands of elk and reindeer, but perhaps they should also be imagining “unicorns,” those rare start-ups that attain a valuation of US$1 billion. With just over 27 million people, the Nordics of have been punching above their weight when it comes to producing innovative tech firms.

The Nordics – comprised of Denmark, Finland, Iceland, Norway, and Sweden – was already home to some of Europe’s largest legacy technology firms, including Ericsson, Nokia and Telenor. This has provided a foundation for start-ups that are relatively small, nimble, entrepreneurial, and with high growth potential.

Although most Nordic unicorns are unfamiliar to the public – with firms in areas like FinTech gaining large market share without much global attention – others have become household names. Skype helped make long-distance charges a thing of the past. Spotify shattered the dominance of Apple’s iTunes. Rovio Entertainment, creator of Angry Birds, boasts more than 4.5 billion downloads of its apps.

It’s been said jokingly that the region’s long winters have encouraged technology development as people don’t want to go outside, but more important factors are those that it shares with other innovation hotbeds – such as Silicon Valley, Singapore and Israel. These include open economies, a global outlook, regulatory support, high personal incomes, and highly educated populations.

The World Economic Forum’s most recent Global IT report ranked Finland, Sweden and Norway among the top five countries in terms of “network readiness” – sandwiched between number one Singapore and the U.S. at number five. That makes them among the world’s top locations in terms of the overall environment for technology use and creation, infrastructure, affordability, skills and technology adoption.

We’ve invested in multiple high-growth countries and regions globally, but few have as many advantages or inspire as much confidence as the Nordics – Echoworx Senior Director Market Intelligence Jacob Ginsberg

“The dynamism of Nordic companies is just exceptional, and the talent in the region is amazing,” said Jacob Ginsberg, Senior Director Market Intelligence of global email data protection leader Echoworx, which recently introduced Nordic languages to its message encryption platform and support network. “We’ve invested in multiple high-growth countries and regions globally, but few have as many advantages or inspire as much confidence as the Nordics.”

Success attracts Cybercrime

As could be expected, the success of the Nordic tech firms has made them a tempting target for cybercriminals, industrial espionage, and even hostile foreign governments.

Nordic firms are acutely aware of the risk of lax cybersecurity. In KPMG’s 2019 CEO survey, 21 per cent of Nordic CEOs rated cybersecurity risks as the top threat to their business while another 19 per cent said their top risks stemmed from emerging and disruptive technology.

The consultancy also found that 65 per cent of Nordic CEOs believe that becoming a victim of a cyber-attack is a case of “when,” not “if” and that 72 per cent view information security as being of strategic and competitive importance.

KPMG’s 2019 Global CEO Outlook | Nordic Executive Summary


Recognizing the threat, business organizations and governments have launched multiple initiatives to help enterprises’ technical and financial barriers that may hamper critical data security and business integrity. However, both industry and government say there is still some way to go.

The Danish Business Authority (DBA), for instance, has identified cost as the single biggest factor impeding firms from strengthening their IT security defences. The industry group estimates that as many as 30 per cent of all small to medium-sized enterprises (SMEs) are “acutely vulnerable” to malicious malware attacks.

Meanwhile in Norway, a YouGov survey for the Oslo-headquartered Norwegian Center for Information Security (NorSIS) found that complacency and over-confidence are a major concern, describing the finding as “deeply troublesome.”

… so few Norwegian companies seem to recognize the actual extent of the risk they face from cyber space – NorSIS director general Peggy Heie

“What is extremely worrying from the survey is that so few Norwegian companies seem to recognize the actual extent of the risk they face from cyber space,” NorSIS director general Peggy Heie, told the media.“Company leaders cannot expect partners and authorities to take all the responsibility for the protection against cybercrime.”

Part of the issue is that while Nordic organizations have a high level of digital maturity, the regions Chief Information Officers (CIOs) have tended to focus on optimizing their existing business processes.

In back-to-back annual surveys of Nordic CIOs, global research and advisory firm Gartner found that while they are well positioned with streamlining internal processes, they tend to be back-office focused. As they lack strong relationships with external customers or stakeholders, they are less likely than their international peers to recognize external disruptive factors.

But this tendency toward complacency may be changing quickly. Tech consultancy IDC has forecast that Nordic IT services spending will grow from $24.4B in 2018 to $29.5B in 2023. However, in spite of forecast growth, the consultancy noted that international vendors seeking to enter the market will still need to up their game and deliver tailored advice and hands-on project services.

“Our experience on the ground is very much in line with the IDC forecasts and recommendations” says Echoworx’s Ginsberg. “Even though there is growing demand, Nordic CIOs want services tailored for their needs, including things like true local-language functionality and support services, as well as solutions that can scale to suit everything from two-person startups to ten-thousand-employee conglomerates.”

Echoworx this month announced the expansion of its European footprint with Nordic language support.

By Lorena Magee, VP Marketing at Echoworx

20 Jan 2020

How a Choppy Merger Can Hurt Your Acquisition

Adequate preparation, due diligence and stable execution are necessary for smooth mergers and acquisitions. Failure to do so can result in a choppy path – with potential to hold back, delay and hurt any resulting M&A deal. Often overlooked in the M&A process, issues surrounding digital synchronization and cyber security can be major contributors for a bumpy transition. Here are some digital reasons why an M&A deal might go sour:

A lack of digital protection increases digital risk

Despite their devastating effects on almost every facet of business, even some of the biggest data breaches continue to go undetected throughout high profile M&A deals. In addition to their immediate damage to a deal’s value, an unnoticed data breach can literally poison another organization’s digital infrastructure upon integration. And the longer these breaches go unnoticed the more pronounced (and expensive) their effects.

Take the now-infamous Verizon/Yahoo! acquisition, for example. In 2017, Verizon acquired Yahoo! before realizing their new addition had suffered several breaches just a few years prior. Aside from nearly derailing the entire deal, the result saw a $350M reduction in purchase price, a $35M penalty dished to Yahoo! from the U.S. Securities and Exchange Commission (SEC) and a subsequent $80M paid out through lawsuits to disgruntled shareholders and customers.

But hunting for a history of data breaches is more than just Googling the name of a target organization and hoping nothing comes up. You must go deeper, and you must think outside of the box. In addition to looking for an actual breach, you need to consider potential for a breach and how a lack of comprehensive cyber security safeguards might put your data at risk during a tentative integration process.

For sensitive M&A communications, for example, you need to ensure any valuable information being exchanged, from trade secrets to internal agreement documents, is protected with adequate email encryption safeguards. To help insulate your organization from risk during the M&A process, Echoworx offers an encryption solution with six flexible delivery methods and additional security tools, like message recall.

Why take a chance with your most-valuable company data. Can you ensure that any sensitive email sent, for a wide range of reasons, never goes to a recipient unencrypted?  

Legacy technology slows M&A deals

Unanticipated delays brought by poor synchronization with legacy digital equipment during an M&A affects your bottom line, your customer experience and exposes your system to vulnerabilities. Before signing the dotted line in your M&A deal, consult your IT department to anticipate any possible digital snags. This ensures when it’s time to integrate, there won’t be any major digital holdups or service interruptions for your customers.

If you do find outdated technology, or incompatible technology, third-party cloud-service providers can help bridge the gap. You might, for example, be a bank with customers in Denmark, where encryption is mandatory under the General Data Protection Regulation (GDPR) to conduct business. You cannot take a chance on a target organization with a legacy on-premises encryption platform. But what if you lack the time or resources to upgrade and upload their email infrastructure to your cloud?

OneWorld encryption platform easily migrates any legacy message encryption process to the cloud. As a Software-as-a-Service (SaaS) provider, our dedicated team of encryption professionals do all the heavy lifting – so you don’t have to. A problem which might have taken your IT department time, money and resources to solve is literally done at the click of a button.

Here’s how it works:

Simplifying Post-Merger On Premises Encryption | Watch Now

Non-compliance is closing business doors

You might know the rules of your market and you know the potential value of acquiring or merging with a target organization. But how much do you know about their industry? Are they prepared for and working within the rules of the laws and regulations which affect their industry or geographical area? Or, alternatively, if they do not protect data in their jurisdiction, do you really want to risk trade secrets being intercepted?

In the United States, for example, you might be looking to expand your bank across the country by acquiring established financial hubs in each of your target states. But is your target organization in California prepared for the recent California Consumer Privacy Act (CCPA), which came into effect January 1, 2020?

To keep data safe and compliant in transit under various rules, privacy laws and regulations, you need a flexible encryption solution which can quickly to any regulatory environment. Even if there are no rules, or your target cannot support encryption, there are delivery options to accommodate.

Human error is an M&A liability

From unintentional attacks by inadvertent threat actors to deliberate internal sabotage, human error continues to play a part in 95 per cent of all security incidents, according to research by IBM. And users of webmail services continue to be primary culprits contributing to this problem – sometimes without even realizing it. But human error is hard to anticipate, near impossible to fix and can happen to anyone.

Take the United States Marine Corps, for example. In 2018, this elite military organization, with all its defenses and vigilant staff, still managed to leak the information of about 21,500 marines, sailors and staff by inadvertently sending a non-encrypted email to an incorrect distribution list. You might dismiss this digital slip as a fluke, but, according to the Information Commissioner’s Office (ICO), an independent UK privacy watchdog, incidents of incorrect address information are actually quite common, accounting for 12 per cent of reported data security incidents alone in Q4 of the 2018/2019 year.

Sending a sensitive document doesn’t always have to be a complex process – one involving registration, more information, and additional authentication.

For an M&A process, where hundreds of back-and-forth emails between multiple parties and stakeholders contain sensitive information, from trade secrets to insider deal information, nothing can be left to chance. Since a single slip-up can mean the difference between a deal-signing handshake and a trip back to the negotiation table, organizations need to insulate themselves from human error.

A simple way to rectify human error for sensitive communications is to encrypt them – with secure vetted methods ensuring only intended recipients can view data or a message. But any encryption solution also needs to be flexible enough for day-to-day use. With our OneWorld encryption platform, for example, encryption can be made to fit any business case, from simple ‘Encrypt’ buttons to automatic encryption for certain message, recipient or attachment types.

By Jacob Ginsberg, Senior Director Market Intelligence, Echoworx

27 Dec 2019

Shadow IT: The Danger of Open Tech Stacks in Banking

Banking, financial services and insurance companies are in danger—and this danger is lurking at employees’ fingertips. Employees, clients and vendors are wooed daily by unvetted third-party apps that promise to make workflows easier—and if financial organizations don’t put a stop to these shadow IT environments, they could pay a hefty price. Let’s dive into what shadow IT environments are, why they happen, why they’re dangerous and how a user-friendly encryption solution helps organizations eradicate them.

What are shadow IT environments?

Shadow IT refers to third-party software your employees use that are outside the control of your IT department and network. They become part of your unofficial tech stack and leave your organization vulnerable to malicious actors. Security professionals consider unapproved third-party software and apps unwelcome additions to an organization’s network—and yet, employees continue to indulge in them.

What causes shadow IT environments?

It’s easy to blame shadow IT environments on negligent, malicious or clueless employees. But organizations in banking, financial services and insurance must be accountable for what goes on in their organizational networks.

Shadow IT environments happen for three main reasons: clunky existing tools, lack of employee education about security and insufficient IT controls to disallow rogue downloads and network access. When your organizational tools aren’t as easy to use as third-party tools, employees find easier ways to get the job done. If you don’t train employees on security threats, they won’t understand how seemingly-innocent behaviour can put the company at risk—and they’ll keep flipping company information through Gmail and using unsecure apps on free WiFi at their favourite coffee shops on work-from-home days. And without sufficient controls, you’ll miss catching aberrant behaviour that slips through even after you put user-friendly, secure options and employee training in place.

Why are shadow IT environments dangerous?

Shadow IT environments are dangerous because they allow company information to leave the security of your network and they can allow nefarious agents access to your secured network. And in many cases, staff don’t realize they put company information at risk. For example, an employee talking to a client on a cell phone might believe it’s safe to send the client some documentation through third party instant messaging apps, like WhatsApp (it’s encrypted, right?), Facebook Messenger, DropBox or their personal Gmail account.

To illustrate the problem with these third-party scenarios, let’s say you have an employee who sends confidential European data from your company through Gmail, for example. As soon as they click ‘Send,’ this sensitive information, which might include sensitive customer data, enters Google servers in the United States and can be re-purposed for other uses, like for third-party ads hosted through AdWords. In this instance, the subsequent lack of control over this sensitive data and its presence in the US can cause problems with the GDPR.

Then there’s malware and privacy backdoors that accompany third-party apps. The AV-TEST Institute, an independent German research institute for IT security, found that malware has almost doubled since 2015.

And according to a paper called 50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System, researchers studied 88, 113 Android apps and identified five types of side and covert channels they use to access private data—without permission.

The bottom line is when banking organizations haphazardly allow third party software into their tech stacks, they put client privacy and organizational security at risk.

What can be done to eradicate shadow IT environments?

To eradicate shadow IT environments, organizations must address the issues that cause them by:

  • Replacing cumbersome communication tools with user-friendly solutions that integrate so well into work flows that employees want to use them.
  • Implementing effective and ongoing training for all employees on information security, cybersecurity and data privacy.
  • Putting controls in place to prevent and/or discourage use of unvetted apps and software for company business and on company devices.


Echoworx OneWorld is a user-friendly and customer-centric encryption solution that helps banking, financial services and insurance companies secure client communications in transit and at rest. Because it’s so easy to securely transmit information, employees don’t need to search for third-party options that fit into their workflow.

Echoworx OneWorld features that help organizations eradicate shadow IT environments:

  • Easy and frictionless user experience – In a recent Echoworx survey, we found that 53 per cent of organizations with encryption found it “too difficult to use.” An encryption solution can’t protect client and organizational data if nobody uses it! OneWorld makes it easy for employees and customers to use and makes inbound and outbound encryption the path of least resistance.
  • Definable policies – Automatically control which communications get encrypted (and how) based on the message content, subject lines and key words. Flexible controls for every scenario means you stay in control of encrypted messages while they’re in transit and at rest.
  • Enable inbound encryption – While you can’t control what type of information clients and vendors send you via email, you can control how you receive and secure it. Emails with sensitive information are automatically identified, securely routed to the OneWorld web portal and encrypted. Encrypted delivery methods include TLS encryption, encrypted PDFs and attachments, certificate encryption and web portal encryption.
  • No registration process – Encryption solutions that require recipients to register before reading encrypted emails make secure communication cumbersome. OneWorld eliminates the registration process and allows the sender to share a secret phrase—also known as a passphrase—with the recipient. To open the encrypted email, the recipient simply types in the passphrase.

Not only does Echoworx OneWorld help banks eradicate shadow IT environments, it also helps them save money. A recent Forrester Total Economic Impact™ study showed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits and a payback period of only seven months.

By: Brian Au, IT Specialist, Echoworx

22 Nov 2019

Still Selling ‘Risk Acceptance’ to Your Customers?

As organizations continue their digital migrations, the list of cyber-threats, risks and vulnerabilities grows exponentially. From a more connected workplace to new laws and regulations governing privacy and data protection, keeping up on our ever-expanding digital world can be challenging and expensive.

One method to confront cyber-risk is to adopt a laissez-faire risk acceptance approach – where the costs of prevention seemingly outweigh the consequences of doing nothing at all. In this scenario, a bank or business takes a gamble that a cyber-security incident won’t happen or that they can just pay a nominal one-time fee if it does. In other words: Instead of protecting customer data, investing in streamlined cybersecurity solutions or sealing off a vulnerability, an organization simply opts to leave the door open with the hope that no one comes knocking.

The economics of risk acceptance in cybersecurity

Is risk acceptance the most-economical mindset in the short run? Assuming an organization is not the target of a particularly devastating attack, they might come out unscathed from the initial breach, with nominal fines or nothing at all. For example, if a cybersecurity solution is going to cost $250,000 to protect a $50,000 problem – it might not make initial sense to invest. But when you factor in brand damage, changes in regulations, emerging technology, and subsequent fines and class action lawsuits there are different angles to consider – especially when something big hits.

During the 2017 Equifax acquisition, for example, when a massive breach compromised the personal information of over 140M Americans, or nearly half the country, the Equifax brand suffered irreparable damage and has been ordered to pay up to $700M in fines. This all stemmed from their “failure to take reasonable steps to secure their network.” This breach is one of the worst to ever have happened in the US and, with 13 major breaches affecting mergers and acquisitions deals between 2014 and 2018, it was hardly the only one.

Do you think it was worth it? We don’t.

Customers won’t buy risk acceptance

Issues of brand damage come to the forefront of any risk acceptance plan once a breach occurs – regardless of size. Any customer-centric organization worth its salt knows that customers care about their personal data and do not reward businesses who do not value it enough to protect it. In fact, according to Echoworx data, 80 per cent of customers consider leaving a brand after a breach.

In a nutshell: You can’t afford to sell risk acceptance to your customers.

Instead of gambling with customer data, a true proactive choice involves taking every precaution to protect them with risk-mitigating defenses. Since digital trust and loyalty of customers is rooted in user experience and demonstrated brand assurance of safety, you need to offer flexible and streamlined cybersecurity solutions that work.

With our OneWorld encryption platform, for example, you can protect customer data in transit without affecting customer experience. With support for 22 languages, multiple branding options and configurable sets of encryption policies, our streamlined encryption experience ensures nothing is left to chance – including your customers.

Start selling risk mitigating encryption now.

Risk acceptance doesn’t cut it across borders

If you are an international brand, with offices all around the world, you might be boxed out of local markets if you can’t protect your customers. But investing in the bare minimum isn’t good enough either. In order to comply with different privacy jurisdictions, avoiding the potential for hammering fines or being excluded from a market completely, an organization needs to invest in flexible, streamlined and easy-to-understand proactive cybersecurity solutions.

Picture this scenario, for example: You are an organization based in the US which does business in the EU and is looking to break into APEC. From Europe’s General Data Protection Regulation (GDPR) to South Korea’s Personal Information Protection Act (PIPA) to California’s Consumer Privacy Act (CCPA) closer to home, for examples, you are now navigating a whole patchwork of privacy laws. How do you exchange your daily flow of sensitive data between offices?

Until recently, a company might be able to fly under the regulatory radar without encrypting sensitive communications. But more severe interpretations of these laws, like those regarding the GDPR in Denmark, now mean you can’t legally do business in some of these countries without an encryption solution flexible enough to accommodate different jurisdictional demands. That throws a pretty major wrench in any international business plan.

Enable your cross-border communications now.

Risk acceptance jeopardizes your digital future

As the saying goes: Ignoring the problem doesn’t make it go away. In the case of cybersecurity, inadequate investment in data-protecting technology can make current vulnerabilities larger, as business grows, or render an organization unable to adequately deal with future issues. And, in the case of mergers and acquisitions, not being flexible enough or set up to move with the technological tide can stall, cancel or, at the very least, lower the value of the deal.

In other words: In a world of every-changing regulations, which are not going away, and new technology, which demands flexibility, if you adopt a culture of risk acceptance, you risk being left in the dust.

As a cloud-based Software-as-a-Service (SaaS) provider, Echoworx provides flexible solutions for organizations looking to update legacy message encryption technology. Many organizations, for example, need to reduce the complexity of their existing legacy solutions, like a legacy PGP system, into a single consolidated cloud-based platform. As a fully managed, infinitely scalable and geo-redundant encryption solution, our OneWorld encryption platform helps organizations get up to speed with secure communications and be prepared for whatever changes are around the corner.

Upgrade your legacy encryption system to the cloud now.

Risk mitigation is simple – yet effective

Investing in comprehensive data-protecting cybersecurity solutions for risk mitigation, as opposed to acceptance, is not a compromise for today’s customer – it’s an expectation. They expect airtight security for their valuable personal data – something they can get with or without your brand. The solution is easy: you don’t gamble with them; you protect them before something happens.

Protecting your secure communications with encryption is an effective way to ensure data in transit stays safe, you can easily adapt to new regulations and you can protect your own valuable company data and secrets. As a tool of risk mitigation, applying encryption to sensitive messages means you do not take chances when it comes to the safety of your data. This is an integral keystone of any merger or acquisition process – something that can affect the ultimate value of your deal.

A path to secure communications with OneWorld

Our OneWorld encryption platform is an important risk-mitigating addition to any customer-centric cybersecurity suite. With multiple flexible delivery methods, available in 22 languages, full reporting and with extensive options to support multiple brands, OneWorld assures your customers that you do indeed value their business and data at every point of their customer journey. And its streamlined user-friendly interface and definable customizable set of encryption policies ensures data protection occupies a central part of any organizational business policy.

Protect your communications now.

By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx

05 Nov 2019

How to Expand Your Tech Stack Responsibly

Contemporary enterprise organizations continue their migration to the cloud to save money, increase flexibility and reduce the burden of keeping experts on staff to manage infrastructure. But, while the benefits of moving to the cloud are real, it’s essential to expand your tech stack responsibly—and that starts with security.

Contemporary security considerations for enterprise-level organizations:


  • Sensitive data leaving the company firewall – Once sensitive data leaves the perimeters of an organizational firewall, it’s vulnerable to malicious actors. Some firewalls protect the enterprise network and users while others protect information in transit between cloud applications. As the workplace marches towards all things cloud-based and digital, it’s essential to protect data both in transit and at rest.
  • Bring-Your-Own-Device (BYOD) and remote work culture – Companies now allow—and even encourage—employees to use their personal cell phones, tablets and laptops for work activities. This is another avenue for organizational information to leave the safety of the company network and once it moves onto personal devices, it’s a security risk. The popularity of the BYOD culture is driven in part by the uptick of remote employees.
  • Breaches, hacks and attacks – According to a recent report, 38 per cent of organizations aren’t equipped to detect a sophisticated breach and in 2017, the average cost of a data breach was $3.62M.[i] A strong cybersecurity infrastructure can mean the difference between shutting down operations and business as usual.
  • Shiny object syndrome – Everyone wants to download the latest and greatest tech gamechanger. And while most third-party SaaS solutions are safe, organizations can’t afford to jump on board (or let their employees do so) before conducting their own cybersecurity due diligence.
  • Shadow IT – Employees may be downloading or using third-party software or apps to exchange sensitive information. Organizations need to make a better effort at making the protection of data the path of least resistance.


Four ways to expand your tech stack responsibly


  1. Lay the foundation with encryption – Encryption converts information or data into a code for the purpose of preventing unauthorized access. Before you do anything else, make sure your data is encrypted in transit and at rest. Encrypting communications secures sensitive data and protects it from nefarious use by malicious agents (including insiders) and from accidental breaches by employees. Choose a user-friendly encryption platform that makes encryption the path of least resistance. With Echoworx’s OneWorld encryption platform, you can turn cybersecurity into a competitive edge, increase digital trust and enjoy a significant return on investment.

For example, a recent Forrester Total Economic Impact™ study, revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits. This same study showed that using the OneWorld platform to replace legacy on-premises encryption solutions could save the software cost of previous solutions and avoid other legacy-related costs for a three-year savings of $793K.

Get the full Forrester Total Economic Impact™ study of OneWorld now.

  1. Apply good governance – Is governance part of your cybersecurity framework? If not, start today. Who oversees and is responsible for managing technological expansion, assessing cyber risks and vulnerabilities and creating a way forward? If the answer isn’t clear, it’s time to make changes and get your board of directors involved too. Did you know that only 40 per cent of corporate boards participate in their organization’s security strategy?[ii]
  1. Assess your current tech stack – In the old days, IT vetted all the tech brought into the business. But in large organizations, tech slips into departments based on team needs, with little regard for the big picture. Many organizations vastly underestimate the amount of software being used across their operations, marketing, sales, human resources, business intelligence and project management teams. When you reveal the real current state, it gives you the information you need to move towards a sensible future state.
  1. Provide the tools your employees need – The biggest culprit of shadow IT are apps and programs designed to streamline employee workflow. You need to provide your employees with the best tools to do their jobs effectively and safely.

Here’s more on how you can minimize your risk of insider threats.

  1. Implement privacy by design – The Privacy by Design framework, developed by privacy expert, Dr. Ann Cavoukian, is based on seven foundational principles. They are proactive not reactive, lead with privacy as the default setting, embed privacy into design, retain full functionality, ensure end-to-end security, maintain visibility and transparency and respect user privacy. If each new item in your tech stack follows these principles, it reduces the risk and costs of taking a reactive approach to data security.

To learn more about Privacy by Design, download our white paper here.

At Echoworx, encryption is all we do. If you’d like to make secure communications easily accessible across your organization, contact us.  We’ll show you how the right encryption technology can differentiate successful digital transformations from the rest.

By: Wen Chen, Senior Manager of IT and Support, Echoworx



[i] EY Global Information Security Survey 2018-19

[ii] 2018 Global State of Information Security Survey (PWC)

10 Sep 2019

The Risks of Cloud Computing

Cloud computing brings many benefits to enterprise-level organizations but it’s not risk-free. Here’s a quick primer of what cloud computing is, the risks involved and how organizations can minimize the risks of cloud computing.

What is cloud computing?

Simply put: Cloud computing is moving your computing service to the internet using a third-party provider. There are three options: infrastructure, platform and software as a service. The infrastructure option means your organization has the servers onsite, but your provider manages your network virtually. A platform as a service provides infrastructure tools for development that you don’t manage yourself and software as a service (SaaS) is software managed externally. With SaaS, you employ a team of third-party experts to run and manage the solution instead of building in-house. SaaS examples include Echoworx’s OneWorld encryption solution, Office 365 or Salesforce.

The benefits of cloud computing

Using a cloud service lets you rely on your service provider to protect your data from breaches and gives you global access to your data through the internet. Many organizations use cloud computing because they don’t have the expertise to manage the risks and ongoing vulnerability mitigations and resolutions associated with local storage and security.

According to a recent EY Global Information Security Survey, only 8 per cent of organizations have information security functions that fully meet their needs. This same report indicates that 52 per cent of organizations are prioritizing cloud computing for their cybersecurity spending this year.

What are the risks of uploading to the cloud?

There’s a financial risk to uploading data to the cloud when it comes to privacy regulations and breach outcomes. For example, under the General Data Protection Regulation (GDPR), fines for exposing citizen data are hefty—up to €20M or4 per cent of your annual revenue! If your company exposes credit card or other personal information, your entire business could be at risk due to lost consumer trust.

How has the cloud evolved?

Initially, when untested cloud services emerged on the scene, many organizations continued to retain their computer service in-house over security concerns. But, over the last decade, cloud services have evolved into proven and secure platforms – providing effective protection for sensitive data.

Organizations are now comfortable with the cloud infrastructure from a security perspective because certified cloud providers treat data with integrity through privacy, data access controls and auditing.

How can an organization insulate itself from cloud risks?

Although cloud security mostly depends on your service provider, you can minimize risk in two ways. First, select a cloud service which provides management and risk management for you. Make sure any cloud service is audited and certified – with certifications like SOC2 and PCI.

The second way to minimize risk comes from within your organization. You need experts that understand cloud solution architecture and risk management processes and procedures. These experts can help you understand the risk and protect your organization by choosing the right cloud service provider. They can also help you understand whether your cloud computing investment has ROI potential. For example, a recent Forrester Total Economic Impact™ study, revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with $793K in avoided costs of legacy on-premises solutions. Get the full Forrester Total Economic Impact™ study of OneWorld now.

By: Alex Loo, VP Operations, Echoworx


09 Sep 2019
Capital One Breach

A Lesson in Cybersecurity Simplicity from the Capital One Breach

The lesson from the recent Capital One data breach can be summed up with the KISS principle. Simplicity is hard to beat, even in cybersecurity. Let’s look at why this breach happened and what organizations can do to shore up their cybersecurity defenses with seemingly simple solutions.

Peeking behind the Capital One headlines

The headlines about the Capital One data breach emphasize impact: more than six million Canadians were compromised in this data breach. Over a million Social Insurance Numbers (SIN) were exposed. Victims can receive free credit monitoring and identity theft insurance to reduce the sting of their private information being stolen from their trusted provider.

This is scary stuff, but the most chilling part of the story isn’t even covered in some of these reports: The data was breached due to a vulnerability caused by a misconfigured server. Those two words—misconfigured server—left chief technology officers and chief information security officers around the globe trembling. Server configuration is part of the basic line of defense in cybersecurity.

The lesson from Capital One is about simplicity. Good cybersecurity hygiene matters and it’s the first and best defense against data security breaches. To manage this ongoing and increasing threat, enterprise-level organizations must get serious about mastering the basics.

Getting back to basics: 5 simple ways to boost cybersecurity in your organization


  1. Resource your IT department appropriately – According to the EY Global Information Security Survey,[i] 87 per cent of organizations don’t have enough money in their IT budgets to fund the cybersecurity and resiliency programs they want to implement. And, as we saw with Capital One, missing a basic security protocol can lead to costly and embarrassing outcomes. Dr. Ann Cavoukian, Executive Director of the Privacy by Design Centre for Excellence, told the CBC, “Companies are simply under-resourced. They’re not devoting the resources required for strong security.”[1] Having enough properly trained IT resources means your team can dedicate time to testing and uncovering vulnerabilities and mistakes before it’s too late.


  1. Encrypt your data – Encryption protects private data in transit (such as in email and other communications) and at rest (on your network). It’s important to have a scalable encryption solution that offers multiple delivery options, is easy for employees and clients to use, lets users recall encrypted messages even after they’re opened and is easily integrated with solutions you already use, such as Office 365. In a recent Echoworx survey, 53 per cent of the IT professionals and decision-makers surveyed said encryption technology was very important or critical to their organizations. And yet, only 40 per cent of respondents said their organizations are using data privacy technology extensively. Again, here’s where simplicity triumphs: an encryption solution can only be effective when it’s used.


There are also financial incentives for using encryption. A recent Forrester Total Economic Impact™ study, revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits.

Get the full Forrester Total Economic Impact™ study of OneWorld now.


  1. Know your risks and assets – Cybersecurity efforts are more effective when they’re based on a strategic framework, instead of piecemeal solutions. It’s important to identify (and address) risks such as outdated security protocols, data protection, careless employee behaviour, identity and access management, etc. Identifying key assets and data—and increasing security around them—is another essential part of a strategic cybersecurity infrastructure. Increase support for cybersecurity initiatives by helping your board of directors understand the real risks companies face with inadequate cybersecurity programs and resources.


  1. Use a privacy by design approach – With so many organizations pursuing digital transformation, there’s a perceived need for speed. What’s even more essential is building privacy and data protection into new digital programs and processes. Frédéric Virmont, a cybersecurity industry expert, says, “Security is like quality; it must be from the beginning to the end of the life cycle. If you wait until the end of the product, it’s too late. Once the house is built, it’s too late to add emergency exits.”

Learn more about mitigating internal vulnerabilities.


  1. Train your staff on cybersecurity – A recent PwC reportfound that 32 per cent of respondents consider insider threats more costly and damaging than external incidents. Insider threats can be accidental or intentional, so education and proper security protocols are the first line of defense against them. Educate employees about the importance of using security programs and processes and how to identify and report suspicious incidents. And by choosing effective cybersecurity platforms –encryption for example—that are also easy to use, you make data protection the path of least resistance. Cybercrime, including social engineering and spear phishing, is more sophisticated than ever; wise companies create informed workforces capable of identifying these cyber threats.


With the average cost of data breaches at $141 per breached record (and more than double that for healthcare organizations),[ii] isn’t it time for organizations to keep it simple and master the basics of cybersecurity?

By: Brian Au, IT Specialist, Echoworx







18 Jul 2019
Accountants play a role in cybersecurity

Integrating Cybersecurity with Business Strategy

A common problem faced by a growing number of organizations is how to seamlessly integrate cybersecurity into their overall business strategy. As industry and commerce prepare for the next level of cyber-attacks, businesses are increasingly looking to finance professionals for help in developing risk-mitigating cybersecurity strategies that align with the organization’s mission and vision.

Identifying cyber-vulnerabilities starts with getting to know your intangibles

How well do you know your intangibles? This on the face of it seems like a strange question to be putting to an accountant, but it is a very real issue. Intangibles in the accounting world have been grouped as a separate asset class, a kind of catch all for anything that meets the asset definition (a resource that a company controls, and which is expected to produce a future economic benefit), but is not physical in nature.  Traditionally, accounting practices only record what things cost, or the resale value if possible. But, based on the difference between reported book and stock values, intangible assets now make up between 60 to 80 per cent of global corporate worth.

The lack of clear definition in identifying the business’s intangible strategic assets, and more importantly the difficulty in assigning an appropriate monetary value to the intangibles, such as intellectual property, internal software upgrades, staff and managerial expertise, customer data insights to name a few, has left organizations exposed to cyber threats, if you haven’t identified the intangible as a strategic asset, then why would you spend resources protecting it. Every business will have its own nuanced set of strategic intangibles. It is predominately these intangibles that a cyber security investment will be safeguarding. Not identifying your intangibles, or not knowing the real value of the intangibles to an organization makes it less likely that an appropriate cyber security defense strategy will be put in place to protect these intangibles.  So, get to know all your intangibles!

The second fundamental challenge deals with the ambiguous complexity of cyber threats and understanding the nuances of the different types of current cyber threats posed to their strategic intangible assets. Threats come in all forms and sizes, and not being cognizant on what the current threat landscape looks like in their own industry sector is extremely risky. The goal should not be to create a strategy to overcome a security crisis, although in too many instances it requires a breach for a company to initiate an action. Rather, the goal should be to have a cohesive integrated cyber strategy that protects against current threats and has the flexibility to adapt to future threats.

Understand the underlying prevalent cyber threats that reside in your industry.

Accountants play a role in cybersecurity

Accounting and finance professionals are uniquely placed to help a business develop an appropriate cybersecurity strategy.  Finance teams, with their knowledge of an organization’s intangible strategic assets, and expertise in implementing risk management strategies, are well-equipped to identify cyber vulnerabilities, and accountants can be pivotal in closing any security gaps by exploring, evaluating and implementing better tailored security solutions.

There is most definitely not a one-size-fits-all solution when it comes to cybersecurity. In fact, it is very unlikely you find any two large enterprise organizations having similar solutions. Even strategic business units within the same organization often have very different security programs.  By thoroughly knowing your intangibles and being versed on the ambiguous complexity of the cyber threats, coupled with knowledge of risk management techniques, accountants can take a leadership role in delivering effective and efficient cyber security strategies. The cyber security strategy within an organization ultimately becomes a competitive advantage to that organization in its own right.

Understanding total economic impact of cybersecurity

Forrester Research recently published a study identifying the challenges of choosing an email encryption solution for enterprise-level organizations – where, without the right support and processes, running an encryption platform became an onerous activity.

The study, entitled “The Total Economic Impact of Echoworx OneWorld Encryption,” is written in a style and language that will be familiar to finance professionals. Both quantified and unquantified benefits of the solution are identified, and the analysis is presented in the form of a post audit investment appraisal using techniques like ROI, NPV and payback.

I recommend CPAs read this report because it demonstrates the holistic view that needs to be considered when undertaking a strategic cybersecurity investment.

See the full Forrester TEI study here.

Finance Director, Echoworx Corporation

10 Jul 2019
presenting to the board

Is Your Company Board of Directors On-Board with Cybersecurity?

Cybersecurity is no longer just an IT issue. Cybersecurity is no longer measured by who has a taller firewall. Cybersecurity is no longer an out-of-the-box one-size-fits-all installable solution. Instead, cybersecurity is now a complex mosaic of solutions, ideas and mindsets which permeates throughout the entire organizational structure of a company – from warehouse to boardroom.

So, at the end of the day, who is responsible for instigating organization-wide cybersecurity initiatives?

While C-suite executives, from CEO to CISO, might be responsible for spurring action toward shoring cyber-defences, an IT department is generally responsible for the implementation and maintenance of new security solutions with existing infrastructure. But, at the end of the day, it is the organizational board of directors who need to be won over. This carefully selected group of individuals, chosen to reflect the interests of company stakeholders in overseeing organizational management, are who even a CEO must answer to – including on issues concerning budget.

For a CISO intent on spending more on cybersecurity solutions, convincing their board of directors can be difficult. And, due to the intangible nature of cybersecurity, with no visible physical benefits, at least initially, emphasizing the importance of investing in said technology is paramount.

Here are some simple probing informational conversations you need to have to convince your board of directors to pay attention to cybersecurity solutions:

  1. How much does your board of directors know about cybersecurity?

Before you launch into the meat and potatoes of your cybersecurity proposal, you need to gage how deep the knowledge base of your board of directors is when comes to this subject matter. Unless they have clear backgrounds in technology or security, it is unlikely they have a deep understanding of how exactly cybersecurity works.

You need to explain what cybersecurity is, in layman’s terms, why it is important and why cybersecurity is no longer just an IT problem – but rather one of organization-wide significance. You might consider throwing out some statistics regarding the negative impact of a data breach – like last year’s massive data breach affecting the healthcare system of the Canadian province of Ontario, for example, which saw the theft of 80,000 unencrypted electronic health records.

Learn about making a business case for encryption here.

  1. How accountable is your board of directors for data protection?

When a data breach occurs within an organization, its devasting effects are felt company-wide – including at the board-level. Aside from the potential for soul-crushing fines from regulatory bodies, like those dished out to violators of the EU’s General Data Protection Regulation (GDPR), for example, mishandling personal data hurts a brand as a whole – with Echoworx data showing 80 per cent of customers consider leaving a brand after a breach.

As the directors of organizational tack, brand reputation is a crucial focus for boards aiming for business success. Investing in cybersecurity solutions, like encryption for communications, is an important step to preserving brand – with some solutions, like encryption, even mandatory to conduct business in some parts of the world.

  1. Emphasizing the monetary advantages of cybersecurity investment

From regulatory fines to brand damage to just cleaning up the mess, data breaches can be like termites into an organization’s finances. Investing in cybersecurity solutions insulates your organization from the detrimental effects both before and after malicious cyber-events – and can even help save money in other supplementary categories.

Take our OneWorld encryption platform, for example. According to a recent Total Economic Impact™ study from Forrester Research, OneWorld shows a return on investment (ROI) of 155 per cent – and upwards of $2.7M in cost-mitigating benefits. These cost-mitigating benefits do not account for the hundreds of thousands (or even millions) of dollars saved by the risk-mitigating features of this flexible encryption platform – offering five different ways to communicate securely with your customer base.

Get the full TEI study of OneWorld by Forrester Research here.

  1. How important is digital trust?

Every business wants their customers to trust them – a trend which transcends the digital world. But gaining digital trust online is different from doing so at brick-and-mortar stores. Unlike their offline counterparts, where brand trust is gained over years (and even generations), digital trust is fairly easy to get. But digital trust is even easier to lose – and impossible to get back.

So a board of directors needs to understand the brand value of protecting customer data as a tool for building digital trust. Nobody wants to work with a company which doesn’t protect their data. And cybersecurity investment is an excellent marketing tool for reassuring customers that your brand does. In today’s customer-centric world, with so many other options online, you simply can’t afford not to put your customers first – and your board needs to understand that.

Learn more about building digital trust with encryption.

By Michael Roberts, VP Technology at Echoworx

14 Jun 2019

Thinking Inside the Box: Addressing Internal Cyber Vulnerabilities

In cybersecurity, it’s easy to become obsessed over external malicious factors and lose sight of the whole picture which includes internal vulnerabilities. When it comes to cybersecurity, the best defense includes shoring up your internal defenses because many critical vulnerabilities are too close to home for comfort.

What is an internal cyber vulnerability?

A vulnerability is a flaw in a system that exposes the system to risk of attack. In cybersecurity, these vulnerabilities can be related to the computer systems and processes and procedures you use. While you may know famous software vulnerabilities like Heartbleed and WannaCry, internal vulnerabilities can be much more mundane. For example, someone leaving the default password on a router or assuming your employees know how to recognize spear phishing attacks can lead to a lot of heartache for a chief information security officer.

As they say in sports, “The best defense is a good offense.” In this case, a good offense includes taking a proactive approach to identifying and fixing vulnerabilities, which we’ll cover next.

How to identify cyber vulnerabilities in enterprise-level organizations

Before you can identify cyber vulnerabilities, you must have a clear idea of your organizational assets, including intellectual property. Frédéric Virmont, a seasoned cybersecurity expert, says, “You have to identify what’s critical for the business: servers, applications, everything. Once you identify those critical assets, then you can make a plan to secure them and ensure they’re maintained with security patches.”

After identifying your critical business assets, you can expose and triage any vulnerabilities through various security tools—and then patch them up.

Put staff on your list of organizational assets as cyber vulnerabilities include accidental and intentional insider attacks by employees.

Six ways to reduce internal cyber vulnerabilities with pre-emptive measures

1) Encrypt data and communications – Protect your data while it’s in transit and at rest with a user-friendly encryption solution. Billions of emails are sent every day and without encryption each one represents a security risk. And in 2018, 4.8 billion records were stolen during breaches and less than three per cent of those records were encrypted.

2) Teach employees about cybersecurity – A recent PwC report in the US found that 32 percent of respondents consider insider threats more costly and damaging than external incidents. Because employees are on the frontline of cybersecurity, it’s essential to educate them about the importance of using security programs and processes and how to identify and report suspicious incidents. Cybercrime is increasingly sophisticated—especially social engineering and spear phishing—which is why regular and effective cybersecurity training is necessary for all staff.

3) Beef up your security policies – Make sure your policies support your security efforts. Some of the best practices include:

  • Limiting user access through assigning appropriate permissions to non-IT employees
  • Setting appropriate guidelines for creating strong passwords or enforcing two-factor authentication
  • Limiting Internet usage by defining or controlling what type of content can be viewed
  • Defining file storage locations for employees and denying usage of USB drives or personal cloud storage
  • Choosing policy-based encryption with flexible delivery methods for communications
  • Effective vetting of third-party vendors


4) Have an up-to-date disaster recovery plan – A disaster recovery plan allows all staff to act swiftly—using prepared strategy—when disaster strikes. This way, organizational efforts can go towards closing the vulnerability and monitoring it, rather than trying to figure out what to do in the middle of a crisis.

5) Don’t migrate vulnerabilities to the cloud – While there are many benefits to offloading on-premise servers and applications to the cloud, organizations must avoid bringing along existing vulnerabilities with them. Implementing security tools prior to cloud migration is essential.

6) Communicate effectively with the board – Since they may not always understand the technical assets, many boards shy away from cybersecurity risk management. Instead of communicating about tech specs, talk to the board about the cost of not implementing security measures, return on investment trends and reputation management with clients. Raphael Narezzi suggests talking to the board of directors like this, “It can be a cost today, but I guarantee you, the scenario we see when a board acts before an event, is a completely different scenario than when they don’t act at all.”

The benefits of closing internal vulnerabilities

Closing internal vulnerabilities takes time, resources and expertise and is now part of the cost of doing business. But there are benefits. As mentioned above, data security results in customer-centric benefits such as building reputation and digital trust and helps pave the way for competitive differentiators.

Closing internal vulnerabilities takes time, resources and expertise and is now part of the cost of doing business. But there are benefits with a solid return on investment. A recent Forrester Total Economic Impact™ study, for example, revealed that a typical enterprise-level organization can expect a seven-month payback period and slash $2.7M off their bottom line by employing our flexible OneWorld encryption solution. Get the full Forrester Total Economic Impact™ study of OneWorld now.

With so much at risk, isn’t it time to shore up your vulnerabilities?

At Echoworx, encryption is all we do. Our OneWorld encryption platform and cloud security services are a natural extension to existing security programs and offer a wide range of flexible options for secure message delivery. You can learn more about the ROI of Echoworx OneWorld encryption here.

By: Randy Yu, Senior Manager Technical Operations & Support, Echoworx

04 Jun 2019

Encryption Mosaic: The New Diverse World of Secure Communications

Dial back the clock several million years and you find a crowded ocean of creatures surrounding lush green lands devoid of any vertebrate activity. Then one fish walked out of the sea and changed our terrestrial course forever. But did this ambitious fish have revolutionary intent? Certainly not – instead focusing on more immediate needs of food and new territory.

The same can be said about contemporary demands for secure digital communications. While digital communications enable transcendence from the world of paper mail, making the sending and receiving of information instantaneous, they inadvertently make our most-precious personal details more exposed and more open. And, with no way to turn back the clock, the case for encryption protection of sensitive information grows – and evolves.

But, as more and more industries migrate online, we are beginning to see that this brave new digital world is not one-size-fits-all – especially when it comes to secure digital communications. From different customers to different jurisdictional regulations protecting them, an encryption solution needs to be as flexible as the diverse array of organizations it serves.

Here are key points to consider in determining the factors affecting secure communications, why needs are so diverse and where exactly you might start placing your organization in the encryption mosaic:

1) Regulatory fines with sharp-teeth

Where an organization is located can influence how much they are expected to protect their data. In Denmark, for example, encryption is now mandatory for all communications containing the personal data of Danish citizens under its jurisdiction, according to its own interpretation of the General Data Protection Regulation (GDPR) affecting EU country members. Failure to comply with the GDPR, and other similar regulatory bodies or laws, like Canada’s recently-updated Personal Information Protection and Electronic Documents Act (PIPEDA), for example, can lead to devastating fines and even more devasting brand damage.

Echoworx recognizes that not all countries protect the personal data and the privacy of their citizens the same. To help prevent prying bureaucratic eyes or to avoid non-compliance with jurisdictional regulations, Echoworx’s cloud-based encryption solutions are available on AWS Cloud in 13 countries. We also have SOC2 and ICO-certified data centres in the US, UK, Germany, Ireland, Mexico and Canada, ensuring all sensitive data stays close to home.

2) Different industries – different business cases

While organizations operating in the banks, financial services and insurance (BFSI) realm were the first wholesale adopters of encrypted communications, the technology is exponentially permeating through to other industries. According to a recent Ponemon study, for example, manufacturing and services organizations are beginning to crack into the encryption market – accounting for 12 and 11 per cent respectively.

And, as new industries begin to implement encrypted secure communications, so does demand rise for a flexible encryption solution to adapt to different business use cases. At Echoworx, for example, we offer a cloud-based scalable encryption solution featuring multiple secure user-friendly delivery methods to fit any business process.

Learn more about the different ways you can send secure information with Echoworx.

3) Users are changing

From mobile banking to Generation Z, how users send information and what exactly they are willing to send is changing at a rapid clip. Today’s users are tech-savvy and quick to provide personal details but even quicker to move on if an organization mishandles their data. They demand instantaneous communication and a streamlined user experience with organizations they work with. To avoid going the way of the dodo bird, you need to go above and beyond to make sure they come first – all while ensuring that their sensitive personal data is protected.

With Echoworx, you can tailor every aspect of your encryption experience to put your customers first – from the way they access a secure message to something as simple as the ability to brand. And, to further avoid any negating situations affecting user experience, Echoworx offers services in 22 languages for all our flexible delivery methods – ensuring nothing is lost in translation.

Explore these different delivery methods here.

4) Encryption isn’t just an IT issue anymore

From headline-grabbing data breaches to something as simple as customer experience, encryption is no longer a backroom IT issue – it’s a business issue. But implementing an encryption program isn’t as simple as adopting a solution and flipping a switch. There needs to be a universal internal change of culture at most organizations. For example, while 50 per cent of CEOs are concerned most about possible detrimental impacts to user experience when adopting a security solution, 88 per cent of IT professionals view encryption as costly, difficult and a constraint on business productivity.

Echoworx works with companies to ensure encryption solutions are as non-intrusive and as streamlined as possible – from deployment to the end user. In our capacity as a third-party encryption provider, we support our clients, reducing the additional strain of user help queries, and, with nearly two-decades’ worth experience in the encryption market, we can adapt to any business case.

Learn more about working with Echoworx.

By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx


  • Ponemon Global Encryption Trends Study – April 2018
03 May 2019
how to make a business case for encryption

How to Make a Business Case for Encryption

Worldwide, more than 290 billion emails are sent every day. In enterprise-level organizations, digital communication is a competitive advantage over snail mail because it’s faster, cheaper and easier to deploy. But cost savings can disappear the instant an organization experiences a data or privacy breach, which is all too common. In 2018, 4.8 billion records were stolen during breaches—that’s more than 9,000 per minute—and less than three per cent of those records were encrypted.

Today, we’ll do a quick review of two reasons email encryption is business-critical and what to look for in an encryption provider if your organization would like to minimize risks and costs associated with keeping email secure.

Why email encryption is critical in business: the high cost of losing trust

If your organization collects, manages and disperses personal information, it’s essential to deploy user-friendly encryption to secure that data as it flows through email. Of course, it’s the right thing to do, but it’s also what customers want and expect. For example, 87 per cent of CEOs invest in cybersecurity specifically to build customer trust—because once you lose trust, you lose the customer. When customer trust and satisfaction is tied into data security, it’s easy to see how email encryption no longer fits into the nice-to-have category. It’s now essential.

Why email encryption is critical in business: compliance & avoiding fines

Implementing an encryption solution also helps you keep government hands—mandated by legislation—out of your pockets.

If your organization doesn’t protect data from being intercepted on route, the fines can be substantial. Just one year in after launch of the General Data Protection Regulation (GDPR) in the EU, for example, and we are already seeing massive fines – like the €50M fine Google was ordered to pay at the beginning of 2018 for GDPR violations.

In Canada, under the newly-updated Personal Information Protection and Electronic Documents Act (PIPEDA), it’s now mandatory to report data breaches, with non-compliance fines going as high as $100,000.

With privacy legislation expanding—California, New York and even Qatar, among many others, have created their own guidelines—organizations can no longer afford to ignore email encryption for private data. Privacy legislation now has teeth and the fines are steep.

There’s no question that taking care of your business means encryption. The next thing to do is work with an encryption provider who understands your needs and addresses them effectively.

Finding an encryption provider that works for you

Global information security spending, as a whole, is set to exceed $124B in 2019, according to a recent Gartner report —which means your organization has a lot of choice when it comes to encryption solutions. This choice is good but can also lead to overwhelm and poor decisions. For example, if an organization has an encryption solution in place, but it’s not widely used, it can mean they didn’t choose an encryption provider that could meet their needs and guide them through the process. We don’t want that to happen to you, so we put together a list of things to look for in an email encryption provider.

Seven things to look for in an enterprise-level encryption provider:

  1. Proven track record – Ask how long the provider has been working in encryption. At Echoworx, for example, we understand the risks of email management because we’ve been providing encryption solutions for almost two decades.
  2. Solutions that go beyond out-of-the-box encryption – While out-of-the-box encryption is much better than zero encryption, look for a provider that can counsel you on solutions based on your needs. Many enterprise-level organizations require flexible delivery and policy-based encryption options—which go beyond the box.
  3. Cloud solutions that reduce overhead – Sending encrypted messages simply costs more when you run a legacy on-premise encryption solution. Costs include hardware and physical on-premise servers and staff to run them. Look for a third-party encryption provider that allows you to upload your secure communications to the cloud, offload support queries, gain access to encryption experts, save money and put less burden on your IT resources.
  4. Data centres around the world – Worldwide data centres allow users to deploy communications within their jurisdictions and within regulatory compliance. For example, at Echoworx, we have data centres in six countries: Germany, Ireland, the United Kingdom, Canada, Mexico and the United States. This helps cut costs, maintain compliance and cuts down on deployment time.
  5. Reputation management – Every time a piece of sensitive information leaves an organization’s digital perimeter, it puts a company’s reputation at-risk. An encryption provider should understand this risk and offer solutions like full brand alignment in multiple languages to support a seamless end-user experience.
  6. Systems that support dynamic scaling – Can your provider’s encryption solution scale dynamically as email demand on the system fluctuates from day to day or even hour to hour—and accommodate increased demand without delay? Is your system available in AWS Cloud in 13 countries?
  7. Vetted partners for peace of mind – Do you trust your provider to handle your data securely and responsibly? At Echoworx, we subject our business to regular audits. We are proud to be: SOC2 Certified, Web Trust Certified, a Microsoft Root Certificate Member and an Apple Root Certificate Member.

One last thing to look for in an encryption provider: a track record of positive return on investment (ROI).

A recent Forrester Total Economic Impact™ study, for example, revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits. This same study showed that using OneWorld’s self-service support options—like automatic password resets—increases call centre productivity, removes the need for additional overhead and can save enterprise-level organizations almost $320K over three years.

Get the full Forrester Total Economic Impact™ study of OneWorld now.

As you can see, the cost of unencrypted email communications is high and the risk too great. Isn’t it time you found a trusted encryption provider that can meet the needs of your business and customers?

By: Beverly Barrett, Director, Channel Management, Echoworx