Category: Information Security

31 Mar 2020
Encryption Isn’t Just for Financial Services

Bank, financial service and insurance (BFSI) institutions may be the overwhelming past and present juggernauts of secure communications, but they are by no means the sole future of this growing necessity – where information security spending is forecasted to exceed $170.4B in 2022.

Information security is becoming a keystone of any customer-centric business plan – and, in some cases, even mandatory – regardless of industry.

Encryption is no longer an add-on

As early adopters of encryption, BFSI organizations marketed their secure document delivery systems as ‘environmental-friendly’ or ‘postage-saving,’ with more onus put on the customer as an optional add-on. But in addition to streamlined, tree-saving digital features, a more substantial societal embrace of digital delivery methods has given rise to new regulations with teeth paired with expectations that sensitive personal data is being protected. Consequently, over 50 per cent of encryption adopters today, according to Echoworx data, state compliance as a primary reason for implementing an email data encryption strategy. A study by multinational law firm, DLA Piper, reports there have been over $126 million in GDPR fines since the General Data Protection Regulation went into effect in May of 2018.

Enterprise data encryption hits all-time high

While BFSI organizations continue to be the more-prominent adopters of encryption, accounting for a healthy 50 per cent stating extensive use in a recent Ponemon study, other industries are beginning to take note. In fact, according to the same report, manufacturing and transportation organizations are not far behind – accounting for 47 per cent respectively.

This changing trend isn’t a trend at all – but rather an evolution of how we protect data. As a tool of customer stewardship, encryption is a way for all industries to demonstrate that they value and care about the personal data of their patrons. As a mutually beneficial relationship, the resulting digital customer trust encourages consumers to continue conducting business while enabling an organization to effectively collect adequate amounts of data without compromising their integrity – resulting in better customer service.

Echoworx recognizes that the world of encryption is becoming more three-dimensional and varied in terms of its business use cases. In order to accommodate the mosaic of industries set to explode into the encryption market, we offer a wide array of flexible, scalable and user-friendly email data protection solutions to streamline any business process.

Ten ways encryption is being used across departments to protect data in email

Changing customers, changing views on privacy

From the introduction of encryption to popular instant messaging app WhatsApp in 2016 to headline-grabbing violations of international privacy regulations, like the massive €400K fine issued to Uber France for their fumbling of sensitive personal data, consumers are now more aware of and concerned about the protection of their personal data.

And yet they continue to provide their most precious digital details with little prompting – less prompting than needed for them to disclose their address to a first date, according to Echoworx data. But, if digital customers are easy to get, they are even easier to lose after a data breach and impossible to get back. So why take chances with their data?

According to a recent PwC report, strong levels of digital customer trust are a keystone of any customer service plan. In terms of sharing data, for example, 88 per cent of customers who trust an organization are more likely to provide accurate, reliable and consistent personal data. This, in turn, provides more information with which an organization might fine-tune their customer service program.

At Echoworx, we know that offering a streamlined encryption experience is not only good for customer experience – it helps bolster the levels of digital trust needed to build effective business relationships. As more industries go online and digital, this trend is set to occupy a more prominent role in most business use cases.

Fine-tuning the customer experience to align with enterprise goals and expectations

New international regulations demand encryption

By now we know the General Data Protection Regulation (GDPR) of the EU is spurring governments to take matters of data privacy seriously. But did you know that EU citizens are protected by the GDPR regardless of where they live or work? Did you know that Danish interpretations of the GDPR mean encryption is now mandatory for all business in Denmark? Did you know that the UK’s National Health Service (NHS) is eliminating fax machines completely?

Like it or not, organizations looking to compete internationally are going to have to adopt proactive data protection policies, like encryption, into every process. At Echoworx, we realize this can be complicated for massive international organizations sending out millions of sensitive messages a year. That’s why we have data centres located in six countries – including locations in the EU zones.

And it’s not just about the EU!

The encryption forecast is cloudy

While legacy on-premise encryption solutions might continue to dominate the market to the end of the decade, cloud-based encryption continues to grow. In fact, according to a recent Ponemon study, encryption in public cloud services grew over 10 per cent in 2017 – the highest year-over-year growth of any encryption use case observed in the report. We expect this trend to continue and grow stronger.

At Echoworx, our scalable and flexible email data encryption platform and worldwide presence are prepared for this cloudy new world. Our team of experts can help you migrate your on-premises encryption infrastructure to the cloud without any business disruption.

In addition to gaining the benefits of multiple delivery methods, branding and language options and other natural extensions to your existing system, there are additional cost mitigating benefits of working with Echoworx in the cloud. According to a recent Total Economic Impact™ study of Echoworx’s OneWorld encryption platform, conducted by Forrester Research, additional value can be unlocked by working with us as a third-party provider – including cutting down on overhead like support time and additional resources required to run encryption infrastructure in-house.

Encryption is bigger than finance!

Encryption is no longer just about saving paper on bank statements – it is becoming a part of everyday conversation. From international privacy regulations to customer service to actual customer expectations, encryption is no longer an option – regardless of industry. Be prepared – be proactive – talk to us today.

By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx

———

Sources:

  • Gartner Information Security Forecast – 2019 | Ponemon Global Encryption Trends Study – 2019 | PwC Report – Securing customer trust

24 Mar 2020

Creating a Work-from-Home Business Culture Beyond a Lockdown

Vulnerabilities, from poor data hygiene to weak authentication, can be further amplified during times of crisis when some, or even entire workforces, may be working from home. Here are some quick ways to prepare employees for remote working conditions:

Communicate the importance of corporate data

Employees understand the value of personal identifying data, like a credit card number or SIN, but do they view corporate data the same way? According to Gartner, the potential harm of insider threats at banks, for example, can be the same as, if not greater than, that of external threats. Organizations need to educate their employees on the importance of practicing adequate data hygiene when operating remotely.

Suspicious emails, even originating from internal users, need to be triaged to ensure their validity – especially when they contain strange attachments or vague context. Cybercriminals can compromise one account to enter a system before going after their actual targets. Known as ‘spearphishing attacks,’ these attacks can even originate via SMS.

To ensure outgoing data or sensitive information remains intact, employees need to be educated on the importance of encryption. Encryption is an effective way to keep the integrity of messages – to make sure only intended recipients have access. Offering a flexible suite of different ways to send securely, or even enforcing encryption via encryption policies, means secure messages are never rendered undeliverable or, worse, sent in the clear.

Teach the security basics 

As more workplaces move to employees’ homes, so does the business which they conduct. With the recent Coronavirus Disease 2019 (COVID-19), for example, businesses across the planet saw an immediate need for overnight digitization of nearly every business line. For Aviva UK, this meant pushing more of its customer service options online to take the strain off its call centres. The UK insurance giant explains on their website that following their government’s decision to encourage its citizens to work from home, they now encourage more customers to manage their accounts online via their app or by email as an alternative to calling.

But, from exchanging sensitive business agreements to delivering a tax return to something as simple as answering a customer query, there is going to be a lot of important data changing hands. Employees working from remote locations need to understand the importance of communicating this information clearly, safely and seamlessly with customers.

According to Kate Lister, the president of Global Workplace Analytics, as reported by The Washington Post, organizations pushing remote workplaces need to teach their employees everything down to the basics to ensure they follow proper organizational protocol. “Do they know how to use the video conference? Can they share files remotely? Do they know how to create a group discussion with their teammates? What if their laptop fails – is there a help number they can call?” said Lister.

Warn users of suspicious links

From strange pop-ups to emails originating from unknown senders containing links to malicious sites, phishing is a chameleon crime which can assume all shapes and sizes. And, according to a recent Gartner report, 90 per cent of all cyber threats originate with email – making phishing one of the most significant threats affecting contemporary digital business.

Any employee working remotely needs to understand the real threat phishing poses. Whenever they are working remotely, an employee should always question any suspicious link, even from their personal email if they are working on a personal computer. Encryption should always be applied to any outgoing messages containing sensitive information.

According to Nicole Coughlin Raimundo, the CIO for the Town of Cary, a tech hub in North Carolina, as reported by CNBC, she has seen an uptick in phishing campaigns targeting remote employees on account of COVID-19, whose initial outbreak forced the majority of American firms to immediately explore digital alternatives to physical workplaces. “As part of our work-from-home guidance, we’re continuing to encourage staff to be vigilant and exercise extreme caution when clicking on outbound links,” Raimundo said.

Use strong authentication and passwords

While complex passwords, paired with usernames, are a common go-to for organizational authentication, they are quickly becoming obsolete. To combat this growing issue of authentication, organizations are now demanding established and tested Multi-Factor Authentication (MFA) methods for verifying users are who they say they are.

In addition to educating employees on the importance of password complexity, organizations need to ensure adequate MFA systems are protecting their digital gates. Echoworx, for example, can employ policy-based MFA to ensure recipients are who they say they are before they are granted access to an encrypted message. In an age of zero trust, where anyone connecting to a digital system needs to be verified, MFA is an adequate safeguard.

Passwords can be weak, and security questions such as “what is your mother’s maiden name?” can be easily cracked.

Secure connections to prevent eavesdropping

A public wi-fi network can be a honeypot for employees working remotely. Whether they are installing themselves at a local coffee shop or just quickly checking their email on their mobile device, there are various reasons for connecting to a public wi-fi. While most public wi-fi connections may be perfectly safe, they should be avoided for the mere reason that they are easy to monitor – and may even be set up by malicious actors to collect information, from logins to personal data.

In addition to only working on trusted networks, employees should be connecting to a company-provided Virtual Private Network (VPN). A VPN routes a device’s traffic through a private server, so that any data transmitted is sent via the VPN rather than directly from the employee’s personal device.

Build strong firewalls and update security software

As a first line of security, a firewall paired with up-to-date security software, protocols and other preventative measures is a must for employees operating remotely. In addition to repelling attacks, or at least discouraging them, providing employees with the tools they need to practice proper data hygiene can enable them to identify and prevent security issues from becoming vulnerabilities for an organization.

Implement a BYOD policy

The Bring-Your-Own-Device (BYOD) culture is an inevitable feature of digital business. As more employees work remotely, there is an increased demand for them to use their own machines. But before they connect to company networks, and access company data, their devices need to be vetted, updated and secured by IT departments. This ensures that the computers, smartphones and tablets they use to connect to an organization are not going to pose vulnerabilities.

By Wen Chen, Senior Manager IT and Customer Support at Echoworx

04 Mar 2020

English-First Global Firms See Multilingualism as a Path to Growth

For decades, businesses have internationalized their global operations by adopting English. The gains from this have been real, but recent research suggests they could be even bigger if such internationalization can be paired with language localisation.

Global enterprises need to operate in English. It’s the primary language of technology, finance, regulators, and other major stakeholders. Firms with global operations need to have a unified language for communication and English-first policies have taken hold in many corporate headquarters and regional offices.

There are advantages to this, such as being able to communicate between offices in Mumbai, Shanghai and Sao Paulo. But even in economies with a high level of English-language skills – including tech hotspots such as the Nordics, Israel and Singapore – the use of non-native languages can cause confusion, miscommunication, and unnecessary risk.

Increasingly, firms and researchers are realizing that while the trend toward global English has brought benefits, there may be even more upside to having multilingual capabilities.

Here are some key recent findings and observations:

Multilingual businesses can embrace multiple ways of thinking

The World Economic Forum has recognized that the language people use can change the way they think, sometimes in surprising ways. For instance, Chinese speakers tend to take more gambling risks when they receive positive feedback in their native language, but they become more risk averse when the same feedback is given in English. “Reduced impulsiveness when dealing in a second language can be seen as a positive thing, [but] the picture is potentially much darker when it comes to human interactions,” the WEF noted. “In a second language, research has found that speakers are also likely to be less emotional and show less empathy and consideration for the emotional state of others.”

The WEF suggests firms embrace multilingualism even while having an “official” language. “A balanced exchange of ideas, as well as consideration for others’ emotional states and beliefs, requires a proficient knowledge of each other’s native language. In other words, we need truly bilingual exchanges.”

New technologies increase the need for native-language precision

Second languages are difficult to master in writing, and far more challenging to learn to speak. With the world’s largest technology firms promoting voice commands, the demand for better native-language interfaces is rapidly increasing.

“The mobile-first world is changing the way we interact with our devices, and we’re currently seeing a shift back to an older method of communication: speech. Users are increasingly starting to type using voice inputs rather than using the keyboards,” says William Bariselli, Industry strategy director at Oracle. He notes that around 60% of mobile phone users already speak to their device daily, with higher rates among younger generations.

As anyone who has responded to voice prompts on a customer-service line or received a nonsensical response from Siri or Alexa can tell you, speech recognition is far from perfect. But with Google, Apple, Microsoft and Amazon making massive investments in natural language processing and including voice features in virtually all hardware and software, it is certain that the trend toward voice will accelerate.

English is the language of cybercrime

English is the global language of both business and cybercrime. Consumer anti-virus firms Symantec and Kaspersky consistently note that email phishing and extortion scams almost always start in English before being adapted into other languages.

Scammers will use poor English deliberately to target people with lower-level reading skills – both less-educated native speakers and those who use English as a second language. Consultant and author Joseph Steinberg says this targeting of people with poor English skills is intentional and strategic. “As the vast majority of people simply do not write their emails with The King’s English, to put it mildly. A bogus email impersonating one from the head of corporate computer support is likely more believable with minor errors in it, than if it were written as well as most articles in the New York Times or the Wall Street Journal.”

Native-languages may be a legal requirement

Multilingual operations are often a requirement rather than a choice. Many jurisdictions have regulations that mandate bi- or multi-lingual services. Financial firms in Canada, for instance, must have both English and French content and interfaces for employees and clients. Similarly, Europe’s General Data Protection Regulation obliges firms to provide native-language services when dealing with third parties.

Even if multinationals are not required to adopt a local language by law, they will have to communicate with and serve institutions that must do so – such as financial and government institutions, particularly when it comes to official and sensitive communications.

“Enterprises can’t afford to have any vital instructions lost in translation when communicating sensitive data and private information,” said Jacob Ginsberg, Senior Director Market Intelligence with email data encryption leader Echoworx. “To avoid confusion, miscommunication or something as simple as a poor customer user experience, secure message notifications and instructions need to be clearly understood by those who receive them.”

Native language capabilities reduce costs

With local language capabilities, employees and customers can fully understand and interact with systems and software, improving their ability to use a product and learn its functionalities. “Only if all buttons, menu lists, commands, messages and notifications are clear, will your customers be able to recognize all advantages of using your application,” said Dorota Pawlak, owner of DP Translation Services, which localizes software for the Polish market. “Localization … ensures readability and preserves the original functionality to help your users understand your product, which in turn ensures better customer experience.” This lowers unnecessary queries to customer service reps, lowering support costs and freeing money for other activities.

Local language capabilities increase employee retention

Harvard Business School professor Tsedal Neeley sees many advantages of English as a global business language, but notes that forcing employees to adopt a foreign language can hurt performance, job satisfaction and retention. “When my colleagues and I interviewed 164 employees at GlobalTech [a pseudonym for a multinational] two years after the company’s English-only policy had been implemented, we found that nearly 70% of employees continued to experience frustration with it. At FrenchCo [another pseudonym], 56% of medium-fluency English speakers and 42% of low-fluency speakers reported worrying about job advancement because of their relatively limited English skills.”

People are more precise in their native language

English is essential to advance in sectors like technology and finance, but English as it is spoken in business is not the same as how it is spoken naturally and has serious limitations. “Phonetically, [business English] has almost nothing to do with American or UK English. They say it is ‘BBC English,’ but actually it is not. It is a phonetically simplified English that uses UK English grammar,” said Salvatore Sanfilippo, an Italian computer programmer with a U.S. cloud services firm. “While this allows people from around the world to communicate easily, it has nothing to do with the real English spoken in UK, US, Canada, and other countries where English is a native language,” says Sanfilippo.

A person’s first language will be their first preference

The most obvious reason for language localization is that a vast majority of people prefer to speak their first languages.

The Globalization and Localization Association, a global non-profit, notes a wealth of studies on language preference: 56.2% of consumers say that the ability to obtain information in their own language is more important than price, 65% of multinationals believe localization results in higher revenues, and 95% of Chinese consumers are more comfortable with websites in their language. The ability to communicate in multiple languages can even be a critical factor in the success of cross-border merger and acquisition deals.

Similarly, Common Sense Advisory polled 3,002 consumers in 10 countries, finding a substantial consumer preference for native tongues, noting that people who lack confidence tend “to avoid English-language websites, spend less time during their visits, and not buy products that lack instructions or post-sales customer support in their language.”

By Christian Peel, VP Customer Engineering at Echoworx

26 Feb 2020

Nordic Countries Score Huge Tech Successes, but Worries About Cybersecurity Mount

The Nordics have become a hot spot for innovation, producing technologies that have reshaped global industries, but governments and industry groups have been cautioning that the region’s phenomenal success could be threatened by weak cybersecurity.

When people think of the Nordics, they may visualize lands of elk and reindeer, but perhaps they should also be imagining “unicorns,” those rare start-ups that attain a valuation of US$1 billion. With just over 27 million people, the Nordics have been punching above their weight when it comes to producing innovative tech firms.

The Nordics – comprised of Denmark, Finland, Iceland, Norway, and Sweden – was already home to some of Europe’s largest legacy technology firms, including Ericsson, Nokia and Telenor. This has provided a foundation for start-ups that are relatively small, nimble, entrepreneurial, and with high growth potential.

Although most Nordic unicorns are unfamiliar to the public – with firms in areas like FinTech gaining large market share without much global attention – others have become household names. Skype helped make long-distance charges a thing of the past. Spotify shattered the dominance of Apple’s iTunes. Rovio Entertainment, creator of Angry Birds, boasts more than 4.5 billion downloads of its apps.

It’s been said jokingly that the region’s long winters have encouraged technology development as people don’t want to go outside, but more important factors are those that it shares with other innovation hotbeds – such as Silicon Valley, Singapore and Israel. These include open economies, a global outlook, regulatory support, high personal incomes, and highly educated populations.

The World Economic Forum’s most recent Global IT report ranked Finland, Sweden and Norway among the top five countries in terms of “network readiness” – sandwiched between number one Singapore and the U.S. at number five. That makes them among the world’s top locations in terms of the overall environment for technology use and creation, infrastructure, affordability, skills and technology adoption.

“The dynamism of Nordic companies is just exceptional, and the talent in the region is amazing,” said Jacob Ginsberg, Senior Director Market Intelligence of global email data protection leader Echoworx, which recently introduced Nordic languages to its message encryption platform and support network. “We’ve invested in multiple high-growth countries and regions globally, but few have as many advantages or inspire as much confidence as the Nordics.”

Success attracts Cybercrime

As could be expected, the success of the Nordic tech firms has made them a tempting target for cybercriminals, industrial espionage, and even hostile foreign governments.

Nordic firms are acutely aware of the risk of lax cybersecurity. In KPMG’s 2019 CEO survey, 21 per cent of Nordic CEOs rated cybersecurity risks as the top threat to their business while another 19 per cent said their top risks stemmed from emerging and disruptive technology.

The consultancy also found that 65 per cent of Nordic CEOs believe that becoming a victim of a cyber-attack is a case of “when,” not “if” and that 72 per cent view information security as being of strategic and competitive importance.

KPMG’s 2019 Global CEO Outlook | Nordic Executive Summary

Recognizing the threat, business organizations and governments have launched multiple initiatives to help enterprises overcome technical and financial barriers that may hamper critical data security and business integrity. However, both industry and government say there is still some way to go.

The Danish Business Authority (DBA), for instance, has identified cost as the single biggest factor impeding firms from strengthening their IT security defences. The industry group estimates that as many as 30 per cent of all small to medium-sized enterprises (SMEs) are “acutely vulnerable” to malicious malware attacks.

Meanwhile in Norway, a YouGov survey for the Oslo-headquartered Norwegian Center for Information Security (NorSIS) found that complacency and over-confidence are a major concern, describing the finding as “deeply troublesome.”

“What is extremely worrying from the survey is that so few Norwegian companies seem to recognize the actual extent of the risk they face from cyber space,” NorSIS director general Peggy Heie told the media. “Company leaders cannot expect partners and authorities to take all the responsibility for the protection against cybercrime.”

Part of the issue is that while Nordic organizations have a high level of digital maturity, the region’s Chief Information Officers (CIOs) have tended to focus on optimizing their existing business processes.

In back-to-back annual surveys of Nordic CIOs, global research and advisory firm Gartner found that while they are well positioned with streamlining internal processes, they tend to be back-office focused. As they lack strong relationships with external customers or stakeholders, they are less likely than their international peers to recognize external disruptive factors.

But this tendency toward complacency may be changing quickly. Tech consultancy IDC has forecast that Nordic IT services spending will grow from $24.4B in 2018 to $29.5B in 2023. However, in spite of forecast growth, the consultancy noted that international vendors seeking to enter the market will still need to up their game and deliver tailored advice and hands-on project services.

“Our experience on the ground is very much in line with the IDC forecasts and recommendations,” says Echoworx’s Ginsberg. “Even though there is growing demand, Nordic CIOs want services tailored for their needs, including things like true local-language functionality and support services, as well as solutions that can scale to suit everything from two-person startups to ten-thousand-employee conglomerates.”

Echoworx this month announced the expansion of its European footprint with Nordic language support.

By Lorena Magee, VP Marketing at Echoworx

20 Jan 2020

How a Choppy Merger Can Hurt Your Acquisition

Adequate preparation, due diligence and stable execution are necessary for smooth mergers and acquisitions. Failure to do so can result in a choppy path – with potential to hold back, delay and hurt any resulting M&A deal. Often overlooked in the M&A process, issues surrounding digital synchronization and cyber security can be major contributors for a bumpy transition. Here are some digital reasons why an M&A deal might go sour:

A lack of digital protection increases digital risk

Despite their devastating effects on almost every facet of business, even some of the biggest data breaches continue to go undetected throughout high profile M&A deals. In addition to their immediate damage to a deal’s value, an unnoticed data breach can literally poison another organization’s digital infrastructure upon integration. And the longer these breaches go unnoticed the more pronounced (and expensive) their effects.

Take the now-infamous Verizon/Yahoo! acquisition, for example. In 2017, Verizon acquired Yahoo! before realizing their new addition had suffered several breaches just a few years prior. Aside from nearly derailing the entire deal, the result saw a $350M reduction in purchase price, a $35M penalty dished to Yahoo! from the U.S. Securities and Exchange Commission (SEC) and a subsequent $80M paid out through lawsuits to disgruntled shareholders and customers.

But hunting for a history of data breaches is more than just Googling the name of a target organization and hoping nothing comes up. You must go deeper, and you must think outside of the box. In addition to looking for an actual breach, you need to consider potential for a breach and how a lack of comprehensive cyber security safeguards might put your data at risk during a tentative integration process.

For sensitive M&A communications, for example, you need to ensure any valuable information being exchanged, from trade secrets to internal agreement documents, is protected with adequate email encryption safeguards. To help insulate your organization from risk during the M&A process, Echoworx offers an encryption solution with six flexible delivery methods and additional security tools, like message recall.

Why take a chance with your most-valuable company data? Can you ensure that any sensitive email sent, for a wide range of reasons, never goes to a recipient unencrypted?

Legacy technology slows M&A deals

Unanticipated delays brought by poor synchronization with legacy digital equipment during an M&A affect your bottom line and your customer experience, and expose your system to vulnerabilities. Before signing on the dotted line in your M&A deal, consult your IT department to anticipate any possible digital snags. This ensures when it’s time to integrate, there won’t be any major digital holdups or service interruptions for your customers.

If you do find outdated technology, or incompatible technology, third-party cloud-service providers can help bridge the gap. You might, for example, be a bank with customers in Denmark, where encryption is mandatory under the General Data Protection Regulation (GDPR) to conduct business. You cannot take a chance on a target organization with a legacy on-premises encryption platform. But what if you lack the time or resources to upgrade and upload their email infrastructure to your cloud?

OneWorld encryption platform easily migrates any legacy message encryption process to the cloud. As a Software-as-a-Service (SaaS) provider, our dedicated team of encryption professionals do all the heavy lifting – so you don’t have to. A problem which might have taken your IT department time, money and resources to solve is literally done at the click of a button.


Non-compliance is closing business doors

You might know the rules of your market and you know the potential value of acquiring or merging with a target organization. But how much do you know about their industry? Are they prepared for and working within the rules of the laws and regulations which affect their industry or geographical area? Or, alternatively, if they do not protect data in their jurisdiction, do you really want to risk trade secrets being intercepted?

In the United States, for example, you might be looking to expand your bank across the country by acquiring established financial hubs in each of your target states. But is your target organization in California prepared for the recent California Consumer Privacy Act (CCPA), which came into effect January 1, 2020?

To keep data safe and compliant in transit under various rules, privacy laws and regulations, you need a flexible encryption solution which can quickly adapt to any regulatory environment. Even if there are no rules, or your target cannot support encryption, there are delivery options to accommodate.

Human error is an M&A liability

From unintentional attacks by inadvertent threat actors to deliberate internal sabotage, human error continues to play a part in 95 per cent of all security incidents, according to research by IBM. And users of webmail services continue to be primary culprits contributing to this problem – sometimes without even realizing it. But human error is hard to anticipate, near impossible to fix and can happen to anyone.

Take the United States Marine Corps, for example. In 2018, this elite military organization, with all its defenses and vigilant staff, still managed to leak the information of about 21,500 marines, sailors and staff by inadvertently sending a non-encrypted email to an incorrect distribution list. You might dismiss this digital slip as a fluke, but, according to the Information Commissioner’s Office (ICO), an independent UK privacy watchdog, incidents of incorrect address information are actually quite common, accounting for 12 per cent of reported data security incidents alone in Q4 of the 2018/2019 year.

Sending a sensitive document doesn’t always have to be a complex process – one involving registration, more information, and additional authentication.

For an M&A process, where hundreds of back-and-forth emails between multiple parties and stakeholders contain sensitive information, from trade secrets to insider deal information, nothing can be left to chance. Since a single slip-up can mean the difference between a deal-signing handshake and a trip back to the negotiation table, organizations need to insulate themselves from human error.

A simple way to rectify human error for sensitive communications is to encrypt them – with secure vetted methods ensuring only intended recipients can view data or a message. But any encryption solution also needs to be flexible enough for day-to-day use. With our OneWorld encryption platform, for example, encryption can be made to fit any business case, from simple ‘Encrypt’ buttons to automatic encryption for certain message, recipient or attachment types.

By Jacob Ginsberg, Senior Director Market Intelligence, Echoworx

20 Dec 2019

CCPA vs GDPR: What’s the Difference?

In 2018, the business world shuddered as the General Data Protection Regulation (GDPR) came into full force. More shuddering is expected shortly with the California Consumer Privacy Act (CCPA) going into effect on January 1, 2020 – with enforcement measures beginning six months later. But what’s the difference between these two privacy acts? This article gives a high-level overview of the similarities and differences between the GDPR and the CCPA and why you need a flexible policy-based encryption solution to deal with one or both of them.

What is the California Consumer Privacy Act (CCPA)?

The CCPA establishes data privacy rights for Californian residents and it applies to businesses that sell products and services to California residents and collect information about them.

Under the CCPA, California residents have the right to:

  • Know what personal information is collected about them.
  • Know whether their personal information is sold or disclosed and to whom.
  • Opt out of allowing businesses to sell their personal information.
  • Access the personal information collected about them—in the last 12 months—in a user-friendly format.
  • Equal service and price, no matter what privacy options they choose.
  • Erase personal data collected (in some situations).

Under the CCPA, Californians can opt out of almost all secondary uses of their personal information including sale to data brokers, tracking and other uses not directly related to service delivery.

Here’s what banks need to know about this law.

What is the General Data Protection Regulation (GDPR)?

The GDPR establishes data privacy rights for European citizens (who may or may not be residents); it’s a uniform privacy law that applies across the European Union to protect its 512 million citizens. Companies that do business in Europe are subject to the GDPR.

Under the GDPR, Europeans have the right to:

  • Access their personal data.
  • Correct errors contained in their collected personal data.
  • Withdraw consent for data processing.
  • Stop automated decision making when the decision has a legal implication.
  • Withdraw the consent that allows businesses to sell their personal information.
  • Erase personal data collected (in some situations).
  • Access some personal information collected about them in a user-friendly format.

Similarities between the CCPA and the GDPR

Both acts give consumers access to personal data, the right to have companies erase some personal data, a way to opt out of having their personal data sold to third parties and the ability to claim damages through a private right of action.

Differences between the CCPA and the GDPR

The GDPR gives citizens the right to stop automated decision making when there’s a legal implication and the right to correct errors in collected data but these aren’t included in the CCPA. It’s hard to say which act is more aggressive with enforcement penalties. While the GDPR tops out at four per cent of a company’s annual global revenues, the CCPA allows fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. Depending on the type of breach, those CCPA fines could add up quickly.

Advantages of the CCPA and the GDPR

For consumers, the advantages of the CCPA and the GDPR are clear: more privacy rights and the power to protect those rights through right of action damages and enforcement penalties. The advantage of the GDPR for business is that it’s one blanket regulation to conform to—which is easier than managing patchwork privacy. Imagine if every country in the EU had its own privacy regulations!

Challenges for businesses

American businesses don’t have to imagine patchwork privacy because it’s already happening with state privacy laws and laws governing cyber security, data security and data breach notification in Washington, Texas, Oregon, New York, New Jersey, Nevada, Maryland, Massachusetts, Maine and California. This means organizations that do business across America and Europe have an increasingly complex privacy landscape to navigate. Compliance must be built into the three Ps of business—people, process and products—because even sending an email is no longer simple.

National organizations, for example companies in banking, financial services and insurance, must adapt to and comply with new privacy laws because it’s unlikely the consumer data privacy trend will reverse itself.

Echoworx OneWorld: a flexible, policy-based encryption solution for GDPR and CCPA compliance

An enterprise privacy program covers everything from daily operations and compliance to policies, procedures and investigations. To build compliance across the 3 Ps of business, organizations must adopt a flexible, policy-based encryption solution.

OneWorld features that help enterprises navigate privacy laws including the GDPR and CCPA:

  • Definable policies – This allows you to control which communications get encrypted (and how) based on the message content. These policies are based on your needs, legislation and encryption best practices. Flexible controls for every scenario allow you to create a customized user experience for senders and recipients and stay in control of encrypted messages in transit and at rest. This policy-based encryption helps you stay compliant with privacy laws.
  • Easy and frictionless user experience – A recent Echoworx survey found that 53 per cent of organizations with encryption found it “too difficult to use.” OneWorld makes it easy for employees and customers to use, making encryption — and compliance — a consistent path of least resistance.
  • Enable inbound encryption – Emails with sensitive information—including protected personal information—are automatically identified, securely routed to the OneWorld web portal and encrypted. Encrypted delivery methods include TLS encryption, encrypted PDFs and attachments, certificate encryption and web portal encryption.

Whether it’s the GDPR or the CCPA, encryption is considered an appropriate measure for protecting personal data—and it comes with financial benefits. A recent Forrester Total Economic Impact™ study showed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits and a payback period of only seven months.

Are you ready to make flexible, policy-based encryption—that’s also user-friendly—part of your compliance strategy?

By: Brian Cole, Senior Manager Security Operations and Support, Echoworx

09 Dec 2019

Protecting Trade Secrets: A Crucial Part of Mergers and Acquisitions

Under normal circumstances, you might hide trade secrets behind hardened firewalls under heavy coded locks. But what about when you’re amid a mega merger or acquisition? You need to share intimate details with a prospective buyer or learn about what a target has to offer. But you also need to protect the integrity of sensitive digital data – ensuring any trade secrets which leave point A arrive intact at point B.

To make this work, you need encryption. But you also need an encryption platform which offers the flexibility to accommodate different business situations while featuring effective risk mitigating security measures. This can be easier said than done.

Here’s how our OneWorld encryption platform can help:

  1. Definable message policies for automatic encryption

Mergers and acquisitions are delicate processes involving a lot of back-and-forth correspondence between various concerned parties. Depending how many parties, or people, are involved, things can get confusing fast. Malicious actors prey on this confusion to get what they want – valuable confidential information about your company, like trade secrets.

With our OneWorld email encryption platform, you can set definable policies to ensure encryption is automatically applied to sensitive emails or attachments. Based on a predetermined set of triggers, like keywords or attachment types or something as simple as a specific recipient, emails and their content, including your trade secrets, remain uncompromised.

Automate your email security.
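The trigger types described above (keywords, attachment types, a specific recipient) can be pictured as a small rule evaluator. This is an added example, not Echoworx's code: the `EncryptionPolicy` fields, the trigger names and the sample messages are hypothetical and constructed for illustration.

```python
import os
import re
from dataclasses import dataclass
from email import message_from_string, policy as email_policy
from email.utils import getaddresses


@dataclass(frozen=True)
class EncryptionPolicy:
    """Hypothetical trigger set; the field names are illustrative only."""
    keywords: tuple = ()
    attachment_exts: tuple = ()
    recipient_domains: tuple = ()


def evaluate(raw_message: str, rules: EncryptionPolicy) -> list:
    """Return the triggers that fired; an empty list means none did."""
    msg = message_from_string(raw_message, policy=email_policy.default)
    reasons = []

    # Trigger: a specific recipient (matched here by address domain).
    headers = [str(h) for name in ("To", "Cc", "Bcc")
               for h in msg.get_all(name, [])]
    for _display, addr in getaddresses(headers):
        domain = addr.rpartition("@")[2].lower()
        if domain in rules.recipient_domains:
            reasons.append("recipient:" + domain)

    # Walk the MIME tree: attachments are judged by extension,
    # inline text parts are collected for keyword matching.
    texts = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = os.path.splitext(filename)[1].lower()
            if ext in rules.attachment_exts:
                reasons.append("attachment:" + ext)
        elif part.get_content_maintype() == "text":
            try:
                texts.append(part.get_content())
            except (LookupError, UnicodeError):
                # Fail closed: a body that cannot be inspected is protected.
                reasons.append("uninspectable-body")

    # Trigger: keywords, matched as whole words, case-insensitively.
    haystack = "\n".join(texts)
    for kw in rules.keywords:
        if re.search(r"\b" + re.escape(kw) + r"\b", haystack, re.IGNORECASE):
            reasons.append("keyword:" + kw)
    return reasons


def must_encrypt(raw_message: str, rules: EncryptionPolicy) -> bool:
    """Encrypt whenever at least one trigger fired."""
    return bool(evaluate(raw_message, rules))


# Constructed policy and messages (not real traffic).
POLICY = EncryptionPolicy(
    keywords=("confidential", "term sheet"),
    attachment_exts=(".xlsx", ".pdf"),
    recipient_domains=("target.example",),
)

# The recipient domain is mistyped, so the recipient rule cannot fire;
# the content and attachment rules still force encryption.
MISADDRESSED = """\
From: cfo@acquirer.example
To: counsel@targt.example
Subject: Draft term sheet
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Attached is the confidential valuation model.
--b1
Content-Type: application/octet-stream; name="valuation.xlsx"
Content-Disposition: attachment; filename="valuation.xlsx"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""

ROUTINE = """\
From: cfo@acquirer.example
To: reception@acquirer.example
Subject: Lunch on Friday

Table is booked for noon.
"""

if __name__ == "__main__":
    print(evaluate(MISADDRESSED, POLICY))
    print(evaluate(ROUTINE, POLICY))
```

Because the rules look at content and attachments as well as the address, the mistyped recipient in the first sample does not let the message leave in the clear.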

  2. Multi-branding prevents M&A confusion

If you’re a large international company, chances are you operate under multiple brands, out of multiple offices or in multiple languages. This can be problematic when executing delicate mergers and acquisitions, where message authenticity is crucial. From trade secrets to secrets regarding the actual M&A process itself, a confusing encryption experience can open doors to thieves.

With support for multiple brands in up to 22 languages, our OneWorld encryption platform ensures all your encrypted communications look like they come from you. And an easy configurable drop-down menu allows your recipients to interact with your encrypted message in all offered languages. This reduces the potential for confusing, misleading or fraudulent communication.

Add multi-branding to your encrypted messages.

  3. Only intended recipients can read your messages

When negotiating mergers and acquisitions, at some point you are going to be sending confidential trade secrets and other sensitive information to a prospective buyer or partner. While providing these details over the phone, via snail mail or in-person might seem more secure – these methods simply don’t cut it in our fast-paced digital age. But sending them via email can be risky (and even illegal) without protecting the message with adequate encryption.

But how do you retain control over a message once you’ve hit ‘send?’ How do you ensure only an intended recipient sees the sensitive information in your message?

In addition to other password options, our OneWorld encryption platform allows senders either to set their own secure passwords, communicated to their recipient via password hints or out-of-band, or to defer to a system-generated password. Both methods ensure that even if an encrypted email is sent to an incorrect recipient, or if a recipient’s email system is compromised, access is not granted without proper password authentication.

Gain more control over encrypted communications.

  4. Detailed reporting to dot your i’s and cross your t’s

Picture this: You sent a confidential encrypted email containing trade secrets to someone crucial to your M&A process. But somehow that email has been misplaced, they’ve forgotten their password for access, or you are not sure they have received it and time is of the essence.

Instead of just resending sensitive information, further muddying the waters, you need to make sure your original message has not been compromised or sent to an incorrect recipient, and that it has been sent at all. To help you check up on sent messages, and even recall them or change permissions, OneWorld offers a comprehensive set of reporting tools. As the saying goes: Better safe than sorry.

  5. Keep sensitive information safe in transit

At the end of the day, any trade secrets, or other sensitive information you might send throughout an M&A process, are only as secure as the delivery method used to send them. With six flexible secure delivery methods, to fit any business case, the OneWorld email encryption platform ensures no sensitive message goes out in the clear, no secure message is undeliverable and that your prospective partners, M&A targets or buyers can learn more about your company’s details in a safe and controlled manner.

Ensure secure delivery now.

By: Michael Roberts, VP of Technology, Echoworx

27 Nov 2019

Uniform or Patchwork Privacy Laws? How Your Bank Can Mitigate Cyber Risk

As more state privacy laws come into effect in the US, navigating privacy, data residency and jurisdictional requirements is more complicated than ever for banks and financial institutions with national and international reach. Let’s look at what these privacy laws are and how encryption helps banks and financial services institutions mitigate the risk that comes with juggling multiple privacy laws.

Patchwork privacy laws

America is gearing up for the California Consumer Privacy Act (CCPA) that goes into effect on January 1, 2020. The CCPA is now one of many privacy and data security laws that protect consumers across some states.

Current state privacy laws:

  • California Consumer Privacy Act (CCPA)
  • Nevada Senate Bill 220
  • Act to Protect the Privacy of Online Consumer Information (Maine).

While three privacy laws might not seem like much to handle, that’s not the whole picture. There are also laws governing cybersecurity, data security and data breach notification in Washington, Texas, Oregon, New York, New Jersey, Maryland and Massachusetts.

That’s a lot for any national company to keep up with and with each new law enacted, it becomes easier for companies to fall out of compliance, especially if they don’t implement proper risk management.

National privacy laws

National privacy laws include:

  • The General Data Protection Regulation (GDPR) in Europe.
  • The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.
  • The Act on Protection of Personal Information (APPI) in Japan.
  • The Health Insurance Portability and Accountability Act (HIPAA) in the USA.
  • The Electronic Communications Privacy Act (ECPA) in the USA, often criticized for being outdated and having no impact.

What kind of privacy legislation is best for banks?

Banks and other financial institutions are subject to strict legislation outside of general privacy laws. For example, the Gramm-Leach-Bliley Act (GLBA) governs what kind of information can be shared with third parties and requires financial institutions to disclose how they protect their clients’ private data.

We won’t list the regulations financial services companies are subject to here—suffice to say, banks are already heavily regulated.

The best type of privacy legislation for banking, financial services and insurance companies is legislation they influence to meet their needs (and the needs of their customers).

We’d suggest that one national privacy law would be easier to manage than multiple state laws on top of international privacy laws. Whatever the answer is, banks would be wise to weigh in on the idea of a national privacy law in America—because other businesses sure are.

Why the business community is advocating for an American national privacy law

The CCPA is hailed as “America’s answer to the GDPR” but that doesn’t hold up in terms of reach. The GDPR and the CCPA are similar regulations and both allow for sharp fines for lack of compliance. But the GDPR protects citizens of nations belonging to the European Union—that’s 512 million people. There are 327 million people in the US and 39.5 million people in California.

How many more laws need to be enacted for all 327 million Americans to enjoy the same privacy rights as Californians and Europeans? For many people and businesses, the answer is “too many.”

The complications of patchwork privacy legislation are one reason the Business Roundtable—an association of chief executive officers who promote the U.S. economy through sound public policy—is advocating for a national privacy law for Americans.

Marc Benioff, CEO of Salesforce, writes in a Politico article that a national privacy law is “the right thing for consumers and the industry.”

But this advocacy work hasn’t yet borne fruit so businesses must deal with what is, instead of what could be.

How Echoworx OneWorld—a flexible encryption solution—helps banks navigate patchwork privacy laws

Encryption allows organizations to enhance data protection and breach notification practices. It’s an essential risk management tool that supports an organization’s overall cybersecurity strategy.

Echoworx OneWorld is a user-friendly and customer-centric encryption solution that helps banks and financial services organizations navigate patchwork privacy laws.

OneWorld features that help banks stay compliant to multiple privacy laws:

  • Definable policies – This feature allows you to control which communications get encrypted (and how) based on the message content. This is based on your needs and encryption best practices. Flexible controls for every scenario allow you to create a customizable user experience for senders and recipients and stay in control of encrypted messages in transit and at rest.
  • Multiple options for data residency – We have six data centres located in Canada, the US, Mexico, the UK, Ireland and Germany which means our clients can stay compliant to data residency requirements outlined in the GDPR and American privacy legislation. For example, if an organization works in both the EU and US, they can’t have data residency (or third parties) in the US or else they’ll be out of compliance with the GDPR.
  • Automatic inbound encryption – Emails with sensitive information—including protected personal information—are automatically identified, securely routed to the OneWorld web portal and encrypted. Encrypted delivery methods include TLS encryption, encrypted PDFs and attachments, certificate encryption and web portal encryption.
  • Secure statement delivery – Senders can batch and deliver sensitive encrypted messages, like financial statements, directly to recipient inboxes in an encrypted PDF that’s password protected.
  • Natural extensions for Office Message Encryption (OME) – We work alongside Microsoft to take Office 365 to the next level with flexible use cases, branding, audit and tracking capabilities and certificate encryption. This increases existing encryption capabilities and keeps employees comfortable and confident using their existing communication tools—which makes encryption the path of least resistance.

A recent Forrester Total Economic Impact™ study revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits and a payback period of seven months.

Banks are already doing business in a patchwork of conflicting privacy environments. Why not make it easier with our user-friendly encryption solution?

By: Brian Cole, Senior Manager Security Operations and Support, Echoworx

25 Nov 2019

The Importance of Synchronized Tech: Mergers and Acquisitions that Stick Need to Fit

The ink is dry. The handshakes have been made. Your company has just successfully negotiated a multi-million-mega dollar monster merger or acquisition. And your newest corporate addition has all the promise of taking your business to the next level.

But what’s next? How do you begin integration with your existing IT infrastructure? What sorts of vulnerabilities should your IT department be aware of before marrying your two systems? Is your existing IT infrastructure even set up for marriage? Did your top-brass think of any of this before signing off?

Chances are they didn’t.

And, like cooking a soup on your stovetop, a merger between two organizations only works if all the great ingredients can be mixed, melted and mashed together in one pot. If they can’t, your sweet deal might turn sour in a hurry! Or, worse, if left unattended – burn.

Here are some ways conducting technological due diligence plays a pivotal role before, during and after any merger or acquisition process:

1. A history of breaches – a future of headaches

Conducting conclusive research on a prospective merger or acquisition’s digital history should be a primary first step of your courting process. Asking simple questions like “Have you had a breach?” can vet massive roadblocks further down the merger and acquisitions path. Take the now-infamous 2016 Yahoo!/Verizon merger worth an initial $4.8B, for example. In this instance, since Yahoo! reported two major data breaches of user account data just prior to the sale, Verizon shaved $350M off the final price for the deal. In fact, between 2014 and 2018 alone, there were over 10 major breaches affecting mergers and acquisitions deals, affecting billions of users worldwide.

Since breaches can affect sale prices, stall deals or even cancel them out, careful attention should be paid to poor data hygiene during any merger or acquisitions process. Update your legacy encryption system now.

Common red flags, for example, might be a company not adequately protecting sensitive communications. From legacy encryption systems to not encrypting at all, a company which doesn’t protect is opening another to risk.

With our OneWorld encryption solution, companies can reduce the complexity of legacy systems by consolidating email encryption into a single, scalable cloud-based platform – for a more secure environment for sending sensitive communications. From configurable encryption policies to detailed message reporting, our robust encryption system can help you demonstrate effective risk-mitigating security for any deal.

2. Understanding IT infrastructure

When organizations begin to execute elaborate digital transformation plays, any hidden tangled wires, certifications and claims within an existing IT infrastructure suddenly come to the forefront. If left unattended, these tangles can create expensive knots for any merger or acquisition attempts, from obsolete technology lowering a product’s value to legacy systems and processes which simply do not line up.

IT issues need to be top-of-mind throughout any merger or acquisition process. Read more about our certifications.

Proper consultation with your IT department prior to a merger is an effective way to ensure elaborate paper acquisitions play out as planned – especially when you consider that over 50 per cent of initiatives throughout a mergers and acquisitions process, designed to capture synergies, are directly related to IT. A merger or acquisition candidate might claim, for example, that they are SOC2 certified, meaning their security has been vetted and approved by a credible third-party SOC2 evaluator. A member of your IT department can help determine whether this certification is valid or acquired via a third-party.

3. Protecting trade secrets

In order to protect trade secrets, prevent unwanted access and to bring order to your merger or acquisition process, you need to provide protected conduits through which information can be sent, received and replied to.

Mergers and acquisitions can sometimes be periods of organized chaos, as new faces meet new infrastructure and information flies freely from camp A to camp B. Ensure only intended recipients can read your secure message.

In addition to its six flexible secure delivery methods, the OneWorld encryption platform is fully brandable, configurable and features various secure authentication methods. For additional security, OneWorld features a flexible suite of encryption policies which automatically protect any incoming or outbound sensitive data.

4. Sanitizing IT infrastructure

Prior to plugging in to any newly acquired merger or acquisition, be sure to identify any existing vulnerabilities. This ensures that any legacy cybersecurity technology, ageing in-house communications systems and other technological cracks don’t pollute your system once the deal is signed – something 40 per cent of companies fail to do. A thorough audit of a prospect’s digital infrastructure can help mitigate the risk of dealing with expensive interventions further down the line.

Update your legacy message encryption system.

Moving non-critical systems to the cloud is a simple solution to uncluttering, sanitizing and updating an incompatible legacy system. With Echoworx OneWorld, for example, migrating a legacy, resource-intensive message encryption service to the cloud is simple. The resulting light, configurable and flexible secure message environment, managed in the cloud, helps organizations consolidate cybersecurity efforts and streamlines the merger and acquisition process.

By Christian Peel, VP Customer Engineering, Echoworx

18 Nov 2019

How to Ensure Only Intended Recipients Can Read Your Secure Message

We’ve all done it: You hit ‘send’ on a message only to notice a mistyped email address. But what if the email contained sensitive information, like a bank statement? What if it’s enough to get you reprimanded or, worse, fired?

Even if the unintended recipient offers to delete the message, how can you guarantee they followed through? How do you know they didn’t sneak a peek before deleting your wayward message?

You need to know this won’t happen to you. You need control. Our OneWorld Email Data Encryption platform can help.

Sender-set passwords for data protected emails

Once a message has been received by a recipient, there is little which can be done to control who sees it. Since even unintended recipients have the potential to view message content, this can pose problems if the message contains confidential sensitive information, like a bank statement or medical information.

With OneWorld, you can set a shared passphrase to access an encrypted email. This encryption password, which can be anything, from a name to a set of numbers, provides effective security for the content you need to protect.

And there are a variety of ways to share password information, like password hints or out-of-band options like verbally via telephone, for example. All password options are designed to assure the sender that even if the message is sent to an unintended recipient, access remains protected.

Shared passphrases and password hints

For a password to be effective, it needs to be complex enough not to be guessed but not so difficult as to be confusing for the recipient. Passwords can be based on information already known to the recipient like an account number, for example, or provided by the sender along with a password hint. For added security, complexity requirements can be enforced by the system.

Selecting the shared passphrase and password hint for a message can be done directly through the OneWorld plugin for Microsoft Outlook or the Outlook Web add-in. Passwords can also be set by a subject keyword from any device or email generator application. Any previously set passwords can be retrieved or checked by the sender through their ‘sent’ emails.

System generated passwords for sharing sensitive information

For an even higher level of protection for sensitive information, a System-Generated Verification Code is another way to set a complex password. With this method, which is available for OneWorld’s Web Portal secure delivery method, a random single-use code is provided to the sender who, as with sender-set passwords, can then communicate this system-generated password to the recipient. Password complexity tends to increase with this method because the sender is forced to use a unique code for every message, and DLP engines can be configured to force this type of encryption delivery.

Other solutions send a One-Time-Password (OTP) to the recipient mailbox immediately following an encrypted message, which is a bit like leaving your keys in the door.
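The system-generated code flow described above, as an added sketch that is not Echoworx's or OneWorld's code: a random per-message code is handed to the sender for out-of-band delivery, only a salted hash is stored, and guesses are capped. The alphabet, code length, attempt limit, invalidation after the first successful use and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass

# Assumed parameters (not taken from the page).
# The alphabet omits look-alike characters (0/O, 1/I/L) because the code
# is meant to be read aloud over the phone or typed by hand.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
CODE_LENGTH = 12
MAX_ATTEMPTS = 5
KDF_ITERATIONS = 100_000


@dataclass
class CodeRecord:
    """What the server keeps per message: never the code itself."""
    salt: bytes
    digest: bytes
    attempts_left: int = MAX_ATTEMPTS
    used: bool = False


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy of a uniformly random code."""
    return length * math.log2(alphabet_size)


def normalize(code: str) -> str:
    """Accept the code as a person types it: dashes, spaces, lower case."""
    return "".join(ch for ch in code.upper() if ch.isalnum())


def _digest(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, KDF_ITERATIONS)


def issue_code(store: dict, message_id: str) -> str:
    """Create a fresh code bound to one message and return it to the SENDER.

    The code is not mailed to the recipient; the sender passes it on
    through a different channel (for example by telephone).
    """
    code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
    salt = secrets.token_bytes(16)
    store[message_id] = CodeRecord(salt, _digest(code, salt))
    # Grouped in fours so it is easier to read aloud.
    return "-".join(code[i:i + 4] for i in range(0, CODE_LENGTH, 4))


def redeem_code(store: dict, message_id: str, presented: str) -> bool:
    """Check a presented code: bound to the message, rate limited, single use."""
    record = store.get(message_id)
    if record is None or record.used or record.attempts_left <= 0:
        return False
    record.attempts_left -= 1  # every guess counts, right or wrong
    candidate = _digest(normalize(presented), record.salt)
    if hmac.compare_digest(candidate, record.digest):
        record.used = True  # assumption: first successful use retires the code
        return True
    return False


if __name__ == "__main__":
    store = {}
    code = issue_code(store, "msg-0001")  # constructed message id
    print("code for sender:", code)
    print("entropy (bits):", round(entropy_bits(len(ALPHABET), CODE_LENGTH), 1))
    print("six-digit PIN (bits):", round(entropy_bits(10, 6), 1))
    print("recipient opens:", redeem_code(store, "msg-0001", code))
    print("replay attempt:", redeem_code(store, "msg-0001", code))
```
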

Additional perks of OneWorld’s password options

Sender-set Passphrases and System-Generated Verification Codes are effective ways for organizations to avoid any type of registration process. From encrypting attachments only to entire messages, OneWorld allows you to communicate securely with your customer base without any additional steps – you just communicate the password and they gain instant access. And, with the option to reply securely, this method of seamless authentication provides a complete customer-centric circuit of secure communication.

Eliminate your registration process for secure mail now.

By Derek Christiansen, Engagement Manager, Echoworx

11 Nov 2019

California’s CCPA – What Banks Need to Know

The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020 and enforcement measures are scheduled to start six months later. Banks that do business with the state of California and its residents need to protect themselves and get compliant with the CCPA, hailed as “America’s answer to the GDPR.”

A quick view of the CCPA

The CCPA establishes data privacy rights for Californians and, starting soon, this law applies to businesses that sell products and services to California residents and collect information about them.

Under the CCPA, California residents have the right to:

  • Know what personal information is collected about them.
  • Know whether their personal information is sold or disclosed and to whom.
  • Opt out of allowing businesses to sell their personal information.
  • Access the personal information collected about them—in the last 12 months—and receive it in a user-friendly format.
  • Equal service and price, no matter what privacy options they choose.
  • Erase personal data collected (in some situations).

 

This act means Californians can opt out of many secondary uses of their personal information including sales to data brokers, tracking and other uses not directly related to service delivery.

Defining personal information under the CCPA

Section 1798.140, subdivision (o) of the CCPA defines personal information and it’s a long list that includes—but isn’t limited to—identifiers, categories listed in subdivision (e) of Section 1798.80, characteristics of protected classifications, commercial information, biometric information, internet and other electronic network activity, geolocation data, audio, electronic, visual, thermal, olfactory information, professional, employment and education information (that’s not already publicly available) and inferences drawn from information collected.

Call your privacy lawyers and experts because this list is exhaustive; staying in compliance will be complicated and being out of compliance will be costly.

Penalties and fees associated with the CCPA

Like the GDPR, the CCPA has teeth when it comes to penalties. PWC reports that the private right of action damages will be between $100 and $750 per consumer, per breach. And the regulator enforcement penalties will be “up to $2,500 per unintentional violation and $7,500 per intentional violation.”[i]

The impact of the CCPA on banking institutions

As more states institute their own consumer privacy laws, it becomes increasingly complicated for national banks to remain compliant across state borders. Today we’re talking about California but Vermont and South Carolina just passed laws about data collection and breach notification respectively.

Banks must understand privacy laws in all states and countries they do business in and have the processes and products in place to stay compliant with these regulations. They should also expect this trend of patchwork privacy laws to continue and be prepared to adapt to ever-evolving privacy laws.

Any banks that have European clients are (or should be) GDPR compliant so there’s less work for them to do now as the GDPR and the CCPA have many overlapping requirements. Part of that work includes analyzing data flows, implementing processes to meet the needs of the new regulation and clearly documenting all data and data policies.

Encrypted communications are part of the solution because encryption keeps protected personal information safe at rest and in transit. The Echoworx OneWorld encryption platform makes encryption the path of least resistance which is essential in highly-regulated industries such as banking, financial services and insurance.

How Echoworx OneWorld—a flexible encryption solution—helps banks navigate the CCPA

Encryption is a tool that allows organizations to enhance data protection and breach notification practices.

Encryption is considered[ii]:

  • An appropriate technical and organizational measure for securing personal data when implemented with other appropriate controls to protect the encryption process.
  • An appropriate safeguard for processing personal data for a different purpose than the one it was collected for.

 

But encryption only works when it’s used. And, in a recent survey of IT professionals and IT decision-makers, we found that although encryption is a priority for most organizations, less than half the organizations with encryption software use it extensively.

That’s because many encryption solutions are difficult for employees and clients to use, and encryption becomes an extra step; when security is outside of the regular workflow, people are less likely to use it.

At Echoworx, we built our OneWorld encryption platform to seamlessly integrate into existing workflows and make encryption and secure communications the path of least resistance.

OneWorld features that help banks navigate privacy regulations, including the GDPR and CCPA:

  • Definable policies – This feature allows you to control which communications get encrypted (and how) based on the message content. This is set up during implementation—based on your needs and encryption best practices. Flexible controls for every scenario allow you to create a customizable user experience for senders and recipients and stay in control of encrypted messages in transit and at rest.
  • Automatic inbound encryption – Emails with sensitive information—including protected personal information—are automatically identified, securely routed to the OneWorld web portal and encrypted. Encrypted delivery methods include TLS encryption, encrypted PDFs and attachments, certificate encryption and web portal encryption.
  • Secure statement delivery – Senders can batch and deliver sensitive encrypted messages, like financial statements, direct to recipient inboxes in an encrypted PDF format that’s also password protected.
  • Breach notifications – Senders can leverage OneWorld to deliver encrypted and protected communications and notifications to their customers in the instance of a breach.

 

Besides making encryption the path of least resistance, a recent Forrester Total Economic Impact™ study revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits and a payback period of seven months.

The clock is ticking on the California Consumer Privacy Act. Why wait to make our user-friendly encryption solution part of your compliance strategy?

By: Brian Cole, Senior Manager Security Operations and Support, Echoworx

 


Source:

[i] https://www.pwc.com/us/en/services/consulting/cybersecurity/california-consumer-privacy-act.html

[ii] https://www.echoworx.com/project/encryption-in-the-gdpr/

 

05 Nov 2019

How to Expand Your Tech Stack Responsibly

Contemporary enterprise organizations continue their migration to the cloud to save money, increase flexibility and reduce the burden of keeping experts on staff to manage infrastructure. But, while the benefits of moving to the cloud are real, it’s essential to expand your tech stack responsibly—and that starts with security.

Contemporary security considerations for enterprise-level organizations:

 

  • Sensitive data leaving the company firewall – Once sensitive data leaves the perimeters of an organizational firewall, it’s vulnerable to malicious actors. Some firewalls protect the enterprise network and users while others protect information in transit between cloud applications. As the workplace marches towards all things cloud-based and digital, it’s essential to protect data both in transit and at rest.
  • Bring-Your-Own-Device (BYOD) and remote work culture – Companies now allow—and even encourage—employees to use their personal cell phones, tablets and laptops for work activities. This is another avenue for organizational information to leave the safety of the company network and once it moves onto personal devices, it’s a security risk. The popularity of the BYOD culture is driven in part by the uptick of remote employees.
  • Breaches, hacks and attacks – According to a recent report, 38 per cent of organizations aren’t equipped to detect a sophisticated breach and in 2017, the average cost of a data breach was $3.62M.[i] A strong cybersecurity infrastructure can mean the difference between shutting down operations and business as usual.
  • Shiny object syndrome – Everyone wants to download the latest and greatest tech gamechanger. And while most third-party SaaS solutions are safe, organizations can’t afford to jump on board (or let their employees do so) before conducting their own cybersecurity due diligence.
  • Shadow IT – Employees may be downloading or using third-party software or apps to exchange sensitive information. Organizations need to make a better effort at making the protection of data the path of least resistance.

 

Four ways to expand your tech stack responsibly

 

  1. Lay the foundation with encryption – Encryption converts information or data into a code for the purpose of preventing unauthorized access. Before you do anything else, make sure your data is encrypted in transit and at rest. Encrypting communications secures sensitive data and protects it from nefarious use by malicious agents (including insiders) and from accidental breaches by employees. Choose a user-friendly encryption platform that makes encryption the path of least resistance. With Echoworx’s OneWorld encryption platform, you can turn cybersecurity into a competitive edge, increase digital trust and enjoy a significant return on investment.

For example, a recent Forrester Total Economic Impact™ study revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits. This same study showed that using the OneWorld platform to replace legacy on-premises encryption solutions could save the software cost of previous solutions and avoid other legacy-related costs for a three-year savings of $793K.

Get the full Forrester Total Economic Impact™ study of OneWorld now.

  2. Apply good governance – Is governance part of your cybersecurity framework? If not, start today. Who oversees and is responsible for managing technological expansion, assessing cyber risks and vulnerabilities and creating a way forward? If the answer isn’t clear, it’s time to make changes and get your board of directors involved too. Did you know that only 40 per cent of corporate boards participate in their organization’s security strategy?[ii]
  3. Assess your current tech stack – In the old days, IT vetted all the tech brought into the business. But in large organizations, tech slips into departments based on team needs, with little regard for the big picture. Many organizations vastly underestimate the amount of software being used across their operations, marketing, sales, human resources, business intelligence and project management teams. When you reveal the real current state, it gives you the information you need to move towards a sensible future state.
  4. Provide the tools your employees need – The biggest culprits of shadow IT are apps and programs designed to streamline employee workflow. You need to provide your employees with the best tools to do their jobs effectively and safely.

Here’s more on how you can minimize your risk of insider threats.

  5. Implement privacy by design – The Privacy by Design framework, developed by privacy expert, Dr. Ann Cavoukian, is based on seven foundational principles. They are proactive not reactive, lead with privacy as the default setting, embed privacy into design, retain full functionality, ensure end-to-end security, maintain visibility and transparency and respect user privacy. If each new item in your tech stack follows these principles, it reduces the risk and costs of taking a reactive approach to data security.

To learn more about Privacy by Design, download our white paper here.

At Echoworx, encryption is all we do. If you’d like to make secure communications easily accessible across your organization, contact us.  We’ll show you how the right encryption technology can differentiate successful digital transformations from the rest.

By: Wen Chen, Senior Manager of IT and Support, Echoworx

Source:

[i] EY Global Information Security Survey 2018-19

[ii] 2018 Global State of Information Security Survey (PWC)

03 Oct 2019

A Sensitive Issue: Secure Message Encryption for Large Healthcare Networks

Large regional health authorities can employ thousands of people and have a volunteer network in the thousands or tens of thousands. And, since health authorities send, receive and store so much personal and medical data, secure communications are essential.

Here’s why healthcare organizations are vulnerable to privacy breaches, the consequences of mishandling patient data and how encryption makes secure communications possible for health authorities with a large staff and volunteer base.

Why healthcare organizations are vulnerable to privacy and security breaches  

According to a recent report[i], 18 per cent of all cybersecurity breaches happen in healthcare. And internal actors—including employees, former employees, contractors and business associates—cause 59 per cent of the breaches in healthcare.[ii]

Here’s why healthcare organizations including health authorities are vulnerable:

 

  • Lack of training for staff and volunteers – The top two patterns in healthcare breaches relate to miscellaneous errors and privilege misuse. Privilege misuse is about employees peeking into patient records that they have access to but shouldn’t be looking at. Training can help build a culture of privacy and security at healthcare organizations and help staff understand the real consequences of snooping. In 2018, for example, The Ottawa Hospital fired an employee for peeking at 30 patient files and the year before, a student intern was fined $25,000 for accessing the personal health information of 139 people (also in Ontario).

 

  • Outdated communication tools – Some communication tools simply aren’t secure. This includes old pager systems used to send messages—including patient information, diagnoses and hospital room numbers—over unencrypted radio frequencies. When unencrypted communication methods are the path of least resistance, they’ll continue to be used, despite privacy issues.

  • Inconsistent mandatory reporting – While mandatory reporting of data breaches is standard across most states and Europe, that’s not the case in Canada. Reporting data breaches isn’t yet mandatory in Manitoba, Quebec or British Columbia. Mandatory reporting is positive because it brings breaches into the public eye—which can encourage organizations to act quickly to resolve security issues.

 

The consequences of mishandling patient data

In Canada, health information is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA). When health authorities mishandle patient data, patients lose trust in them, they come under fire from local privacy watchdogs and they can incur significant costs and fines. For example, at Capital Health in Nova Scotia, one employee improperly accessed the private health records of 105 people over six years—which cost Capital Health a $400K settlement.[iii]

For healthcare organizations with a large employee and volunteer base, encryption reduces the likelihood of mishandled patient data while increasing cybersecurity.

What does encryption do?

Encryption converts data and information into a code to prevent unauthorized access to the data while it’s in transit and at rest. It simply means private information is kept private. When choosing an encryption solution, algorithms aren’t the primary differentiators because almost all contemporary security products feature 2048-bit RSA encryption, 256-bit AES encryption and SHA2 signatures.

Instead, the real encryption differentiator is customer experience—how easy is it for patients, employees and volunteers to use the encryption solution? Our OneWorld encryption platform is user-friendly and seamlessly integrates into existing workflows.

5 ways the OneWorld encryption platform makes secure communications possible for health authorities

 

  1. Automatic encryption – Policy-based encryption allows you to automatically secure communications based on their content. For example, with Echoworx’s OneWorld encryption platform, emails with sensitive information—including protected health information—are automatically identified, securely routed to the OneWorld web portal and encrypted. Encrypted delivery methods include TLS encryption, encrypted PDFs and attachments, certificate encryption and web portal encryption.

 

  2. Reporting and monitoring – In cybersecurity, it’s important to be able to identify and investigate irregular communications. For example, you should be able to see who sent any email you’re reviewing, when it was sent and whether it was opened or not. Reporting and monitoring helps you reduce the risk of internal cyber vulnerabilities.

  3. Communications control – With so many employees, volunteers and healthcare partners, it’s easier than ever for sensitive data to leave the safety of your corporate network, either intentionally or accidentally. You can prevent this with communications controls such as preventing email forwarding, setting automatic encryption based on the type of email, keywords, phrases and attachments and enabling a single sign-on solution—to keep sensitive information on your protected network.

  4. Path of least resistance – With a user-friendly encryption platform in place, regional health authorities maintain control over their communications and make security the path of least resistance for their end-users. If an encryption platform makes more work for employees, they won’t adopt it. But when it seamlessly integrates into existing daily tasks, they will. User-friendliness isn’t a nice to have; it’s what makes widespread implementation possible.

  5. Positive return on investment – While encryption is no longer optional, health authorities can save money by investing in the right platform. For example, the Forrester Total Economic Impact™ study revealed that organizations that adopt Echoworx’s OneWorld encryption platform can expect a return on investment of 155 per cent, a payback period of seven months and the unquantified benefits that come with enhanced customer experience and reduced downtime.

If your regional health authority has thousands of employees and volunteers communicating with patients and other healthcare organizations, choosing the right encryption platform is an essential part of your cybersecurity program. Why wait? Reduce the likelihood of mishandled patient data by enabling automatic encryption for thousands of employees. Contact us today.

By: Michael Roberts, VP of Technology, Echoworx

 

Source:

[i] Cyber Security and Healthcare: An Evolving Understanding of Risk (Symantec)

[ii] Verizon’s 2019 Data Breach Investigations Report

[iii] https://www.cbc.ca/news/canada/nova-scotia/capital-health-privacy-breach-proposed-settlement-1.4858784

25 Sep 2019
Maintaining Control Over Sensitive Communications in Healthcare

The healthcare industry is becoming increasingly digital – from its adoption of Electronic Health Record (EHR) technology to various online medical appointment booking and prescription systems. And, since healthcare organizations use, send and receive so much personal and medical data, it’s essential that these digital transformation projects incorporate elements of privacy by design —including secure communications.

Here’s why it’s important to maintain control over secure communications and how healthcare organizations can do that.

What is communications control?

Communications control is about setting up a system that allows your organization to oversee, track and review all digital communications. This is typically done by setting up control policies and permissions and using appropriate tools.

Why is control of secure communications essential in healthcare organizations?

Communications control allows you to protect personal and medical data that you collect, use and share as part of business operations. While it’s easy to agree that protecting client data is the right thing to do, there are many more reasons to implement communications control at your organization.

Five reasons for implementing communications control in healthcare organizations:

 

  1. Clients expect privacy – An EHR includes the most personal details imaginable, from medication lists to medical conditions, and clients trust that you’ll keep this information private and secure.
  2. Bring-your-own-device (BYOD) and remote work culture – It’s now common for companies to allow employees to use their personal cell phones, tablets and laptops for work activities or to operate on company networks. When this happens, sensitive internal information has the potential to travel outside an organization’s digital perimeters —which presents a security risk. The increase in remote employees is one contributor to the popularity of BYOD.
  3. External threats – According to a recent Symantec report, 18 per cent of cybersecurity breaches happen in healthcare. The average cost for a ransomware incident is $76,000 and the average hacking breach costs $2.4M. That’s about 2.4 million reasons to maintain control over sensitive communications!
  4. Insider threats – It’s an uncomfortable truth that data breaches and cyberattacks are often caused by employees—mostly accidentally but sometimes with malicious intent. Learn more about how insider threats happen here.
  5. Client demand for digital solutions – According to McKinsey & Company, consumers prefer digital solutions for many healthcare activities including appointment scheduling, prescription refills, checking personal health information and paying health insurance bills.

 

The good news is that healthcare organizations can address all these factors with secure communication controls, a user-friendly encryption platform and creating a culture of security.

Five ways healthcare organizations can maintain control of their secure communications

 

  1. Encryption, encryption, encryption – Encryption is defined as “the process of converting information or data into a code, especially to prevent unauthorized access.” Communicating without encryption is like leaving your front door and filing cabinets unlocked and wide open.
  2. Set external communications policies (aka controls) – With so many modes of communication, it’s easier than ever for sensitive data to leave the safety of your corporate network, either intentionally or accidentally. Secure communications controls can help prevent this from happening. Examples of communications controls include preventing email forwarding, setting automatic encryption based on the type of email, keywords, phrases and attachments and enabling a single sign-on solution—to help ensure sensitive information stays protected.
  3. Set policies for inbound communications – While you can’t control what people send your organization, you can control how you receive it using preset inbound policies, such as automatic encryption. For example, with Echoworx’s OneWorld encryption platform, emails with sensitive information—including protected health information (PHI)—are automatically identified, securely routed to the OneWorld web portal and encrypted. Encrypted delivery methods include TLS encryption, encrypted PDFs and attachments, certificate encryption and web portal encryption.
  4. Enable reporting and monitoring – While you don’t want to set up a “Big Brother” environment, it’s important to be able to identify and investigate irregular communications. For example, you should be able to see who sent any email you’re reviewing, when it was sent and whether it was opened or not. Learn more about taking pre-emptive measures to reduce internal cyber vulnerabilities here.
  5. Act on irregularities – A proper system allows you to act as soon as you identify suspicious communication behaviour. You should be able to modify user permissions, recall messages and revoke access to encrypted messages (even ones that have left your network).

 

At Echoworx, encryption is all we do. We’re proud to help healthcare organizations take control of their communications and protect their sensitive data with a user-friendly encryption solution that has a demonstrated return on investment. The Forrester Total Economic Impact™ study revealed that organizations that adopt Echoworx’s OneWorld encryption platform can expect a return on investment of 155 per cent, a payback period of seven months and the unquantified benefits that come with enhanced customer experience and reduced downtime.

Get the full Forrester Total Economic Impact™ study of OneWorld now.

By: Steve Davis, Director of Products, Echoworx

 

13 Sep 2019
Mum’s the Word: Encryption for Group Collaboration

The digital world has opened the seas of technology and revolutionized the way in which we conduct business and serve customers. At the click of a mouse we may apply for mortgages, receive a bank loan or read financial statements. The flow of information has never been more streamlined and customer-centric than it is today.

But what happens when the trappings of contemporary technology outpace our ability to control it?

While your customers embrace the instantaneous nature offered by digital communications, a whole minefield of international privacy regulations, like the EU’s General Data Protection Regulation, demand data protection at every step of the way – privacy by design and privacy in practice.

For those operating in highly regulated business environments, like finance, banking or insurance, these contradictory market demands, dictating an excellent user experience with one hand but airtight algorithms with the other, can disrupt workflow, lead to delays and, ultimately, cause a loss in customer base. Not ideal.

Offering streamlined flexible encryption solutions is one puzzle piece of a greater solution. Without effective secure communication between your staff, their clients and their customers, your organization risks being cut off from the digital world. Here are some ways you can leverage encryption to put your customers first and your brand at the forefront – without interrupting your frictionless collaborative work environment:

  1. Keeping secure communications secure

According to Echoworx data, 80 per cent of customers consider leaving a brand after a breach. Despite this, 69 per cent of customers do not think organizations do enough to protect their data. In a nutshell: You cannot afford to have bad data practices when it comes to exchanging personal data of your customers – even internally.

With five flexible secure methods to send encrypted messages, Echoworx’s OneWorld ensures no sensitive correspondence goes out in the clear. Depending where your colleagues are located, for example, they might favour a more mobile-friendly method of encrypted communication – like sending via secure web portal.

Learn more about OneWorld’s different secure delivery methods.

  2. Offering a consistent user experience

Do your employees work primarily via their mobile devices? Are TLS connections available with your clients? Do your encrypted messages need to be available at-rest for offline working environments? How tech-savvy are your users – both internal and external?

Questions like the above can help you determine an encryption solution which works for your organizational work environment. According to Echoworx research, over half of IT professionals and decision-makers value encryption technology as very important – and yet just 40 per cent say their organizations employ data privacy technology extensively. These figures suggest their current cybersecurity solutions are not applicable to their encryption needs or perhaps offer a poor user experience.

With OneWorld you can make encryption your path of least resistance for your organization. With multiple flexible ways in which to send an encrypted message, and different ways to read and interact with it, you can streamline your collaborative workflow regardless of where users are located.

Learn more about choosing an encryption delivery method which works.

  3. Faster turnaround on important documents

From onboarding a new client to putting something out for deadline, the business world doesn’t forgive cumbersome time-consuming processes. If an important document takes too long, the process is confusing or a deadline is missed, you might lose a customer or, at the very least, make a bad digital impression. The right type of secure document delivery can eliminate these types of snags in favour of a frictionless business process.

In addition to its other flexible delivery methods, OneWorld features the ability to append password-protected encrypted attachments to otherwise normal digital correspondences. This not only allows users to work on a document in its native format, but also eliminates the need for an entire message to be encrypted. This can improve turnaround on important sensitive documents and streamline collaborative working environments as digital messages can be exchanged in real time.

Learn more about our other secure encryption delivery methods.

  4. Stay compliant, avoid the fines

At the end of the day, the whole point of adopting an encryption strategy is to beef up cyber-defences and avoid costly non-compliance fines. If your organization does not offer a flexible, frictionless and seamless encryption experience, your customers and clients won’t like it and your employees won’t use it. For a collaborative work environment, this presents considerable internal risk for even the most mundane day-to-day workflow.

Learn more about choosing an encryption method which works.

  5. Natural extensions to existing email infrastructure

Our OneWorld encryption platform works seamlessly with existing email infrastructure, like Microsoft Office 365, to offer additional secure delivery methods. These additional options for sending encrypted communications perfectly complement Office 365 to take your encryption strategy to the next level. From OneWorld’s ability to brand encrypted messages to something as simple, and useful, as being able to track message progress via detailed reports to additional password options, OneWorld helps your organization enhance user experience, add more security and increase work productivity.

Learn more about OneWorld’s natural extensions for OME.

By Michael Roberts, VP Technology at Echoworx