Tag: risk mitigation

24 Apr 2020

Spotlight on Email Security

People transitioned to remote work overnight, sending information like bids, intellectual property, medical records and personal customer data all through their emails. Protecting this data is vital.

You’re doing a great job protecting against inbound email attacks (spam, phishing, malware) but what about the email leaving your organization? Here are five of the most important factors to consider when looking for more ways to protect data being sent through emails:

1. Easy to use

Can a person easily send secure email without any extra steps? Sending an email is a behavior all of us do automatically; introducing encryption shouldn’t hinder this process. Likewise, the person receiving it should easily be able to open the encrypted email. Good solutions will take these behaviors into account and keep them quick and efficient. Organizations can easily adopt encryption as long as their workflow doesn’t change.

2. Easy to send

Does the solution support multiple delivery methods? If you’re communicating with other businesses, they may have an encryption method already set up. Your solution should support multiple delivery methods, like TLS, PGP and third party S/MIME to take advantage of this. A good solution should also support delivery methods that make it easy for anybody to pick up messages, through encrypted PDF/ZIP or a secure web and mobile web portal. Enterprise administrators should be able to select the delivery methods that best meet their business needs.

3. Easy to access

As organizations are increasingly adopting cloud based solutions, shouldn’t your encryption decision follow the same strategy? Can the solution run completely in the cloud, so you don’t have to run any software or hardware on premise? Cloud implementations save you deployment time and resources, and allow the encryption solution to grow with the company.

4. Easy to automate

Does the solution allow you to easily set scanning policies to inspect email subject lines, body, attachments, and take action accordingly? You may only want to encrypt emails that contain certain keywords or regular expressions like credit card numbers or other customer information. A good solution will use a robust policy engine to allow you to create and edit policies to determine what should be encrypted and how.

5. Easy to get approval for

Is the solution easy to integrate and manage across the organization? Can it adapt to your changing policy and regulatory requirements without impacting everyone? You can never predict where a security leak will come from. A cost-effective solution will be adaptive and scalable to meet a wide spectrum of business requirements, protecting all sensitive information from going out in the clear, not just that of executives or specific departments.
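The policy scanning described under factor 4, sketched as an added example (not Echoworx's or any vendor's code): it inspects the subject, body and attachment text of an outbound message for keywords and card-number patterns, then decides whether to encrypt. The keyword list, the message layout and the `encrypt`/`send` actions are assumptions, and attachment text is assumed to be already extracted.

```python
import re

# Illustrative policy (assumed): keywords and actions are not any product's rule set.
KEYWORDS = re.compile(r"\b(confidential|medical record|account number)\b", re.I)
# Card candidates: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    """Luhn checksum; filters out order/tracking numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cards(text):
    """Return masked card numbers (first 6, last 4) so reports never hold a full PAN."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

def evaluate(message):
    """message: subject, body, attachments {filename: already-extracted text}."""
    parts = {"subject": message.get("subject", ""), "body": message.get("body", "")}
    for name, text in message.get("attachments", {}).items():
        parts["attachment:" + name] = text
    reasons = []
    for where, text in parts.items():
        reasons += [f"{where}: card number {c}" for c in find_cards(text)]
        kw = KEYWORDS.search(text)
        if kw:
            reasons.append(f"{where}: keyword '{kw.group().lower()}'")
    return {"action": "encrypt" if reasons else "send", "reasons": reasons}

# Constructed sample messages (4111... is a well-known test card number).
SAMPLES = [
    {"subject": "Lunch Friday?", "body": "See you at noon."},
    {"subject": "Renewal", "body": "Please charge 4111-1111-1111-1111 today."},
    {"subject": "Shipment", "body": "Tracking ref 1234 5678 9012 3456"},
    {"subject": "Q3 files", "body": "Attached.",
     "attachments": {"patients.csv": "Medical record for J. Doe"}},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["subject"], "->", evaluate(msg))
```

The Luhn check is what keeps the 16-digit tracking reference in the third sample from triggering encryption, and the reasons list records only masked card numbers.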

It’s time we all get serious about securing email.

By Jacob Ginsberg, Senior Director Market Intelligence at Echoworx

14 Apr 2020

Encryption Expands, but Gaps in Adoption Raise Concern

Global information technology leaders tend to focus too much on senior executives at the expense of other business areas, raising concern and vulnerability.

A strong majority of IT leaders are deeply concerned with security and have adopted some level of protections for data being sent through email, a study by industry encryption leader Echoworx has found. However, a distressing 13% of the largest firms [with more than 10,000 employees] were not encrypting their sensitive communications despite the steady rise in attempted security intrusions.

“Cyber criminals, hackers, agents of industrial and government espionage all see unprotected email as an easy target,” said Echoworx Director Market Intelligence, Jacob Ginsberg. “In the first half of last year over 4.1 billion records were compromised as a result of security breaches, with a stunning 70% of those breaches being email related.”

Protection efforts are unevenly focused

In collaboration with Pulse, an online research hub for chief information officers, Echoworx surveyed 100 Chief Information and Chief Technology Officers (CIOs, CTOs) from North America, Europe, the Middle East and Africa.

As a pioneer in email data protection, Echoworx has researched attitudes toward protecting information and files sent using email for two decades. As early as 2004, it found that while 68% of IT executives had concerns about email privacy, fewer than half had developed a strategy using encryption to protect it. By 2016, 63% of firms had developed a strategy. The 2020 study found that 83% have now done so.

The rise in those top-line numbers has been encouraging, but further questioning exposed that protection efforts are unevenly focused. The tendency to limit encryption to the top of the corporate pyramid was noted, leaving vulnerabilities to data and files communicated through email in key areas including HR and payroll, product development, finance and more.

Asked how they were prioritizing the use of encryption, IT leaders said they had prioritized high-level internal messages (26%) followed by sensitive third-party data (24%), protected/regulated data such as medical or credit info (16%) and then intellectual property (10%). But when asked where they were prioritizing the access to encryption, IT leaders see Security, IT, and Engineering departments as being most in need of protection.

However, sensitive data and files are shared throughout an entire firm and with third parties, by practically all business lines and departments, in emails. The more limited email data protection and security are throughout an enterprise, the more at risk the company is for email breaches. That calls for a more collaborative and holistic approach, where the protection of data is available for all employees who may handle sensitive data.

Encryption reserved to select few

That’s currently not happening. Respondents said technology solutions for email data protection were often directed toward the top tiers of an enterprise, even though the measures could benefit whole companies. In most firms, respondents said using encryption to protect email was reserved for the “leadership”, “senior executives” and that it was “based on hierarchy.”

“IT leaders tell us they need to change the mindset, that enterprises need to take a more collaborative approach to address the gaps in email data encryption strategies,” said Jacob Ginsberg. “It’s essential to protect top executives’ communications, but when adopting a ‘zero trust’ strategy – for all messages both internal and external – you have to extend protections throughout an organization … to everyone.”

When building a zero-trust security environment, those who make purchasing decisions should evaluate all the network communication taking place in an enterprise, Ginsberg said. But among respondents, 59% said they had dedicated teams that study email security purchases, 31% said such decisions were made based on cross-department consultations, and a surprising 9% said that decisions were made solely by top executives.

Procurement missing the mark on zero-trust security

And even when procurement is a team decision, further questioning found it is often made by a team that doesn’t reflect the business’s diverse activities: 54% of respondents said the purchasing team was from a single department, while only 46% said purchasing team members included several departments.

“When protecting a company’s assets, most in the industry agree that more needs to be done to improve email security,” said Jacob Ginsberg. “Yet, this study shows that more needs to be done to ensure that email security technology decisions are balanced between the requirements of the whole business and the requirements of the security team.”

For the full insights, Echoworx has produced a one-minute white paper on the survey, asking CIOs how they think their encryption strategies stand up against today’s digital reality.

By Lorena Magee, VP Marketing at Echoworx

22 Nov 2019

Still Selling ‘Risk Acceptance’ to Your Customers?

As organizations continue their digital migrations, the list of cyber-threats, risks and vulnerabilities grows exponentially. From a more connected workplace to new laws and regulations governing privacy and data protection, keeping up on our ever-expanding digital world can be challenging and expensive.

One method to confront cyber-risk is to adopt a laissez-faire risk acceptance approach – where the costs of prevention seemingly outweigh the consequences of doing nothing at all. In this scenario, a bank or business takes a gamble that a cyber-security incident won’t happen or that they can just pay a nominal one-time fee if it does. In other words: Instead of protecting customer data, investing in streamlined cybersecurity solutions or sealing off a vulnerability, an organization simply opts to leave the door open with the hope that no one comes knocking.

The economics of risk acceptance in cybersecurity

Is risk acceptance the most-economical mindset in the short run? Assuming an organization is not the target of a particularly devastating attack, they might come out unscathed from the initial breach, with nominal fines or nothing at all. For example, if a cybersecurity solution is going to cost $250,000 to protect a $50,000 problem – it might not make initial sense to invest. But when you factor in brand damage, changes in regulations, emerging technology, and subsequent fines and class action lawsuits there are different angles to consider – especially when something big hits.

During the 2017 Equifax acquisition, for example, when a massive breach compromised the personal information of over 140M Americans, or nearly half the country, the Equifax brand suffered irreparable damage and has been ordered to pay up to $700M in fines. This all stemmed from their “failure to take reasonable steps to secure their network.” This breach is one of the worst to ever have happened in the US and, with 13 major breaches affecting mergers and acquisitions deals between 2014 and 2018, it was hardly the only one.

Do you think it was worth it? We don’t.

Customers won’t buy risk acceptance

Issues of brand damage come to the forefront of any risk acceptance plan once a breach occurs – regardless of size. Any customer-centric organization worth its salt knows that customers care about their personal data and do not reward businesses who do not value it enough to protect it. In fact, according to Echoworx data, 80 per cent of customers consider leaving a brand after a breach.

In a nutshell: You can’t afford to sell risk acceptance to your customers.

Instead of gambling with customer data, a true proactive choice involves taking every precaution to protect them with risk-mitigating defenses. Since digital trust and loyalty of customers is rooted in user experience and demonstrated brand assurance of safety, you need to offer flexible and streamlined cybersecurity solutions that work.

With our OneWorld encryption platform, for example, you can protect customer data in transit without affecting customer experience. With support for 22 languages, multiple branding options and configurable sets of encryption policies, our streamlined encryption experience ensures nothing is left to chance – including your customers.

Start selling risk mitigating encryption now.

Risk acceptance doesn’t cut it across borders

If you are an international brand, with offices all around the world, you might be boxed out of local markets if you can’t protect your customers. But investing in the bare minimum isn’t good enough either. In order to comply with different privacy jurisdictions, avoiding the potential for hammering fines or being excluded from a market completely, an organization needs to invest in flexible, streamlined and easy-to-understand proactive cybersecurity solutions.

Picture this scenario, for example: You are an organization based in the US which does business in the EU and is looking to break into APEC. From Europe’s General Data Protection Regulation (GDPR) to South Korea’s Personal Information Protection Act (PIPA) to California’s Consumer Privacy Act (CCPA) closer to home, you are now navigating a whole patchwork of privacy laws. How do you exchange your daily flow of sensitive data between offices?

Until recently, a company might be able to fly under the regulatory radar without encrypting sensitive communications. But more severe interpretations of these laws, like those regarding the GDPR in Denmark, now mean you can’t legally do business in some of these countries without an encryption solution flexible enough to accommodate different jurisdictional demands. That throws a pretty major wrench in any international business plan.

Enable your cross-border communications now.

Risk acceptance jeopardizes your digital future

As the saying goes: Ignoring the problem doesn’t make it go away. In the case of cybersecurity, inadequate investment in data-protecting technology can make current vulnerabilities larger, as business grows, or render an organization unable to adequately deal with future issues. And, in the case of mergers and acquisitions, not being flexible enough or set up to move with the technological tide can stall, cancel or, at the very least, lower the value of the deal.

In other words: In a world of ever-changing regulations, which are not going away, and new technology, which demands flexibility, if you adopt a culture of risk acceptance, you risk being left in the dust.

As a cloud-based Software-as-a-Service (SaaS) provider, Echoworx provides flexible solutions for organizations looking to update legacy message encryption technology. Many organizations, for example, need to reduce the complexity of their existing legacy solutions, like a legacy PGP system, into a single consolidated cloud-based platform. As a fully managed, infinitely scalable and geo-redundant encryption solution, our OneWorld encryption platform helps organizations get up to speed with secure communications and be prepared for whatever changes are around the corner.

Upgrade your legacy encryption system to the cloud now.

Risk mitigation is simple – yet effective

Investing in comprehensive data-protecting cybersecurity solutions for risk mitigation, as opposed to acceptance, is not a compromise for today’s customer – it’s an expectation. They expect airtight security for their valuable personal data – something they can get with or without your brand. The solution is easy: you don’t gamble with them; you protect them before something happens.

Protecting your secure communications with encryption is an effective way to ensure data in transit stays safe, you can easily adapt to new regulations and you can protect your own valuable company data and secrets. As a tool of risk mitigation, applying encryption to sensitive messages means you do not take chances when it comes to the safety of your data. This is an integral keystone of any merger or acquisition process – something that can affect the ultimate value of your deal.

A path to secure communications with OneWorld

Our OneWorld encryption platform is an important risk-mitigating addition to any customer-centric cybersecurity suite. With multiple flexible delivery methods, available in 22 languages, full reporting and extensive options to support multiple brands, OneWorld assures your customers that you do indeed value their business and data at every point of their customer journey. And its streamlined, user-friendly interface and definable, customizable set of encryption policies ensure data protection occupies a central part of any organizational business policy.

Protect your communications now.

By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx