Category: Information Security

03 Apr 2019

Why Customer-Centric Encryption Matters in Financial Services

Before message encryption became mainstream with its incorporation into popular messaging platforms, like WhatsApp, and into deep-reaching, headline-grabbing international privacy regulations, like the EU’s General Data Protection Regulation (GDPR), the financial services industry could usually get away with using overly complex data security options which were not user friendly. Customers simply didn’t know protecting their data could be seamless and practically invisible.

They know it now and expect customer-centric encryption solutions—especially from the financial services organizations that secure their most sensitive data.

Financial services firms shouldn’t need to choose between security and customer experience. If you look at encryption specs, you’ll notice that algorithms aren’t the primary differentiators of any secure email solution. Almost all contemporary security products feature 2048-bit RSA encryption, 256-bit AES encryption and SHA2 signatures.

The real differentiator is customer experience—how easy is it for customers and employees to use the encryption solution? And do they get the awesome customer experience they’ve come to expect?

Five ways encryption can secure customer-centric innovation

The customer experience differentiators that enterprise-level financial services organizations should look for in an encryption solution include:

  • Definable policies to control which communications require encryption and how they are sent.
  • Multiple flexible delivery methods for different types of secure encrypted communications.
  • Easy and frictionless user experience for employees and customers, no matter how tech-savvy they are (or aren’t).
  • Multiple brand and language options to support brand alignment and customer expectations and to give customers the peace of mind that comes with receiving secure messages from a trusted source.
  • Dedicated account support to help organizations understand how email encryption fits into their business model.

Customer experience is so important because it directly relates to trust—the new currency in banking. Your clients need to trust you with their most personal data and—like it or not—clunky user experiences erode their faith in your ability to protect their data. And when clients lose faith and no longer trust your brand, they will leave. A recent Echoworx survey found that 80 per cent of customers consider leaving a brand after a data breach. With so many CEOs concerned about company reputation, it doesn’t make sense to settle for an encryption solution that can’t support an awesome customer experience—the risk to the brand is just too high.

In addition to benefitting your customer-centric business model, there are added monetary benefits to adopting a flexible frictionless encryption solution. A recent Forrester Total Economic Impact™ study, for example, revealed that a typical enterprise-level organization can slash $2.7M off their bottom line through employing our flexible OneWorld encryption solution.

Get the full Forrester Total Economic Impact™ study of OneWorld here.

Achieving both regulatory compliance and customer-centricity

Like all companies, financial services organizations are subject to privacy regulations like the GDPR. But that’s the tip of the iceberg—and being non-compliant with these privacy laws comes with stiff sharp-toothed penalties.

Regulations financial services companies are subject to[1] or should be aware of include[2]:

  • FINRA guidelines
  • Gramm-Leach-Bliley Act (GLBA)
  • SEC 17A-3 and 17A-4
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Federal Rules of Civil Procedure (FRCP)
  • Sarbanes-Oxley (SOX)
  • EU General Data Protection Regulation (GDPR)
  • Canadian Securities Administrators National Instrument 31-303 (CSA NI)
  • Investment Dealers Association of Canada (IDA29.7)
  • Model Requirements for the Management of Electronic Records (MOREQ)
  • California Consumer Privacy Act (CCPA)
  • New York Department of Financial Services (NYDFS) Cybersecurity Regulation

Since compliance is so integral to the financial services industry, it’s in your organization’s best interest to choose an encryption solution that has privacy by design; this means your secure email platform figures out how to send messages based on the policies you define during your initial service customization. For example, a business partner receives transparent encryption via TLS, a customer receives a monthly statement as a secure PDF attachment and a European bank may require PGP emails because employees have PGP software running on their desktops.

What customer-centric encryption means to your bottom line

In financial services, providing a frictionless and secure customer experience isn’t optional for seamless secure communication. But there are additional monetary benefits to choosing and implementing the right flexible encryption solution. For example, a recent Total Economic Impact™ (TEI) study conducted by Forrester suggests that typical enterprise-level organizations employing Echoworx’s OneWorld encryption platform can slash nearly $320K off their bottom line with the adoption of self-service support options, like automatic password resets – increasing call centre productivity and removing the need for additional overhead.

Customer-centric encryption helps financial services organizations build and keep trust with clients, stay compliant and reduce costs. Isn’t it time to take advantage of this proven competitive differentiator?

The Echoworx Difference

At Echoworx, encryption is all we do. Our OneWorld encryption platform is a natural extension for most existing systems and offers a wide range of flexible, adaptable and dependable encryption delivery methods for use at enterprise-level corporations.

Learn more about the ROI of Echoworx OneWorld encryption here.

By: Christian Peel, VP Engineering at Echoworx

——–

[1] https://www.echoworx.com/project/encryption-technologies-financial-services/

[2] https://www2.deloitte.com/us/en/pages/regulatory/articles/banking-regulatory-outlook.html

09 Mar 2019
Customer Satisfaction

How to stimulate digital engagement with customers

In the offline world, organizations build their customer base slowly over time and these customers generally become and stay loyal to the company—unless there’s a major screw up. But that’s not how it goes in the digital world; though competition is fierce, digital customers are easy to get but hard to keep. Even the smallest user-experience blip can send them packing.

Digital customer engagement—which relies heavily on digital communications—plays an important role in customer experience and satisfaction. Organizations must create an inviting digital environment that encourages engagement and builds digital trust. While digital trust is easy to gain, it’s easier to lose and impossible to get back.

With that in mind, we suggest your digital environment supports these four elements: security, user experience, cost mitigation and compliance. With these in place, it’s easier and safer than ever to stimulate digital engagement with your customers.

Secure communications

Customers expect built-in data security and yet 69 per cent of customers don’t believe organizations do everything they can to protect client data. Your organization can differentiate itself from the competition by delivering on the promise of secure communications. One way to ensure secure communications for all senders and receivers is by using an encryption solution with flexible delivery methods including TLS, S/MIME, PGP and secure web portals. Encryption is a value proposition for businesses that want to gain customer trust while protecting themselves against costly data breaches.

User experience

Customers get a good user experience when data protection is built into the process. Making encryption the default option takes advantage of the human condition—we tend to follow the path of least resistance. Save your customers the trouble of adding an extra step—if they remember or find the time—without leaving encryption to chance. Your choice of encryption can also protect your customers from phishing and spear phishing attacks, where malicious parties mimic your brand via email to steal private information or install malware. Encryption that can support multiple brands with multiple delivery methods in multiple languages assures customers that your secure messages are from a trusted source—not spam.

Cost mitigation

Customer engagement is desirable as part of a streamlined service that helps your clients and supports your business model. But if customer engagement systems chain you to the same old clunky hardware, more IT resources and more customer support staff, the costs can soon outweigh the benefits. The good news is it doesn’t have to be this way. For example, according to a recent study commissioned by Echoworx, moving your PGP system to a cloud-based encryption environment alleviates nearly $800K of on-premise legacy system costs—without any disruption to your customers.

See the full report here.

Compliance

Organizations are subject to multiple privacy regulations—including GDPR, PIPEDA and HIPAA—depending on where they operate and where their customers live. Violating these regulations leads to fines and penalties. For example, GDPR violations can cost up to $20 million or four per cent of annual turnover (whichever is greater). These regulations also make it mandatory to report any data breach. To give you an idea of how fleeting digital trust is, most digital customers will leave forever once they hear about a breach. When you choose an encryption platform, make sure it includes features to keep you on the right side of compliance—and helps your customers feel secure during their online engagement with you.

It’s harder and more important than ever to maintain digital trust. Set yourself up for success by implementing systems like encryption to support and stimulate your online customer engagement activities.

The Echoworx Difference

At Echoworx, encryption is all we do. Our OneWorld encryption platform is a natural extension for most existing systems and offers a wide range of flexible, adaptable and dependable encryption delivery methods for use at enterprise-level corporations.

Learn more about Echoworx OneWorld encryption delivery methods here.

By Alex Loo, VP of Operations at Echoworx


26 Feb 2019

A Perfect 10? Why Flexible Encryption Matters for Your Business

According to Forrester, “consumers use technologies that support convenience and put a higher value on CX (Customer Experience).[i]” And as banking, financial service, government, healthcare, legal and compliance professionals know, customers expect that experience to include encrypted communications and data protection. If your organization uses an out-of-the-box email security product with built-in email encryption, you’re off to a good start.

But if you’re leading a customer-obsessed organization, a tailored approach to encryption is likely more aligned to your business values than an out-of-the-box solution. Implementing a flexible encryption solution as a natural extension to your existing encryption framework takes your data security and digital trust factor from good to great.

Here are four business reasons for adopting a flexible encryption model:

1 – Increase nimbleness and continual alignment to business processes

Business processes vary across any organization. One group sends millions of e-statements monthly while others send sensitive documents one at a time to internal or external parties. Enabling an encryption platform with flexible controls for every scenario gives you the power to create a customizable user experience for senders and recipients while staying in control of encrypted messages that are in transit and at rest.

2 – Build trust instantly with multiple language and branding options

If your organization operates internationally, excellent customer experience includes communications in your client’s preferred language. And it goes without saying, all communications must be aligned to your brand no matter which line of business sends them. With 79 per cent of people taking less than 30 seconds to evaluate the safety of an email, off-brand but legitimate emails from your company can quickly get categorized as spam and cast doubt on your organization’s digital trustworthiness. With Echoworx OneWorld, a natural encryption extension for common enterprise solutions, you can set language policies to automatically apply to encrypted communications based on sender, brand, locale and receiver attributes.

3 – Get ahead of your competition in information security management

In a recent survey of IT professionals and IT decision-makers, we found that although encryption is a priority for most organizations, less than half the organizations with encryption software use it extensively. This means that in any industry, chances are good that using a flexible encryption solution to secure delivery methods can be a differentiator for your business. And when you choose a user-friendly option, your encryption and data security measures become a customer-centric value proposition. Take mobile and desktop user experiences, for example. With over 80 per cent of emails being initially read on some form of mobile device, any encryption solution should offer a comparable or identical desktop user experience.

4 – Increase long-term performance through proactive risk management

The 2018 Global State of Information Security Survey report suggests that long-term economic performance is more likely when companies increase risk resilience rather than merely attempt to avoid risk.[ii] This happens because resilient companies—ones with disaster recovery or business continuity plans—can bounce back faster from unfortunate incidents than those without. From a cyber-security point of view, proactive risk management includes encryption that supports multiple secure delivery methods with effective fallback options, secure password encryption procedures and a streamlined user experience that makes using encryption the easy default.

In a customer-obsessed business culture, organizations must be proactive about meeting and exceeding client expectations while keeping client data secure. It’s easier and more necessary than ever to adopt secure encryption across your organization. Securing sensitive data is the right thing to do—and comes with a strong business case.

The Echoworx Difference

At Echoworx, encryption is all we do. Our OneWorld encryption platform is a natural extension for most existing systems and offers a wide range of flexible, adaptable and dependable encryption delivery methods for use at enterprise-level corporations.

Learn more about Echoworx OneWorld encryption delivery methods here.

By Christian Peel, VP Engineering, Echoworx

——-

[i] https://go.forrester.com/blogs/new-leaders-emerge-as-businesses-are-disrupted-more-rapidly/

[ii] https://www.pwc.com/us/en/cybersecurity/assets/pwc-2018-gsiss-strengthening-digital-society-against-cyber-shocks.pdf

22 Feb 2019

Who Controls Your Encryption Experience?

At its core, security is an exercise of control. Security controls how our property is used, who has access to it and keeps it safe. In cybersecurity, this notion generally refers to the protection of an organization’s digital assets – keeping data safe and sound.

But what happens to this secure sense of control when data goes beyond your reach – outside your digital perimeter? You encrypt it.

Here are some points to consider for effective encryption – without relinquishing control:


  1. Compliance needs met with encryption

    Under international privacy rules, like the GDPR, non-compliance can lead to massive fines you can’t afford. And, while delivery methods like TLS or PGP are effective for protecting data in transit and end-to-end, they do not accommodate every situation – additional options are needed. If a TLS connection is not available, you may want automatic fallbacks to other secure delivery methods, such as via web portal or as an encrypted attachment – ensuring sensitive data always remains protected.

    Explore the pros and cons of different secure delivery methods.

  2. Proactive policies leave less room for internal error

    Encryption is a feature of any serious cybersecurity design – but real world application still lags, according to Echoworx data. When a platform is not user friendly and encrypting a message is difficult, there is a tendency for senders to favour the path of least resistance – sending sensitive data without protection. Setting proactive encryption policies in motion not only makes encryption mandatory based on pre-set rules, but also improves platform usability by automating a sometimes-confusing process.

    Take inbound encryption policies, for example. When a customer sends an organization sensitive information, like a credit card number, over an open or unrecognized channel, there is a chance existing email filters might flag and block their message for reasons of compliance. By setting inbound encryption policies, incoming emails containing sensitive data are automatically encrypted, before being delivered to a recipient’s inbox – safe, sound and compliant.

  3. Stay in control of encryption controls

    From the choice of email service provider to something as simple as a device-type, there are a variety of ways recipients might be inadvertently controlling their encryption experience. This unintended result can prove detrimental to their user experience – especially if there are better encryption delivery methods for their situation.

    Using proactive policies, your organization can push secure delivery methods tailored to specific customers. You might, for example, set policies which restrict TLS to trusted partners only – or employ attachment-only encryption for secure statement delivery.

    See specific use cases of our OneWorld encryption platform.

  4. Offer a consistent encryption experience

    Part of a true streamlined user experience relies on a consistent user experience – regardless of device, location or connectivity. An encrypted message experience, for example, should offer the same user experience regardless of whether the secure message is accessed on a desktop computer or offline via a mobile device – without the need for third-party apps. This same consistent user experience also helps streamline working within collaborative environments.

    Common business scenarios, for example, often involve engaging with a sensitive document across multiple devices and environments. Is the document going to look and act the same offline and online? If working collaboratively on a sensitive encrypted document, is the user experience identical for all parties involved?

    Explore the different delivery methods offered by the Echoworx Oneworld encryption platform.

  5. Be able to recall encrypted messages

    The ability to recall a compromised message even after it has been read, is a simple, yet fundamental feature enabling control of an encryption experience. Whether a message is sent to an unintended recipient or whether a message is no longer safe, control over a message shouldn’t have to be relinquished just by pressing ‘Send.’

  6. Branding is more than changing the colour

    Branding and the separation of brands is crucial to any enterprise conglomerate. The ability to brand, separate and segment customer interactions according to brand can mean anything from how a secure message is received to a desired language. Different brands should also be siloed to prevent eavesdropping from other business units.

    Learn how you can brand your encrypted messages for a more personalized customer experience.


By Derek Christiansen, Engagement Manager, Echoworx

21 Feb 2019

The End of Fax Britannica! Is a New Paperless Age Coming to Britain’s Public Sector?

On January 1, 2019, Britain’s National Health Service (NHS) made a big digital move – no new fax machines. While this might seem insignificant, the underpinning message is deep: a full commitment to digital message channels. And, as the largest public service employer in the UK, with 1.2 million souls, the implications of such a move might run even deeper.

Background

For several years, the NHS has been threatening to go digital, phasing out their snail mail communications and bringing their 70-year-old national healthcare service online – and digital. And, from issues of usability to the more serious, like the loss of 900,000 patient letters in late 2017, the largest NHS blip yet, things have been off to a rocky start.

But, spearheaded by former-Minister of Fun, now Minister of Health, Matt Hancock, ‘The NHS Long-Term Plan’ remains unchanged and unfaltering in its commitment to all things digital. In terms of digital adoption, the 136-page report opens strong: “Virtually every aspect of modern life has been, and will continue to be, radically reshaped by innovation and technology – and healthcare is no exception.”[1]

Zero Fax Given

By 2020, the NHS aims to banish fax machines from their system entirely – with a goal of total phase out by March of next year. Among other things, this means they are shifting their reliance to a purely digital environment – pushing their need for an effective encryption solution to a critical level. Minister Hancock includes the need for encryption into a proposed plan to build an NHS digital architecture which can provide a strong basis for a new generation of digital services.

The savings are big

Going paperless via digital communications offers tremendous value to organizations like the NHS. Between 2013 and 2016, for example, the NHS saved £136M (approx. $178M) with their Electronic Prescription Service (EPS) – a digital communications service currently used by 93 per cent of English GP practices. And something as simple as booking appointments through digital channels is expected to save the NHS a further £50M (approx. $65M) per annum.[2]

A second advantage to a digital paperless NHS future is to promote the service as a leading environment for innovative healthcare organizations. As a health-tech hub, NHS users are granted front-row seats to emerging healthcare technology and practices.

Fax machines are just the beginning

In just one decade, by 2029, the NHS aims to be completely paperless – quite an undertaking. But the benefits are huge! By offering paperless healthcare options, patients, medical professionals and NHS employees alike gain access to instantaneous services available anywhere – empowering NHS users to be healthier and stay independent longer.

But with all the sensitive personal information involved in healthcare, robust enterprise-level encryption solutions are needed. And, from TLS to end-to-end encryption solutions, like attachment only encryption, any realistic solution is also going to need to offer flexibility for an excellent, non-confusing and seamless user experience.

See the different ways businesses are leveraging encryption throughout their organizations.

By Christian Peel, VP Engineering, Echoworx

—–

[1] https://www.longtermplan.nhs.uk/wp-content/uploads/2019/01/nhs-long-term-plan.pdf

[2] https://www.longtermplan.nhs.uk/wp-content/uploads/2019/01/nhs-long-term-plan.pdf

15 Feb 2019

Got Danish Data? Email Encryption is Now Mandatory in Denmark

To encrypt or not to encrypt: that is no longer the question in Denmark – where new interpretations of the General Data Protection Regulation (GDPR) are making encryption history. As of January 1, 2019, all organizations working in any capacity with Denmark must now apply acceptable encryption when communicating sensitive data.

Why Denmark?

While the GDPR does apply to all EU members and their citizens, regardless of where they reside, each country has unique interpretations of the specific parts of the regulation. In the case of Denmark, a more literal definition of Section 9 of the GDPR, addressing the ‘processing of special categories of personal data,’ has been adopted. As a result, any sensitive data in transit falling under Danish jurisdiction needs to be protected – meaning mandatory email encryption.

What does this mean for Danish business?

Any organization conducting business in Denmark or involving Danish citizens, including in a third-party capacity, must protect personal data with either secure TLS or end-to-end encryption. But how you employ data protection measures is also important. Opportunistic TLS, for example, where unsuccessful connections fall back to clear text, does not offer adequate protection. Non-abiders to the new rules can face sanctions or, worse, crushing fines in the aftermath of a breach. This new GDPR development is expected to spur similar measures in other EU countries.
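The distinction this paragraph draws (enforced TLS or end-to-end encryption versus opportunistic TLS that degrades to clear text), together with the secure-fallback and policy-per-recipient ideas from the earlier posts, as an added Python example that is not Echoworx's or OneWorld's code: recipient kinds, the policy chains and the `tls_available` probe result are assumed names for illustration.

```python
"""
Added example (not Echoworx's code): a toy outbound delivery policy that
selects a secure delivery method per recipient and falls back only to
another secure method.  Recipient fields, policy chains and the
`tls_available` probe result are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Delivery methods the page discusses, plus two outcomes for an exhausted chain.
TLS, PGP, SECURE_PDF, WEB_PORTAL = "tls", "pgp", "secure_pdf", "web_portal"
CLEARTEXT = "cleartext"   # what opportunistic TLS degrades to
HOLD = "hold"             # enforcing policy: queue for review instead of sending


@dataclass
class Recipient:
    address: str
    kind: str = "customer"          # selects the policy chain
    trusted_partner: bool = False   # TLS is allowed only for these domains
    has_pgp_key: bool = False       # recipient runs PGP on the desktop


@dataclass
class Policy:
    # Ordered preference per recipient kind, evaluated left to right.
    chains: dict = field(default_factory=lambda: {
        "partner":  [TLS, WEB_PORTAL],
        "bank":     [PGP, SECURE_PDF],
        "customer": [SECURE_PDF, WEB_PORTAL],
    })
    # Opportunistic mode downgrades to clear text when the chain is exhausted.
    opportunistic_tls: bool = False


@dataclass
class Decision:
    method: str
    skipped: list = field(default_factory=list)  # (method, reason) pairs


def choose_delivery(rcpt: Recipient, policy: Policy, tls_available: bool) -> Decision:
    """Walk the chain for rcpt.kind and return the first method whose
    precondition holds.  TLS needs a negotiated connection *and* a trusted
    partner; PGP needs a key on file; secure PDF and web portal always apply.
    An exhausted chain yields CLEARTEXT only under opportunistic mode,
    otherwise HOLD, so an enforcing policy never sends in the clear."""
    skipped = []
    for method in policy.chains.get(rcpt.kind, [SECURE_PDF]):
        if method == TLS:
            if not rcpt.trusted_partner:
                skipped.append((TLS, "recipient is not a trusted partner"))
            elif not tls_available:
                skipped.append((TLS, "TLS not negotiated with recipient MX"))
            else:
                return Decision(TLS, skipped)
        elif method == PGP:
            if rcpt.has_pgp_key:
                return Decision(PGP, skipped)
            skipped.append((PGP, "no PGP key on file"))
        else:
            return Decision(method, skipped)
    final = CLEARTEXT if policy.opportunistic_tls else HOLD
    return Decision(final, skipped)


if __name__ == "__main__":
    pol = Policy()
    for r, tls in [
        (Recipient("ops@partner.example", "partner", trusted_partner=True), True),
        (Recipient("ops@partner.example", "partner", trusted_partner=True), False),
        (Recipient("ops@bank.example", "bank", has_pgp_key=True), True),
        (Recipient("jane@mail.example"), True),
    ]:
        d = choose_delivery(r, pol, tls)
        print(f"{r.address:<24} tls={tls!s:<5} -> {d.method} skipped={d.skipped}")
```

Running the block shows the trusted partner moving from TLS to the web portal when TLS is unavailable, while the same policy with a TLS-only chain either holds the message (enforcing) or sends it in the clear (opportunistic).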

Learn more about encryption delivery methods.

What measures can an organization take?

Since the GDPR came into effect last May, the message has been clear and simple from Europe: Protect personal data or do business elsewhere. And, by adopting proactive privacy by design policies, using the GDPR as a baseline, an organization can ensure they are compliant in the EU and anywhere else where similar privacy policies exist. Therefore, this newest Danish development should be viewed as a competitive advantage – not a hindrance.

While a closed system theoretically might work for Danish companies who interact solely with Danes, this mindset can cause compatibility problems the second business is conducted abroad. A flexible secure message platform can help avoid compatibility issues and maintain compliance.

Learn more about the flexible features of Echoworx’s OneWorld encryption platform.

By Christian Peel, VP Engineering, Echoworx

18 Jan 2019

Inbound Encryption: The Why and How

While your organization has systems in place to encrypt outgoing emails, what happens when you receive an email that contains sensitive information? If it’s not already encrypted, do you refuse to accept it? Does it get caught in your compliance filters? If so, what message are you sending by not receiving?

What is inbound encryption?

Inbound encryption is the process by which emails containing sensitive information, such as credit card numbers, are encrypted before they are stored in an organization’s mail servers. Inbound encryption filters scan all emails against a set of established rules, looking at content and attachments, as well as recipients.

Why is inbound encryption needed?

PCI requirements state that emails containing cardholder data must be encrypted during transmission across open, public networks, and that cardholder data must be protected while it is stored. This means that sensitive or personal information such as credit card numbers cannot be saved on your network without being encrypted.

For example, you might run a large retail organization to which customers are sending email queries containing sensitive data – like credit card information. In order to comply with PCI legislation, your email filtering system might be set up to block or delete these types of emails. This, in turn, might lead to customer dissatisfaction as their emails go unanswered – leading to lost business and unintended brand damage.

How does inbound encryption work?

Using a Secure PDF delivery system allows organizations to minimize their PCI risk. Instead of doing the encryption themselves, they employ a third-party service which provides on-the-fly email encryption, triggered by automated policies on a PCI-certified platform. When messages containing sensitive information arrive encrypted and secure, they are less likely to be blocked by existing email filtering services.

Any incoming emails that trigger an encryption policy are automatically encrypted within a Secure PDF, along with any attachments, before being delivered direct to a recipient’s inbox. Upon receiving the email, the recipient simply downloads the encrypted attachments and enters a self-registered passphrase to authenticate, open and read the contents.
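The scan-then-wrap flow described above, as an added Python example that is not Echoworx's code and not OneWorld's actual policy engine: it looks for Luhn-valid card numbers in the body and attachments, applies a recipient rule, and masks the PAN in its stated reasons so the audit log does not itself become cardholder data. The rule set, the sample messages and the detector are constructed for illustration.

```python
"""
Added example (not Echoworx's code): an inbound policy filter that scans
body, attachments and recipient of an incoming message for cardholder
data and decides whether the message must be wrapped as a secure PDF
before storage.  The detector (regex + Luhn), the rule set and the
sample messages are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# 13-19 digits, optionally separated by spaces or dashes, on word boundaries.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check; weeds out order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid digit strings found in text, separators removed."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the masking PCI DSS allows for display."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    attachments: dict = field(default_factory=dict)   # filename -> extracted text


@dataclass
class InboundPolicy:
    # Mailboxes whose traffic is always wrapped, whatever the content says.
    always_encrypt_to: set = field(default_factory=set)


@dataclass
class Decision:
    action: str          # "secure_pdf" or "deliver"
    reasons: list        # human-readable and PAN-masked, safe to log


def evaluate_inbound(msg: Message, policy: InboundPolicy) -> Decision:
    """Apply the recipient rule, then scan body and every attachment."""
    reasons = []
    if msg.recipient.lower() in policy.always_encrypt_to:
        reasons.append(f"recipient {msg.recipient} is an always-encrypt mailbox")
    for where, text in [("body", msg.body), *msg.attachments.items()]:
        pans = find_pans(text)
        if pans:
            reasons.append(f"cardholder data in {where}: " + ", ".join(map(mask_pan, pans)))
    return Decision("secure_pdf" if reasons else "deliver", reasons)


# Constructed sample traffic (test card numbers, not real accounts).
SAMPLES = [
    Message("alice@customer.example", "support@retailer.example",
            "Please charge my card 4111 1111 1111 1111, expiry 12/24."),
    Message("bob@customer.example", "support@retailer.example",
            "Scan attached.", {"form.txt": "Card no: 5500-0000-0000-0004"}),
    Message("carol@customer.example", "support@retailer.example",
            "Where is order 1234-5678-9012-3456? It is late."),
    Message("dave@customer.example", "payments@retailer.example",
            "Invoice question, no card details."),
]
POLICY = InboundPolicy(always_encrypt_to={"payments@retailer.example"})

if __name__ == "__main__":
    for m in SAMPLES:
        d = evaluate_inbound(m, POLICY)
        print(f"{m.sender:<24} -> {d.action:<10} {d.reasons}")
```

The third sample carries a 16-digit order number that fails the Luhn check, which is why it is delivered unwrapped rather than blocked or encrypted.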

What to look for in an effective inbound encryption solution

Providing a secure encryption option for all inbound email doesn’t have to be complicated. Using a Secure PDF delivery system not only guarantees secure storage of sensitive information, it also ensures that your organization will comply with privacy regulations and data security standards.

Learn more about inbound encryption with Echoworx OneWorld.

In addition to Secure PDF delivery, any encryption solution worth its salt needs to offer additional secure delivery methods, from Web Portal, to Secure Attachments, S/MIME/PGP and TLS. Although replies and any additional dialogue may be performed via built-in Secure Reply features, your employees might also exercise additional options to communicate securely with their clients.

Learn more about Echoworx OneWorld secure encryption delivery methods.

By Derek Christiansen, Engagement Manager, Echoworx

02 Jan 2019
Generation Z, Personal Data and Digital Trust: Unlike Any Before

Solve this riddle: I am always connected – but avoid social situations. I demonstrate a firm attention to detail – but have the attention span of a goldfish. I freely give out personal information – but demand it be protected. I distrust corporations – but communicate to them as if they were family.

Who am I?

If you guessed a Millennial, you’re on the right track. But these characteristics are more appropriately attributed to members of Generation Z – the first generation of digital natives, born beginning in the mid-90s through the 2000s, set to bloom into the consumer market. And, given that they are to make up a whopping 40 per cent of all consumers by 2020, [1] with $44B in buying power,[2] this is one group your organization needs to prepare for – especially when it comes to data protection.

How does Generation Z share digital information?

As digital natives, Gen Z’s do not know life without being connected to the digital world. And, since most of their life is already online, some even making their first digital selfie appearance via an uploaded ultrasound from the womb, they are much more comfortable with having even their most intimate details available at the click of a mouse. They are ‘always on,’ with some members of Generation Z checking their social media a hundred times a day or more, and this is reflected in how they share digital information.

According to Echoworx data, the level of comfort with which Generation Z share personal information online is on par with or even exceeds the same metrics for Millennials. For example, 56 per cent of Generation Z are not opposed to publishing their credit score on social media. This same metric is considerably lower for Millennials, with 44 per cent being comfortable, and continues to decline through older generations.

Are Generation Z gullible? Or just faster?

The average attention span of a member of Generation Z is 8 seconds, according to data from the Digital Marketing Institute. And, as digital natives, they crave instant gratification for the price of personal data – without much consideration for long-term consequences or questioning what their details are being used for. But, on account of their low attention spans, Gen Z’s are experts at filtering and retaining information presented to them.[3]

So, are they gullible? No. But this doesn’t necessarily mean they are responsible. And their lightning quick digital speed can lead to sloppy practices when it comes to protecting their data. For example, according to Echoworx data, nearly half of Gen Z’s change their digital passwords regularly. Compare this same figure to Millennials, where nearly three quarters of them regularly update their online login credentials.

Are Generation Z reckless with their personal digital data?

In order to understand the point of view of a Gen Z, you need to look at things from their perspective. For example, would you trust your parents with your SIN? Would you ask your sister for advice on the best way to peel an apple? If you answered yes, simply substitute your family member with an online influencer or one of your favourite brands. If you are always on, you live online.

And you trust people you care about to point you in the right direction. This is why Gen Z’s are so comfortable providing details for or taking advice from brands or influencers.

When you look at it from this perspective, readily divulging personal information online is not as crazy as it sounds to older generations.

And older generations are not perfect either. According to a recent Gallup Poll, nearly a quarter of Americans were victims of cybercrime in 2018.[4] This is despite the 71 per cent of poll respondents who say they worry about cybercrime and the two thirds of Americans, according to data from the American Bankers Association (ABA), who are taking measures to protect sensitive data.[5]

Digital trust is a fragile game to play

Unlike its offline equivalents, digital trust carries its own hubris of sorts in that if it is easy to get, it’s even easier to lose and nearly impossible to get back. In fact, according to Echoworx data, over three quarters of Generation Z consider leaving brands after a data breach. So how do you play the game?

Easy. You protect them.

According to Deloitte, consumer expectations online are at an all-time high and your customers demand control over their personal data. And a full 69 per cent of customers do not believe organizations are doing everything they can to protect their data.[6] But, according to data from the ABA, nearly half of Americans continue to trust traditional industries, like banks and healthcare.[7]

While some might view this newfound fascination with personal data collection as detrimental to conducting business – your organization should view it as a competitive differentiator. If your brand goes all-out in a quest to protect customer data, employing proactive best practices, such as a personalized and customer-focused encryption experience for sensitive documents in transit, your customers will take notice.

Learn more about maintaining the digital trust of your customers.

By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx

——

[1] https://digitalmarketinginstitute.com/en-ca/the-insider-3987498273498375892/19-10-16-is-your-business-ready-for-the-rise-of-generation-z?blog

[2] https://www.forbes.com/sites/kristinwestcottgrant/2018/05/09/data-privacy-social-media-visual-content-adobe-through-the-lens-of-generation-z/#5c812c243a9c

[3] https://digitalmarketinginstitute.com/en-ca/the-insider-3987498273498375892/19-10-16-is-your-business-ready-for-the-rise-of-generation-z?blog

[4] https://bankingjournal.aba.com/2018/12/gallup-poll-quarter-of-americans-victimized-by-cybercrime/

[5] https://bankingjournal.aba.com/2018/12/survey-data-privacy-growing-as-concern-banks-seen-as-trusted/

[6] https://www2.deloitte.com/insights/us/en/industry/technology/digital-media-trends-consumption-habits-survey.html

[7] https://bankingjournal.aba.com/2018/12/survey-data-privacy-growing-as-concern-banks-seen-as-trusted/

28 Dec 2018

New Year? New Information Security Challenges!

As we head into the New Year, we reflect on the trials, tribulations and challenges faced over the past year – before outlining specific resolutions to these problems. In the world of information security, these improvements are usually within the realms of identifying threats, preventing cybersecurity issues and staying on top of the latest and greatest in data protection technology.

And what a busy year it’s been! From the introduction of new privacy-building legislation, like the GDPR or California’s AB 375, to new privacy-destroying laws, like Australia’s new encryption laws calling for data backdoors, it’s been quite the rollercoaster. We’ve also seen data breaches and instances of ransomware bring even massive corporate conglomerates, like Marriott, to their knees.

So what is to be done in 2019?

The unfortunate reality of the world of information security is that new threats, new scams and new malicious actors to worry about seem to pop up every day. Staying atop this constantly morphing information is enough to drive someone nuts. And the consequences of falling behind can be detrimental to your business, your reputation and, ultimately, your customers.

This past year, our Distinguished Software Engineer at Echoworx, Slava Ivanov, has made it his mission to gather and coagulate the latest cybersecurity tricks and tips into a concise serial 101 document of definitions. From lighter topics, like the newly emerged Japanese ‘posterior authentication’ technology, which grants access to a system or machine via ‘butt prints,’ to more serious information security issues, like spear phishing, to data protection issues, like the Blowfish algorithm used in encryption, Slava’s index of terms offers an excellent primer to anyone starting research on a term.

So, before you formalize your organization’s New Year’s resolutions this year, consider a quick glance at Slava’s ‘Information Security 101’ to see if there is something you missed in 2018!

Click here to browse last year’s top trending information security terms and definitions.

By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx

11 Dec 2018
Australia demands encryption backdoors

Trouble in Oz: Australia’s New Controversial Data Backdoors

Dangerous privacy precedents are now being set in Australia – a nation traditionally known for its dedication to Commonwealth democratic stability. As of December 2018, Australia has newly-minted legislation under its belt which allows its intelligence and law enforcement agencies to demand backdoor access into the sensitive encrypted data of target organizations.

As other friendly governments take note of this new development, this legislation might signal the beginning of dark times for digital privacy and the way we store and share sensitive information.

But first – a little background:

Since their inception, members of the so-called ‘Five Eyes,’ a collective body of intelligence and law enforcement organizations hailing from the UK, the US, Canada, New Zealand and Australia, have been lobbying for more access to their citizens’ data. Gaining access to private citizen data represented a unique opportunity not only to keep an eye on those few amongst us with malicious intent – but also another opportunity to control and manage their populaces.

In recent history, this has manifested itself in digital ways – from legislation, like the US Government’s PATRIOT Act or the UK’s more recent Investigatory Powers Act, to the use of dangerous euphemisms, like “responsible encryption.” Sensitive digital data is a treasure trove to the Five Eyes and they have been salivating for years at the prospect of getting in.

Backdoors are still doors

In layman’s terms, the new privacy legislation passed by the Australian Parliament demands that third-party digital service providers create backdoors through which state organizations may access end-to-end encrypted information when prompted. While they can make these requests formally to an organization, it’s worth noting they also now have the power to demand that individuals at target organizations, from Sally the CEO to Bill in IT, provide this backdoor access upon request.

And these demands have serious teeth.

If an organization refuses a request by an Australian Government body, like a law enforcement agency, they face millions of dollars in fines. Individuals who fail to comply face jail time.

Sound scary?

It gets worse.

There’s a global impact of these new privacy laws

As a member of the Five Eyes, Australia is a major player in the global intelligence community. Not only does this country, and its legislature, help set a considerable part of the bar for what is acceptable for government intelligence agencies to do – but it has also created a dangerous precedent which might spread to other members of the Five Eyes collective.

The danger of testing the depth of a river with both feet

An unintended consequence of creating these backdoors is the new potential vulnerabilities they pose to the Australian Government organizations who demanded them. While they claim to have solved major issues of national security, with their new ability to spy on their own citizens, the Australian Government has ironically created dangerous vulnerabilities in their own systems available for exploitation by malicious agents.

What can be done?

At Echoworx, and throughout the cybersecurity community, we firmly believe in the protection of encrypted data. Without the ability to send and receive confidential data via digital platforms, everyone’s privacy is at risk, and what’s worse, we could be opening doors to the very criminals we’re trying to stop.

By Derek Christiansen, Engagement Manager, Echoworx

01 Dec 2018
information security

Security 101: A 2018 Thesaurus for InfoSec

There is much emphasis being given to information security in today’s digitally connected ecosystem, and it truly is the need of the hour – below you can find answers to some of the most pertinent topics in information security.

Slava Ivanov, Distinguished Software Engineer at Echoworx, with his years of progressive experience in delivering security solutions to solve business challenges, coupled with his strong knowledge of software development cycles, is committed to developing a 2018 Thesaurus for information security.

DECEMBER |

Q: CONFUSED WITH THE INTERNET, DEEP WEB OR DARK WEB?

A: The Internet consists of online resources available through search engines, like the websites we use to shop, bank or socialize. The Deep Web is the part of the Internet that is not indexed by major search engines. To visit such places, you would need to go directly to the resource. It isn’t necessarily malicious, but simply too large to be indexed. The Dark Web is the part of the Deep Web that is not just unindexed, but also requires special access. The Dark Web is often based on additional sub-networks, like Tor or Freenet, and is often associated with criminal activities.

Q: WHAT IS ‘POSTERIOR AUTHENTICATION?’

A: When we speak about biometric security, usually we are referring to face recognition or fingerprints – but this authentication method is all about your posterior. Japanese researchers have developed a seat with 360 sensors, which apparently measure your seat groove, aka ‘buttprints,’ or rear-pressure. The researchers claim 98% accuracy in correctly identifying a sitting person. Not bad, eh? This method of authentication could have applications in effective anti-theft systems for our cars, or yet another method to log into your device when you sit behind your desk.

Q: WHAT IS A KEYLOGGER?

A: Keyloggers are also known as keystroke loggers. There are many types of keyloggers based on a variety of keylogging methods, including two well-known ones: software- and hardware-based keyloggers. Hardware keyloggers are usually fitted between a keyboard and a device. As they run entirely in hardware, security software is not able to detect them. Software keyloggers can be built into rootkits or other less detectable forms. While the programs themselves are legal, many of them are used for the purpose of stealing confidential information. Detecting any type of keylogger is a difficult task since they’re designed to stay hidden.

NOVEMBER |

Q: WHAT IS SOCIAL ENGINEERING?

A: Social engineering is the art of manipulating people so they give up confidential information. Even highly secure systems that cannot be penetrated by digital, or cryptographic means, can be compromised by simply calling an employee of the target organization on the phone and impersonating a co-worker or IT personnel. Some well-known social engineering techniques include phishing, clickjacking, vishing, and baiting. There is no simple solution to prevent a social engineering attack, but the best defense is user education and security awareness.

Q: VULNERABILITY VS. EXPLOIT: WHAT’S THE DIFFERENCE?

A: A security vulnerability is an unintended flaw in software or a system which leaves it open to potential exploitation, such as unauthorized access or malicious behavior, like viruses, worms and other malware. Exploit is another term for a security vulnerability, however it’s an actual active problem, as opposed to a potential problem. For example, a broken lock on your cottage door would be a vulnerability, which must be addressed sooner rather than later. But a broken door lock in a major city would be an example of an exploit – there might be people in the area actively exploiting this known vulnerability.

Q: WHAT IS A PENTEST?

A: Pentest is the short form of penetration test. This is a security exercise where a trusted cyber-security expert attempts to find the vulnerabilities of a system before malicious attackers can exploit them. To produce a pentest report, the system is targeted by simulated attacks: brute-force, SQL injections, etc. The findings are then shared with the target company’s security team for the implementation of subsequent security fixes and patches. In order to keep the system secure, the pentest should be performed on a regular basis, especially when new technology is added.

Q: WHAT DOES CIA HAVE TO DO WITH CYBERSECURITY?

A: In Information Security, the CIA Triad stands for Confidentiality, Integrity and Availability – not to be confused with the US Central Intelligence Agency. Confidentiality – keeping sensitive data secure; Encryption is a reliable solution to ensure confidentiality. Integrity – keeping data intact; Cryptographic hashes and digital signing are used to verify information hasn’t been altered. Availability – keeping data accessible; Strategic planning and resource allocation ensures services and applications are available 24/7, including backup plans, data recovery and services scalability.

OCTOBER |

Q: WHAT IS A BOTNET?

A: The word “Botnet” is a combination of the words robot and network. A botnet is a group of Internet-connected devices – IoT and mobile devices, computers, networks – infected by malware. Each compromised device is called a “bot” and can be controlled remotely by the botnet’s originator, known as the “bot master.” Botnets are increasingly rented out by cyber criminals as commodities and are commonly used in DDoS attacks. Botnets are able to take advantage of collective computing power to send large volumes of spam, steal credentials en masse or spy on people and organizations.

Q: IS CRYPTOJACKING A NEW THREAT IN THE WILD?

A: Cryptojacking is the unauthorized use of a victim’s computer to mine cryptocurrency. According to a recent Symantec security report, cryptojacking came out of nowhere and exploded like nothing before. Hackers see it as a cheap and easy way to make more money with less risk. Unlike other types of malware, cryptojacking does not damage a victim’s data or computer. But, since it does steal CPU processing resources, the victim pays with a reduced device lifecycle, higher power usage and overall performance issues.

Q: WHAT IS SPYWARE?

A: Spyware is a type of malicious software installed onto your computer, often without your knowledge. It is designed to monitor your computing activities and collect and report the data back to companies for marketing purposes. The data collection usually includes your personal information such as your name, address, browsing habits, preferences, interests or downloads. Besides being an invasion of privacy, this software can cause serious performance issues.

Q: WHAT IS THE BIRTHDAY ATTACK?

A: The Birthday Attack is a type of brute-force attack based on the birthday paradox, which states that out of 253 people in a room, there’s a 50% chance someone has your birth date; however, only 23 people need to be in the room to get a 50% chance of any two sharing the same birthday. This is because the matches are based on pairs. This statistical phenomenon also applies to finding collisions in hashing algorithms because it’s much harder to find something that collides with a given hash than to find any two inputs that have the same hash value.
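The two figures quoted above (253 people to hit a given birthday, 23 for any shared pair) are recomputed below, and the same gap is then shown between a second-preimage search and a collision search on a SHA-256 digest truncated to a handful of bits. This is an added example, not code from the original post; the truncation width and the "candidate-N" message scheme are choices made here purely to keep the searches cheap.

```python
"""Birthday-paradox arithmetic and a collision search on a truncated hash.

Added example, not part of the original post. The hash is SHA-256 cut down
to a few bits so that both searches finish in well under a second.
"""
import hashlib
import itertools

DAYS = 365


def p_specific_match(n, days=DAYS):
    """P(at least one of n people has a GIVEN birthday)."""
    return 1.0 - ((days - 1) / days) ** n


def p_any_pair_match(n, days=DAYS):
    """P(some pair among n people shares a birthday) = 1 - P(all distinct)."""
    all_distinct = 1.0
    for i in range(n):
        all_distinct *= (days - i) / days
    return 1.0 - all_distinct


def people_needed(prob_fn, threshold=0.5, days=DAYS):
    """Smallest n for which prob_fn(n) reaches the threshold."""
    n = 1
    while prob_fn(n, days) < threshold:
        n += 1
    return n


def short_hash(data, bits):
    """SHA-256 truncated to its top `bits` bits (toy size, so attacks are cheap)."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def candidate(i):
    """Deterministic candidate message number i (constructed input)."""
    return b"candidate-%d" % i


def second_preimage_tries(target, bits, limit):
    """Tries until a candidate hashes to the SAME value as `target`
    (the 'someone has YOUR birthday' case: about 2**bits work)."""
    want = short_hash(target, bits)
    for i in range(1, limit + 1):
        if short_hash(candidate(i), bits) == want:
            return i
    return None  # not found within the budget


def find_collision(bits):
    """Indices (i, j), i < j, of the first two candidates whose truncated
    hashes collide (the 'ANY pair' case: about 2**(bits/2) work).
    Terminates by the pigeonhole principle after at most 2**bits + 1 tries."""
    seen = {}
    for j in itertools.count(1):
        h = short_hash(candidate(j), bits)
        if h in seen:
            return seen[h], j
        seen[h] = j


if __name__ == "__main__":
    print("given birthday, 50%:", people_needed(p_specific_match))   # 253
    print("any pair,       50%:", people_needed(p_any_pair_match))   # 23
    bits = 16
    i, j = find_collision(bits)
    print(f"{bits}-bit collision after {j} tries: candidates {i} and {j}")
    n = second_preimage_tries(b"target-message", bits, 1 << 22)
    print(f"{bits}-bit second preimage after {n} tries")
```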

Q: WHAT IS SAME ORIGIN POLICY?

A: In computing, Same-Origin Policy is the browser-based defense mechanism that ensures certain conditions must be met before content (usually JavaScript) will be run when served from a given web application. Under the policy, the browser permits one web page script to access data in another web page only when they have the same origin; where the origin is a combination of web resource protocol, domain and port.

SEPTEMBER |

Q: ARE OPEN SOURCE PROJECTS MORE SECURE THAN PROPRIETARY ONES?

A: A common misconception is that open source projects are more secure, either because anyone can inspect the source code, or because so many eyes are watching it. And, vice versa, a commercial product of a well-known company is more secure because everyone trusts it. The security of the project comes from a combination of many factors, including how many developers are working on it, what are their backgrounds, quality control of the project, etc. There are many examples of horribly insecure applications that come from both camps.

Q: WHAT IS CROSS-SITE REQUEST FORGERY?

A: Cross-Site Request Forgery (CSRF) is a type of attack on a website where an intruder masquerades as a legitimate and trusted user. For example, a webpage image tag may be compromised to point to a URL associated with some action; when the user loads this page, the browser executes this action and the user might not be aware that such an attack has occurred. The attack can be used to modify firewall settings, post unauthorized data on a forum or conduct fraudulent financial transactions.

Q: WHY DOES MY PKI IDENTITY INCLUDE TWO KEYS?

A: A public and private key pair is a pair of asymmetric keys that perform the encrypt/decrypt functions of a secure data transmission. The public key is public and available to everyone. On the other hand, the private key must remain confidential to its respective owner. When encrypting data, the public key of the recipient is used – and only this recipient will be able to decrypt it. When signing, the private key is used to confirm the identity of the sender.

Q: IS IT “DOS” OR “DDOS” ATTACK?

A: A denial-of-service (DoS) attack is a type of cyber attack designed to make a computer or network unavailable to its intended users by disrupting the services of a host. This is typically done by flooding the host with an overwhelming number of packets to oversaturate server capacity, resulting in denial-of-service or memory buffer overflow which can cause the host to consume disk space, memory, or CPU time. A distributed denial-of-service (DDoS) attack is analogous to DoS, but traffic would come from different sources, which makes it impossible to prevent by just blocking a single source of attack.

AUGUST |

Q: I USE GOOGLE CHROME, DO YOU?

A: There are plenty of browsers available these days to choose from: Chrome, with its built-in Google search engine; Edge, with its ability to make notes right on the page; Firefox, with its option to continue reading the pages where you left on another device; Safari, which is perfectly tailored for mobile devices. No matter what your criteria for choosing the Internet browser, the most important thing is to keep it up-to-date with all security patches and updates. Enjoy your safe browsing.

Q: WHAT IS A DIGITAL CERTIFICATE?

A: In cryptography, a Digital Certificate is an electronic form of identification, much like your passport or driver’s license. It provides information about your identity and is issued by a certification authority (CA) for a specific period of time. The CA guarantees the validity of the information included within the certificate. The most common format for digital certificates is defined by the X.509 standard. There are a variety of areas where certificates are used: SSL/TLS, S/MIME, code signing, etc.

Q: WHAT DO COMPUTER COOKIES TASTE LIKE?

A: A cookie is a small file from a website which is stored on your computer by a web browser. The yummy part of the cookie is that it can store, for example, login info, zip code, etc. so you don’t need to type it in over and over again. The bitter part of it is that it can keep track of your habits and be used by advertising networks. The yucky taste comes when a cookie carrying sensitive information is intercepted by a hacker. Clean up cookies regularly, keep your antivirus software up-to-date, and visit the websites you trust – enjoy the great taste of cookies!

Q: WHAT DOES SSO STAND FOR?

A: SSO stands for Single Sign-On. With single sign-on, the user can authenticate once and then use multiple systems or applications without having to log in again. Without SSO of any kind, users may have to remember a different username and password (different credentials) for each system used. This leads the user to use short, simple or similar passwords for every resource. To reduce password fatigue, time to re-enter identity info, “forgot password” requests, etc., many organizations are implementing Single Sign-On.

Q: WHAT IS S/MIME?

A: S/MIME (Secure Multipurpose Internet Mail Extensions) is the standard for securing MIME messages, which brings SMTP communication to the next level by allowing the widely accepted e-mail protocol to be used without compromising security. It uses PKI (Public Key Infrastructure) to encrypt and/or sign the data. S/MIME brings cryptographic services to e-mail: confidentiality and data integrity through message encryption; authentication and non-repudiation through digital signing.

JULY |

Q: WHAT IS MIME?

A: MIME (Multipurpose Internet Mail Extensions) is the Internet standard that defines how a message has to be formatted for transfer between different e-mail systems. MIME is a very flexible format and allows the inclusion of virtually any type of data such as text, images, audio, applications, etc. With appropriate encoding MIME is able to handle messages written in international languages as well. MIME is designed for SMTP communications, but many definitions of the standard are widely used in WWW communication protocols.

Q: WHAT IS TABNABBING?

A: Tabnabbing, also known as Tabjacking, is a phishing attack that exploits a user’s inattention to multiple open browser tabs in order to steal the user’s sensitive information. For example, you have opened a page affected by the exploit along with other tabs in the browser. If the script in the malicious tab detects inactivity, the web page is reloaded and displays, for example, a fake Gmail login page instead. Due to the lack of attention paid to the open tabs, the user may enter the requested credentials, which are then stolen by the criminals.

Q: HOW CAN A VPN ENHANCE MY PRIVACY AND SECURITY?

A: A VPN (Virtual Private Network) extends a private network (e.g. a company network) across a public network (e.g. the Internet) and enables users to access private network resources as if they were directly connected to that private network. A VPN uses encryption technology to encrypt network traffic, so if an attacker sniffs the packets, they only get encrypted data. It detects modification of transmitted data and so provides integrity. A VPN uses authentication to prevent unauthorized access to the resources.

Q: IS “PHARMING” YET ANOTHER WORD WITH A MISTAKE?

A: Pharming is an advanced type of cybercrime, similar to phishing, which combines the meanings of the words “phishing” and “farming”. The usual purpose of pharming is to obtain usernames and passwords from online retailers or banks, without needing to phish you with malicious e-mails or links. You go to a well-known web resource, as always, but end up at the hacker’s system – made to look like a legitimate website. One of the techniques used in a pharming attack is the corruption of the DNS services on the computer system by malicious code known as DNS cache poisoning.

JUNE |

Q: HOW TO BE SAFE WHEN MAKING ONLINE PAYMENTS?

A: There are a few things to consider when you shop online: 1. Make sure the retail website is using an SSL connection and that the business is trustworthy. 2. Always favour credit card transactions over debit. 3. Do not make payments when connected to a public Wi-Fi network. 4. Consider opting out of storing your credit card information on a retailer’s website – even if you use it often. 5. Never enter your PIN code or banking password when completing a transaction. The last word: Check your credit card statement regularly, sign up for transaction notifications if possible, and stay safe.

Q: HOW TO BE SAFE ON STARBUCKS WI-FI?

A: To stay safe while using a public Wi-Fi network, use only a secure connection (SSL) to websites you trust. Avoid using personal usernames and passwords, even just to check your email, as hackers can monitor unprotected Wi-Fi networks and your information can be stolen. Turn off File Sharing and AirDrop options, and check that your laptop’s firewall is enabled. For even better protection, secure and encrypt your connection by using a Virtual Private Network (VPN) – a safe digital tunnel to your device.

Q: WHAT IS IOT ANYWAY?

A: The Internet of Things (IoT) is an ecosystem of connected devices able to communicate with us, and with one another, over the Internet. A smart thermostat, controllable from our phones and tablets, for example, is a well-known IoT-connected device. Everything these days is “smart,” from simple sensors and actuators to refrigerators and cars. The future of the IoT is very exciting and stands to revolutionize the way we live, making entire cities and countries function in a smarter and more efficient way. It truly is a Golden Age for IoT devices.

Q: HOW WELL IS BLOWFISH SWIMMING IN CRYPTOGRAPHY?

A: Blowfish is a symmetric encryption algorithm designed by Bruce Schneier in 1993 as the replacement for older DES and IDEA algorithms. It has a 64-bit block size and uses a variable-length key, from 32 bits to 448 bits, which is suitable for both domestic and export uses. Blowfish attempts to make a brute-force attack difficult by making the initial key setup a fairly slow operation. This algorithm is unpatented, unlicensed and is available free to everyone. Blowfish shouldn’t be used for large files due to small block size (64-bit as opposed to AES’s 128-bit block size).

MAY |

Q: ARE BLUEJACKING, BLUESNARFING AND BLUEBUGGING NEW SHADES OF BLUE?

A: Bluejacking, the earliest Bluetooth attack, is the sending of unsolicited messages to Bluetooth-enabled devices. Bluejacking is quite harmless and is usually limited to sending text messages, images or sounds to a targeted device. Bluesnarfing is more damaging and targets a user’s privacy – with an attacker connecting to an early-Bluetooth device, without the owner’s knowledge, and downloading their phonebook, calendar and more. Bluebugging goes further – with complete virtual takeover of the device. Once connected, an attacker can access your contacts, make calls, listen to calls, read your messages and emails and even track your location, without your knowledge.

Q: SAML OR OAUTH?

A: SAML (Security Assertion Markup Language) is usually used when a solution requires centralized identity management; involves SSO with at least one enterprise participant; or provides access to an application. OAuth (Open Authorization) is usually used when a solution provides access to resources, such as accounts, files, etc.; or involves mobile devices. Both technologies can be used at the same time. For example: SAML for authentication; once the SAML token is processed, use it as the OAuth bearer token to access protected resources over HTTP.

Q: WHAT ARE THE TYPES OF BIOMETRICS?

A: There are two main types of biometrics: Physiological biometrics is something related to what we are, including specific measurements, dimensions, and characteristics of our body. Your face, eyes, vein pattern or a fingerprint are an example of physiological biometric data. Behavioral biometrics is what we do and is related to our personal habits and unique movements. Your voice, gestures, walking style, and the handwritten signature is the simplest example of this type.

Q: IS IT POSSIBLE TO STOP IDENTITY THEFT?

A: It’s almost impossible to completely prevent identity theft, however it is possible to reduce the risk by following some simple tips: 1. Be aware of your privacy settings on social media. 2. Use strong and different passwords when creating online accounts. 3. Do not check out suspicious emails which may be phishing for data. 4. Do not provide any information to websites which are not using an SSL connection. 5. Protect your PC by using a firewall, antivirus and spyware protection software, and by keeping it up to date.

APRIL |

Q: WHY USE SAML?

A: The Security Assertion Markup Language (SAML) is an open standard that represents an XML-based framework for sharing security information about identity, authentication, and authorization across different systems. SAML eliminates the need for multiple applications and services passwords by enabling a token-based authentication exchange. It solves the key challenge by enabling single sign-on (SSO) functionality. SAML saves administrative time and increases security with centralized control over authentication and access.

Q: WHAT IS PCI COMPLIANCE?

A: PCI stands for the Payment Card Industry, and is often followed by the letters DSS, which stand for Data Security Standard. PCI compliant businesses must consistently adhere to the rules defined by the PCI Security Standards Council. Some of these are: Maintain an information security policy; Monitor and maintain a secure network; Implement strong access controls; Protect sensitive information. Customers of such businesses should feel safe and confident that their data will be protected.

Q: WHAT IS IDENTITY THEFT?

A: Identity theft is unwanted or unauthorized access to your personal information. Once someone gets hold of your personal details, they are able to commit all sorts of crimes using them, including telecommunications fraud, money laundering, cybercrimes, and more. Criminals use seemingly harmless pieces of information, like your date of birth, to gain access to other information about you, including your address, email, place of birth, insurance numbers, and passwords. Take care to protect your data by being aware of your privacy when sharing sensitive data.

Q: WHAT IS ADVANCED ENCRYPTION STANDARD (AES)?

A: The Advanced Encryption Standard (AES) is a symmetric-key block cipher algorithm. AES is a subset of the Rijndael cipher developed by two Belgian cryptographers, Vincent Rijmen and Joan Daemen. AES is capable of handling 128-bit blocks, using keys sized at 128, 192, and 256 bits. Key size is unlimited, whereas the maximum block size is 256 bits. AES is more secure and enables faster encryption than its predecessors DES and 3DES. Overall AES has proven to be a reliable cipher over time.

MARCH |

Q: BLUETOOTH: CONVENIENCE WITH A PRICE?

A: We use Bluetooth technology every day to connect our headphones, fitness trackers, car hands-free systems, etc. It’s important to know about the security issues associated with the technology. Bluetooth sends data wirelessly, where it can be intercepted by the wrong people. To protect your information, consider setting your devices to “undiscoverable” when not in use. Never accept pairing requests from unknown parties. Download and install regular security updates for your devices.

Q: IS THERE A MISTAKE IN THE WORD “PHISHING”?

A: Phishing scams mimic reputable entities like banks, online resources, and legitimate, authorized organizations in an attempt to obtain sensitive information such as usernames, passwords, credit card details, etc. It’s called phishing because of a long-standing hacker tradition of using “ph” instead of “f”. Be careful not to fall for the tricks set up by those phishermen and prevent yourself from getting caught in the phish net.

Q: WHAT IS DIFFIE-HELLMAN KEY EXCHANGE?

A: Diffie-Hellman (DH) is a key exchange protocol originally conceptualized by Ralph Merkle and named after Whitfield Diffie and Martin Hellman, two cryptographers. DH allows two parties to securely establish cryptographic keys over a public channel without having shared anything beforehand. The established shared secret can then be used to derive keys that encrypt subsequent communications. The DH exchange itself does not authenticate the parties and so is vulnerable to a man-in-the-middle attack; variants of DH with authentication should be used.
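The exchange described above, worked through in Python as an added example (not code from the original page): two parties derive the same session key from public values alone, and a simulated unauthenticated relay shows why the answer’s man-in-the-middle caveat matters and how a transcript fingerprint, compared over a channel the parties already trust, exposes it. The modulus is intended to be the 2048-bit MODP group from RFC 3526 (transcribed here, so the block checks its primality at import); the party names, the key-derivation label and the fingerprint scheme are this example’s own choices.

```python
import hashlib
import hmac
import secrets

# Modulus intended to be the 2048-bit MODP group (group 14) of RFC 3526, with its
# generator 2; transcribed for this example, so a primality check guards against typos.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2

def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin test; enough to catch a mistyped modulus before it is used."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

if not is_probable_prime(P):
    raise ValueError("DH modulus failed the primality check; verify the transcription")

class Party:
    """One DH participant: keeps its private exponent secret, publishes g^x mod p."""
    def __init__(self, name: str, p: int = P, g: int = G):
        self.name, self.p, self.g = name, p, g
        self.private = secrets.randbelow(p - 2) + 1      # x in [1, p-2]
        self.public = pow(g, self.private, p)

    def session_key(self, peer_public: int) -> bytes:
        # Reject 0, 1 and p-1: they force a predictable shared secret.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid peer public value")
        shared = pow(peer_public, self.private, self.p)
        size = (self.p.bit_length() + 7) // 8
        # Never use the raw shared secret as a key; hash it under a label (label chosen here).
        return hashlib.sha256(b"dh-example-session-key" + shared.to_bytes(size, "big")).digest()

def fingerprint(own_public: int, peer_public: int, p: int = P) -> str:
    """Short transcript hash over both public values (this example's own scheme).
    Comparing it over an authenticated channel exposes a relay that swapped the values."""
    size = (p.bit_length() + 7) // 8
    lo, hi = sorted((own_public, peer_public))
    return hashlib.sha256(lo.to_bytes(size, "big") + hi.to_bytes(size, "big")).hexdigest()[:16]

def honest_exchange() -> bool:
    """Alice and Bob exchange public values directly: same key, same fingerprint."""
    alice, bob = Party("alice"), Party("bob")
    keys_agree = hmac.compare_digest(alice.session_key(bob.public), bob.session_key(alice.public))
    return keys_agree and fingerprint(alice.public, bob.public) == fingerprint(bob.public, alice.public)

def relayed_exchange() -> dict:
    """An unauthenticated relay substitutes its own public values in each direction.
    Neither honest party can tell from the key material alone; the fingerprints differ."""
    alice, bob = Party("alice"), Party("bob")
    relay_a, relay_b = Party("relay-facing-alice"), Party("relay-facing-bob")
    k_alice = alice.session_key(relay_a.public)      # Alice believes this came from Bob
    k_bob = bob.session_key(relay_b.public)          # Bob believes this came from Alice
    return {
        "relay_shares_key_with_alice": hmac.compare_digest(k_alice, relay_a.session_key(alice.public)),
        "relay_shares_key_with_bob": hmac.compare_digest(k_bob, relay_b.session_key(bob.public)),
        "alice_and_bob_agree": hmac.compare_digest(k_alice, k_bob),
        "fingerprints_match": fingerprint(alice.public, relay_a.public) == fingerprint(bob.public, relay_b.public),
    }

if __name__ == "__main__":
    print("honest exchange agrees:", honest_exchange())
    for check, result in relayed_exchange().items():
        print(f"{check}: {result}")
```

The relay ends up holding one key with each honest party while the two honest parties hold different keys, which is exactly the situation an authenticated DH variant (signed public values, or a fingerprint comparison as here) is there to detect.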

Q: WHAT IS AN SSL HANDSHAKE?

A: An SSL/TLS connection between a client and a server starts with a “handshake.” This takes a few steps, starting with validating the identity of the other party and concluding with the generation of a common session key. First the server sends its public key to the client to be used for encryption; the client generates a symmetric key, encrypts it with that public key and sends it back; the server then decrypts this session key using its private key. Now the server and the client are ready to use the symmetric key to encrypt and decrypt the data they transfer.

FEBRUARY

Q: IS FACE RECOGNITION TECHNOLOGY FOR AUTHENTICATION ONLY?

A: Face recognition technology is already helping in many areas of our lives, such as airport security screening, friendly unsupervised video surveillance, investigation of crime scenes, etc. Let’s explore how the technology can be used to personalize marketing. It can, for example, replace a store loyalty card. When you walk into the store, the staff would know what you bought last time, provide you with personal offers, and redeem your points. The store itself may tailor its offerings to you by analyzing facial data, such as gender, age, and ethnicity. The possibilities are endless.

Q: DOES TLS USE SYMMETRIC OR ASYMMETRIC ENCRYPTION?

A: Both. TLS uses an asymmetric encryption algorithm only to establish a secure client-server session. For asymmetric encryption, the sender needs a public key to encrypt data and the receiver needs the matching private key to decrypt it. Bulk payload encryption requires speed, so a symmetric encryption algorithm is used to exchange information over the established secure session. For symmetric encryption, sender and receiver share a single symmetric key to both encrypt and decrypt data.

Q: “OK, GOOGLE” SHOULD I BE CONCERNED ABOUT MY PRIVACY?

A: Voice-enabled assistants, like Google Home, Amazon Echo, etc., can answer your question, provide a weather report, turn up the thermostat, control the lights, or even order a pizza. This convenience comes with a price. The assistant is always listening: consider using the “mic mute” button to turn it off when not needed. Anyone who can speak to it can control your device: consider not connecting some IoT appliances, like smart door locks, and disable payment options you are not using. Enjoy your digital home assistant, but don’t make it the host.

Q: WHAT IS OBFUSCATION?

A: The purpose of obfuscation is to prevent someone from understanding the meaning of something. In software development, it’s often used on the computer code to make tampering, reverse engineering, or theft of a product’s functionality more difficult. It’s important to understand that obfuscation is not like encryption, but rather like encoding. It can be reversed by using the same technique or simply as a manual process that just takes time.

Q: WHAT ARE THE FACTORS OF AUTHENTICATION?

A: There are three main categories of authentication:

  • Knowledge is something you know, for example a simple user name and password;
  • Possession is something you have, such as an access card or key fob;
  • Inherence is something you are, a biometric characteristic like a fingerprint.

Sometimes your location is considered a fourth factor. Multifactor authentication significantly increases security but will obviously impact user experience.

JANUARY

Q: WHAT IS DATA ENCODING?

A: In computer technology, encoding transforms original data into another format so it can be transferred to and consumed by different systems. For example, binary files are converted with the binary-to-text Base64 encoding so they can be sent over email. Encoding uses publicly available algorithms and can be easily reversed (decoded). The main purpose of encoding is not to keep information secret, but to ensure it is safely and properly consumed.

Q: IS BIOMETRICS THE ULTIMATE AUTHENTICATION SOLUTION?

A: Biometrics is the technical term for metrics related to human characteristics, like your fingerprint, voice, iris, etc. Many consumer products have adopted biometrics for authentication as a matter of user convenience, while enterprise-grade products are opting out to ensure maximum information security. The main authentication factor is knowledge, such as a password or PIN. Biometric data was never designed to be the secret. Can you imagine yourself wearing gloves all the time?

Q: IS FACE ID MORE SECURE THAN TOUCH ID?

A: Apple claims there is a 1 in a million chance that someone can unlock your device using Face ID, compared to a 1 in 50,000 chance of someone having the same fingerprint as you. Does this mean the security of Face ID is 20 times higher? The important thing to remember is that Face ID and Touch ID are more about convenience and design than security. Your password (PIN) will always remain the biggest point of weakness on your device, so it’s best to make it a strong one.

Q: WHAT THE “HEX”?

A: Hexadecimal numbers (hex, or base 16) are widely used in computing and math as a representation of binary values. Each hexadecimal digit represents four bits, or half a byte. Sixteen unique symbols, 0-9 and A-F, are used to represent a value.

This purple color has the HTML hex number #7334A4:
73 (hex) is (7×16) + (3×1) = 115 (decimal) of red
34 (hex) is (3×16) + (4×1) = 52 (decimal) of green
A4 (hex) is (10×16) + (4×1) = 164 (decimal) of blue
In RGB space our color is rgb(115, 52, 164).

This is a very condensed version of the many security terms and acronyms in use today, but we hope it helps. Don’t stop now. Learn how you can use encryption to build trusted communications with white papers, reports, webinars, and videos.


16 Nov 2018
TLS encrypted delivery

Is TLS good enough for secure email?

When it comes to collecting sensitive customer data, you simply cannot afford to take any chances. Your customers trust you and you need to protect them – and their most-personal details. But, while protecting your digital perimeter is important, your organization also needs to ensure sensitive data stays secure during transit.

One way to do this is to leverage a TLS encryption solution. But what exactly is TLS? How does it work? And when is it good enough for secure email?

Here’s what you need to know about TLS:

What is TLS?

In layman’s terms, TLS, short for ‘Transport Layer Security’, is a method of encrypting the connection between two parties communicating over the Internet – think of an encrypted tunnel. TLS can be applied to email to prevent unwanted eyes from viewing messages in transit – or from accessing data transmitted between a user and a website. The ease of this type of message encryption makes it one of the more popular delivery methods.

When is more message security needed?

TLS is one of the most basic and simple methods of delivering secure messages. But is it secure enough? It depends – you tell us.

Do you have access to alternative encryption methods if a TLS connection is not available? What exactly are your security needs? Are you worried about third parties, like Google via Gmail, scanning your correspondence? Are you worried about man-in-the-middle attacks, where a supposedly secure connection is compromised? These are just a few of the questions you need to address when determining whether TLS is secure enough for you.

How do you get more message security?

While regular TLS-encrypted messages do have their benefits, this delivery method doesn’t always meet every one of your customers’ needs. That’s why Echoworx OneWorld goes further, automatically offering more encryption delivery methods. OneWorld also offers flexibility within the TLS environment – with the ability to create specific policies for using TLS and branded email footers highlighting that a message was delivered securely.

Are there secure alternatives to TLS?

In instances where TLS is not desirable, you need to have other options – to ensure no message goes out unencrypted or to a compromised environment. And there are a variety of other secure delivery options available, from public key encryption methods, like S/MIME and PGP, to secure web portals.

Echoworx’s OneWorld encryption platform offers all these options, as well as encrypted attachments. And, since OneWorld checks to see if TLS is available before transit, sensitive messages are never sent unencrypted.
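As an added example (not Echoworx code, and not the OneWorld product’s logic), the decision described in this post and in “When is more message security needed?” above, in Python: check whether the receiving server offers STARTTLS before transit, apply a per-domain policy, fall back to a portal rather than cleartext, and distinguish opportunistic TLS (which accepts any certificate and so stops only eavesdropping) from verified TLS (which also defeats the man-in-the-middle case the post raises). The EHLO replies, the example domains and the policy names are constructed for this illustration.

```python
import ssl

# Constructed EHLO replies, in the shape a receiving mail server returns them.
EHLO_WITH_STARTTLS = """250-mail.example.com Hello
250-SIZE 52428800
250-STARTTLS
250 8BITMIME"""
EHLO_WITHOUT_STARTTLS = """250-legacy.example.net Hello
250-SIZE 10485760
250 8BITMIME"""

# Hypothetical per-domain delivery policy (illustrative names, not a product's settings):
#   verified-tls : TLS only with a verified certificate; otherwise use the portal
#   opportunistic: TLS when offered, accepting any certificate; otherwise use the portal
#   portal       : always deliver via a secure web portal / alternative method
POLICY = {"example.com": "verified-tls", "example.net": "opportunistic", "example.org": "portal"}
DEFAULT_RULE = "opportunistic"

def parse_ehlo(reply: str) -> set:
    """Extension keywords a server advertises; the first line is the greeting, not an extension."""
    keywords = set()
    for line in reply.splitlines()[1:]:
        body = line[4:].strip()          # drop the "250-" / "250 " prefix
        if body:
            keywords.add(body.split()[0].upper())
    return keywords

def tls_context(verify_peer: bool) -> ssl.SSLContext:
    """Verified TLS checks the certificate chain and hostname, which is what defeats an
    active man-in-the-middle. Opportunistic TLS still encrypts the hop, so it stops
    passive eavesdropping, but accepts any certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if not verify_peer:
        ctx.check_hostname = False       # must be cleared before verify_mode can be relaxed
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def certificate_checked(ctx: ssl.SSLContext) -> bool:
    """True only when the context will reject an unverified or mismatched certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname

def choose_delivery(recipient_domain: str, ehlo_reply: str, policy: dict = POLICY) -> dict:
    """Decide the delivery method before transit. A sensitive message never falls back to
    cleartext: if the rule is 'portal' or the server offers no STARTTLS, use the portal."""
    rule = policy.get(recipient_domain, DEFAULT_RULE)
    if rule == "portal" or "STARTTLS" not in parse_ehlo(ehlo_reply):
        return {"method": "portal", "rule": rule, "certificate_checked": None}
    ctx = tls_context(verify_peer=(rule == "verified-tls"))
    return {"method": "starttls", "rule": rule, "certificate_checked": certificate_checked(ctx)}

if __name__ == "__main__":
    for domain, reply in [("example.com", EHLO_WITH_STARTTLS), ("example.net", EHLO_WITH_STARTTLS),
                          ("example.net", EHLO_WITHOUT_STARTTLS), ("example.org", EHLO_WITH_STARTTLS)]:
        print(domain, choose_delivery(domain, reply))
```

The point the two contexts make is that “TLS was used” answers only part of the post’s question: an opportunistic connection protects against someone reading the wire, while only a context that verifies the peer protects against someone standing in for the receiving server.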

By Christian Peel, VP Engineering, Echoworx

15 Nov 2018
protecting your customers is more than just building a bigger firewall

The World Turned Upside Down? Digital Trust, Paradox and Encryption

Gaining a customer’s trust is a reward earned only after many years of careful branding, superb service and product quality. And a trusting customer is a loyal customer who you can count on to work with you every time – through thick and thin.

Right?

Not quite.

When it comes to gaining digital trust, traditional approaches can go topsy-turvy in a hurry. Paradoxically, unlike the delicate offline relationships you nurture so carefully, gaining digital trust is a piece of cake – an ooey gooey cake – where users are more likely to share personal details with you than they would with a person they are dating. In fact, according to Echoworx research, the average user takes just 30 seconds to assess the safety of an email before sending along their most-personal data.

Sounds sweet? It is. Maybe even too sweet – since the ease of getting customers to trust your brand online comes with a huge price tag of responsibility that is too much to chew for the digitally unprepared. And you are only one slip-up away from losing them forever – with 80 per cent of customers considering leaving your brand after a breach.

So, given that your organization invests so much money and time building your brand, why risk it all crashing down by not adequately protecting sensitive data? This is where pre-emptive investments in cybersecurity infrastructure suddenly start making sense – in the organizational sense.

In the past, cybersecurity was traditionally seen as a more internal issue. In layman’s terms, the mantra was, if you keep the bad guys out, the money stays in the bank. But, given today’s customer-centric view on providing digital services, and the real threats of ransomware attacks, this view has evolved into an organizational problem – a crisis of brand.

So how do you prevent losing your customers?

Easy: You protect them.

And protecting your customers is more than just building a bigger firewall. You also need to consider sensitive data which leaves your walled garden of information. While encryption is an effective way of securing your communications, clunky solutions make your messages look like spam – to the detriment of the end user or customer, and therefore defeating the point.

Secure encrypted messages should look authentic and be flexible enough to cater to the needs of your customer base. Branding, languages and any other organization-specific details should be customizable so as not to affect user experience. This not only eliminates confusion (something scammers thrive on) but is also just good customer service.

You also need to consider offering multiple delivery methods to meet different customer needs. For example, sometimes you want to encrypt a document, not an entire message. You might look for a delivery method which allows for attachment-only encryption.

The more your encrypted messages mimic the look and feel of your regular communications, without sacrificing user experience, the more your customers trust digital interactions with you. And the more you protect them, the less likely you are to experience a devastating breach. This is how investing in data privacy is not only good for protecting your organizational infrastructure – it’s also good for your business, your brand and is just good customer service.

By Lorena Magee, VP of Marketing, Echoworx

19 Oct 2018
Am I a data controller or data processor

A Match Made in the Cloud: The Data Controller and the Data Processor

The EU’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018. Most notably, the GDPR gives individuals more control over their personal information, and it requires that companies be clear about why they are collecting information. Under the GDPR, corporations that access customer information are defined as a controller and/or processor. Any corporation that does business within the EU or with EU citizens or residents must comply with the GDPR, even if it is based outside Europe.

What’s the relationship between controllers and processors?

The controller is the person, company or agency which determines which data will be collected, from whom and for what purpose. The controller also determines where and how personal data is stored and managed. The processor is the person, company or agency that processes data on behalf of a controller. In effect: the controller is looking for data storage, and the processor provides the storage. But both are subject to the GDPR.

In most circumstances, controllers will upload data to a processor. The processor will then process the data and store it in the cloud. Because the controller retains control over the data, trust in the processor is essential.

Here are some questions to consider:

  • Do you know where your processors’ servers are located?
  • Does your processor comply with the GDPR?
  • Are their cloud processes secure? Can they prove this with third-party audits?
  • Is your processor WebTrust certified? Are they SOC2 compliant?

Controllers must also be clear about data retention policies. Individuals must know how long their data will be kept, and data cannot be held longer than necessary. At the end of that period, all data must be destroyed. Processors who store data in multiple systems must have procedures in place to ensure that it can be deleted.
As a data processor, Echoworx only delivers mail to end users. We store all emails in encrypted form, and delete them promptly. We’re in full compliance with the GDPR.

What does this mean to me?

There are many instances where organizations might encounter touchpoints in the controller/processor relationship. Take banking, for example: you might be a big bank that simply has too many customers to provide reliable and effective data encryption in-house. Your bank signs a contractual agreement with a third-party encryption provider to encrypt and send high volumes of secure financial statements. Since you retain control over customer contact and statement details, your role in this relationship is that of a data controller – whereas the third-party encryption platform, which processes the data for secure transit, is the data processor.
Ultimately, you are responsible for ensuring the safety of sensitive customer details – from something as simple as their address to something more complex like their financial history. And, under regulations like the GDPR, and even newer regulations, like California’s AB 375, you are also responsible for ensuring your third-party processors abide by your security standards.

To help establish a baseline of what is needed, you might consider investing in a third-party cybersecurity audit – here’s what you need to know.

Cybersecurity Leadership Exchange Forum (CLX Forum) provides additional insight

A substantive discussion of the GDPR and its implications is provided by the CLX Forum, a Canadian thought leadership community, in their book Canadian Cybersecurity 2018: An Anthology of CIO/CISO Enterprise-Level Perspectives. Among many interesting observations, Edward Kiledjian, VP Information Security, Compliance and CISO at OpenText, discusses the question of who owns personal information. While this has yet to be settled in North America, the GDPR is clear that in Europe, private citizens now own their data. At any time, an EU citizen can revoke an organization’s right to store his or her personal data. And if an EU citizen asks an organization to destroy data, the organization must do so within one month. It’s also important to note that previously collected data is not exempt from these regulations. If your organization has collected data from EU residents in the past, controllers must obtain consent for current use of that data. [1]

Another important aspect of the GDPR is that its regulatory agency is actively testing security. As part of this process, it is also measuring how companies respond to attacks. As Amir Belkhelladi, Partner, Risk Advisory, at Deloitte Canada, points out, corporate boards are now directly accountable to the GDPR regulatory agency. Boards must understand how data is collected, used, stored and destroyed. They must also ensure that management is following these new regulations. [2]

Fines with teeth

Before the GDPR, companies worried mostly about the reputational impact of a cybersecurity breach. Now, in addition to expensive brand damage, there are serious financial implications for security failures. Companies that don’t adequately protect data can face fines of up to 20 million Euros, or 4 per cent of their global annual revenue, whichever is higher. Companies have just 72 hours to report a breach, and they are required to notify customers “without undue delay” after becoming aware of a breach.

Companies that do not provide goods or services to EU residents are not required to comply with the GDPR. But the GDPR also applies to EU residents living abroad and to companies that hire third parties with connections to EU countries. For those that continue to do business in Europe, privacy by design will become their new watchword. Organizations must ensure their systems meet these stringent standards. Will some small organizations decide that they can no longer do business with EU citizens? Almost certainly. But for every organization that does operate in Europe, compliance should be mandatory. And since the GDPR is the most stringent set of privacy regulations ever enacted, companies that do comply can be assured that they are covered worldwide.

By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx

[1] CLX Forum, Chapter 12, “General Data Protection Regulation (GDPR)”

[2] CLX Forum, Chapter 3, “Coaching Your Board and Leadership Peers on Cybersecurity Issues”

11 Oct 2018
trust is the new currency in banking

How is trust the new currency in banking?

A recent Echoworx survey indicates that nearly half of customers send personal information using email and trust the safety of an email in 30 seconds or less. But is this trust warranted? When questioned, only 40 per cent of organizations who have encryption capabilities use the technology extensively to protect sensitive data – with a third of the emails that should be encrypted being sent over open lines. More worrying is that most data breaches go undetected, and that 61 per cent of employees admit sending confidential information in unencrypted emails.

Trust is critical

Mark Carney, governor of the Bank of England, says that maintaining public confidence and trust is the primary role of central banks. In addition, the “past, present, and future” of financial institutions depends on public confidence.[1]

And to be trusted, according to a recent Javelin report, a bank must be reliable in how it protects sensitive customer data. This reliability translates into how personal data is stored, the proactive measures in place to prevent unwanted access to accounts and the compensation formulas in place in the case of loss or fraud. [2]

Will GDPR have an impact?

With the recent adoption of the GDPR in the EU, institutions will now have to publicize any breach within 72 hours. This will almost certainly affect consumer perceptions about banks and their safety measures, particularly since public perception is at odds with reality in this regard: 1 in 4 institutions have been hacked, yet only 3 per cent of customers believed that their own institutions had suffered this fate. Speaking about the ephemeral nature of trust, Mark Carney has said, “Trust arrives on foot, but leaves in a Ferrari.” In the wake of GDPR, more institutions may come to understand this.

Customer data: an asset and a liability

Trust in financial institutions leads to more customers being willing to share their data. 60 per cent of consumers are willing to trade personal data in exchange for benefits – lower pricing on a financial product, for example. Millennials are the group that is the most willing to share their data; they are also the group that is the most aware of their data, and how banks collect it. Baby boomers and the elderly do have high levels of trust, but this does not translate into a willingness to share data.

Financial institutions know that 65 per cent of customers choose their financial institution based on privacy and security. And, as a result, over half of customers trust their primary financial institution.[3]

But how durable is trust in the event of a data breach? 86 per cent of customers indicated that they would switch their financial institution if it suffered a data breach, and those that place a premium on privacy and security would be well-placed to acquire some of these customers.

In reality, of course, many customers would find switching providers to be an inconvenience. But while these customers might not leave, they would still limit their business: 35 per cent of customers said they would reduce the number of transactions they make; 28 per cent would redistribute some assets to another provider; and 28 per cent would be cautious about making additional investments with their institution. In all these scenarios, the bank would experience a financial impact.

Banks can still build digital trust

There are many ways for banks to build digital consumer trust, which in turn will result in greater customer engagement and retention. Here are some of the most critical:

  1. Focus on the customer. Banks should focus on digital services that customers need and that are in their best interests. This customer-centric view should be evident at every level of the institution.
  2. Remove friction. Remove errors and streamline digital services. Work to understand why customers are having difficulties: this will help ensure lasting resolution is obtained.
  3. Brand secure communications. Customers should never be confused by digital communications, from fees to e-statements. Malicious emails mimic your legitimate communications to trick your customers. Any secure communications need proper branding and language options.
  4. Protect customers. Put policies in place to protect data and guard customer privacy. Actively defend against cybersecurity threats using proactive measures – like encryption.

Trust brings customers and encourages them to stay. Trust lets banks gain access to the information that helps them improve their services. Trust is the currency that customers value above all else. There can be little doubt: institutions that embrace trust, that make it central to their way of doing business, will thrive, even in a challenging landscape with ever-evolving threats.

By Derek Christiansen, Engagement Manager, Echoworx

———

[1] https://www.bloomberg.com/news/articles/2018-05-25/boe-s-carney-says-central-banking-comes-down-to-trust-in-money

[2] https://www.javelinstrategy.com/sites/default/files/18-4003J-FM-2018%20Trust%20in%20Banking%20Awards%20Whitepaper.pdf

[3] https://www.javelinstrategy.com/sites/default/files/18-4003J-FM-2018%20Trust%20in%20Banking%20Awards%20Whitepaper.pdf