Category: Cybersecurity

10 Sep 2019

The Risks of Cloud Computing

Cloud computing brings many benefits to enterprise-level organizations but it’s not risk-free. Here’s a quick primer of what cloud computing is, the risks involved and how organizations can minimize the risks of cloud computing.

What is cloud computing?

Simply put: Cloud computing is moving your computing service to the internet using a third-party provider. There are three options: infrastructure, platform and software as a service. The infrastructure option means your organization has the servers onsite, but your provider manages your network virtually. Platform as a service provides infrastructure tools for development that you don’t manage yourself, and software as a service (SaaS) is software managed externally. With SaaS, you employ a team of third-party experts to run and manage the solution instead of building in-house. SaaS examples include Echoworx’s OneWorld encryption solution, Office 365 or Salesforce.

The benefits of cloud computing

Using a cloud service lets you rely on your service provider to protect your data from breaches and gives you global access to your data through the internet. Many organizations use cloud computing because they don’t have the expertise to manage the risks and ongoing vulnerability mitigations and resolutions associated with local storage and security.

According to a recent EY Global Information Security Survey, only 8 per cent of organizations have information security functions that fully meet their needs. This same report indicates that 52 per cent of organizations are prioritizing cloud computing for their cybersecurity spending this year.

What are the risks of uploading to the cloud?

There’s a financial risk to uploading data to the cloud when it comes to privacy regulations and breach outcomes. For example, under the General Data Protection Regulation (GDPR), fines for exposing citizen data are hefty—up to €20M or 4 per cent of your annual revenue! If your company exposes credit card or other personal information, your entire business could be at risk due to lost consumer trust.

How has the cloud evolved?

Initially, when untested cloud services emerged on the scene, many organizations continued to retain their computer service in-house over security concerns. But, over the last decade, cloud services have evolved into proven and secure platforms – providing effective protection for sensitive data.

Organizations are now comfortable with the cloud infrastructure from a security perspective because certified cloud providers treat data with integrity through privacy, data access controls and auditing.

How can an organization insulate itself from cloud risks?

Although cloud security mostly depends on your service provider, you can minimize risk in two ways. First, select a cloud service which provides management and risk management for you. Make sure any cloud service is audited and certified – with certifications like SOC2 and PCI.

The second way to minimize risk comes from within your organization. You need experts who understand cloud solution architecture and risk management processes and procedures. These experts can help you understand the risk and protect your organization by choosing the right cloud service provider. They can also help you understand whether your cloud computing investment has ROI potential. For example, a recent Forrester Total Economic Impact™ study revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with $793K in avoided costs of legacy on-premises solutions. Get the full Forrester Total Economic Impact™ study of OneWorld now.

By: Alex Loo, VP Operations, Echoworx

 

09 Sep 2019

A Lesson in Cybersecurity Simplicity from the Capital One Breach

The lesson from the recent Capital One data breach can be summed up with the KISS principle. Simplicity is hard to beat, even in cybersecurity. Let’s look at why this breach happened and what organizations can do to shore up their cybersecurity defenses with seemingly simple solutions.

Peeking behind the Capital One headlines

The headlines about the Capital One data breach emphasize impact: more than six million Canadians were compromised in this data breach. Over a million Social Insurance Numbers (SIN) were exposed. Victims can receive free credit monitoring and identity theft insurance to reduce the sting of their private information being stolen from their trusted provider.

This is scary stuff, but the most chilling part of the story isn’t even covered in some of these reports: The data was breached due to a vulnerability caused by a misconfigured server. Those two words—misconfigured server—left chief technology officers and chief information security officers around the globe trembling. Server configuration is part of the basic line of defense in cybersecurity.

The lesson from Capital One is about simplicity. Good cybersecurity hygiene matters and it’s the first and best defense against data security breaches. To manage this ongoing and increasing threat, enterprise-level organizations must get serious about mastering the basics.

Getting back to basics: 5 simple ways to boost cybersecurity in your organization

 

  1. Resource your IT department appropriately – According to the EY Global Information Security Survey,[i] 87 per cent of organizations don’t have enough money in their IT budgets to fund the cybersecurity and resiliency programs they want to implement. And, as we saw with Capital One, missing a basic security protocol can lead to costly and embarrassing outcomes. Dr. Ann Cavoukian, Executive Director of the Privacy by Design Centre for Excellence, told the CBC, “Companies are simply under-resourced. They’re not devoting the resources required for strong security.”[1] Having enough properly trained IT resources means your team can dedicate time to testing and uncovering vulnerabilities and mistakes before it’s too late.

 

  2. Encrypt your data – Encryption protects private data in transit (such as in email and other communications) and at rest (on your network). It’s important to have a scalable encryption solution that offers multiple delivery options, is easy for employees and clients to use, lets users recall encrypted messages even after they’re opened and is easily integrated with solutions you already use, such as Office 365. In a recent Echoworx survey, 53 per cent of the IT professionals and decision-makers surveyed said encryption technology was very important or critical to their organizations. And yet, only 40 per cent of respondents said their organizations are using data privacy technology extensively. Again, here’s where simplicity triumphs: an encryption solution can only be effective when it’s used.

 

There are also financial incentives for using encryption. A recent Forrester Total Economic Impact™ study revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits.

Get the full Forrester Total Economic Impact™ study of OneWorld now.

 

  3. Know your risks and assets – Cybersecurity efforts are more effective when they’re based on a strategic framework, instead of piecemeal solutions. It’s important to identify (and address) risks such as outdated security protocols, data protection, careless employee behaviour, identity and access management, etc. Identifying key assets and data—and increasing security around them—is another essential part of a strategic cybersecurity infrastructure. Increase support for cybersecurity initiatives by helping your board of directors understand the real risks companies face with inadequate cybersecurity programs and resources.

 

  4. Use a privacy by design approach – With so many organizations pursuing digital transformation, there’s a perceived need for speed. What’s even more essential is building privacy and data protection into new digital programs and processes. Frédéric Virmont, a cybersecurity industry expert, says, “Security is like quality; it must be from the beginning to the end of the life cycle. If you wait until the end of the product, it’s too late. Once the house is built, it’s too late to add emergency exits.”

Learn more about mitigating internal vulnerabilities.

 

  5. Train your staff on cybersecurity – A recent PwC report found that 32 per cent of respondents consider insider threats more costly and damaging than external incidents. Insider threats can be accidental or intentional, so education and proper security protocols are the first line of defense against them. Educate employees about the importance of using security programs and processes and how to identify and report suspicious incidents. And by choosing effective cybersecurity platforms (encryption, for example) that are also easy to use, you make data protection the path of least resistance. Cybercrime, including social engineering and spear phishing, is more sophisticated than ever; wise companies create informed workforces capable of identifying these cyber threats.

 

With the average cost of data breaches at $141 per breached record (and more than double that for healthcare organizations),[ii] isn’t it time for organizations to keep it simple and master the basics of cybersecurity?

By: Brian Au, IT Specialist, Echoworx

 

Sources:

[1] https://www.cbc.ca/news/business/capital-one-data-breach-1.5232952

[i] https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/advisory/GISS-2018-19-low-res.pdf

[ii] https://www.ibm.com/downloads/cas/ZYKLN2E3

 

18 Jul 2019

Integrating Cybersecurity with Business Strategy

A common problem faced by a growing number of organizations is how to seamlessly integrate cybersecurity into their overall business strategy. As industry and commerce prepare for the next level of cyber-attacks, businesses are increasingly looking to finance professionals for help in developing risk-mitigating cybersecurity strategies that align with the organization’s mission and vision.

Identifying cyber-vulnerabilities starts with getting to know your intangibles

How well do you know your intangibles? On the face of it, this seems like a strange question to be putting to an accountant, but it is a very real issue. Intangibles in the accounting world have been grouped as a separate asset class, a kind of catch-all for anything that meets the asset definition (a resource that a company controls, and which is expected to produce a future economic benefit), but is not physical in nature. Traditionally, accounting practices only record what things cost, or the resale value if possible. But, based on the difference between reported book and stock values, intangible assets now make up between 60 and 80 per cent of global corporate worth.

The lack of a clear definition for identifying the business’s intangible strategic assets, and more importantly the difficulty of assigning an appropriate monetary value to intangibles such as intellectual property, internal software upgrades, staff and managerial expertise and customer data insights, to name a few, has left organizations exposed to cyber threats. If you haven’t identified the intangible as a strategic asset, then why would you spend resources protecting it? Every business will have its own nuanced set of strategic intangibles. It is predominantly these intangibles that a cyber security investment will be safeguarding. Not identifying your intangibles, or not knowing the real value of the intangibles to an organization, makes it less likely that an appropriate cyber security defense strategy will be put in place to protect them. So, get to know all your intangibles!

The second fundamental challenge deals with the ambiguous complexity of cyber threats and understanding the nuances of the different types of current cyber threats posed to an organization’s strategic intangible assets. Threats come in all forms and sizes, and not being cognizant of what the current threat landscape looks like in your own industry sector is extremely risky. The goal should not be to create a strategy to overcome a security crisis, although in too many instances it requires a breach for a company to initiate an action. Rather, the goal should be to have a cohesive integrated cyber strategy that protects against current threats and has the flexibility to adapt to future threats.

Understand the underlying prevalent cyber threats that reside in your industry.

Accountants play a role in cybersecurity

Accounting and finance professionals are uniquely placed to help a business develop an appropriate cybersecurity strategy. Finance teams, with their knowledge of an organization’s intangible strategic assets, and expertise in implementing risk management strategies, are well-equipped to identify cyber vulnerabilities, and accountants can be pivotal in closing any security gaps by exploring, evaluating and implementing better tailored security solutions.

There is most definitely not a one-size-fits-all solution when it comes to cybersecurity. In fact, it is very unlikely you will find any two large enterprise organizations having similar solutions. Even strategic business units within the same organization often have very different security programs. By thoroughly knowing your intangibles and being versed in the ambiguous complexity of the cyber threats, coupled with knowledge of risk management techniques, accountants can take a leadership role in delivering effective and efficient cyber security strategies. The cyber security strategy within an organization ultimately becomes a competitive advantage to that organization in its own right.

Understanding total economic impact of cybersecurity

Forrester Research recently published a study identifying the challenges of choosing an email encryption solution for enterprise-level organizations – where, without the right support and processes, running an encryption platform became an onerous activity.

The study, entitled “The Total Economic Impact of Echoworx OneWorld Encryption,” is written in a style and language that will be familiar to finance professionals. Both quantified and unquantified benefits of the solution are identified, and the analysis is presented in the form of a post audit investment appraisal using techniques like ROI, NPV and payback.

I recommend CPAs read this report because it demonstrates the holistic view that needs to be considered when undertaking a strategic cybersecurity investment.

See the full Forrester TEI study here.

By Jag Heer CPA, ACMA, CGMA
Finance Director, Echoworx Corporation

10 Jul 2019

Is Your Company Board of Directors On-Board with Cybersecurity?

Cybersecurity is no longer just an IT issue. Cybersecurity is no longer measured by who has a taller firewall. Cybersecurity is no longer an out-of-the-box one-size-fits-all installable solution. Instead, cybersecurity is now a complex mosaic of solutions, ideas and mindsets which permeates throughout the entire organizational structure of a company – from warehouse to boardroom.

So, at the end of the day, who is responsible for instigating organization-wide cybersecurity initiatives?

While C-suite executives, from CEO to CISO, might be responsible for spurring action toward shoring cyber-defences, an IT department is generally responsible for the implementation and maintenance of new security solutions with existing infrastructure. But, at the end of the day, it is the organizational board of directors who need to be won over. This carefully selected group of individuals, chosen to reflect the interests of company stakeholders in overseeing organizational management, are who even a CEO must answer to – including on issues concerning budget.

For a CISO intent on spending more on cybersecurity solutions, convincing their board of directors can be difficult. And, due to the intangible nature of cybersecurity, with no visible physical benefits, at least initially, emphasizing the importance of investing in said technology is paramount.

Here are some simple probing informational conversations you need to have to convince your board of directors to pay attention to cybersecurity solutions:

  1. How much does your board of directors know about cybersecurity?

Before you launch into the meat and potatoes of your cybersecurity proposal, you need to gauge how deep the knowledge base of your board of directors is when it comes to this subject matter. Unless they have clear backgrounds in technology or security, it is unlikely they have a deep understanding of how exactly cybersecurity works.

You need to explain what cybersecurity is, in layman’s terms, why it is important and why cybersecurity is no longer just an IT problem – but rather one of organization-wide significance. You might consider throwing out some statistics regarding the negative impact of a data breach – like last year’s massive data breach affecting the healthcare system of the Canadian province of Ontario, for example, which saw the theft of 80,000 unencrypted electronic health records.

Learn about making a business case for encryption here.

  2. How accountable is your board of directors for data protection?

When a data breach occurs within an organization, its devastating effects are felt company-wide – including at the board-level. Aside from the potential for soul-crushing fines from regulatory bodies, like those dished out to violators of the EU’s General Data Protection Regulation (GDPR), for example, mishandling personal data hurts a brand as a whole – with Echoworx data showing 80 per cent of customers consider leaving a brand after a breach.

As the directors of organizational tack, brand reputation is a crucial focus for boards aiming for business success. Investing in cybersecurity solutions, like encryption for communications, is an important step to preserving brand – with some solutions, like encryption, even mandatory to conduct business in some parts of the world.

  3. Emphasizing the monetary advantages of cybersecurity investment

From regulatory fines to brand damage to just cleaning up the mess, data breaches can be like termites in an organization’s finances. Investing in cybersecurity solutions insulates your organization from the detrimental effects both before and after malicious cyber-events – and can even help save money in other supplementary categories.

Take our OneWorld encryption platform, for example. According to a recent Total Economic Impact™ study from Forrester Research, OneWorld shows a return on investment (ROI) of 155 per cent – and upwards of $2.7M in cost-mitigating benefits. These cost-mitigating benefits do not account for the hundreds of thousands (or even millions) of dollars saved by the risk-mitigating features of this flexible encryption platform – offering five different ways to communicate securely with your customer base.

Get the full TEI study of OneWorld by Forrester Research here.

  4. How important is digital trust?

Every business wants their customers to trust them – a trend which transcends the digital world. But gaining digital trust online is different from doing so at brick-and-mortar stores. Unlike their offline counterparts, where brand trust is gained over years (and even generations), digital trust is fairly easy to get. But digital trust is even easier to lose – and impossible to get back.

So a board of directors needs to understand the brand value of protecting customer data as a tool for building digital trust. Nobody wants to work with a company which doesn’t protect their data. And cybersecurity investment is an excellent marketing tool for reassuring customers that your brand does. In today’s customer-centric world, with so many other options online, you simply can’t afford not to put your customers first – and your board needs to understand that.

Learn more about building digital trust with encryption.

By Michael Roberts, VP Technology at Echoworx

14 Jun 2019

Thinking Inside the Box: Addressing Internal Cyber Vulnerabilities

In cybersecurity, it’s easy to become obsessed over external malicious factors and lose sight of the whole picture which includes internal vulnerabilities. When it comes to cybersecurity, the best defense includes shoring up your internal defenses because many critical vulnerabilities are too close to home for comfort.

What is an internal cyber vulnerability?

A vulnerability is a flaw in a system that exposes the system to risk of attack. In cybersecurity, these vulnerabilities can be related to the computer systems and processes and procedures you use. While you may know famous software vulnerabilities like Heartbleed and WannaCry, internal vulnerabilities can be much more mundane. For example, someone leaving the default password on a router or assuming your employees know how to recognize spear phishing attacks can lead to a lot of heartache for a chief information security officer.

As they say in sports, “The best defense is a good offense.” In this case, a good offense includes taking a proactive approach to identifying and fixing vulnerabilities, which we’ll cover next.

How to identify cyber vulnerabilities in enterprise-level organizations

Before you can identify cyber vulnerabilities, you must have a clear idea of your organizational assets, including intellectual property. Frédéric Virmont, a seasoned cybersecurity expert, says, “You have to identify what’s critical for the business: servers, applications, everything. Once you identify those critical assets, then you can make a plan to secure them and ensure they’re maintained with security patches.”

After identifying your critical business assets, you can expose and triage any vulnerabilities through various security tools—and then patch them up.

Put staff on your list of organizational assets as cyber vulnerabilities include accidental and intentional insider attacks by employees.

Six ways to reduce internal cyber vulnerabilities with pre-emptive measures

1) Encrypt data and communications – Protect your data while it’s in transit and at rest with a user-friendly encryption solution. Billions of emails are sent every day and without encryption each one represents a security risk. And in 2018, 4.8 billion records were stolen during breaches and less than three per cent of those records were encrypted.

2) Teach employees about cybersecurity – A recent PwC report in the US found that 32 percent of respondents consider insider threats more costly and damaging than external incidents. Because employees are on the frontline of cybersecurity, it’s essential to educate them about the importance of using security programs and processes and how to identify and report suspicious incidents. Cybercrime is increasingly sophisticated—especially social engineering and spear phishing—which is why regular and effective cybersecurity training is necessary for all staff.

3) Beef up your security policies – Make sure your policies support your security efforts. Some of the best practices include:

  • Limiting user access through assigning appropriate permissions to non-IT employees
  • Setting appropriate guidelines for creating strong passwords or enforcing two-factor authentication
  • Limiting Internet usage by defining or controlling what type of content can be viewed
  • Defining file storage locations for employees and denying usage of USB drives or personal cloud storage
  • Choosing policy-based encryption with flexible delivery methods for communications
  • Effective vetting of third-party vendors

 

4) Have an up-to-date disaster recovery plan – A disaster recovery plan allows all staff to act swiftly—using prepared strategy—when disaster strikes. This way, organizational efforts can go towards closing the vulnerability and monitoring it, rather than trying to figure out what to do in the middle of a crisis.

5) Don’t migrate vulnerabilities to the cloud – While there are many benefits to offloading on-premise servers and applications to the cloud, organizations must avoid bringing along existing vulnerabilities with them. Implementing security tools prior to cloud migration is essential.

6) Communicate effectively with the board – Since they may not always understand the technical assets, many boards shy away from cybersecurity risk management. Instead of communicating about tech specs, talk to the board about the cost of not implementing security measures, return on investment trends and reputation management with clients. Raphael Narezzi suggests talking to the board of directors like this, “It can be a cost today, but I guarantee you, the scenario we see when a board acts before an event, is a completely different scenario than when they don’t act at all.”

The benefits of closing internal vulnerabilities

Closing internal vulnerabilities takes time, resources and expertise and is now part of the cost of doing business. But there are benefits. As mentioned above, data security results in customer-centric benefits such as building reputation and digital trust and helps pave the way for competitive differentiators.

These benefits also come with a solid return on investment. A recent Forrester Total Economic Impact™ study, for example, revealed that a typical enterprise-level organization can expect a seven-month payback period and slash $2.7M off their bottom line by employing our flexible OneWorld encryption solution. Get the full Forrester Total Economic Impact™ study of OneWorld now.

With so much at risk, isn’t it time to shore up your vulnerabilities?

At Echoworx, encryption is all we do. Our OneWorld encryption platform and cloud security services are a natural extension to existing security programs and offer a wide range of flexible options for secure message delivery. You can learn more about the ROI of Echoworx OneWorld encryption here.

By: Randy Yu, Senior Manager Technical Operations & Support, Echoworx

04 Jun 2019

Encryption Mosaic: The New Diverse World of Secure Communications

Dial back the clock several million years and you find a crowded ocean of creatures surrounding lush green lands devoid of any vertebrate activity. Then one fish walked out of the sea and changed our terrestrial course forever. But did this ambitious fish have revolutionary intent? Certainly not – instead focusing on more immediate needs of food and new territory.

The same can be said about contemporary demands for secure digital communications. While digital communications enable transcendence from the world of paper mail, making the sending and receiving of information instantaneous, they inadvertently make our most-precious personal details more exposed and more open. And, with no way to turn back the clock, the case for encryption protection of sensitive information grows – and evolves.

But, as more and more industries migrate online, we are beginning to see that this brave new digital world is not one-size-fits-all – especially when it comes to secure digital communications. From different customers to different jurisdictional regulations protecting them, an encryption solution needs to be as flexible as the diverse array of organizations it serves.

Here are key points to consider in determining the factors affecting secure communications, why needs are so diverse and where exactly you might start placing your organization in the encryption mosaic:

1) Regulatory fines with sharp teeth

Where an organization is located can influence how much they are expected to protect their data. In Denmark, for example, encryption is now mandatory for all communications containing the personal data of Danish citizens under its jurisdiction, according to its own interpretation of the General Data Protection Regulation (GDPR) affecting EU country members. Failure to comply with the GDPR, and other similar regulatory bodies or laws, like Canada’s recently-updated Personal Information Protection and Electronic Documents Act (PIPEDA), for example, can lead to devastating fines and even more devastating brand damage.

Echoworx recognizes that not all countries protect the personal data and the privacy of their citizens the same. To help prevent prying bureaucratic eyes or to avoid non-compliance with jurisdictional regulations, Echoworx’s cloud-based encryption solutions are available on AWS Cloud in 13 countries. We also have SOC2 and ICO-certified data centres in the US, UK, Germany, Ireland, Mexico and Canada, ensuring all sensitive data stays close to home.

2) Different industries – different business cases

While organizations operating in the banks, financial services and insurance (BFSI) realm were the first wholesale adopters of encrypted communications, the technology is exponentially permeating through to other industries. According to a recent Ponemon study, for example, manufacturing and services organizations are beginning to crack into the encryption market – accounting for 12 and 11 per cent respectively.

And, as new industries begin to implement encrypted secure communications, so does demand rise for a flexible encryption solution to adapt to different business use cases. At Echoworx, for example, we offer a cloud-based scalable encryption solution featuring multiple secure user-friendly delivery methods to fit any business process.

Learn more about the different ways you can send secure information with Echoworx.

3) Users are changing

From mobile banking to Generation Z, how users send information and what exactly they are willing to send is changing at a rapid clip. Today’s users are tech-savvy and quick to provide personal details but even quicker to move on if an organization mishandles their data. They demand instantaneous communication and a streamlined user experience with organizations they work with. To avoid going the way of the dodo bird, you need to go above and beyond to make sure they come first – all while ensuring that their sensitive personal data is protected.

With Echoworx, you can tailor every aspect of your encryption experience to put your customers first – from the way they access a secure message to something as simple as the ability to brand. And, to further avoid any negating situations affecting user experience, Echoworx offers services in 22 languages for all our flexible delivery methods – ensuring nothing is lost in translation.

Explore these different delivery methods here.

4) Encryption isn’t just an IT issue anymore

From headline-grabbing data breaches to something as simple as customer experience, encryption is no longer a backroom IT issue – it’s a business issue. But implementing an encryption program isn’t as simple as adopting a solution and flipping a switch. There needs to be a universal internal change of culture at most organizations. For example, while 50 per cent of CEOs are concerned most about possible detrimental impacts to user experience when adopting a security solution, 88 per cent of IT professionals view encryption as costly, difficult and a constraint on business productivity.

Echoworx works with companies to ensure encryption solutions are as non-intrusive and as streamlined as possible – from deployment to the end user. In our capacity as a third-party encryption provider, we support our clients, reducing the additional strain of user help queries, and, with nearly two decades’ worth of experience in the encryption market, we can adapt to any business case.

Learn more about working with Echoworx.

By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx

Sources:

  • Ponemon Global Encryption Trends Study – April 2018
03 May 2019

How to Make a Business Case for Encryption

Worldwide, more than 290 billion emails are sent every day. In enterprise-level organizations, digital communication is a competitive advantage over snail mail because it’s faster, cheaper and easier to deploy. But cost savings can disappear the instant an organization experiences a data or privacy breach, which is all too common. In 2018, 4.8 billion records were stolen during breaches—that’s more than 9,000 per minute—and less than three per cent of those records were encrypted.

Today, we’ll do a quick review of two reasons email encryption is business-critical and what to look for in an encryption provider if your organization would like to minimize risks and costs associated with keeping email secure.

Why email encryption is critical in business: the high cost of losing trust

If your organization collects, manages and disperses personal information, it’s essential to deploy user-friendly encryption to secure that data as it flows through email. Of course, it’s the right thing to do, but it’s also what customers want and expect. For example, 87 per cent of CEOs invest in cybersecurity specifically to build customer trust—because once you lose trust, you lose the customer. When customer trust and satisfaction are tied to data security, it’s easy to see how email encryption no longer fits into the nice-to-have category. It’s now essential.

Why email encryption is critical in business: compliance & avoiding fines

Implementing an encryption solution also helps you keep government hands—mandated by legislation—out of your pockets.

If your organization doesn’t protect data from being intercepted en route, the fines can be substantial. Just one year after the launch of the General Data Protection Regulation (GDPR) in the EU, for example, we are already seeing massive fines – like the €50M fine Google was ordered to pay at the beginning of 2018 for GDPR violations.

In Canada, under the newly-updated Personal Information Protection and Electronic Documents Act (PIPEDA), it’s now mandatory to report data breaches, with non-compliance fines going as high as $100,000.

With privacy legislation expanding—California, New York and even Qatar, among many others, have created their own guidelines—organizations can no longer afford to ignore email encryption for private data. Privacy legislation now has teeth and the fines are steep.

There’s no question that taking care of your business means encryption. The next thing to do is work with an encryption provider who understands your needs and addresses them effectively.

Finding an encryption provider that works for you

Global information security spending, as a whole, is set to exceed $124B in 2019, according to a recent Gartner report—which means your organization has a lot of choice when it comes to encryption solutions. This choice is good but can also be overwhelming and lead to poor decisions. For example, if an organization has an encryption solution in place, but it’s not widely used, it can mean they didn’t choose an encryption provider that could meet their needs and guide them through the process. We don’t want that to happen to you, so we put together a list of things to look for in an email encryption provider.

Seven things to look for in an enterprise-level encryption provider:

  1. Proven track record – Ask how long the provider has been working in encryption. At Echoworx, for example, we understand the risks of email management because we’ve been providing encryption solutions for almost two decades.
  2. Solutions that go beyond out-of-the-box encryption – While out-of-the-box encryption is much better than zero encryption, look for a provider that can counsel you on solutions based on your needs. Many enterprise-level organizations require flexible delivery and policy-based encryption options—which go beyond the box.
  3. Cloud solutions that reduce overhead – Sending encrypted messages simply costs more when you run a legacy on-premise encryption solution. Costs include hardware and physical on-premise servers and staff to run them. Look for a third-party encryption provider that allows you to upload your secure communications to the cloud, offload support queries, gain access to encryption experts, save money and put less burden on your IT resources.
  4. Data centres around the world – Worldwide data centres allow users to deploy communications within their jurisdictions and within regulatory compliance. For example, at Echoworx, we have data centres in six countries: Germany, Ireland, the United Kingdom, Canada, Mexico and the United States. This helps cut costs, maintain compliance and cut down on deployment time.
  5. Reputation management – Every time a piece of sensitive information leaves an organization’s digital perimeter, it puts a company’s reputation at risk. An encryption provider should understand this risk and offer solutions like full brand alignment in multiple languages to support a seamless end-user experience.
  6. Systems that support dynamic scaling – Can your provider’s encryption solution scale dynamically as email demand on the system fluctuates from day to day or even hour to hour—and accommodate increased demand without delay? Is your system available in AWS Cloud in 13 countries?
  7. Vetted partners for peace of mind – Do you trust your provider to handle your data securely and responsibly? At Echoworx, we subject our business to regular audits. We are proud to be: SOC2 Certified, Web Trust Certified, a Microsoft Root Certificate Member and an Apple Root Certificate Member.

One last thing to look for in an encryption provider: a track record of positive return on investment (ROI).

A recent Forrester Total Economic Impact™ study, for example, revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits. This same study showed that using OneWorld’s self-service support options—like automatic password resets—increases call centre productivity, removes the need for additional overhead and can save enterprise-level organizations almost $320K over three years.

Get the full Forrester Total Economic Impact™ study of OneWorld now.

As you can see, the cost of unencrypted email communications is high and the risk too great. Isn’t it time you found a trusted encryption provider that can meet the needs of your business and customers?

By: Beverly Barrett, Director, Channel Management, Echoworx

24 Apr 2019

Insider Cyber Threats? Closer to Home than You Think!

For enterprise-level organizations, it’s no longer enough to protect data and systems from nefarious external agents. Organizations must also implement defensive measures to protect themselves from something much closer to home: insider threats.

Internal cyber attacks happen inadvertently or on purpose. We want to share the four types of insider threats and some defensive measures that help organizations reduce the risk of these threats.

Two types of accidental insider attacks

Instead of jumping into a zero-trust environment that’s so restrictive it hampers productivity and user-experience, remember that most of your employees and trusted partners do not have malicious intent. Inadvertent or unintended insider attacks happen because the insider is oblivious or negligent.

An oblivious attack is when someone with access to company information is compromised by an outside agent but doesn’t realize it. This can happen when someone leaves a company device unattended or uses unencrypted Wi-Fi on a company device.

A negligent attack is when someone bypasses a security protocol, often to speed up a work process or because of a lack of knowledge about the security protocol. When employees lack proper security training, they’re more vulnerable to phishing and spear phishing attempts.

Two types of intentional insider attacks

The two primary types of intentional insider attacks come from malicious and professional attackers.

A malicious attack comes from an insider who becomes disgruntled and goes rogue to get even with the company for a real or imagined offense. This could involve stealing data or sabotaging a company network or system.

A professional attack comes from an insider who is a career thief. This involves exploiting system vulnerabilities for profit.

External attacks through the inside

While blunt force attacks remain a common threat at the gates of any firewall, there are also ways for malicious actors to attack your company through the inside. In what are called social engineering attacks, a hacker might impersonate someone at an organization via stolen credentials, stolen information or a supply chain attack. A smart air conditioning unit, for example, might be connected to an organization network, creating a third-party backdoor vulnerability bypassing frontline defenses.

Five ways to minimize the risk of insider threats

With all these foxes in the hen house, organizations are wise to take a defensive approach to insider threats.

  1. Get the Board on board – Even in 2019, it’s common for boards to not ask about or understand cybersecurity. Rafael Narezzi, a prominent Cyber Security Strategist, suggests that everyone on the Board of Directors must “understand what [cybersecurity] is. Not in deep technical talk but the consequences for the business if they don’t act.” When the Board and senior leadership team understand the cost and consequences of cyber threats, there will be more support for cybersecurity initiatives. This lack of attention is more common than you’d probably guess. PwC’s Global Economic Crime and Fraud Survey 2018 found that less than half of surveyed organizations had conducted a cybercrime risk assessment. This is despite cybercrime being one of the top three most reported frauds!
  2. Use an effective and user-friendly encryption solution – It’s imperative that organizational data is secured because so many insiders have access to it and sending that sensitive information to clients, vendors and partners is a regular part of doing business. Features to look for in an enterprise-level encryption solution include:
       • Automatic encryption policies that apply encryption under defined circumstances (such as when certain information or keywords appear in an email).
       • Multiple flexible delivery methods for different types of secure encrypted communications that allow the sender to control how a message is sent and whether to include features like a time limit.
       • Easy and frictionless user experience for employees and customers.
     With a frictionless user experience—for example, with the Echoworx OneWorld encryption platform—employees are less likely to bypass security protocols because they’re built into regular workflows and don’t make security a burden for senders or recipients.
     In addition to reducing the risk of insider threats, there are financial benefits to adopting a flexible, frictionless encryption solution. A recent Forrester Total Economic Impact™ study, for example, revealed that a typical enterprise-level organization can enjoy $2.7M in cost-mitigating benefits through employing our flexible OneWorld encryption solution. Get the full Forrester Total Economic Impact™ study of OneWorld now.
  3. Educate staff on cybersecurity – Even though employees know why they shouldn’t open attachments and click links from strange emails or use “p@ssw0rd” as a password, they’re still vulnerable to attacks because cybercrime is increasingly sophisticated. To change that, make sure all employees take part in regular and effective cybersecurity training that helps them understand why it’s important, how to implement security measures at work and how to spot sophisticated phishing and spear phishing scams. Training can include tests and tricks. A good trick involves sending a fake phishing attempt to staff to reinforce real-world lessons from the cybersecurity training.
  4. Build security into all products and processes from the start – Train developer teams to create products that are secure by design. Frédéric Virmont, a cybersecurity industry expert, says, “Security is like quality; it must be from the beginning to the end of the life cycle. For developers, now we have tools where they can code and check security along the way. If you wait until the end of the product, it’s too late. Once the house is built, it’s too late to add emergency exits.” This idea includes permissions architecture. A non-secure design gives all users access to more data than necessary. To be security minded, create a permissions architecture that gives access based on needs and roles. For example, the chief marketing officer wouldn’t have the same permissions as customer service agents.
  5. Make cybersecurity the path of least resistance for all users – Like it or not, we do what’s easy. For organizations, this means that overly-complex data security protocols hamper adoption. Because cybersecurity methods only work when staff and customers use them, user-experience must always be considered and prioritized. Going back to the encryption example above, we’ve found that a lot of internal users are reluctant to send encrypted emails because they don’t know how to encrypt them or don’t like the spammy look for their recipient. These are two unnecessary barriers that get in the way of frictionless security and set the stage perfectly for negligent insider attacks.

Insider threats are real and a recent PwC report in the US found that 32 per cent of respondents consider insider threats costlier and more damaging than external incidents.

By taking a security approach that involves a frictionless encryption solution, security by design (and the path of least resistance) and effective education for staff and the Board of Directors, your organization can minimize risks associated with malicious and unintentional insider attacks.

All of the above is why, at Echoworx, encryption is all we do. Our OneWorld encryption platform and cloud security services are a natural extension of existing security programs and offer a wide range of flexible options for secure message delivery. You can learn more about the benefits of Echoworx OneWorld encryption here.

By: Brian Au, IT Specialist, Echoworx


Sources:

https://www.pwc.com/gx/en/services/advisory/forensics/economic-crime-survey.html

15 Feb 2019

Can cybersecurity be a competitive edge?

In the old days, before organizations became customer-obsessed and held off-site leadership events to drill down on their value proposition, information security was simple. There was the CIO and a few stewards of the air-conditioned server room which was invisible to the non-IT eye. Back then, cybersecurity operated in the shadows and it worked just fine … until it didn’t.

Fast forward to today when cyber security is front and centre for senior leadership, boards, customers and partners. All these stakeholders can tell you what Target is now famous for: a customer data breach that cost the company over $200 million to resolve.

And in an increasingly-competitive business landscape, forward-thinking organizations are integrating information security into business processes to avoid becoming the next cautionary tale on the six o’clock news.

Enough to make organizations WannaCry: Evolving cybersecurity threats

The continuously evolving cybersecurity threats organizations face include malicious security breaches and attacks, accidental breaches initiated from well-intentioned employees and known governmental surveillance. Ironically, as businesses benefit from connected infrastructure networks (think of advances in supply chain management, for example), that connectedness also increases the risk of security threats—because attacks can spread across connected networks so quickly.

CIOs and chief security officers are no longer alone at the table advocating for better privacy and data security measures but there’s still room for improvement. The 2018 Global State of Information Security Survey report found that only 40 per cent of corporate boards participate in their organization’s security strategy.

But perhaps the biggest threat of all is a lingering notion that cyber security is an IT problem. It’s not an IT problem. It’s a business problem. Unfortunately, most business leaders don’t understand the nuts and bolts of data security and digital threats which can make it more difficult to address the issue.

Security specialists may get more traction at the leadership and board level by framing cybersecurity as a competitive edge. That’s not finessing the facts considering that 92 per cent of organizations surveyed through the EY 2018-19 Global Information Security Survey called their information security insufficient. 92 per cent!

Four ways cyber security investment helps organizations gain a competitive edge:

  1. Reduces compliance risks and fines – Legislation such as the GDPR, HIPAA and PIPEDA affects the way companies do business and fines can be substantial. Did you know that GDPR violations can cost up to $20 million or four per cent of annual turnover (whichever is greater)?[iv] Since EU citizens are covered under the GDPR even when they’re out of the EU, international companies can stay on the right side of compliance by using proactive policy-based email encryption measures that automatically apply protection to predetermined groups of users (e.g., EU citizens).
  2. Reduces unnecessary cost – The average cost of a single data breach is $3.6 million (USD).[v] But Target’s breach cost 55 times that much, which is why a cybersecurity strategy that protects the downside is so valuable. For example, investing in a flexible encryption platform means encryption can be automated to accommodate any business situation and keep data secure—without any hassle.
  3. Protects the company brand – Inadvertently allowing malicious entities or hackers to access your customers’ personal information is a quick way to reduce or eliminate their trust in you. Imagine how long it will take Equifax to win back the trust of 147 million Americans after the 2017 breach. Investing in proactive cybersecurity measures, like encryption, helps you preserve the fragile relationship that is the reality of digital trust.
  4. Delivers a value proposition for your customers – Your customers may not be able to keep up with the ever-evolving world of cybersecurity, but they expect protection to be a built-in feature of doing business with you. Proactive cybersecurity measures make conducting online business safer and more reliable, which saves customers time, streamlines their experience and delivers real value to them.

Quick tip: Make your competitive edge easy to use

An information security program likely has multiple lines of defense, including encryption, authorization and data integrity measures, but these systems and processes only work if people use them. We encourage you to implement cybersecurity systems and processes that are easy for employees and customers to use. Because even when cybersecurity is top of mind, most employees and customers won’t be inconvenienced for the sake of security.

By Alex Loo, VP of Operations at Echoworx

28 Dec 2018

New Year? New Information Security Challenges!

As we head into the New Year, we reflect on the trials, tribulations and challenges faced over the past year – before outlining specific resolutions to these problems. In the world of information security, these improvements are usually within the realms of identifying threats, preventing cybersecurity issues and staying on top of the latest and greatest in data protection technology.

And what a busy year it’s been! From the introduction of new privacy-building legislation, like the GDPR or California’s AB 375, to new privacy-destroying laws, like Australia’s new encryption laws calling for data backdoors, it’s been quite the rollercoaster. We’ve also seen data breaches and instances of ransomware bring even massive corporate conglomerates, like Marriott, to their knees.

So what is to be done in 2019?

The unfortunate reality of the world of information security is that new threats, new scams and new malicious actors to worry about seem to pop up every day. Staying atop this constantly morphing information is enough to drive someone nuts. And the consequences of falling behind can be detrimental to your business, your reputation and, ultimately, your customers.

This past year, our Distinguished Software Engineer at Echoworx, Slava Ivanov, has made it his mission to gather and consolidate the latest cybersecurity tricks and tips into a concise serial 101 document of definitions. From lighter topics, like the newly emerged Japanese ‘posterior authentication’ technology, which grants access to a system or machine via ‘butt prints,’ to more serious information security issues, like spear phishing, to data protection issues, like the Blowfish cryptography used in encryption, Slava’s index of terms offers an excellent primer to anyone starting research on a term.

So, before you formalize your organization’s New Year’s resolutions this year, consider a quick glance at Slava’s ‘Information Security 101’ to see if there is something you missed in 2018!

Click here to browse last year’s top trending information security terms and definitions.

By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx

11 Dec 2018

Trouble in Oz: Australia’s New Controversial Data Backdoors

Dangerous privacy precedents are now being set in Australia – a nation traditionally known for its dedication to Commonwealth democratic stability. As of December 2018, Australia has newly-minted legislation under its belt which allows its intelligence and law enforcement agencies to demand backdoor access into the sensitive encrypted data of target organizations.

As other friendly governments take note of this new development, this legislation might signal the beginning of dark times for digital privacy and the way we store and share sensitive information.

But first – a little background:

Since their inception, members of the so-called ‘Five Eyes,’ a collective body of intelligence and law enforcement organizations hailing from the UK, the US, Canada, New Zealand and Australia, have been lobbying for more access to their citizens. Gaining access to private citizen data represented not only a unique opportunity to keep an eye on those few amongst us with malicious intent – but also another opportunity to control and manage their populaces.

In recent history, this has manifested itself in digital ways – from legislation, like the US Government’s PATRIOT Act or the UK’s more-recent Investigatory Powers Act, to the use of dangerous euphemisms, like “responsible encryption.” Sensitive digital data is a treasure trove to the Five Eyes and they have been salivating for years at the prospect of getting in.

Backdoors are still doors

In layman’s terms, the new privacy legislation passed by the Australian Parliament demands that third-party digital service providers create backdoors through which state organizations may access end-to-end encrypted information when prompted. While they can make these requests formally to an organization, it’s worth noting they also now have the power to demand that individuals at target organizations, from Sally the CEO to Bill in IT, provide this backdoor access upon request.

And these demands have serious teeth.

If an organization refuses a request by an Australian Government body, like a law enforcement agency, they face millions of dollars in fines. Individuals who fail to comply face jail time.

Sound scary?

It gets worse.

There’s a global impact of these new privacy laws

As a member of the Five Eyes, Australia is a major player in the global intelligence community. Not only does this country, and its legislation, help set a considerable part of the bar of what is acceptable for government intelligence agencies to do – but it has also created a dangerous precedent which might spread to other members of the Five Eyes collective.

The danger of testing the depth of a river with both feet

An unintended consequence of creating these backdoors is the new potential vulnerabilities they pose to the Australian Government organizations who demanded them. While they claim to have solved major issues of national security, with their new ability to spy on their own citizens, the Australian Government has ironically created dangerous vulnerabilities in their own systems available for exploitation by malicious agents.

What can be done?

At Echoworx, and throughout the cybersecurity community, we firmly believe in the protection of encrypted data. Without the ability to send and receive confidential data via digital platforms, everyone’s privacy is at risk, and what’s worse, we could be opening doors to the very criminals we’re trying to stop.

By Derek Christiansen, Engagement Manager, Echoworx

25 Oct 2018

Moving Your PGP to the Cloud? Here’s What You Need to Know

Is PGP encryption part of your secure messaging strategy? Are you currently hosting this system on-premise? Ever thought about moving your PGP email encryption to the cloud? It may sound daunting, but, with the right tools and services, moving to the cloud is an investment to consider for you and your customers.

An on-premise PGP system is resource intensive, and requires software installed on your workstations and servers. The demand on your IT department can be considerable – migrating it to the cloud can take a lot of strain off your staff.

Here are a few points to consider if you are thinking of making the move:

Email encryption should be more than just adequate

We have a responsibility to protect the sensitive messages that we send, and we need to do it in a way that doesn’t get in the way of doing business.

An effective email encryption solution has five main qualities:

  • It is easy to implement
  • It can scale to keep up with growing demands and sudden bursts in email volumes
  • It is feature rich, standards-based and current, supporting encryption technologies widely used today
  • It is jurisdictionally aware, so messages sent from the EU, for example, aren’t stored in or sent through the U.S. or other jurisdictions which might compromise compliance with GDPR rules
  • It is operated securely by a trusted vendor which is dedicated to security

Legacy systems shouldn’t stop you moving to the cloud

Moving an on-premise PGP system to the cloud is not only possible; these legacy systems can actually be migrated without disruption, a critical business consideration if your organization sends large numbers of secure messages daily. And you gain access to additional secure delivery methods, like the ability to send messages via web portal, and additional features, like the ability to custom brand encrypted messages.

Key management without the management

According to the thirteenth encryption study commissioned by Thales from the Ponemon Institute, key management continues to be a major pain-point for 57 per cent of organizations. And many of these organizations report they continue to manually manage their key process. This is not a new stat. In fact, key management has remained a consistent pain-point year over year! Moving to the cloud allows you to simplify your key management process – and automate it.

Why use Security as a Service?

In today’s climate, businesses must scale quickly to meet ever-changing demands. Security threats are always evolving, and technology continues to transform at a rapid pace. New developments such as mobile computing, the Internet of Things, Software as a Service and Infrastructure as a Service are leading to fundamental changes in the way businesses operate.

Working with a cloud Security as a Service provider can bring many benefits. Sheila Jordan, CIO at Symantec, for example, points out that while IT and technology investments can be used to operate and grow a company, the list of tasks to be performed will always be greater than the resources and funds available. IT is often seen as an easy place to cut costs, and in response, CIOs “must prioritize the demands that most directly affect the profitability and financial goals of the company.” CIOs are responsible not only for protecting data, but also for helping companies use that data to generate actionable insights. Moving to the cloud lets organizations track and report in real time.[1]

Thinking about Security as a Service? Here are some questions to consider:

  • What is your risk profile?
  • Is there a specific crisis you’re responding to?
  • Do you have a clear plan in place?

Once the decision to move to the cloud has been made, choose your vendor carefully. Don’t look for a single point solution: if you do, you might find that the solution you’ve chosen has quickly become obsolete or is not the sole focus of a bigger product. Look to your new partner to educate and train your teams and guide your company through the process. Most importantly, get to know the team you’ll be working with, as good relationships can make the difference when dealing with a crisis.

Sheila Jordan from Symantec puts it best: “When you work with a partner that understands your business and where you are headed, they can offer global support and solutions that will grow with your organization. The right partners will always be customer-focused, doing everything in their power to drive your company forward.”

See how easy it is to migrate your PGP to the cloud.

By Christian Peel, VP Engineering, Echoworx

———

[1] Sheila Jordan, “Security as a Service,” in Canadian Cybersecurity 2018: An Anthology of CIO/CISO Enterprise-Level Perspectives, ed. Ajay K. Sood (Toronto: CLX Forum, 2018), 23-45.

27 Sep 2018

Why Are Cybersecurity Audits Important?

The cybersecurity environment is changing. Rates of malicious email and malware continue to rise, and new threats are emerging. Meanwhile, ransomware attacks have become so common that targeted attack groups are now using them as decoys to provide cover for more serious forms of attack.

In a sea of constantly-evolving cyber threats, can your company stay afloat?

If you think a firewall is all you need to consider when assessing the cybersecurity of your digital perimeter – probably not. After all, cyber attacks are now a question of when, not if, and no one solution is going to solve all the problems. This is where having a second opinion can go a long way in understanding the contemporary cybersecurity landscape of threats, available defenses, third-party risk and new regulations.

Enter the cybersecurity audit.

Why conduct cybersecurity audits?

Cybersecurity is a complex web of systems and processes that must evolve in response to threats. And third-party cybersecurity audits help bring clarity and insight. In some organizations, there may be a lack of awareness of how often security policies should be reviewed, and why. IT departments may not have the tools they need to ensure systems are secure. Worse, they might not realize this! And even when cybersecurity is a key element of organizational culture, focus on business scorecards and metrics can keep attention on the past, on threats already faced. Instead, companies must look to the future, to anticipate the threats that have not yet emerged – taking the proactive cybersecurity measures of privacy by design.

How will cybersecurity audits help you?

There are four main reasons why your company will benefit from cybersecurity audits.

  1. They provide knowledge and validation. Audit providers have extensive experience and offer best practices to strengthen company programs. Auditors have training in new regulations (such as the GDPR). They can ensure systems and processes meet current regulatory standards. Auditors can also flag potential issues and suggest improvements.
  2. They offer neutral and objective evaluations of programs. Objective assessments also provide the best picture of how attractive a company might be to hackers.
  3. Third-party audits can be more accurate. Because auditors are not directly associated with the company, they may have a more precise view of the entire organizational structure, including BYOD and mobile devices that might not be an official part of an organization’s workflow.
  4. They help validate your privacy policies to prospective third-party partners. And vice-versa.

What does a cybersecurity audit look for?

Assessment of cybersecurity requires specific technical skills. Auditors must examine server configurations, conduct penetration testing and review security event management rule sets.[1] Not every IT department has individuals with the skills and knowledge to perform these tasks.

In addition, there are complex regulations regarding data protections and privacy, and your organization must follow these regulations in every jurisdiction in which it does business. The recently-passed GDPR, for example, requires that data breaches involving data from EU residents be publicly disclosed within 72 hours. Will your company recognize that such a breach has occurred? How well does your company keep personally identifiable information (PII) secure? Your company collects data – is it accessible to your partners, suppliers, or customers? Do your contracts specify how vendors and distributors will handle this data? Do these organizations have systems in place to keep your data secure?

Why are cybersecurity audits important?

A recent PWC report says 87 per cent of global CEOs believe investing in cybersecurity is important for building trust with customers. Yet fewer than half of businesses worldwide are conducting audits of the third parties which handle their collected personal data. In other words, there is a 54 per cent chance an organization collecting personal data is not sure whether this data is being adequately protected – despite their CEOs expressing the importance of doing so.

If a company believes in protecting personal data, or, at the very least, wants to avoid an expensive data breach, they must do their due diligence when choosing third-party providers. This is why conducting cybersecurity audits is so important. An organization needs to know where and how their data is stored because, at the end of the day, any organization which collects personal data is ultimately responsible for any data protection claims – claims which transfer to third parties.

We practice what we preach!

At Echoworx, we breathe encryption and work every day to help enterprise organizations protect their sensitive data in transit. It only makes sense that we’d invest in the highest levels of cybersecurity. That’s why our entire organization, top to bottom, is scrutinized by third-party auditors regularly to ensure airtight data protection – and we’re proud of our SOC2 and Web Trust certifications!

See our cybersecurity qualifications for yourself!

By Alex Loo, VP of Operations, Echoworx

———

[1] http://www.isaca.org/Knowledge-Center/Research/Documents/Auditing-Cyber-Security_whp_eng_0217.pdf?regnum=463832

14 Sep 2018
Is your business vulnerable to cybersecurity threats?


In 2017, Deloitte was ranked the best cybersecurity consultant in the world for the fifth year in a row. But later that year, news emerged that Deloitte itself was the victim of an ongoing hack that had lasted nearly a full year.[1]

How could this dramatic reversal have happened so quickly?

Any enterprise is vulnerable to cyberattack. The bigger the company, the bigger the target. For most companies it’s only a matter of time.

Hackers aim to steal sensitive data such as corporate secrets, personal data and intellectual property. Hackers also launch sabotage attacks. The financial damage to the global economy exceeds $575 billion annually—more than the GDP of many countries.

How vulnerable is your business?

Cybersecurity = constant vigilance

Here are some cybersecurity vulnerabilities to watch for:

  • Security misconfiguration. This is the most common and dangerous flaw because it relies on exploiting some simple computing errors, such as running outdated software, using factory default settings and passwords, and using default accounts.
  • Buffer overflows. When an application attempts to put more data into a buffer than it can hold, the buffer overflows. This can let an attacker overwrite memory blocks to corrupt data, crash programs, or install malicious code. These attacks are common and hard to uncover, but are also more difficult to exploit than an injection vulnerability attack.
  • Sensitive data exposure. This refers to any instance of a hacker gaining access to sensitive data, either directly from a system, or as it is in transit between a user and a server. The most direct flaw that can be exploited is a lack of encryption, or encryption that is compromised by weak passwords or lack of multi-factor authentication. Every organization that manages sensitive data may be vulnerable to this type of attack.
  • Broken authentication and session management. Exposed accounts, passwords, or session IDs represent leaks or flaws in authentication procedures. Hackers use these to take over accounts and impersonate legitimate users.
  • Outdated security software or infrastructure. Older equipment doesn’t readily support modern applications, and it isn’t easily protected against current threats.

The threat from hackers is only growing as sophisticated techniques become more widespread. The most recent breach level report shows that an average of over seven million records were lost or stolen every day in 2017 – that’s 82 records a second! And of these hundreds of millions of cybersecurity incidents, only four per cent are considered ‘secure breaches,’ meaning the data stolen was protected with encryption. Over a quarter of these breaches occurred in healthcare.

The newest form of cyberattack is crypto-jacking. Also known as coin-mining, this is the unauthorized use of computers to mine cryptocurrency. Hackers plant code on a target computer using malicious links in emails or infected websites. Symantec reports that coin-mining activity increased by 34,000% during 2017, and that detection of coin miners increased by 8,500%. At the end of 2017 coin-mining activity was also detected on mobile devices, and it will likely grow in this space as well.

Defending your business

While no system is 100% safe from attack, strong encryption is an effective defense tool against hacking.

Keep these tips in mind:

  • Encrypt all sensitive information that hackers or cybercriminals could access.
  • Keep login credentials confidential and protected with passwords.
  • Use multi-factor authentication whenever possible.
  • Practice strong password hashing.


We use the cloud. That’s safe, right?

Cloud computing doesn’t protect you from risk. As Sandra Liepkalns, CISO at LoyaltyOne, points out, data still must be stored physically, and “the cloud” just means that you’re using off-site servers. Do you know where those servers are? If your servers are in the United States, do they have the proper credentials to handle GDPR-protected information from Europe? And what about physical threats? Are the servers located in areas prone to flooding or forest fires? What about hurricanes? Or earthquakes?

At the end of the day, every organization is responsible for protecting customer data. After all, it’s not a matter of if your organization will be breached, but when. Don’t be caught unprepared! Minimize the risks and make security integral to all your systems and processes.

By Randy Yu, Manager of Deployment at Echoworx

———–

[1] https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails

25 Jan 2018

How bad is bad? Mexico’s threat landscape

Mexico is one of the fastest growing economies in the world, focused on employing technology to spur businesses forward. But this dependency on technology comes with a dark side – businesses are significantly more vulnerable to cyber threats and data breaches.

Mexico has been attracting the attention of malicious cyber threat actors. The attraction is largely thanks to its growing regional and global geo-strategic significance, coupled with the nation’s increasing economic and financial wealth.

According to recent studies, Mexican organizations are facing similar threats to those operating in the world’s most developed economies. Mexico ranks second in Latin America – just behind Brazil – for the most cyberattacks, with the banking, retail, and telecommunications sectors targeted most.

Serious time of reckoning

The occurrence of cybercriminal activity in Mexico, the diversity of financial institutions, and the sector’s growing capital value are all targeting factors. Criminal groups, clearly capable, besieged the Mexican financial sector by compromising ATMs and defrauding bank customers on a significant scale. Less sophisticated attacks, such as the use of banking Trojans, ransomware, and POS malware, are widespread and pose a significant threat.

Key vulnerabilities observed in Mexico’s cyber landscape are a lack of a cybersecurity culture, old-fashioned system configurations, and obsolete versions of software applications. The right to privacy along with protection of personal information for both individuals and corporations is an extremely relevant issue for international organizations and the public sector. If cybersecurity is not strengthened, more businesses in Mexico will become exposed.

If Mexico wants to be a pioneer of data rights, its new infrastructure must effectively adapt to changes in the way information is transmitted around the world, and it must comply not just with national and regional directives, but with international information-protection practices.

The question arises

Is your business at a crossroads? Shoulder the costs of increasing defenses or become increasingly susceptible to the risk of attacks!

The sound choice is to migrate towards a proactive model that incorporates security checkpoints, as opposed to a reactive one. Having the right security measures in place could prove to be a differentiator in edging out competitors.

A positive drift

According to PwC Mexico, “91% of Mexican companies have prioritized cybersecurity in their organizations and Mexico is the country with the most investment in cybersecurity in Latin America.” The financial sector has led the way in this area, followed by telecommunications, both of which are Mexico’s most globalized economic sectors.

Here is where the Government of Mexico should work closely with private firms. Furthering research on the issue of data protection would be mutually beneficial, keeping the focus on creating a sustainable and securely growing economy.

Echoworx has responded to Mexico’s data security demands by setting up our advanced encryption platform OneWorld within a local data center near Mexico City. This expansion has been fueled by the increasing demand from multinational enterprises operating in Mexico to process and protect their sensitive information locally.

With our agile email encryption platform, it’s easier than ever for organizations to be compliant, maintain brand reputation, build customer trust, and gain a competitive edge – while maximizing the protection of their confidential communications, intellectual property, and other sensitive data.

Mexico is touted to be among the global leaders in digital transactions, and with security being of paramount concern, safeguarding communications must be a top priority. As a leader in email encryption, Echoworx is focused on strengthening cybersecurity by collaborating with various equally passionate stakeholders to safeguard the collaboration and communication of sensitive information throughout Mexico.

Let’s connect

Our team will be at InfoSecurity Mexico at the Centro Citibanamex in Mexico this May. If you plan to be in town, you’ll find the Echoworx team in booth #209. We will be presenting real use cases of how organizations are gaining value by integrating encryption into their business processes, while securing communications. Stop by, join us for a chat!

By Christian Peel, VP Customer Engineering, Echoworx