Category: Cybersecurity

15 Feb 2019

Can cybersecurity be a competitive edge?

In the old days, before organizations became customer-obsessed and held off-site leadership events to drill down on their value proposition, information security was simple. There was the CIO and a few stewards of the air-conditioned server room, which was invisible to the non-IT eye. Back then, cybersecurity operated in the shadows and it worked just fine … until it didn’t.

Fast forward to today when cyber security is front and centre for senior leadership, boards, customers and partners. All these stakeholders can tell you what Target is now famous for: a customer data breach that cost the company over $200 million[i] to resolve.

And in an increasingly competitive business landscape, forward-thinking organizations are integrating information security into business processes to avoid becoming the next cautionary tale on the six o’clock news.

Enough to make organizations WannaCry: Evolving cybersecurity threats

The continuously evolving cybersecurity threats organizations face include malicious security breaches and attacks, accidental breaches initiated from well-intentioned employees and known governmental surveillance. Ironically, as businesses benefit from connected infrastructure networks (think of advances in supply chain management, for example), that connectedness also increases the risk of security threats—because attacks can spread across connected networks so quickly.

CIOs and chief security officers are no longer alone at the table advocating for better privacy and data security measures, but there’s still room for improvement. The 2018 Global State of Information Security Survey report found that only 40 per cent of corporate boards participate in their organization’s security strategy.[ii]

But perhaps the biggest threat of all is the lingering notion that cyber security is an IT problem. It’s not an IT problem. It’s a business problem. Unfortunately, most business leaders don’t understand the nuts and bolts of data security and digital threats, which can make it more difficult to address the issue.

Security specialists may get more traction at the leadership and board level by framing cybersecurity as a competitive edge. That’s not finessing the facts, considering that 92 per cent of organizations surveyed through the EY 2018-19 Global Information Security Survey called their information security insufficient.[iii] 92 per cent!

Four ways cyber security investment helps organizations gain a competitive edge:

  1. Reduces compliance risks and fines – Legislation such as the GDPR, HIPAA and PIPEDA affects the way companies do business, and fines can be substantial. Did you know that GDPR violations can cost up to $20 million or four per cent of annual turnover (whichever is greater)?[iv] Since EU citizens are covered under the GDPR even when they’re out of the EU, international companies can stay on the right side of compliance by using proactive policy-based email encryption measures that automatically apply protection to predetermined groups of users (e.g., EU citizens).
  2. Reduces unnecessary cost – The average cost of a single data breach is $3.6 million (USD).[v] But Target’s breach cost 55 times that much, which is why a cybersecurity strategy that protects the downside is so valuable. For example, investing in a flexible encryption platform means encryption can be automated to accommodate any business situation and keep data secure—without any hassle.
  3. Protects the company brand – Inadvertently allowing malicious entities or hackers to access your customers’ personal information is a quick way to reduce or eliminate their trust in you. Imagine how long it will take Equifax to win back the trust of 147 million Americans after the 2017 breach. Investing in proactive cybersecurity measures, like encryption, helps you preserve the fragile relationship that is the reality of digital trust.
  4. Delivers a value proposition for your customers – Your customers may not be able to keep up with the ever-evolving world of cybersecurity, but they expect protection to be a built-in feature of doing business with you. Proactive cybersecurity measures make conducting online business safer and more reliable, which saves customers time, streamlines their experience and delivers real value to them.


Quick tip: Make your competitive edge easy to use

An information security program likely has multiple lines of defense, including encryption, authorization and data integrity measures, but these systems and processes only work if people use them. We encourage you to implement cybersecurity systems and processes that are easy for employees and customers to use. Because even when cybersecurity is top of mind, most employees and customers won’t be inconvenienced for the sake of security.

By Alex Loo, VP of Operations at Echoworx







28 Dec 2018

New Year? New Information Security Challenges!

As we head into the New Year, we reflect on the trials, tribulations and challenges faced over the past year – before outlining specific resolutions to these problems. In the world of information security, these improvements are usually within the realms of identifying threats, preventing cybersecurity issues and staying on top of the latest and greatest in data protection technology.

And what a busy year it’s been! From the introduction of new privacy-building legislation, like the GDPR or California’s AB 375, to new privacy-destroying laws, like Australia’s new encryption laws calling for data backdoors, it’s been quite the rollercoaster. We’ve also seen data breaches and instances of ransomware bring even massive corporate conglomerates, like Marriott, to their knees.

So what is to be done in 2019?

The unfortunate reality of the world of information security is that new threats, new scams and new malicious actors to worry about seem to pop up every day. Staying on top of this constantly morphing information is enough to drive someone nuts. And the consequences of falling behind can be detrimental to your business, your reputation and, ultimately, your customers.

This past year, our Distinguished Software Engineer at Echoworx, Slava Ivanov, has made it his mission to gather and consolidate the latest cybersecurity tricks and tips into a concise serial 101 document of definitions. From lighter topics, like the newly emerged Japanese ‘posterior authentication’ technology, which grants access to a system or machine via ‘butt prints,’ to more serious information security issues, like spear phishing, to data protection issues, like Blowfish cryptography used in encryption, Slava’s index of terms offers an excellent primer to anyone starting research on a term.

So, before you formalize your organization’s New Year’s resolutions this year, consider a quick glance at Slava’s ‘Information Security 101’ to see if there is something you missed in 2018!

Click here to browse last year’s top trending information security terms and definitions.

By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx

11 Dec 2018

Trouble in Oz: Australia’s New Controversial Data Backdoors

Dangerous privacy precedents are now being set in Australia – a nation traditionally known for its dedication to Commonwealth democratic stability. As of December 2018, Australia has newly minted legislation under its belt which allows its intelligence and law enforcement agencies to demand backdoor access into the sensitive encrypted data of target organizations.

As other friendly governments take note of this new development, this legislation might signal the beginning of dark times for digital privacy and the way we store and share sensitive information.

But first – a little background:

Since their inception, members of the so-called ‘Five Eyes,’ a collective body of intelligence and law enforcement organizations hailing from the UK, the US, Canada, New Zealand and Australia, have been lobbying for more access to their citizens’ data. Gaining access to private citizen data represented a unique opportunity not only to keep an eye on those few amongst us with malicious intent – but also another opportunity to control and manage their populaces.

In recent history, this has manifested itself in digital ways – from legislation, like the US Government’s PATRIOT Act or the UK’s more recent Investigatory Powers Act, to the use of dangerous euphemisms, like “responsible encryption.” Sensitive digital data is a treasure trove to the Five Eyes, and they have been salivating for years at the prospect of getting in.

Backdoors are still doors

In layman’s terms, the new privacy legislation passed by the Australian Parliament demands that third-party digital service providers create backdoors through which state organizations may access end-to-end encrypted information when prompted. While they can make these requests formally to an organization, it’s worth noting they also now have the power to demand that individuals at target organizations, from Sally the CEO to Bill in IT, provide this backdoor access upon request.

And these demands have serious teeth.

If an organization refuses a request by an Australian Government body, like a law enforcement agency, they face millions of dollars in fines. Individuals who fail to comply face jail time.

Sound scary?

It gets worse.

There’s a global impact of these new privacy laws

As a member of the Five Eyes, Australia is a major player in the global intelligence community. Not only do this country and its legislation help set a considerable part of the bar for what is acceptable for government intelligence agencies to do – they have also created a dangerous precedent which might spread to other members of the Five Eyes collective.

The danger of testing the depth of a river with both feet

An unintended consequence of creating these backdoors is the new potential vulnerabilities they pose to the Australian Government organizations who demanded them. While they claim to have solved major issues of national security, with their new ability to spy on their own citizens, the Australian Government has ironically created dangerous vulnerabilities in their own systems available for exploitation by malicious agents.

What can be done?

At Echoworx, and throughout the cybersecurity community, we firmly believe in the protection of encrypted data. Without the ability to send and receive confidential data via digital platforms, everyone’s privacy is at risk, and what’s worse, we could be opening doors to the very criminals we’re trying to stop.

By Derek Christiansen, Engagement Manager, Echoworx

25 Oct 2018

Moving Your PGP to the Cloud? Here’s What You Need to Know

Is PGP encryption part of your secure messaging strategy? Are you currently hosting this system on-premise? Ever thought about moving your PGP email encryption to the cloud? It may sound daunting, but, with the right tools and services, moving to the cloud is an investment to consider for you and your customers.

An on-premise PGP system is resource intensive, and requires software installed on your workstation and servers. The demand on your IT department can be considerable – migrating it to the cloud can take a lot of strain off your staff.

Here are a few points to consider if you are thinking of making the move:

Email encryption should be more than just adequate

We have a responsibility to protect the sensitive messages that we send, and we need to do it in a way that doesn’t get in the way of doing business.

An effective email encryption solution has five main qualities:

  • It is easy to implement
  • It can scale to keep up with growing demands and sudden bursts in email volumes
  • It is feature rich, standards-based and current, supporting encryption technologies widely used today
  • It is jurisdictionally aware, so messages sent from the EU, for example, aren’t stored in or sent through the U.S. or other jurisdictions which might compromise compliance with GDPR rules
  • It is operated securely by a trusted vendor which is dedicated to security

Legacy systems shouldn’t stop you moving to the cloud

Moving an on-premise PGP system to the cloud is not only possible; these legacy systems can actually be migrated without disruption, a critical business consideration if your organization sends large numbers of secure messages daily. And you gain access to additional secure delivery methods, like the ability to send messages via web portal, and additional features, like the ability to custom brand encrypted messages.

Key management without the management

According to the thirteenth encryption study commissioned by Thales from the Ponemon Institute, key management continues to be a major pain point for 57 per cent of organizations. And many of these organizations report they continue to manage their key process manually. This is not a new stat. In fact, key management has remained a consistent pain point year over year! Moving to the cloud allows you to simplify your key management process – and automate it.

Why use Security as a Service?

In today’s climate, businesses must scale quickly to meet ever-changing demands. Security threats are always evolving, and technology continues to transform at a rapid pace. New developments such as mobile computing, the Internet of Things, Software as a Service and Infrastructure as a Service are leading to fundamental changes in the way businesses operate.

Working with a cloud Security as a Service provider can bring many benefits. Sheila Jordan, CIO at Symantec, for example, points out that while IT and technology investments can be used to operate and grow a company, the list of tasks to be performed will always be greater than the resources and funds available. IT is often seen as an easy place to cut costs, and in response, CIOs “must prioritize the demands that most directly affect the profitability and financial goals of the company.” CIOs are responsible not only for protecting data, but also for helping companies use that data to generate actionable insights. Moving to the cloud lets organizations track and report in real time.[1]

Thinking about Security as a Service? Here are some questions to consider:

  • What is your risk profile?
  • Is there a specific crisis you’re responding to?
  • Do you have a clear plan in place?


Once the decision to move to the cloud has been made, choose your vendor carefully. Don’t look for a single point solution: if you do, you might find that the solution you’ve chosen has quickly become obsolete or is not the sole focus of a bigger product. Look to your new partner to educate and train your teams and guide your company through the process. Most importantly, get to know the team you’ll be working with, as good relationships can make the difference when dealing with a crisis.

Sheila Jordan from Symantec puts it best: “When you work with a partner that understands your business and where you are headed, they can offer global support and solutions that will grow with your organization. The right partners will always be customer-focused, doing everything in their power to drive your company forward.”

See how easy it is to migrate your PGP to the cloud.

By Christian Peel, VP Engineering, Echoworx


[1] Sheila Jordan, “Security as a Service,” in Canadian Cybersecurity 2018: An Anthology of CIO/CISO Enterprise-Level Perspectives, ed. Ajay K. Sood (Toronto: CLX Forum, 2018), 23-45.

27 Sep 2018

Why Are Cybersecurity Audits Important?

The cybersecurity environment is changing. Rates of malicious email and malware continue to rise, and new threats are emerging. Meanwhile, ransomware attacks have become so common that targeted attack groups are now using them as decoys to provide cover for more serious forms of attack.

In a sea of constantly-evolving cyber threats, can your company stay afloat?

If you think a firewall is all you need to consider when assessing the cybersecurity of your digital perimeter – probably not. After all, cyber attacks are now a question of when, not if, and no one solution is going to solve all the problems. This is where having a second opinion can go a long way in understanding the contemporary cybersecurity landscape of threats, available defenses, third-party risk and new regulations.

Enter the cybersecurity audit.

Why conduct cybersecurity audits?

Cybersecurity is a complex web of systems and processes that must evolve in response to threats. And third-party cybersecurity audits help bring clarity and insight. In some organizations, there may be a lack of awareness of how often security policies should be reviewed, and why. IT departments may not have the tools they need to ensure systems are secure. Worse, they might not realize this! And even when cybersecurity is a key element of organizational culture, focus on business scorecards and metrics can keep attention on the past, on threats already faced. Instead, companies must look to the future, to anticipate the threats that have not yet emerged – taking the proactive cybersecurity measures of privacy by design.

How will cybersecurity audits help you?

There are four main reasons why your company will benefit from cybersecurity audits.

  1. They provide knowledge and validation. Audit providers have extensive experience and offer best practices to strengthen company programs. Auditors have training in new regulations (such as the GDPR). They can ensure systems and processes meet current regulatory standards. Auditors can also flag potential issues and suggest improvements.
  2. They offer neutral and objective evaluations of programs. Objective assessments also provide the best picture of how attractive a company might be to hackers.
  3. Third-party audits can be more accurate. Because auditors are not directly associated with the company, they may have a more precise view of the entire organizational structure, including BYOD and mobile devices that might not be an official part of an organization’s workflow.
  4. They help validate your privacy policies to prospective third-party partners. And vice-versa.

What does a cybersecurity audit look for?

Assessment of cybersecurity requires specific technical skills. Auditors must examine server configurations, conduct penetration testing and review security event management rule sets.[1] Not every IT department has individuals with the skills and knowledge to perform these tasks.

In addition, there are complex regulations regarding data protection and privacy, and your organization must follow these regulations in every jurisdiction in which it does business. The recently passed GDPR, for example, requires that data breaches involving data from EU residents be publicly disclosed within 72 hours. Will your company recognize that such a breach has occurred? How well does your company keep personally identifiable information (PII) secure? Your company collects data – is it accessible to your partners, suppliers, or customers? Do your contracts specify how vendors and distributors will handle this data? Do these organizations have systems in place to keep your data secure?

Why are cybersecurity audits important?

A recent PwC report says 87 per cent of global CEOs believe investing in cybersecurity is important for building trust with customers. Yet less than half of businesses worldwide are conducting audits of the third parties which handle their collected personal data. In other words, there is a 54 per cent chance an organization collecting personal data is not sure whether this data is being adequately protected – despite their CEOs expressing the importance of doing so.

If a company believes in protecting personal data, or, at the very least, wants to avoid an expensive data breach, it must do its due diligence when choosing third-party providers. This is why conducting cybersecurity audits is so important. An organization needs to know where and how its data is stored because, at the end of the day, any organization which collects personal data is ultimately responsible for any data protection claims – claims which transfer to third parties.

We practice what we preach!

At Echoworx, we breathe encryption and work every day to help enterprise organizations protect their sensitive data in transit. It only makes sense that we’d invest in the highest levels of cybersecurity. That’s why our entire organization, top to bottom, is scrutinized by third-party auditors regularly to ensure airtight data protection – and we’re proud of our SOC 2 and WebTrust certifications!

See our cybersecurity qualifications for yourself!

By Alex Loo, VP of Operations, Echoworx



14 Sep 2018

Is Your Business Vulnerable to Cybersecurity Threats?

In 2017, Deloitte was ranked the best cybersecurity consultant in the world for the fifth year in a row. But later that year, news emerged that Deloitte itself was the victim of an ongoing hack that had lasted nearly a full year.[1]

How could this dramatic reversal have happened so quickly?

Any enterprise is vulnerable to cyberattack. The bigger the company, the bigger the target. For most companies it’s only a matter of time.

Hackers aim to steal sensitive data such as corporate secrets, personal data and intellectual property. Hackers also launch sabotage attacks. The financial damage to the global economy exceeds $575 billion annually—more than the GDP of many countries.

How vulnerable is your business?

Cybersecurity = constant vigilance

Here are some cybersecurity vulnerabilities to watch for:

  • Security misconfiguration. This is the most common and dangerous flaw because it relies on exploiting some simple computing errors, such as running outdated software, using factory default settings and passwords, and using default accounts.
  • Buffer overflows. When an application attempts to put more data into a buffer than it can hold, the buffer overflows. This can let an attacker overwrite memory blocks to corrupt data, crash programs, or install malicious code. These attacks are common and hard to uncover, but are also more difficult to exploit than an injection vulnerability attack.
  • Sensitive data exposure. This refers to any instance of a hacker gaining access to sensitive data, either directly from a system, or as it is in transit between a user and a server. The most direct flaw that can be exploited is a lack of encryption, or encryption that is compromised by weak passwords or lack of multi-factor authentication. Every organization that manages sensitive data may be vulnerable to this type of attack.
  • Broken authentication and session management. Exposed accounts, passwords, or session IDs represent leaks or flaws in authentication procedures. Hackers use these to take over accounts and impersonate legitimate users.
  • Outdated security software or infrastructure. Older equipment doesn’t readily support modern applications, and it isn’t easily protected against current threats.


The threat from hackers is only growing as sophisticated techniques become more widespread. The most recent breach level report shows that an average of over seven million records were lost or stolen every day in 2017 – that’s 82 records a second! And of these hundreds of millions of cybersecurity incidents, only four per cent are considered ‘secure breaches,’ meaning the data stolen was protected with encryption. Over a quarter of these breaches occurred in healthcare.

The newest form of cyberattack is crypto-jacking. Also known as coin-mining, this is the unauthorized use of computers to mine cryptocurrency. Hackers plant code on a target computer using malicious links in emails or infected websites. Symantec reports that coin-mining activity increased by 34,000% during 2017, and that detection of coin miners increased by 8,500%. At the end of 2017 coin-mining activity was also detected on mobile devices, and it will likely grow in this space as well.

Defending your business

While no system is 100% safe from attack, strong encryption is an effective defense tool against hacking.

Keep these tips in mind:

  • Encrypt all sensitive information that hackers or cybercriminals could access.
  • Keep login credentials confidential and protected with passwords.
  • Use multi-factor authentication whenever possible.
  • Practice strong password hashing.
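The "broken authentication and session management" and "sensitive data exposure" items above, and the tips on password hashing and protected credentials, come together in how a service stores passwords and issues session IDs. The following is an added example, not code from the original post or from Echoworx: it hashes passwords with PBKDF2-HMAC-SHA256 (Python's standard hashlib) using a random per-user salt, verifies them with a constant-time comparison, flags records that need re-hashing when the iteration policy rises, and keeps sessions under random, expiring, rotatable IDs. The scheme label, iteration count and TTL are illustrative assumptions, not values from the page.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Illustrative parameters (assumptions, not values from the page): PBKDF2-HMAC-SHA256,
# a 16-byte random salt per password, and an iteration count that you should raise
# until one hash takes a few hundred milliseconds on your own hardware.
HASH_NAME = "sha256"
SALT_BYTES = 16
PBKDF2_ITERATIONS = 200_000
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest (base64 fields).

    A fresh random salt means two users with the same password get different
    records, so a leaked table cannot be attacked with one precomputed lookup.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: never treat it as a match
    if scheme != SCHEME or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest does not leak how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record predates the current iteration policy (re-hash at next login)."""
    try:
        scheme, iterations_used = stored.split("$")[:2]
        return scheme != SCHEME or int(iterations_used) < iterations
    except ValueError:
        return True


class SessionStore:
    """In-memory session table keyed by an unguessable random session ID."""

    def __init__(self, ttl_seconds: int) -> None:
        self.ttl = ttl_seconds
        self._sessions = {}  # session_id -> (username, expiry timestamp)

    def create(self, username: str, now: float) -> str:
        # 32 bytes (256 bits) from the OS CSPRNG; never derive IDs from usernames,
        # timestamps or counters, which can be predicted.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = (username, now + self.ttl)
        return session_id

    def lookup(self, session_id: str, now: float):
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        username, expiry = entry
        if now >= expiry:
            del self._sessions[session_id]  # expired: drop it so it cannot be reused
            return None
        return username

    def rotate(self, session_id: str, now: float):
        """Issue a fresh ID after login or a privilege change so a pre-set ID stays useless."""
        username = self.lookup(session_id, now)
        if username is None:
            return None
        del self._sessions[session_id]
        return self.create(username, now)

    def revoke(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    store = SessionStore(ttl_seconds=900)
    sid = store.create("alice", now=0)
    print("session user:", store.lookup(sid, now=10))
```

The record format carries its own iteration count, so the policy can be raised later and old records upgraded transparently on the user's next successful login via `needs_rehash`.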

We use the cloud. That’s safe, right?

Cloud computing doesn’t protect you from risk. As Sandra Liepkalns, CISO at LoyaltyOne points out, data still must be stored physically, and “the cloud” just means that you’re using off-site servers. Do you know where those servers are? If your servers are in the United States, do they have the proper credentials to handle GDPR-protected information from Europe? And what about physical threats? Are the servers located in areas prone to flooding or forest fires? What about hurricanes? Or earthquakes?

At the end of the day, every organization is responsible for protecting customer data. After all, it’s not a matter of if your organization will be breached, but when. Don’t be caught unprepared! Minimize the risks and make security integral to all your systems and processes.

By Randy Yu, Manager of Deployment at Echoworx



25 Jan 2018

How bad is bad? Mexico’s threat landscape

Mexico is one of the fastest growing economies in the world, focused on employing technology to spur businesses forward. But this dependency on technology comes with a dark side – businesses are significantly more vulnerable to cyber threats and data breaches.

Mexico has been attracting the attention of malicious cyber threat actors. The attraction is largely thanks to its growing regional and global geo-strategic significance, coupled with the nation’s increasing economic and financial wealth.

According to recent studies, Mexican organizations are facing similar threats to those operating in the world’s most developed economies. Mexico ranks second in Latin America – just behind Brazil – for the most cyberattacks, with the banking, retail, and telecommunications sectors targeted most.

Serious time of reckoning

The occurrence of cybercriminal activity in Mexico, the diversity of financial institutions, and the sector’s growing capital value are all targeting factors. Criminal groups, clearly capable, besieged the Mexican financial sector by compromising ATMs and defrauding bank customers on a significant scale. Less sophisticated attacks, such as the use of banking Trojans, ransomware, and POS malware, are widespread and pose a significant threat.

Key vulnerabilities observed in Mexico’s cyber landscape are a lack of a cybersecurity culture, old-fashioned system configurations, and obsolete versions of software applications. The right to privacy along with protection of personal information for both individuals and corporations is an extremely relevant issue for international organizations and the public sector. If cybersecurity is not strengthened, more businesses in Mexico will become exposed.

If Mexico wants to be a pioneer of data rights, the new infrastructure must effectively adapt to changes in the way information is transmitted around the world and they must comply not just with national and regional directives, but with international protection of information practices.

The question arises

Is your business at a crossroads? Shoulder the costs of increasing defenses, or become increasingly susceptible to the risk of attacks!

The sound choice would be to migrate towards a proactive model by incorporating security checkpoints, as opposed to a reactive model. Having the right security measures in place could prove to be a differentiator in edging out competitors.

A positive drift

According to PwC Mexico, “91% of Mexican companies have prioritized cybersecurity in their organizations and Mexico is the country with the most investment in cybersecurity in Latin America.” The financial sector has led the way in this area, followed by telecommunications, both of which are Mexico’s most globalized economic sectors.

Here is where the Government of Mexico should work closely in conjunction with private firms. Furthering research on the issue of data protection would be mutually beneficial, keeping the focus on creating a sustainable and securely growing economy.

Echoworx has responded to Mexico’s data security demands by setting up our advanced encryption platform OneWorld within a local data center near Mexico City. This expansion has been fueled by the increasing demand from multinational enterprises operating in Mexico to process and protect their sensitive information locally.

With our agile email encryption platform, it’s easier than ever for organizations to be compliant, maintain brand reputation, build customer trust, and gain a competitive edge – while maximizing the protection of their confidential communications, intellectual property, and other sensitive data.

Mexico is touted to be among the global leaders in digital transactions, and with security being of paramount concern, safeguarding communications must be a top priority. As a leader in email encryption, Echoworx is focused on strengthening cybersecurity by collaborating with various equally passionate stakeholders to safeguard the collaboration and communication of sensitive information throughout Mexico.

Let’s connect
Our team will be at InfoSecurity Mexico at the Centro Citibanamex in Mexico this May. If you plan to be in town, you’ll find the Echoworx team in booth #209. We will be presenting real use cases of how organizations are gaining value by integrating encryption into their business processes, while securing communications. Stop by, join us for a chat!

By Christian Peel, VP Customer Engineering, Echoworx

05 Jan 2018

Spectre and Meltdown attacks, think the sky is falling?

Like most companies, Echoworx is aware of the recently announced vulnerabilities impacting most modern microprocessors. We wanted to take a minute to provide the following guidance on the Spectre and Meltdown attacks to ensure awareness of the issues and to inform you on the steps that Echoworx is taking to address them.

What are these attacks?

Spectre is actually two different vulnerabilities, and Meltdown is one. Both of these attacks exploit a feature of ‘modern’ microprocessors called ‘speculative execution’. Speculative execution is a technique of prefetching data and pre-executing instructions in case they are needed. Basically, if they are not needed, there are still remnants of the data in memory which can be read by other processes.

The Meltdown attack is the worse of the two in that it can reveal all of the computer’s memory, not just a few bits and pieces of it. Meltdown is also easier to exploit. Fortunately, Meltdown is also easier to patch against. Spectre, on the other hand, is harder to exploit and reveals less, but is harder to address through patches. There are patches out for specific known exploits.

What is affected by these attacks?

“Modern” isn’t so modern… at least not in computer terms. Basically, any Intel processor built since about 1995 would be impacted. AMD, ARM and other processors are also impacted to varying extents. There are some reports that certain processors are not exposed to all of the vulnerabilities, but it is unclear if this is proven to be so, or just hasn’t been accomplished yet. It would be best to err on the side of caution.

What should you as an individual do on your personal devices?

You should always keep up to date with patches, and this case is no different. There are patches for Linux, Microsoft (Windows, Edge, IE), Apple (MacOS, iOS, tvOS, Safari), Android, Firefox, Chrome, and likely many other applications. Applying these will help to protect you.
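On Linux, the practical check for whether the Spectre and Meltdown patches described above are actually active is the kernel's own report under /sys/devices/system/cpu/vulnerabilities/ (one file per issue, e.g. meltdown, spectre_v1, spectre_v2, each reading "Not affected", "Mitigation: …", or "Vulnerable…"). The following is an added example, not code from the original post or from Echoworx: it reads that directory when present, classifies each entry, and lists the issues the kernel reports as unmitigated. The embedded sample report is constructed for illustration and does not describe any particular host.

```python
import os

# Path used by the Linux kernel (4.15 and later) to expose its CPU vulnerability status.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of what those files might contain on a partly patched host.
# The strings are illustrative, not captured from a real machine.
SAMPLE_REPORT = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Vulnerable, IBPB: disabled, STIBP: disabled",
    "spec_store_bypass": "Not affected",
    "mmio_stale_data": "Unknown: No mitigations",
}

NEEDS_ACTION = ("vulnerable", "unknown")


def classify(status: str) -> str:
    """Map one sysfs status line to a coarse category.

    The kernel's wording is stable in its first word, which is all we rely on;
    anything else (including 'Unknown: ...') is treated as needing a human look.
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def summarize(report: dict) -> dict:
    """Return {issue_name: category} sorted by issue name."""
    return {name: classify(text) for name, text in sorted(report.items())}


def unmitigated(report: dict) -> list:
    """Names of issues the kernel does not report as mitigated or not affected."""
    return [name for name, cat in summarize(report).items() if cat in NEEDS_ACTION]


def read_sysfs(directory: str = SYSFS_DIR) -> dict:
    """Read the live report; empty dict on non-Linux hosts or kernels without the files."""
    report = {}
    if not os.path.isdir(directory):
        return report
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        try:
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                report[name] = fh.read().strip()
        except OSError:
            report[name] = "unreadable"  # falls into the 'unknown' bucket above
    return report


if __name__ == "__main__":
    live = read_sysfs()
    report = live if live else SAMPLE_REPORT
    print("source:", "live sysfs" if live else "constructed sample")
    for name, cat in summarize(report).items():
        print(f"{name:20s} {cat:13s} {report[name]}")
    print("needs action:", unmitigated(report) or "none")
```

Run it on a Linux host to see the live values; elsewhere it falls back to the constructed sample so the classification logic is still visible. A non-empty "needs action" list means the corresponding kernel or microcode update has not taken effect, which is the thing to confirm after applying the patches.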

You should also make sure that your Anti-Virus/Internet Security software is up to date. Microsoft has announced that its fixes might have compatibility issues with some anti-virus software. The patch for Windows will not install if you have an outdated AV or one that is incompatible. I would update the AV software first, and then apply the MS patch.

Be aware that some of the fixes for this issue could cause a performance impact. There are some pretty wild estimates of how bad the impact could be, but the vendors I have seen have so far reported minimal impacts. For example, Apple reports a maximum of 2.5% on one benchmark for these fixes.
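Once the patches above are applied, the next question is whether the operating system actually reports them as active. As an added example that is not part of the Echoworx post, here is a small Python script that reads the per-issue status files the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities/ (one file each for spectre_v1, spectre_v2 and meltdown) and flags anything not reported as mitigated; the SAMPLE_STATUSES dictionary is constructed so the logic can be exercised on a machine that lacks that directory.

```python
"""Summarise the Linux kernel's reported Spectre/Meltdown mitigation status.

The kernel exposes one file per issue under SYSFS_DIR, each holding a
one-line status such as "Not affected", "Vulnerable" or "Mitigation: PTI".
Anything that is not explicitly mitigated or not affected needs attention.
"""
import os
import sys

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# The three issues the post discusses, keyed by the kernel's sysfs file name.
ISSUES = {
    "spectre_v1": "Spectre variant 1 (bounds check bypass)",
    "spectre_v2": "Spectre variant 2 (branch target injection)",
    "meltdown": "Meltdown (rogue data cache load)",
}

# Constructed sample of what a partially patched host might report.
SAMPLE_STATUSES = {
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
    "meltdown": "Mitigation: PTI\n",
}


def classify(status_line):
    """Reduce one kernel status line to a short verdict."""
    s = status_line.strip()
    if s.startswith("Not affected"):
        return "not affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    # Anything else (including "Unknown" or future wording) is treated as unknown.
    return "unknown"


def assess(statuses):
    """Map each issue name to (verdict, raw status); missing files count as unknown."""
    result = {}
    for name in ISSUES:
        raw = statuses.get(name)
        if raw is None:
            result[name] = ("unknown", "status file not present (old kernel or non-Linux)")
        else:
            result[name] = (classify(raw), raw.strip())
    return result


def needs_attention(assessment):
    """Issues that are vulnerable or could not be confirmed as mitigated, sorted by name."""
    return sorted(name for name, (verdict, _) in assessment.items()
                  if verdict in ("vulnerable", "unknown"))


def read_sysfs(directory=SYSFS_DIR):
    """Read the real status files; returns an empty dict where they do not exist."""
    statuses = {}
    if not os.path.isdir(directory):
        return statuses
    for name in ISSUES:
        try:
            with open(os.path.join(directory, name)) as fh:
                statuses[name] = fh.read()
        except OSError:
            pass  # file absent for this kernel version; reported as unknown
    return statuses


if __name__ == "__main__":
    live = read_sysfs()
    statuses = live if live else SAMPLE_STATUSES
    print("source:", "sysfs" if live else "constructed sample")
    assessment = assess(statuses)
    for name, (verdict, raw) in assessment.items():
        print(f"{ISSUES[name]:50} {verdict:12} [{raw}]")
    pending = needs_attention(assessment)
    sys.exit(1 if pending else 0)  # non-zero exit lets a fleet script flag the host
```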

By David Broad CISSP, Information Security and Audit Lead, Echoworx

04 Oct 2017
Safe Communications

Is Your Company Practicing Safe … Relationships?

Thank you to all the media who helped us spread the important message of practicing safe communications! They didn’t have to. They had a choice of hundreds to cover but they chose our story. When Trust Matters – Security is Critical.

Getting Personal: In the News

Media Post | Oct 5, 2017
People Are More Likely To Share Info In Emails Than On Dates: Study

LittleThings | Oct 3, 2017
Study Shows That Americans Trust Computers With Personal Information More Than New People

MensHealth | Sept 28, 2017
You Probably Trust Your Computer Way More Than You Trust Your Girlfriend

EBL News | Sept 28, 2017
We trust the internet more than new lovers

Yahoo News | Sept 27, 2017
We Reveal More On Social Media Than On A Date

USA Today | Sept 27, 2017
We trust the internet more than new lovers

New York Post | Sept 26, 2017
Americans trust the internet more than new lovers

MSN | Sept 26, 2017
Americans trust the internet more than new lovers

InfoSecurity | Nov 28, 2016
What Role Does Privacy Play in Your Digital Transformation Strategy?

08 Sep 2017

Privacy by Design – or by Disaster?

Got any European business? If you do, the GDPR could trigger fines of 20 million euros against you after May 25, 2018, unless you’ve built the highest levels of privacy protections into your systems.

The General Data Protection Regulation (GDPR) protects individuals’ privacy and human rights, and comes into effect in May. It applies to EU-based companies, plus overseas companies doing business in the EU. The scope covers a broad range of personal data, for example, names, email addresses, social media, bank details or computer IP addresses.

For companies that don’t meet the GDPR, there are fines as high as 20 million euros or up to 4 percent of your annual worldwide profits – a big bite out of your bottom line. The good news is that there is a directive to guide you, known as Privacy by Design, or “PbD”.

Privacy by Design
Meeting GDPR means following the seven PbD principles that are included almost verbatim in the regulation.

  1. Proactive not reactive; preventative not remedial: Think of this as “privacy by design or disaster.” If you build appropriate privacy, encryption and overall cybersecurity into your products and services, you’re less likely to have the disaster-side breach that means fines, class-action lawsuits, and damage to your reputation.
  2. Privacy as the default setting: Most people don’t read EULAs or the lengthy legal documents from financial institutions. Make your offerings easier to use by defaulting to the highest levels of privacy and encryption, and ask clearly for specific permission to use the customer’s data for anything other than what they intend. For example, keep opt-in boxes empty so the distracted end-user doesn’t give permission by accident.
  3. Privacy embedded into design: How well are your apps and data-management systems encrypted? This needs to be a default, no-choice, built-in fact of all of your data architecture.
  4. Full functionality – positive-sum, not zero-sum: There’s an argument that full security and full privacy are not compatible, but it’s wrong – strong encryption lets you have both. What’s more, when your clients and customers know you’re using it, they’ll have a higher level of trust for you, and be more willing to share their data.
  5. End-to-end security – full lifecycle protection: With your system designed to respect and maintain privacy at every touch, what happens when you’re done with the data? From the moment a customer gives their name, to the closing of the account, you need to ensure their data is securely managed, and eventually, destroyed.
  6. Visibility and transparency – keep it open: Be able to demonstrate that you are using the data as it’s intended at every step. But you also need to be willing to share all the data you’ve collected about someone with that individual, because the data belongs to them. And being able to see it means they can correct inaccuracies, making it much more useful to you.
  7. Respect for user privacy – keep it user-centric: Being user-centric means that your company and data architects are proactive about protecting customer privacy. But incorporating strong data encryption and overall cybersecurity isn’t just about being safe. The investment in these technologies and practices will foster the respect and trust of your customers, which is a good thing no matter where you do business.

Still have questions? Watch our webinar, along with Privacy by Design creator Dr. Ann Cavoukian, for an in-depth understanding of how to prepare for the GDPR.

By Alex Loo, VP Operations, Echoworx

19 Jul 2017

Prime Targets for Cyber Criminals

Today’s cyber criminals now have access to advanced tools and sophisticated strategies. Arguably though, their most powerful weapons are patience and persistence to mount a sustained attack on your organization if you end up in their crosshairs. If they want to access the data in your network, they will find a way. Their motivation, in most cases, is the revenue they can generate from your sensitive information. But who are their prime targets and what makes them so appealing to cyber criminals?

Conversations That Matter features Dominic Vogel
“Hackers go where the money is, they focus their attention on the top five applications in use.”
According to Vogel, the #1 program under threat is email.

Three common targets for cyber crime are: Law Firms, Financial Services and Brick-and-Mortar Businesses. Within each of these categories, here is what cyber criminals are after:

Cyber criminals are looking for valuable, juicy details hidden inside client files. If they find their way into the network of a law firm, they are not going to be disappointed. They will obtain data that they can directly monetize or that can be used for a broader social engineering campaign later. Law firms have all kinds of sensitive financial information (account numbers & other sensitive account information, credit card information), personal information about themselves and their clients and business insider information. Cyber criminals can find out about a pending business deal and then: a) impersonate a party in a deal to another party or b) blackmail an individual or company with that information. Cyber criminals can monetize any sensitive data either directly or indirectly in a targeted fashion.

It almost goes without saying (but we’re taking it upon ourselves to say it) that when clients of financial service providers give their personal details to their advisors, they expect that information to be safeguarded to the highest degree. Who among us would not insist on the highest standard of cyber security for their private investment or bank account information? Professional services are given financial information, social security numbers, sensitive business information and private family and health information. Cyber criminals can directly monetize this information if they sell it on the black market or if they gain access to those accounts. Alternatively, they can send out phishing emails impersonating financial institutions and investment management companies saying that clients need to ‘reset their password.’ Now cybercriminals have access to your account. In a less direct manner, the information can be aggregated to tell more about a person, and that information can subsequently be used in an attack. There’s no end to how creative a determined adversary can be in getting their hands on your valuable information, whether directly or indirectly.

Particularly of interest to cyber criminals that target Brick-and-Mortar businesses are things like the financial information of their customers, customer lists, company account information, business processes and plans, lists of company suppliers, and intellectual property. Vendors and business partners can have login credentials into your networks which can open up a significant entry point for a carefully crafted cyber attack. Even seemingly innocuous data can be used against the company. These professional cyber attackers scan for something they can use in a phishing attack to make the attack sound more legitimate and then, after getting into an organization’s network, they will monetize the data indirectly.

The three categories we have explored in this article are just the tip of the iceberg. The list of professional services, from mortgage brokers to business consultants, is extensive. Accounting firms, for example, have extensive business and personal financial records and hold similar information to law firms. Brick-and-Mortar business is another broad category which could be anything from restaurant chains to manufacturers to retail stores. From hotels to insurance brokerages, the list of prime targets for cyber criminals is long with many subcategories. We will be diving deeper into these and other key cyber targets in future articles and videos.

If you are concerned about the possibility of a cyber attack on your organization, here are six fundamentally important steps you can take:

  1. Do an inventory of all your valuable assets (intangible assets that you need to protect)
  2. Create your risk register
  3. Select which risks should be treated and in what order the risks should be treated in
  4. Select risk treatment options (controls) for each risk in the following categories:
    a. People
    b. Processes
    c. Technology
  5. Implement the controls
  6. Regularly monitor and review the effectiveness of your controls

Completing these action items will get you started on building your cyber risk management framework and hardening your cyber security posture. In order to successfully manage your cyber threats, you need to do the basics well.

“Prime Targets for Cyber Criminals” is a guest post by Dominic Vogel 

07 Jun 2017

Defining the Future of Cybersecurity, Together

Cybersecurity is one of the biggest issues that companies face in today’s e-environment. In all of its facets, cybercrime continues to increase, and email is, and is expected to remain, the #1 target for cybercriminals. Many organizations focus cyber security on guarding against external attacks but ignore potential threats to email and through email – which can be significantly more destructive.

Theft of confidential data for corporate espionage, the disclosure of trade secrets to a competitor and the release of private health information to the public can all originate from email. It is estimated that by 2019, corporate email accounts worldwide will exceed 1.3 billion. With the huge volume of email going in and out of a company, the risk of breaches that organizations must mitigate is great. Moreover, according to research done by Echoworx, highly regulated industries like oil and gas, healthcare and finance are prime targets for email security threats.

There is an urgent need for corporate decision makers to adopt a mindset which takes into account the reality of email vulnerabilities… or face the potential consequences.

Take the DNC hack for example. If email encryption had been used and policies effectively enforced to trigger secure messaging, the severity of the breach could have been minimized. There was a time when email encryption was very complicated for a company to implement throughout its organization. But times have changed.

Through email encryption, businesses can now:

  • Secure digital communications while growing your corporate brand
  • Improve customer service
  • Increase efficiencies and lower operating costs
  • Increase speed, performance, function
  • Enforce regulatory compliance
  • Prevent data loss, mitigate risk

Taking a Look Back: Cybercon 2016

Echoworx, a strong believer in world-class email encryption, participated in Cybercon 2016, which was held in the City of Atlanta, to discuss the evolving issues affecting cybersecurity and the role we all play in data security.

In fact, Echoworx was one of twelve companies selected from across the world to participate in an invitation-only product pitch session during Cybercon 2016.

“We are delighted to have such a strong and diverse group of both foreign and domestic cybersecurity companies participating in this unique opportunity to tell their stories to leading professionals in the security industry,” said Justin Daniels, the head of Baker Donelson’s Atlanta Emerging Companies Group and the Baker Donelson Cybersecurity Accelerator. “With most of the presenting companies coming from outside the U.S., this is truly an international event and highlights international recognition of the robust cybersecurity ecosystem of the Metro Atlanta area.”

I’m looking forward to Cybercon 2017 which is scheduled for October this year as part of Atlanta Cyber Week.  You can get the details here:

By Kael Harden, Territory Director – East, Echoworx

19 May 2017

WannaCry: Threat remains, privacy versus security is over

For anyone using computers in their business or organization, consider May 12, 2017 your wake-up call. That’s when what is believed to be the largest cyberattack in history occurred, affecting computers in 150 countries around the world. WannaCry, a piece of malicious software, spread through an email link and encrypted local files, demanding a $300 US ransom in Bitcoin to release them.

The cyber attackers used a stolen hacking tool that the United States’ National Security Agency (NSA) had developed to gather intelligence, exploiting a flaw in Microsoft’s Windows software.

Jacob Ginsberg, senior director of products for Echoworx, has this advice to offer about how the risk of similar attacks can be minimized or mitigated.

What shortcomings in government and business approaches did this attack expose?

This is a direct result of policy we’ve seen carried out and it’s time that policy changed. The relationships between government and the private sector have been adversarial and they have not worked collaboratively.

The United States government hoards vulnerabilities and chooses to exploit them, rather than reporting them to manufacturers (the NSA informed Microsoft of the flaw only after the hack was stolen). These hacks are weapons. Government and intelligence agencies are playing a risky game. They’re betting that the value in keeping these vulnerabilities exposed – so they can spy and attack who they want – outweighs the risks of keeping their citizens and infrastructure in harm’s way – but it’s a game they are not going to win every time.

We need to recognize that the narrative of privacy versus security is over. We need more cooperation between the public and private sectors. The security community has good advice to offer. In the WannaCry case, the intelligence community, the security community and Microsoft did the right thing. Everyone descended on the problem and worked together to fix it and mitigate the damage.

There is a tie between technology and society and things we rely on. People can get seriously hurt due to cyber threats. Because of this attack, for instance, patients in England had operations cancelled. We need to work together to secure our countries and infrastructure. There needs to be a different relationship between public and private interests.

How can I protect my organization from attacks like this?

The WannaCry attack is something an organization could have prevented. Out-of-date software was the issue. Having updated software and the latest fixes is important advice.

While it’s tempting to ignore notices that ask you to update your software and operating system, don’t do that. Although Microsoft offered a patch in March that dealt with the vulnerability behind WannaCry, many organizations didn’t use it, hadn’t updated their software, or had operating systems that were old and no longer supported. Microsoft did issue a patch for older systems in this case, but that rarely happens and may not again.

Use encryption software to ensure your data is protected and educate staff about proper email procedure. The old arguments that encryption software is difficult to use or slows things down no longer apply.

Have clear policies regarding access and authorization to information. This is for everyone from large Fortune 500 companies to the average Joe.

Is the threat over for now?

We’re kidding ourselves if we think this won’t happen again. Technology is infiltrating every aspect of society. We all bank online, for example. If things like this hack persist in the wild, they can be used by terrorist groups or organized crime.

We had better learn from this because you better believe they (cyber attackers) are. It’s a constant cat and mouse game and the bad guys are taking notice. Consider this your wake-up call!

By Lorena Magee, VP Marketing, Echoworx

15 May 2017

Cyberattack Impacts, Deeper and Less Visible Than You Suspect

Cybersecurity is one of the most debated issues in any organization. Although the need to immunize your company from all kinds of cyberattacks remains urgent, the full impact of a cyber incident is still largely unproven.

Recently I read an article by Deloitte which talked about how difficult it is for executives to gauge the impact of cyberattacks on their companies because they aren’t really aware of the work and effort that’s put into making a company cyber secure, or of the consequences of not doing so until it’s too late.

The DNC hack was the biggest election hack in US history. Every other day WikiLeaks is busy making public the “private” conversations that took place within the DNC networks. These private conversations spread like wildfire on social media. Cyberattacks such as the one against the DNC are not uncommon. Every day there is another breach; just look at the Yahoo data breach, the Anthem medical records breach, WannaCry ransomware, and so on.

Emails are used for corporate communications, including classified communications, every day. Sadly, even after all these widely public incidents and demonstrated lessons, a lot of companies still shy away from using encryption. The reasons range from the complexity of the software to overconfidence in the minimal probability of a cyberattack against them. But guess what? No one is secure. No matter how big or how small a company is.

The costs and impacts of a data breach and cyberattacks include:

  • Notification costs: All necessary activities required to report the breach to appropriate personnel within a specified period.
  • Breach response costs: All activities required to notify data subjects with a letter, telephone call, email or general notice that personal information was lost or stolen.
  • The cost of providing credit-monitoring services for at least a year.
  • Reputational damage.
  • Loss of business.
  • Negative publicity: Extensive media coverage, further damaging the organization’s reputation.
  • Attorney fees and litigation.
  • Increase in insurance premiums.
  • Loss of intellectual property (IP).

It’s in your hands to protect your company’s data privacy. And the time to act is now.

If you would like to find out more about the most significant cybersecurity risks and sure ways encryption can mitigate them, the additional content listed below may be of interest.

By Will Nathan, Echoworx

14 May 2017

You Can’t Stop the Clicks!

Ask the average person on the street what the biggest threat is to enterprise security, and they’ll develop a long list of foreign hackers, corporate espionage, and all types of James Bond-type scenarios. Ask a security professional the same question and you’ll get a much simpler answer: People. Namely, employees. That’s right, the “human factor” trumps all other security risks that enterprises face. Many of the security breaches we read about in the headlines have some sort of human element involved, whether that be falling for a simple social engineering ploy and unknowingly granting access to a hacker or something more devious devised by a disgruntled employee.

According to the Identity Theft Resource Center, in 2016 U.S. companies and government agencies suffered more than 1,000 breaches, a 40 percent increase from 2015, hitting an all-time record high! In 2016, hacking incidents reached an all-time high—nearly 55.5 percent of all breaches—an increase of 17.7 percent over 2015. Breaches involving email exposure of information accounted for 9.2 percent, followed by the employee error/negligence category at 8.7 percent. While certain types of data breaches are in general decline as a proportion of the total, data loss from hacking and phishing is growing rapidly.

According to a recent Data Breach Digest report from Verizon, social engineering attacks are so successful because threat actors know that humans are the weakest link in any information security strategy. They prey on people’s natural curiosity, fears, pride and other factors of the human psyche to gain access to sensitive data. This usually involves something as simple as clicking a link or opening an attachment within an email that appears to come from a trusted source. The Verizon report shows how simple this can be:

  • An employee getting a congratulatory email purportedly from the company’s CIO for a job well done: “Click here for your achievement award.” Result: Attempted wire transfers totaling more than $5 million.
  • A chief engineer looking for a job on company time gets an email from a recruiter with promising job opportunities: “Current openings are in the attached file.” Result: Stolen plans used by a competitor to enter the market more quickly.

Think your employees are too smart for this? Think again.

Employees aren’t dumb—they’ve been warned about the dangers of clicking links and opening attachments for years. Many laugh over the water cooler about the emails from banks in foreign countries declaring they’ve inherited $20 million from a deceased relative, or the bogus emails from PayPal or Apple that just want to “confirm” their account. But hackers have become increasingly astute at understanding what motivates humans to take an action and are creating clever ways to take advantage of that. These types of targets can be general, such as gaining access to all of a healthcare company’s records, or they can be specific, such as gaining access to plans for a company’s new product, as described above.

Unfortunately, even though employees are aware that these schemes exist, it’s not changing their behavior—or the behavior of enterprises as a whole to provide better training. According to a recent report from Osterman Research, “employees need to be constantly sensitized and trained through security awareness programs in order to be extra vigilant regarding their actions.” The report cites alarming statistics from a recent survey of respondents who are involved in managing security capabilities for their midsize or large organization. In that survey, only 31 percent of respondents considered “measuring the security readiness of our employees” a method used significantly or extensively to measure the effectiveness of their information security spend. This is compared with 49 percent who put a high priority on measuring for compliance with regulatory obligations.

The study also showed a significant gap in the importance given to preventing data breaches between senior-level employees, middle management and “average” workers. While 77 percent of respondents felt their organization was very well or reasonably well prepared to deal with the consequences of a significant data breach, the priority given to preventing data breaches varied significantly according to role within an organization. For example, 71 percent of senior IT management placed a high priority on preventing a breach, while only 21 percent of “average” employees did. Line of business middle management (43 percent) and C-level line of business management (55 percent) were also alarmingly low in terms of placing a high priority on preventing data breaches.

The bottom line

Enterprise security may be a high priority for senior level management, but that urgency is not trickling down to the employees who are putting the enterprise’s sensitive data—whatever form it takes—at risk. When security is a simple checkbox, the blame falls on the enterprise when human mistakes are made. Removing them from the equation as much as possible by using technology that prevents them from making simple “human” mistakes is critical to the security of the enterprise going forward.

If you would like to find out how to ensure your sensitive information is protected from the “people” factor, the content listed below may be of interest:

By Greg Aligiannis, Senior Director Security, Echoworx