Category: Compliance

14 Jun 2019

Thinking Inside the Box: Addressing Internal Cyber Vulnerabilities

In cybersecurity, it’s easy to become obsessed over external malicious factors and lose sight of the whole picture which includes internal vulnerabilities. When it comes to cybersecurity, the best defense includes shoring up your internal defenses because many critical vulnerabilities are too close to home for comfort.

What is an internal cyber vulnerability?

A vulnerability is a flaw in a system that exposes the system to risk of attack. In cybersecurity, these vulnerabilities can be related to the computer systems and processes and procedures you use. While you may know famous software vulnerabilities like Heartbleed and WannaCry, internal vulnerabilities can be much more mundane. For example, someone leaving the default password on a router or assuming your employees know how to recognize spear phishing attacks can lead to a lot of heartache for a chief information security officer.

As they say in sports, “The best defense is a good offense.” In this case, a good offense includes taking a proactive approach to identifying and fixing vulnerabilities, which we’ll cover next.

How to identify cyber vulnerabilities in enterprise-level organizations

Before you can identify cyber vulnerabilities, you must have a clear idea of your organizational assets, including intellectual property. Frédéric Virmont, a seasoned cybersecurity expert, says, “You have to identify what’s critical for the business: servers, applications, everything. Once you identify those critical assets, then you can make a plan to secure them and ensure they’re maintained with security patches.”

After identifying your critical business assets, you can expose and triage any vulnerabilities through various security tools—and then patch them up.

Put staff on your list of organizational assets too: cyber vulnerabilities include both accidental and intentional insider attacks by employees.

Six ways to reduce internal cyber vulnerabilities with pre-emptive measures

1) Encrypt data and communications – Protect your data while it’s in transit and at rest with a user-friendly encryption solution. Billions of emails are sent every day and without encryption each one represents a security risk. And in 2018, 4.8 billion records were stolen during breaches and less than three per cent of those records were encrypted.

2) Teach employees about cybersecurity – A recent PwC report in the US found that 32 percent of respondents consider insider threats more costly and damaging than external incidents. Because employees are on the frontline of cybersecurity, it’s essential to educate them about the importance of using security programs and processes and how to identify and report suspicious incidents. Cybercrime is increasingly sophisticated—especially social engineering and spear phishing—which is why regular and effective cybersecurity training is necessary for all staff.

3) Beef up your security policies – Make sure your policies support your security efforts. Some of the best practices include:

  • Limiting user access through assigning appropriate permissions to non-IT employees
  • Setting appropriate guidelines for creating strong passwords or enforcing two-factor authentication
  • Limiting Internet usage by defining or controlling what type of content can be viewed
  • Defining file storage locations for employees and denying usage of USB drives or personal cloud storage
  • Choosing policy-based encryption with flexible delivery methods for communications
  • Effective vetting of third-party vendors

4) Have an up-to-date disaster recovery plan – A disaster recovery plan allows all staff to act swiftly—using prepared strategy—when disaster strikes. This way, organizational efforts can go towards closing the vulnerability and monitoring it, rather than trying to figure out what to do in the middle of a crisis.

5) Don’t migrate vulnerabilities to the cloud – While there are many benefits to offloading on-premise servers and applications to the cloud, organizations must avoid bringing along existing vulnerabilities with them. Implementing security tools prior to cloud migration is essential.

6) Communicate effectively with the board – Since they may not always understand the technical assets, many boards shy away from cybersecurity risk management. Instead of communicating about tech specs, talk to the board about the cost of not implementing security measures, return on investment trends and reputation management with clients. Raphael Narezzi suggests talking to the board of directors like this: “It can be a cost today, but I guarantee you, the scenario we see when a board acts before an event, is a completely different scenario than when they don’t act at all.”

The benefits of closing internal vulnerabilities

Closing internal vulnerabilities takes time, resources and expertise and is now part of the cost of doing business. But there are benefits. As mentioned above, data security results in customer-centric benefits such as building reputation and digital trust and helps pave the way for competitive differentiators.

These benefits also come with a solid return on investment. A recent Forrester Total Economic Impact™ study, for example, found that a typical enterprise-level organization can expect a seven-month payback period and cut $2.7M in costs by employing our flexible OneWorld encryption solution. Get the full Forrester Total Economic Impact™ study of OneWorld now.

With so much at risk, isn’t it time to shore up your vulnerabilities?

At Echoworx, encryption is all we do. Our OneWorld encryption platform and cloud security services are a natural extension to existing security programs and offer a wide range of flexible options for secure message delivery. You can learn more about the ROI of Echoworx OneWorld encryption here.

By: Randy Yu, Senior Manager Technical Operations & Support, Echoworx

21 May 2019

The Wireless Government: Why a Digital Government is a Better Government

From large conglomerate banking institutions to massive global shipping firms, the world’s ‘upload to all-things-digital’ continues at breakneck pace. So does the patchwork of regional, national and even international privacy regulations dictating who can do business in this brave new digital world, and how. But are governments at risk of slipping behind the very regulations they aim to impose on their business communities?

As American poet Walt Whitman wrote over a century ago: “That powerful play goes on, and you may contribute a verse.” The same invitation extends to those who run legacy government infrastructure: it is time to (finally) take their processes into the 21st Century. And, as our planet continues its perpetual rotations around the sun, the digital world will keep growing – with or without them.

So how does a government upload their tangle of ministries, services and legislature into a wireless world?

Making digital a priority

From large digital initiatives, like the UK National Health Service (NHS)’s blanket ban on fax machines, announced in early 2019 and affecting 1.2 million people, to even more ambitious total uploads of government services, like the Government of Ontario’s digital-first strategy outlined in the Canadian province’s 2019 Budget, governments are beginning to take note of the importance of digital communication. Not only is going digital environmentally friendly, but the resulting systems are streamlined, instantaneous and competitive.

And, with digital adoption, comes the need to communicate securely. From complex back-and-forth procurement agreements with vendors to sensitive citizen services, like sending health records between hospitals, encryption plays an important role at every level of a digital government. At Echoworx, we facilitate seamless transitions from cumbersome paper communications to paperless solutions.

Here’s how enterprise organizations are uploading legacy systems to the cloud.

The challenges of a digital government

Unlike the nimble tech start-ups we have become used to, most governments are the product of decades – even centuries – of incoming politicians, revolutions, legislature and mountains of paperwork carefully wrapped in layers of red tape. In other words, they are hardly the right environment for the fast-moving, sweeping changes necessary for digital innovation. Combine that with a contemporary customer-centric digital business model, which balances an excellent user experience with airtight, data-protecting security, and you have a true bureaucratic headache on your hands.

Working with third-party providers, like Echoworx, can help mitigate the workload of uploading an existing paper-based system online. From helping banks send millions of e-statements per day to something as simple as adding branding and language options to a secure communication, for example, third-party providers are experts at what they do and offer seamless access to existing digital infrastructure.

Here are some advantages of third-party email security systems.

A new type of government

When a customer enters a coffee shop, they are prompted to join a queue to either place an order with a smiling barista or pick up an order they placed via a mobile device. While in line, this customer is presented with an array of colour, branding and, most important, impulse buys or add-ons shown as tantalizing options through display case glass – just out of reach.

This coffeeshop model of greeting, presenting and selling to customers is a form of client stewardship beginning to permeate into banks, financial services and even insurance organizations. The cold professionalism of yesteryear is rapidly being replaced by a more fun, inviting and open model which puts the customer at ease and, most importantly, puts them first.

For government services, the goal needs to be the same – offering seamless digital services which add a warm pulse to sometimes cold mundane processes. And this inviting environment starts with opting out of soulless white envelopes for the more engaging and instantaneous world of encrypted digital communications.

Take the mass encrypted messaging capabilities of Echoworx OneWorld, for example. Using OneWorld’s ‘Secure Bulk Mail’ delivery option, senders can deliver encrypted, branded and personalized communications to massive lists of recipients at the click of a mouse. In addition to leveraging the monetary savings of going paperless, Secure Bulk Mail offers senders options to track the status of their messages – which is especially important to government departments and ministries who need to send out mass messages to concerned or affected citizens.

See Echoworx’s full array of secure flexible delivery methods.

Going digital keeps the treasury happy

Like in the business world, a government is always keeping an eye on its bottom line. But, while a business may experience ups and downs, answering to its board or shareholders, a government ultimately answers to its citizens – who vote during elections. In addition to streamlining services and enabling simpler secure dialogue with constituents, a digital government also has additional cost-mitigating factors to consider.

For example, according to a recent Total Economic Impact™ (TEI) study conducted by Forrester Research, the average enterprise-level organization, such as a government, can expect cost-mitigating benefits valued at up to $2.7M. And, given an average $1 cost-per-page associated with sending communications via traditional snail mail, a government has the potential to save approximately $1.5M over a three-year period.

But the best part? With an average payback period of about seven months, a government can adopt OneWorld, a fully flexible, user-friendly and robust enterprise-level encryption solution and get their money back before election time!

See the full TEI study of OneWorld by Forrester Research here.

By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx

24 Feb 2019

Privacy in a Post-GDPR Britain: What’s Your Brexit Plan?

Deal or no deal – Britain is heading for a Brexit. And, while some Britons stockpile everything from pasta to clothing to cat food, British companies are bracing themselves for a digital void of uncertainty. But with the right proactive cybersecurity measures in-place and a little planning, there is no reason for a UK business to be lost at cyber-sea!

Here are some points to consider when constructing your Brexit plan:

  1. The General Data Protection Regulation (GDPR) is not a law

    As its name suggests, the GDPR is not a law – but a regulation. While the GDPR does apply to all member states of the European Economic Area of the European Union, each country is free to interpret the regulation as they see fit. In Denmark, for example, a stricter interpretation of the GDPR has led to mandatory encryption laws being applied to Danish data. As a rule: Be sure to read up on the local GDPR-inspired laws for any EU regions you operate in.

  2. Third-country – not third-class

    Since they all fall under the GDPR, and must theoretically comply with the privacy regulation, organizations operating out of member states of the EEA are free to exchange information across EU borders. But, while so-called ‘Third-Countries,’ referring to nations outside EEA borders, are not likewise given a free pass, they can exchange data once they are vetted as having adequate data protection laws and practices.

    See how Canada is changing its laws to be more GDPR-friendly.

  3. The UK just might be OK

    By the time the Brexit break is made official, Britain will have been under the GDPR for nearly a year. Among other things, this means their Data Protection Act 2018, if left intact, should theoretically comply with GDPR demands. But special attention must be paid to mirror any subsequent changes to the GDPR – if Denmark’s mandatory encryption laws were to be adopted by other EU nations, for example.

  4. The GDPR is out of UK control

    A post-Brexit Britain no longer has a seat at the EU negotiating table – including for any matters related to the GDPR. This means that, if your British organization is going to do business on the Continent, preparing for unanticipated decisions might be your best course of action. Having proactive data protection features, like end-to-end encryption, for example, can help you navigate any sudden changes.

    See how the NHS is beginning to ramp up their digital defenses.

  5. You can’t hide from the GDPR

    Even after Brexit, countless citizens of EU nations are going to continue working in Britain. In addition to covering nations within the EEA, the GDPR also covers the citizens of those nations – regardless of where they reside. If a Belgian national living in London, for example, provides personal information to your British organization, their data is protected by the GDPR.

    Learn more about the GDPR.

  6. It’s not just about you

    If you intend to navigate the GDPR and continue doing business within the EEA from Britain, you need to consider who you are working with in the UK. Under GDPR regulations, any third-parties working alongside your organization, who might be handling EU personal data, must also be compliant. Before establishing or continuing a third-party relationship post-Brexit, look for cybersecurity audit certifications – here’s why they are important.

Your Post-Brexit Plan:

While the UK continues to battle, outline and hash out its Brexit plan, there are ways your organization can help weather the storm. In addition to adopting proactive data protection policies, like encryption, your organization should consider having a backup plan. Echoworx, for example, has data centres in Ireland and Germany, which allows our clients to securely send GDPR-compliant messages within the EEA.

By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx

15 Feb 2019

Got Danish Data? Email Encryption is Now Mandatory in Denmark

To encrypt or not to encrypt: that is no longer the question in Denmark – where new interpretations of the General Data Protection Regulation (GDPR) are making encryption history. As of January 1, 2019, all organizations working in any capacity with Denmark must now apply acceptable encryption when communicating sensitive data.

Why Denmark?

While the GDPR does apply to all EU members and their citizens, regardless of where they reside, each country has unique interpretations of the specific parts of the regulation. In the case of Denmark, a more literal definition of Section 9 of the GDPR, addressing the ‘processing of special categories of personal data,’ has been adopted. As a result, any sensitive data in transit falling under Danish jurisdiction needs to be protected – meaning mandatory email encryption.

What does this mean for Danish business?

Any organization conducting business in Denmark or involving Danish citizens, including in a third-party capacity, must protect personal data with either secure TLS or end-to-end encryption. But how you employ data protection measures is also important. Opportunistic TLS, for example, where unsuccessful connections fall back to clear text, does not offer adequate protection. Organizations that do not abide by the new rules can face sanctions or, worse, crushing fines in the aftermath of a breach. This new GDPR development is expected to spur similar measures in other EU countries.
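To make the difference between opportunistic and mandatory TLS concrete, here is an added example, written for this page in Python against the standard library’s smtplib; it is not Echoworx code and not part of the original post. The `FakeSMTP` class, the host names and the policy labels `OPPORTUNISTIC` and `MANDATORY` are constructed for the demonstration so it runs offline; with the real `smtplib.SMTP` passed as `smtp_factory`, `deliver` behaves the same way against a live mail server.

```python
import smtplib
import ssl

# Policy labels used by this example (constructed names, not product settings).
OPPORTUNISTIC = "opportunistic"  # weak: deliver in clear text if STARTTLS is unavailable
MANDATORY = "mandatory"          # fail closed: no TLS, no delivery


class DeliveryRefused(Exception):
    """Raised when policy forbids a clear-text fallback."""


def deliver(host, port, sender, recipient, message, policy=MANDATORY,
            smtp_factory=smtplib.SMTP):
    """Send one message and report how it left: "encrypted" or "clear-text".

    smtp_factory is smtplib.SMTP for real use; the demo passes FakeSMTP.
    """
    # The default context verifies the certificate chain and, because smtplib
    # passes server_hostname to wrap_socket, checks the server name too.
    ctx = ssl.create_default_context()
    with smtp_factory(host, port, timeout=30) as conn:
        conn.ehlo()
        if conn.has_extn("starttls"):
            conn.starttls(context=ctx)
            conn.ehlo()  # re-read capabilities over the protected channel
            conn.sendmail(sender, [recipient], message)
            return "encrypted"
        if policy == MANDATORY:
            raise DeliveryRefused(
                f"{host}:{port} offers no STARTTLS; refusing clear-text delivery")
        # Opportunistic behaviour: silent downgrade to clear text. This is
        # the gap the Danish interpretation treats as inadequate protection.
        conn.sendmail(sender, [recipient], message)
        return "clear-text"


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP so the example runs offline."""

    def __init__(self, host, port, timeout=None, offers_tls=True):
        self.offers_tls = offers_tls
        self.tls_active = False
        self.sent = []

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def ehlo(self):
        return 250, b"ok"

    def has_extn(self, name):
        return self.offers_tls and name.lower() == "starttls"

    def starttls(self, context=None):
        self.tls_active = True

    def sendmail(self, sender, recipients, message):
        self.sent.append((sender, tuple(recipients), self.tls_active))
        return {}


def fake_server(offers_tls):
    """Factory with the same call shape as smtplib.SMTP(host, port, timeout=...)."""
    return lambda host, port, timeout=None: FakeSMTP(host, port, timeout, offers_tls)


def demo():
    """Run the three cases that matter and return their outcomes."""
    args = ("mx.partner.invalid", 25, "clerk@agency.invalid",
            "citizen@example.invalid", b"Subject: test\r\n\r\nsensitive\r\n")
    outcomes = {
        "mandatory+tls": deliver(*args, policy=MANDATORY, smtp_factory=fake_server(True)),
        "opportunistic+notls": deliver(*args, policy=OPPORTUNISTIC, smtp_factory=fake_server(False)),
    }
    try:
        deliver(*args, policy=MANDATORY, smtp_factory=fake_server(False))
        outcomes["mandatory+notls"] = "sent"
    except DeliveryRefused:
        outcomes["mandatory+notls"] = "refused"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The opportunistic path and the mandatory path are identical whenever the peer offers STARTTLS; they differ only when it does not, and that is exactly the case a compliance reviewer will ask about. A fail-closed client also needs a queue or an alternative delivery method (a web portal or Secure PDF, for example) for the refused messages, otherwise operators will be tempted to switch the policy back.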

Learn more about encryption delivery methods.

What measures can an organization take?

Since the GDPR came into effect last May, the message from Europe has been clear and simple: Protect personal data or do business elsewhere. And, by adopting proactive privacy-by-design policies, using the GDPR as a baseline, an organization can ensure it is compliant in the EU and anywhere else where similar privacy policies exist. Therefore, this newest Danish development should be viewed as a competitive advantage – not a hindrance.

While a closed system theoretically might work for Danish companies who interact solely with Danes, this mindset can cause compatibility problems the second business is conducted abroad. A flexible secure message platform can help avoid compatibility issues and maintain compliance.

Learn more about the flexible features of Echoworx’s OneWorld encryption platform.

By Christian Peel, VP Engineering, Echoworx

18 Jan 2019

Inbound Encryption: The Why and How

While your organization has systems in place to encrypt outgoing emails, what happens when you receive an email that contains sensitive information? If it’s not already encrypted, do you refuse to accept it? Does it get caught in your compliance filters? If so, what message are you sending by not receiving?

What is inbound encryption?

Inbound encryption is the process by which emails containing sensitive information, such as credit card numbers, are encrypted before they are stored in an organization’s mail servers. Inbound encryption filters scan all emails against a set of established rules, looking at content and attachments, as well as recipients.

Why is inbound encryption needed?

PCI requirements state that emails containing cardholder data must be encrypted during transmission across open, public networks, and that cardholder data must be protected while it is stored. This means that sensitive or personal information such as credit card numbers cannot be saved on your network without being encrypted.

For example, you might run a large retail organization to which customers are sending email queries containing sensitive data – like credit card information. In order to comply with PCI legislation, your email filtering system might be set up to block or delete these types of emails. This, in turn, might lead to customer dissatisfaction as their emails go unanswered – leading to lost business and unintended brand damage.

How does inbound encryption work?

Using a Secure PDF delivery system allows organizations to minimize their PCI risk. Instead of doing the encryption themselves, they employ a third-party service which provides on-the-fly email encryption, triggered by automated policies on a PCI-certified platform. When messages containing sensitive information arrive encrypted and secure, they are less likely to be blocked by existing email filtering services.

Any incoming emails that trigger an encryption policy are automatically encrypted within a Secure PDF, along with any attachments, before being delivered direct to a recipient’s inbox. Upon receiving the email, the recipient simply downloads the encrypted attachments and enters a self-registered passphrase to authenticate, open and read the contents.
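The decision step of such a filter, as described in the two paragraphs above, can be shown in a few dozen lines. The following is an added example written for this page in Python, not Echoworx code and not part of the original post. It parses an inbound message with the standard library’s `email` package, applies a recipient rule and a content rule (card-number patterns validated with the Luhn checksum so order and phone numbers are not flagged), and returns the reasons an encryption policy would fire. The sample message, the mailbox names and the two test card numbers are constructed; the encryption step itself is left to whatever Secure PDF or other delivery method the platform provides.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit; weeds out order numbers, phone numbers and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers (digits only) found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep the first six and last four digits; the filter log must never hold a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def needs_encryption(msg: EmailMessage, protected_mailboxes: set[str]) -> tuple[bool, list[str]]:
    """Decide whether an inbound message triggers the encryption policy.

    Returns (trigger, reasons). Reasons carry masked card numbers only.
    """
    reasons = []
    # Recipient rule: anything addressed to a mailbox that handles payment data.
    for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        if addr.lower() in protected_mailboxes:
            reasons.append(f"addressed to protected mailbox {addr}")
    # Content rule: subject, body text and text attachments. A production
    # filter would also extract text from PDF and office documents.
    for pan in find_pans(msg.get("Subject", "")):
        reasons.append(f"card number {mask(pan)} in Subject")
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", errors="replace")
        where = part.get_filename() or part.get_content_type()
        for pan in find_pans(text):
            reasons.append(f"card number {mask(pan)} in {where}")
    return bool(reasons), reasons


def sample_message() -> EmailMessage:
    """Constructed inbound message: two well-known test card numbers plus two decoys."""
    msg = EmailMessage()
    msg["From"] = "customer@example.net"
    msg["To"] = "support@retailer.invalid"
    msg["Subject"] = "Refund for order 1234-5678-9012-3456"   # 16 digits but not Luhn-valid
    msg.set_content(
        "Hi, please refund my card 4111 1111 1111 1111.\n"
        "You can reach me on 416 555 0199.\n"                # too short to be a PAN
    )
    msg.add_attachment("name,card\nJ. Doe,5500000000000004\n",
                       subtype="csv", filename="orders.csv")
    return msg


if __name__ == "__main__":
    trigger, why = needs_encryption(sample_message(), {"payments@retailer.invalid"})
    print("encrypt:", trigger)
    for reason in why:
        print(" -", reason)
```

Two design points carry over to any real deployment: the Luhn check is what keeps the false-positive rate low enough for the policy to be left switched on, and the reasons the filter records are masked, because a policy log that stores full card numbers would itself become cardholder data in scope for PCI DSS.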

What to look for in an effective inbound encryption solution

Providing a secure encryption option for all inbound email doesn’t have to be complicated. Using a Secure PDF delivery system not only guarantees secure storage of sensitive information, it also ensures that your organization will comply with privacy regulations and data security standards.

Learn more about inbound encryption with Echoworx OneWorld.

In addition to Secure PDF delivery, any encryption solution worth its salt needs to offer additional secure delivery methods, from Web Portal to Secure Attachments, S/MIME/PGP and TLS. Although replies and any additional dialogue may be performed via built-in Secure Reply features, your employees might also exercise additional options to communicate securely with their clients.

Learn more about Echoworx OneWorld secure encryption delivery methods.

By Derek Christiansen, Engagement Manager, Echoworx

09 Nov 2018

Are You Prepared for Canada’s Mandatory Breach Reporting Law?

With the introduction of new rules under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), saying sorry for a data breach is no longer good enough. As of November 2018, all data breaches involving Canadian data of a personal nature must be reported and affected parties must be notified.

But who does PIPEDA apply to?

PIPEDA is Canada’s federal privacy law for private-sector organizations. In a nutshell, this law applies to all personal data collected, used or disclosed in the course of commercial activity when doing business with Canada. Under the new data breach rules, if any of this personal data is leaked, a report must be filed with the Office of the Privacy Commissioner of Canada, a record of the breach must be created, and all individuals affected by the breach need to be notified that their information has been compromised.

Following Europe’s privacy protective lead

The updates to PIPEDA come on the heels of the European Union’s GDPR – which launched last May. While existing Canadian data privacy protection practices do satisfy current GDPR demands, these additional rules serve as a proactive reassurance as European rules continue to harden over the next few years. They are also designed to help keep Canadian businesses competitive in Europe – and avoid massive fines.

And these new changes to PIPEDA don’t come without teeth!

In addition to brand damage, and the potential for lawsuits, violations to PIPEDA now carry serious fines of up to $100,000. While not as high as the devastating multi-million-dollar fines of the GDPR, the penalties are high enough to enforce compliance.

So how do you stay compliant?

Adequate protection of sensitive personal data is easier said than done – often requiring a multi-pronged approach. In order to comply with new PIPEDA rules, you need to take proactive steps to help prevent a breach from occurring in the first place – this includes protecting data leaving your system. And encryption of sensitive data is a key indicator demonstrating that information has been adequately protected under any privacy regulation or law.

Here are 10 ways you can secure sensitive data in transit.

By Alex Loo, VP of Operations at Echoworx

13 Sep 2018
What is a Chief Data Officer?

We live in a post-privacy age.

Our location can be pinpointed with GPS. Our photos and itineraries are known to the world, through our smartphones connected to the internet. We post our most intimate thoughts and opinions to social media for all to see. We browse targeted advertising based on our Google searches and online buying habits.

Tom Goodwin, head of innovation at Zenith Media, argues that we welcome this loss of privacy because we enjoy the benefits it affords us… right up until a company fails to protect our data.[i] Then we are up in arms about the violation of our privacy. It is the stuff of public relations nightmares.

At Echoworx, our own research finds another data privacy conundrum: the transformative nature of personal data after a breach. People are willing to disclose quantitative data, under the assumption it is protected. This same data takes on embarrassing qualitative characteristics once it becomes public during a breach – leading to a fatal loss of customer trust.

How are businesses to navigate these contradictions? How can businesses offer people the benefits of the post-privacy age without making them feel they’ve surrendered something precious? How can businesses gain the confidence to securely protect sensitive data?

One solution is found in the growing importance of the Chief Data Officer.

Rise of the Chief Data Officer

The Chief Data Officer role was born during the 2008-09 financial crisis. In the aftermath, there was a clear need for a person who could ensure compliance with increased regulatory demands. More than ever in banking and finance, data and its reporting to regulators required greater scrutiny. For years, data had been an afterthought in most organizations. Had available data been managed effectively at the time, we might have had warning of the crisis, or been able to make a more complete recovery.

In the decade since, however, the role of the CDO has expanded and evolved as the era of Big Data dawned. Suddenly the value of data as an asset became clear. The CDO was needed to take charge of maximizing its value.

In 2012, the advisory firm NewVantage Partners began an annual survey of Fortune 1000 C-level executives. That first year, only 12% of firms had a CDO. By 2018, that number had risen to 63.4%. This trend looks set to continue. By some estimates, a Chief Data Officer will be considered a “mission-critical” role in up to 75% of large enterprises within the next 3-5 years. Even the Pentagon has hired its first CDO!

Why you need a Chief Data Officer

The CDO’s chief value today is as the point-person for optimizing the vast amounts of data generated by today’s companies. He or she can extract value from it, and foster innovation around Big Data and analytics. The CDO drives technology solutions, enhances cybersecurity and increases revenues. He or she works to eliminate data silos and redundancies. Technological change is managed to reduce the costs of “data wrangling” within a company.

The CDO plans and executes corporate strategy around emerging technologies such as artificial intelligence (AI), machine learning, and blockchain. The CDO also represents an agile solution to the fast-moving developments in regulation and data privacy for which traditional management may not be well suited. As technology evolves, so too does the CDO role.

Privacy vs value in a post-privacy world

Data is a double-edged sword. It holds tremendous value for corporations. It also demands careful stewardship of information entrusted to them and promises liabilities (both financial and reputational) in the event of a breach.

By bringing all data and related activity under the CDO, organizations can establish systems to ensure that all data gathered by, stored, or shared within an organization is treated securely, ethically, and in compliance with local and international laws and regulations.[ii] Proper data management and careful application of security measures, such as enhanced encryption of sensitive data, can help reduce enterprise risk. These policies also allow companies to maximize value from the data they collect.

In this post-privacy era, corporations that interact with sensitive customer data must adapt if they want to be successful. If they focus on “serving people better” with explicit requests for permission, clear opt-ins, rigorous security and encryption, they can build a “value exchange over a lifetime” with customers. This is the kind of transformation that the CDO can bring to organizations. In this way, the CDO helps navigate the line between privacy and post-privacy in a connected world.

By Alex Loo, VP of Operations, Echoworx

___________

[i] https://www.thedrum.com/opinion/2018/07/17/tom-goodwin-making-the-most-post-privacy-world

[ii] https://aws.amazon.com/blogs/publicsector/the-rise-of-the-chief-data-officer-as-a-data-leader/


16 Jul 2018

California’s Data Privacy Law, AB 375: It’s Personal

In June 2018, California passed one of the most advanced privacy laws in the US – The California Consumer Privacy Act of 2018 (AB 375). The act is hailed as a major step forward and is being compared with the General Data Protection Regulation (GDPR) in Europe.

Upon review, AB 375 presents several challenges, not least of which is that it is not slated to go into effect until 2020, and many big tech companies are calling for changes to provisions of the law.

What is in the law

AB 375 establishes several data privacy rights for California residents and, like the GDPR in Europe, this law applies to any business that sells to or holds personal data on California residents.

These data privacy rights are:

  1. The right of Californians to know what personal information is being collected.
  2. The right of Californians to know whether their personal information is sold or disclosed and to whom.
  3. The right of Californians to say no to the sale of personal information.
  4. The right of Californians to access their personal information.
  5. The right of Californians to equal service and price, regardless of their choice to disclose personal information.

In short, AB 375 gives Californians a way to opt out of almost all secondary uses of their personal information whether for sale to data brokers, tracking or other uses not tied directly to the provision of a service.

Who must comply with AB 375?

Unlike the GDPR, California’s AB 375 privacy law only applies to a specific category of for-profit business. The organizations affected must conduct or be brand-affiliated with business within California, receive or disclose the personal information of more than 50,000 Californians and produce gross revenues of more than $25M – 50 per cent of which must be derived from the sale of personal information. This means that California not-for-profits, small businesses or even large corporations who collect below minimum required levels of personal information are not affected by this law.

What is not included in AB 375

While the California privacy law does have penalties for breaches that result from not adequately protecting information, AB 375 does not contain requirements for how businesses must protect information. This law also lacks any language to guide a court in analyzing if the data protection practices of an organization are adequate.

Impact on California market

Unlike the European GDPR, AB 375 does not contain specific instructions for Security of Processing businesses to follow. But the law does prescribe how businesses are to get consent for collecting and using personal information. Consumers cannot be discriminated against for exercising their rights.

AB 375 relies heavily on other California and federal laws to provide guidance on these areas. And, as a result, several conflicts exist with other laws – requiring further clarification through regulatory guidance or changes to AB 375 itself.

Additionally, there are still questions about how AB 375 might be amended under pressure from technology companies and privacy advocates or what supplementary regulations might be.

A logical solution

Encryption of sensitive data is key to demonstrating that information has been adequately protected under any privacy regulation or law.

Echoworx is committed to meeting the privacy and legal requirements of the countries in which it operates. Echoworx continues to add data centers around the world to ensure that data is resident as close as possible to the country or region of origin. We currently operate data centers in the US, UK, Ireland, Germany, Mexico and Canada to ensure data can be stored and maintained in accordance with the regulations and legislation that our customers are subject to.

By Brian Cole, Senior Manager of Security Operations and Support, Echoworx

10 Apr 2018
Cloud Act

Quiet before the storm: CLOUD act

Recent developments in the court case between the US Government and Microsoft have implications for companies offering services globally. The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) aims to simplify the way law enforcement agencies obtain personal data stored by U.S.-based technology companies.

What Has Happened:

In December 2013, a United States Magistrate Judge issued a warrant under the authority of the Stored Communications Act (SCA) requiring Microsoft to produce data hosted at a Microsoft data centre in Ireland. Microsoft refused to comply with the parts of the order that required production from its Ireland data centre, on the grounds that the warrant violated European law.

Microsoft appealed the decision to the US Second Circuit court, which received submissions in support of Microsoft from various parties. The Irish Government submitted a brief stating that the warrant violated the European Union’s Data Protection Directive and Ireland’s own privacy laws, and that the US Government should have used the longstanding Mutual Legal Assistance Treaty between the US and Ireland, which allows for the collection of data supported by local warrants. The US Second Circuit found in favour of Microsoft, and the US Department of Justice appealed to the Supreme Court.

Oral arguments in the case were heard on Feb 27th. However, in March, the US Congress passed, and the President signed, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). This law amended the SCA to require that US-based service providers turn over data in their possession regardless of where in the world the data is located. Based on this development, the US Department of Justice asked the Supreme Court to dismiss the case as moot, and Microsoft did not oppose.

Even prior to this decision, significant questions had been raised with respect to US Government access to data on citizens of other countries. The Article 29 Working Party had released a report calling into question whether the US was adhering to the requirements of the US/EU Privacy Shield agreements. In the report they recommended that new negotiations between the US and EU begin to develop a plan to close a few identified gaps. The Working Party warned that if action was not taken, they would take the issue to court to have the Privacy Shield agreement invalidated.

Impact on Market:

This is all happening in the context of the coming into force of the EU General Data Protection Regulation, which has strict requirements on companies who deal with the data of EU residents. Specifically, Article 48 of the EU General Data Protection Regulation states that:

Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.

This directly contradicts the requirements of the CLOUD Act, which override the need to use the MLAT approach.

Naturally, this leaves many questions as to whose laws take precedence, the status of previously agreed treaties and agreements, and more. It is also likely to have a significant impact on US companies as subscribers move to cloud service providers in their local jurisdictions, or at least to those in jurisdictions that do not have such legal entanglements.

Echoworx is a Canadian-based company, and current Canadian law requires the use of Mutual Legal Assistance Treaties (MLATs) when data is stored in a foreign country. Echoworx is also committed to meeting the privacy and legal requirements of the countries in which it operates. Echoworx continues to add data centres around the world to ensure that data is resident as close as possible to the country or region of origin. We currently operate data centres in the US, UK, Ireland, Mexico, and Canada to ensure data can be stored and maintained in accordance with the regulations and legislation that our customers are subject to.

By David Broad CISSP, Information Security and Audit Lead, Echoworx

07 Mar 2018
GDPR

Encryption, helping address GDPR compliance

As of May 25, 2018, all companies dealing with personal data in the European Union (EU) must employ a high level of security to safeguard EU citizens’ information. Under the General Data Protection Regulation (GDPR), companies that aren’t taking adequate measures to protect the data of those residing in the 28 EU countries (prior to Brexit) face fines of up to 20 million euros ($21.9 million) or 4 percent of a company’s global annual revenue. Regulatory authorities will have greater powers to act against businesses that don’t comply.

GDPR sets the baseline

David Broad, Information Security and Audit Lead for Echoworx, says the GDPR sets the baseline for how companies must protect their own information and that of their clients. The baseline security practices must also be consistent with any third-party service the company uses (such as Amazon), even if the company is located outside the EU. Regulations across the EU “used to be a fairly wide patchwork,” says Broad, and the GDPR will harmonize those rules. The EU has always had stringent regulations, but there were significant problems for a company doing business in multiple countries, as rules could differ in each.

“It was seen by many as a disadvantage, and an impediment to business,” says Broad. “Now, there will be one standard everyone understands and knows.”

A logical solution

Encryption is a logical solution for these companies and while it’s not mandatory or the only solution, the GDPR encourages its use as a best practice to protect sensitive information from breaches. Increasingly, encryption is viewed as the go-to method to protect communications in transit and to safeguard stored information, according to Jacob Ginsberg, Senior Director with Echoworx.

Ginsberg says companies are recognizing the importance of encryption and security in thwarting cyberattacks and data breaches, and are putting it to use. The GDPR encourages the idea of security and privacy by design from the early stages of development, he says. Those two aspects – privacy and security – were not always working in conjunction with each other, and the GDPR will help to align them. Encryption can play a role in aligning these aspects.

The importance of encryption

Protecting information in transit – whether through email or large file exchange – can be a challenge for some organizations, as they may not control the network or the email server, and the server may not even be in the EU, says Broad.

“You can’t just send customer data over a network you don’t have control of,” he says. An organization may use some form of encryption for data in transit, or opt not to send encrypted data by email. Instead, it could send a benign message to a client telling the client to log in to the company portal to retrieve the pertinent information.

Not every company wants to build a portal, due to the heavy investment in technology required or because they may not need one all the time. For example, some companies may only need a portal for a short time each year – such as to receive annual tax documents.

Just as Amazon provides e-commerce solutions for sellers who don’t want to deal with logistics, payments, hardware and data storage, encryption providers such as Echoworx can help companies comply with the GDPR by providing encryption solutions and services to help customers protect important data.

By Christian Peel, ‎VP Customer Engineering, Echoworx

14 Sep 2017
GDPR: Reduce your risk, protect your customers

You’ve met the GDPR, but you could still be breached, and the fines are massive. How can you minimize the risk?

By May 25, 2018, companies doing business with EU residents must meet General Data Protection Regulation (GDPR) standards or risk fines as high as 20 million euros or 4 percent of their annual worldwide profits. But even if your company meets the Regulation, hackers will keep trying to get at your data, and if they’re successful, you could face class-action lawsuits and the destruction of hard-won consumer trust.

And you could still face GDPR fines.

The news is full of good reasons for consumer distrust, such as the 2017 Equifax breach, when 143 million records were stolen, including the Social Security numbers linked to them. But if you can show that you have taken every possible step to protect the people who rely on you, the courts and your customers are more likely to give you the benefit of the doubt.

Encryption is an obvious step, and it is part of GDPR, so under the Regulation, you must convert your data into a coded, difficult-to-unlock format that maintains authentication, integrity and non-repudiation. But you also need to implement data minimization and de-identification.

In simple terms, data minimization means that you don’t ask for or keep more than you need, while de-identification temporarily removes links between the data points and the individuals they describe.

  1. Data minimization

With so much personal data available, it may be tempting to collect and cross-reference new information to learn more about your customers. But consumers don’t like it, and are increasingly suspicious of sharing their details. So while a next-of-kin’s name and phone number on a financial services account could help verify family if the account holder dies, asking for the relative’s workplace data may be going too far. And you’re definitely crossing the line if you use any of the data for a purpose that the customer hasn’t agreed to.

The GDPR explicitly states that you need to limit the amount of data you collect, as well as the way you use it. It also says that you can only use the data for its specified, lawful purpose, and stresses the importance of having a plan to destroy the information once the agreed-upon use is finished.

And frankly, less data means you have less to steal.

  2. De-identification

Your institution might need to have some data linked directly to individuals’ names in some instances, for example, keeping names, account numbers and addresses together for account-statement generation. However, other work clusters will not need identifying information, but may need to be able to link it back later.

De-identification is different from anonymization; the information is still linked, but steps are taken to mask it. This can include giving people pseudonyms, plus “k-anonymization”, which hides or replaces details that could expose an identity, such as a birth date.

As a part of encryption, de-identification makes it that much harder for hackers to make use of stolen information.
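The two de-identification steps described above, pseudonyms and generalisation of a quasi-identifier such as a birth date until a k-anonymity threshold is met, as an added example that is not part of the original post. The customer records, the key and the field names are constructed for the example.

```python
"""Pseudonymisation plus a k-anonymity check for a customer extract.

Added example, not Echoworx code. It walks through the two de-identification
steps the text names: replace direct identifiers (name, account) with a
keyed pseudonym that can still be linked back via a separately held table,
and generalise a quasi-identifier (birth date) until every combination of
quasi-identifiers appears at least k times. Records, key and field names
are all constructed for this example.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample extract (not real customers).
RECORDS = [
    {"name": "Ana Silva", "account": "CA-1001", "birth_date": "1984-03-12", "postcode": "M5V", "balance": 1200},
    {"name": "Ben Okafor", "account": "CA-1002", "birth_date": "1984-07-30", "postcode": "M5V", "balance": 80},
    {"name": "Chen Wei", "account": "CA-1003", "birth_date": "1991-11-02", "postcode": "K1A", "balance": 5600},
    {"name": "Dana Roy", "account": "CA-1004", "birth_date": "1991-05-19", "postcode": "K1A", "balance": 310},
    {"name": "Eli Park", "account": "CA-1005", "birth_date": "1977-01-08", "postcode": "V6B", "balance": 9900},
    {"name": "Fatima Noor", "account": "CA-1006", "birth_date": "1977-12-25", "postcode": "V6B", "balance": 45},
]

DIRECT_IDENTIFIERS = ("name", "account")        # removed outright
QUASI_IDENTIFIERS = ("birth_date", "postcode")  # kept, but generalised


def pseudonym(secret_key: bytes, value: str) -> str:
    """Keyed hash of a direct identifier.

    A plain SHA-256 of an account number can be reversed by hashing every
    plausible account number; the HMAC cannot be recomputed without the key,
    so a stolen de-identified table alone does not expose the link.
    """
    return hmac.new(secret_key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def build_lookup(records, secret_key: bytes) -> dict:
    """pseudonym -> account table, stored separately from the extract so the
    work cluster that later needs the link can re-identify a record."""
    return {pseudonym(secret_key, r["account"]): r["account"] for r in records}


def generalise_birth_date(birth_date: str, level: int) -> str:
    """Coarsen YYYY-MM-DD: 0 = full date, 1 = year-month, 2 = year,
    3 = decade, 4 = suppressed entirely."""
    year, month, _day = birth_date.split("-")
    if level == 0:
        return birth_date
    if level == 1:
        return f"{year}-{month}"
    if level == 2:
        return year
    if level == 3:
        return year[:3] + "0s"
    return "*"


def de_identify(records, secret_key: bytes, level: int) -> list:
    """Drop direct identifiers, add the pseudonym, generalise the birth date."""
    rows = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_id"] = pseudonym(secret_key, r["account"])
        row["birth_date"] = generalise_birth_date(r["birth_date"], level)
        rows.append(row)
    return rows


def smallest_class(rows) -> int:
    """Size of the smallest group of rows sharing all quasi-identifier values.
    A class of size 1 means that row is unique and re-identifiable."""
    counts = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in rows)
    return min(counts.values())


def k_anonymise(records, secret_key: bytes, k: int):
    """Raise the generalisation level until every class has at least k rows.
    Returns (rows, level); raises if even a suppressed birth date is not enough."""
    for level in range(5):
        rows = de_identify(records, secret_key, level)
        if smallest_class(rows) >= k:
            return rows, level
    raise ValueError(f"cannot reach k={k}: remaining quasi-identifiers still single out rows")


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-out-of-the-extract"
    rows, level = k_anonymise(RECORDS, key, k=2)
    print(f"k=2 reached at generalisation level {level}")
    for row in rows:
        print(row)
```

On the sample extract, full dates and even year-month values are unique per person, so k=2 is only reached once birth dates are reduced to the year; with only six records spread over three postcodes, k=3 cannot be reached at all and the function refuses rather than release a re-identifiable table.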

The rewards of minimizing risk

While it’s EU law, complying with the GDPR has value no matter where your company does business. Meeting these standards, minimizing your data collection and ensuring de-identification will help you protect your reputation, add reasons for your customers to trust you, and reduce your overall risk.

Want to learn more? Watch our in-depth discussion with Privacy by Design creator Dr. Ann Cavoukian on how you can prepare for the GDPR.

 By Alex Loo, VP Operations, Echoworx

08 Sep 2017
Privacy by Design – or by Disaster?

Got any European business? If you do, the GDPR could trigger fines of 20 million euros against you after May 25, 2018, unless you’ve built the highest levels of privacy protections into your systems.

The General Data Protection Regulation (GDPR) protects individuals’ privacy and human rights, and comes into effect in May. It applies to EU-based companies, plus overseas companies doing business in the EU. The scope covers a broad range of personal data, for example, names, email addresses, social media, bank details or computer IP addresses.

For companies that don’t meet the GDPR, there are fines as high as 20 million euros or up to 4 percent of your annual worldwide profits – a big bite out of your bottom line. The good news is that there is a directive to guide you, known as Privacy by Design, or “PbD”.

Privacy by Design
Meeting GDPR means following the seven PbD principles that are included almost verbatim in the regulation.

  1. Proactive not reactive; preventative not remedial. Think of this as “privacy by design or disaster.” If you build appropriate privacy, encryption and overall cybersecurity into your products and services, you’re less likely to have the disaster-side breach that means fines, class-action lawsuits, and damage to your reputation.
  2. Privacy as the default setting. Most people don’t read EULAs or the lengthy legal documents from financial institutions. Make your offerings easier to use by defaulting to the highest levels of privacy and encryption, and ask clearly for specific permission to use the customer’s data for anything other than what they intend. For example, keep opt-in boxes empty so the distracted end-user doesn’t give permission by accident.
  3. Privacy embedded into design. How well are your apps and data-management systems encrypted? This needs to be a default, no-choice, built-in fact of all of your data architecture.
  4. Full functionality – positive-sum, not zero-sum. There’s an argument that full security and full privacy are not compatible, but it’s wrong – strong encryption lets you have both. What’s more, when your clients and customers know you’re using it, they’ll have a higher level of trust for you, and be more willing to share their data.
  5. End-to-end security – full lifecycle protection. With your system designed to respect and maintain privacy at every touch, what happens when you’re done with the data? From the moment a customer gives their name, to the closing of the account, you need to ensure their data is securely managed, and eventually, destroyed.
  6. Visibility and transparency – keep it open. Be able to demonstrate that you are using the data as it’s intended at every step. But you also need to be willing to share all the data you’ve collected about someone with that individual, because the data belongs to them. And being able to see it means they can correct inaccuracies, making it much more useful to you.
  7. Respect for user privacy – keep it user-centric. Being user-centric means that your company and data architects are proactive about protecting customer privacy. But incorporating strong data encryption and overall cybersecurity isn’t just about being safe. The investment in these technologies and practices will foster the respect and trust of your customers, which is a good thing no matter where you do business.

Still have questions? Watch our webinar, along with Privacy by Design creator Dr. Ann Cavoukian, for an in-depth understanding on how to prepare for the GDPR. 

 By Alex Loo, VP Operations, Echoworx

14 Mar 2017
GDPR: Will You Weather the Security Storm?

You would think that simple and secure communication with employees and customers would be top of any financial services firm’s checklist, wouldn’t you? That the need for confidentiality and regulatory compliance had never been greater? Especially given that financial data has been among the most commonly exposed and stolen in recent breaches. Think again! Our survey last year found that despite 83 per cent of financial services professionals using email more than any other form of communication, 23 per cent either do not use or are unaware of any email and file sharing encryption technology in place.

It’s time for businesses to batten down the hatches, because the General Data Protection Regulation (GDPR) is coming and businesses are worried about its impact. The European Commission has passed new pan-region regulations, which will come into force in April 2018. Businesses that don’t comply with the new laws could face fines of €20 million or four per cent of global turnover – whichever is greater. Fines of this level will have a significant impact on any business. You only have to look at the costs incurred by TalkTalk following its high-profile data breach last year (£60 million and counting, and a considerable loss of customers) to see how fines like this could keep the CFO awake at night.

We hosted a roundtable event for CIOs and CISOs of financial services companies. Most admitted that they knew something needed to be done about GDPR compliance, but they didn’t know where to start. It was clear from talking to these senior financial services industry figures that companies are wholly aware of the threat posed by cyber attackers and hackers, and have already taken action against it. However, the pressure to reduce costs is a struggle felt by all. Research by TheCityUK Cyber Taskforce (p.11) found that 46 per cent of companies have cyber threats as a key concern to their business, compared to just 10 per cent in the same survey a year earlier.

It’s not just internal email that needs to be covered by the right level of security. External communication with customers needs security measures too. Stories of cybercrime and data breaches continue to hit the headlines daily, while consumers are more technically and security savvy than ever. In fact, a recent survey by the US Dept of Commerce found that 45 per cent of consumers reported that cybersecurity concerns stopped them from conducting financial transactions online.

Financial services organisations should have strong encryption solutions in place that are both manageable for the business and meet the needs and expectations of customers. Banks have continued to resist because they think it is too complicated. Many argue that customers won’t understand how to use more complex security solutions. This simply isn’t an excuse any more. There are plenty of options on the market that have put user experience at the centre. A valuable email encryption solution makes the process simple for both sender and recipient.

The cost of a data breach to a financial services organisation goes far beyond just financial considerations (although with the prospect of huge fines looming as part of the GDPR, it’s certainly a substantial worry). Reduction in customer confidence and reputational damage are equally expensive contributing factors. For a long time, FS companies have upped their security precautions at the perimeter of their businesses. Now they need to extend this protection to their customers as well. Issues like the TalkTalk breach, along with new government powers to snoop in the form of the Investigatory Powers Bill, have left customers more worried than ever before about the security of their data. Banks need to act fast to reassure customers and to avoid churn to a more secure rival. Moreover, all FS companies must ensure they are compliant with the GDPR, by embracing encryption of personal data and the whole idea of security and privacy by design, before it hits in 2018.

The General Data Protection Regulation (GDPR) comes into effect across Europe in May 2018, and US and Canadian companies who think it doesn’t affect them are in for a rude awakening, with fines of €20 million or 4% of your global revenue, whichever is higher!

To learn more about GDPR watch our webinar with Privacy by Design creator, Dr. Ann Cavoukian.

 By Jacob Ginsberg, Senior Director, Echoworx

This article originally appeared in the Global Banking & Finance Review

06 Jan 2017
A Welcome Reset for Citizen Privacy

Canada’s Public Consultation on National Security

The notion that we are being watched digitally has, seemingly overnight, become something many people now accept as a fact of life in the modern, post-Snowden world. Much of the news around citizen privacy, as always, has been focused on the US, but are we on the sidelines? Canada is an active participant in the Five Eyes program, has rolled out the now politically toxic Bill C-51, and as members of NATO, NORAD, and enough acronyms to fill an alphabet soup, we are very much an active player. Not to mention how connected we are on a personal level to the greater world. I may be Canadian, but I hold no illusions about my data – I exist online, along with my purchasing and travel behavior, web searches, e-mail and social media conversations, what TV shows I watch, and very often my location, on countless servers around the world – and the same goes for you. The more interesting question, now that extra-legal surveillance has become the de facto standard, is how governments have reacted and where, policy-wise, we go from here.

Drawn to the dark side

Both the US and UK have decided to go one way, attempting to drag extra-legal surveillance into the realm of legitimacy. In the US, Edward Snowden remains a persona non grata, the FBI has attempted to use the All Writs Act to compel Apple to write software that would break security features, the use of Stingray devices at a local level is accepted, and the list goes on. The UK, too, has been mulling over legislation in the draft Investigatory Powers Bill that would compel internet service providers, telecom companies, and other services you rely on to turn in information about your habits without a warrant. Canada, in its own right, has made some concerning moves to the dark side. C-51, for instance, was a worrying enough debacle that the Liberals needed to reaffirm that yes, they do, in fact, still believe in the Charter. More recently, this summer the Canadian Association of Chiefs of Police began vocally calling for the power to obtain people’s phone passwords in the course of an investigation.

Opportunity for a reset

But it appears as if we’ve been afforded the opportunity for a reset. The Canadian government has opened up several public comment periods this year surrounding national security, and specifically how it will adapt to investigations in the digital age. This is an encouraging step to allow citizens’ concerns to be heard and offers the opportunity to make improvements to Canada’s national security laws and regulations, namely C-51. And while it takes two to tango, and some citizens are hesitant about the effectiveness of such consultations and the government’s reply, it is the responsibility of our democracy to respond and adjust in a way that accommodates the public, as that is its hallmark.

The voice of resistance

Thankfully, the voice of resistance and, in this case, reason, continues to get louder and more forceful around the globe when it comes to issues of privacy versus security. Apple was willing to stare down the government rather than publicly compromise the security of its users. Alex Stamos, former CISO of Yahoo, resigned when he learned of a secret program whereby the government could search the e-mail of all Yahoo users in real time, without a warrant. With the public consultation, we too have the opportunity to voice our objection to these larger trends towards the invasion of citizens’ lives and the lowering of barriers to violating privacy.

So I, along with hundreds of others in the Canadian security industry, took part in the public comment period the government had devoted to national security. Hopefully you did the same. This was an opportunity to defend our fundamental rights and reset our legislation on citizen privacy.

Now, we sit back and wait to see how, in the face of an incredible amount of technological power, this government decides to treat its citizens – as an information mine to be exploited, or as the country’s most precious resource to be protected. We will be watching.

By Jacob Ginsberg, Senior Director, Echoworx

27 May 2016
First the IP Bill, Then What?

In the face of democratic debate, against all the clamoring voices of human rights organizations, global tech firms such as Facebook and Google, lawyers, journalists, and a host of academics; it seems that with regrettable flippancy, the Investigatory Powers Bill will be passed later this year.

The UK government’s plan for mass surveillance opens the door to indiscriminate and intrusive ‘snooping’. Furthermore, the provisions set out by Theresa May could undermine almost all cybersecurity and encryption measures currently in place. These two powerful and cogent arguments have been meekly put forward in parliament, and have now seemingly been rejected by the UK government.

The human rights impact of the Bill on British people will be huge, but very little has been made of the global and economic ramifications. The Bill, while costing the country billions in lost business, could also legitimize similarly heavy-handed practices in other states.

The UK government has shown that even in one of the most technologically developed countries, privacy can be eroded by circumventing the democratic process. The message from the UK is clear – it’s acceptable to pass ambiguous ‘snooping’ laws with very little backing. This sets a dangerous precedent and creates a genuine risk that other countries will adopt a similar approach of using a general lack of understanding and capitalizing on fear to push through laws which destroy user privacy.

Other major states are already considering similar moves. France’s parliamentarians recently reformed a penal bill that would punish companies if they refused to provide decrypted versions of messages their products have encrypted. For now, the French government has rejected encryption backdoors as ‘the wrong solution’, but the debate is at a tipping point.

After WhatsApp announced it would push encryption further into everyday life, it immediately fell into hot water in Brazil for not storing messages demanded by the country’s courts. After various delays, Google has also moved to default encryption in the most recent release of Android, while Amazon has backtracked, promising that encryption will make a return on its newest Fire operating system. Most infamously, the FBI vs. Apple debate has rolled and rolled, and finally seems to have come to an inconclusive stop.

What is clear is that across the globe there is fast becoming a divide – governments vs. technology companies. The UK has set the precedent: simply pass draconian surveillance laws, and the problem is solved.

The global implications are huge, but the Bill will also cost taxpayers in two tangible ways. The government estimates that implementing the Bill will cost £174m, while experts suggest the figure will be well over £1 billion. These figures are based on a similar scheme that was rejected on cost grounds in Denmark, and have been scaled up proportionally for the UK.

Far larger, however, is the economic cost when companies flee Britain’s shores when the Bill passes. Companies are concerned that the proposed Bill will introduce state security into the heart of day-to-day operations, and will therefore move headquarters further afield. The UK’s data storage/hosting market would be crippled and the country could lose over £10 billion worth of business almost overnight.

The Bill hardly instills any confidence, especially while the implementation and ramifications barely seem to have been considered. A war over encryption is likely to rage, and its impact on the digital economy and day-to-day lives cannot be overstated.

By Jacob Ginsberg, Senior Director, Echoworx

This article originally appeared in Info Security Magazine