Aligning Security Spending With Risk

I remember reading an article in CIO Magazine that claimed an auditor told Jason Spaltro, executive director of information security at Sony Pictures Entertainment, “If you were a bank, you’d be out of business.” The article, by Allan Holmes, was entitled Your Guide To Good-Enough Compliance. It sought to explain why CIOs and CISOs are so overwhelmed by the demands of their jobs that they did not have the time to invest in reconfiguring electronic systems and processes to meet regulatory requirements.

In the article, Jason Spaltro of Sony was quoted as replying: “it’s a valid business decision to accept the risk [of a security breach] I will not invest $10 million to avoid a possible $1 million loss.” These comments would come back to haunt Spaltro in November 2014 when Sony was breached by a criminal group. The total cost of the breach is not yet known but estimates vary between $150 and $300 million.

According to the 2014 US State of Cybercrime Survey, “While organizations are more concerned about cyber threats, our research finds they have done very little to strategically invest in cybersecurity and ensure that it is aligned with the overall business strategy.” Well that’s easy for them to say: It is very difficult to put a monetary figure on the cost of a data breach because every business is unique, and every breach impacts different businesses in different ways. Let’s face it, security measures don’t come cheap, and justifying the return on investment – the return on problems that don’t occur – can be a hard sell to senior executives. Even trying to estimate the cost of a future breach can be tough, not least due to the intangible values of reputation, damage to the brand, loss of current and future customers, and reductions in the share price.

It also does not help that IT Security budgets are often lumped in with a company’s IT spend. If the CISO is subordinate to the CIO, it is quite likely that next year’s proposed IT projects will be compared to the proposed IT Security projects without effective reference to the risk factors, thus the latter projects will lose out.

An example of a good balance between the cost of protection and the risk of a data breach is in the handling of emails. There are several ways to secure emails: they can be encrypted while stored in the server (data center), encrypted while stored in individual users’ computers, or encrypted while in transit across the public internet. All three are possible to implement, however the former two are cost prohibitive. While it is relatively inexpensive to encrypt and store emails, it requires enormous computing power to search for specific topics and phrases. That is, it would be extremely expensive to find a specific email you sent to a client six months ago because every email on the server, or computer drive, would need to be decrypted to see if it was the one being searched for.

The good balance would be to encrypt emails while in transit, and store them behind an effective firewall in clear text. This solution typically costs less to implement than the first two solutions, but saves enormously in later eDiscovery costs. It also secures emails when they are at their most vulnerable – as they transit the public Internet between senders and recipients.

Zix has a number of email encryption solutions that can help you balance your security spending with the real risks to your organization’s security. To learn more, click here.

Posted in Email Encryption | Tagged , , , | Leave a comment

Customer Spotlight – Knoxville Finds ZixCorp a No-brainer for Protecting Patient Privacy

As you may have noticed in the news recently, banks and large retailers are no longer the only companies susceptible to large-scale data breaches. With the amount of information traveling between doctors and patients, insurance providers and hospitals, hackers are starting to capitalize.

That’s why Knoxville Hospital & Clinics in Iowa chose ZixCorp’s email data protection suite — including ZixCorp Email Encryption Services and ZixOne Bring-Your-Own-Device (BYOD) solution — to grant employees secure email access within the hospital and on-the-go, while still meeting regulatory obligations like HIPAA and protecting patient privacy.

“The switch to ZixOne made sense to our doctors, nurses and IT administrators,” said Thom Richards, regional CIO for Knoxville Hospitals & Clinics. “With our previous MDM solution, if an employee’s phone were lost, administrators would be required to wipe it of all data — both work and personal. It was frustrating.”

With the ZixOne BYOD solution, if a Knoxville employee loses his or her phone, an administrator can simply disable corporate email access on the specific device — eliminating the need to worry about sensitive information falling into the wrong hands and causing employee frustration. Because the data doesn’t actually reside on the device, there is never a need to remote-wipe.

Due to its easy-to-use interface and regulatory compliance, ZixCorp’s email encryption solution is trusted by one in every five U.S. hospitals and more than 30 Blue Cross Blue Shield organizations. By choosing ZixCorp, Knoxville Hospitals & Clinics is now part of the larger Zix Encryption Network (ZEN) — more than 11,500 companies strong and growing. ZEN offers end-to-end encryption to senders and receivers within the network, making it ideal for the healthcare industry where there is frequent communication between different parties.

“Adopting Zix Email Encryption was a no-brainer,” said Richards. “We’re able to seamlessly communicate with our partners and other affiliated hospitals because chances are, they’re in the network too.”

About Knoxville Hospital & Clinics:

  • Founded in 1935
  • Member of 15 hospital affiliation network throughout Iowa with over 800 clinical and administrative staff
  • Cares for the Knoxville community with everything from wound care, to health coach services and family medicine

Posted in Bring-Your-Own-Device, Company News, Email Encryption | Tagged , , , , | Leave a comment

Protecting Your Clients at Tax Time

The IRS says that tax-refund fraud is expected to soar again this tax season and to hit a whopping $21 billion by 2016, up from $6.5 billion two years ago. Why is this? Joe Public does not realize that the public Internet is just that — public. Anyone, anywhere on the globe, can intercept information in transit across the Internet and use it for nefarious means. OK, OK, you and I both know that all a criminal needs to do to make a fake filing and get the refund is have a name, date of birth and a Social Security number. However professionals shouldn’t be wringing their hands and saying there is nothing they can do. Remember, the great advantage to the tech-savvy consumer of using an online automated tax preparation service (TurboTax, H&R Block, TaxACT, etc.) is that the software creates a secure link between the consumer’s computer and the tax service’s server. And is it not these online services that have been eating into your core business?

Studies from the Federal Financial Institutions Examination Council (FFIEC), the Consumer Financial Protection Bureau (CFPB) and others indicate that a large proportion of financial professionals of all kinds continue to send and receive documents containing Non-public Personal Information (NPI) via email, thus exposing their clients’ most precious family and financial information to the public Internet. Criminals can have a field day targeting your clients and not just because they “work” during tax season and they have a ready-made source of targeted email domain names to observe. It’s because you distribute your email address freely.

For you, the tech-savvy consumers are probably a lost cause. However your existing clients are not, and you have a fiduciary duty to protect their information as it passes back and forth between you. You may be old-school and still use a courier service, but such services are probably eating into your margins. Email, on the other hand, is not only very cheap, but also fast, convenient, and limits the number of paper copies of documents you need to print out or store. However using traditional email is like sending a picture postcard through the mail — anyone can read it en route. Let’s face it, a criminal could open your mailbox, read the postcard and then return it to the mailbox; you would never know. The difference with email is that not only can the text be read, it can also be altered by the criminal, and again you would never know. Hence, for example, the criminal would not even need to send off a bogus tax return on January 1. If he wished to, he could change your client’s banking details in an email, and you would supply the IRS with the criminal’s bank account.

So how can you protect your clients? It is really quite simple. Email encryption has come a long way in the past few years. It used to be that you would need a four-year degree in computer science to understand encryption — not any more. Many solutions will create a branded portal for your company — a Web page that is tailored to your business and for your clientele. You or your staff need not know anything about encryption. Any email containing NPI is automatically encrypted in the background and sent to your secure portal. At the same time, an automatically generated email is sent to your client with a Web link to click on, with very simple instructions on how to see the encrypted email, and to download the encrypted documents. It used to be that clients had to follow a laborious sequence of instructions and would soon become disenfranchised. No more. Two clicks and one password is all that is required. What’s more, replies from your clients are also encrypted. In fact they can send you encrypted documents at any time using your encrypted email portal.

Tax preparation professionals still have the luxury of being respected and trusted by their clients. Let’s deserve that trust by protecting them with modern email encryption.

Posted in Email Encryption | Tagged , , , | Leave a comment

Today’s Lesson in Data Privacy: Educating the Educators?

The marketplace for stolen data is active and alive within the Web. While the going rate for a stolen Social Security number is only about $1, medical records and banking information – both rarer and more data-rich – can earn anywhere from $50 to $1,000!

Looking at the headlines over the past year – Target, Sony, J.P. Morgan, etc. – it makes sense that hackers set their sights on these companies because they deal with credit card numbers, Social Security numbers, bank account numbers and health records on a daily basis.

But, hackers continue to evaluate new targets.

Recently, the University of Chicago, University of Auburn and UC Riverside all reported data breaches, exposing the SSNs, logins, academic information and email addresses of hundreds of thousands of current and former employees and students.

Between the Bursar’s Office, the student health center, financial aid information and academic records, there are vast amounts of sensitive data at the average junior college or four-year university that students, teachers and staff alike would not want to be leaked.

While the study is just about a year old, the Ponemon Institute reports that the education industry has the second highest per-capita data breach cost of all industries at $294, with the overall mean per U.S. industry costing $201. And in most cases, data breaches are caused by a remote, malicious attack.

In addition to being a treasure trove of data — unlike healthcare and financial institutions — there aren’t security mandates in place. This lets higher education institutions take a more laissez-faire approach to security. Regardless, these institutions need to step up their levels of protection to prevent unauthorized access.

Beta News posted a handy infographic that is a great resource for higher education IT departments concerned with privacy. It details five practices that include automated backups for lost data retrieval, real-time security platforms, compliance frameworks, security reports and data archiving.

But we noticed one piece to the puzzle was missing: email security.

Email can be as easy for a hacker to read as a postcard passing through the mail. Sure there are harmless emails passed between student and professor discussing an upcoming assignment, but what about emails containing some of the sensitive information discussed above? Without the proper security measures in place, an unauthorized person can capture emails as they travel across the Internet, and worse, the institution may never know it’s happening.

While email encryption isn’t the silver bullet to safeguarding sensitive information at universities, it should definitely be part of the overall solution.

Protecting email isn’t painful or difficult. It can actually be as easy as hitting “send.” Before evaluating solutions, take a look at the email encryption checklist.

Posted in Email Encryption | Tagged , , , , | Leave a comment

The Community of Trust for Email Encryption

Back in 2007 Jay Heiser, a respected researcher in on-line security and privacy, described a Community of Trust*, this being a secure, multi-organizational collaborative community working within a highly trustable digital environment. The topic of the Community of Trust came up several times during last week’s Zix Webinar. During the webinar, I had the pleasure of interviewing Frank Klimczak of Genisys Credit Union based in Michigan whose company has been a member of the Zix Community of Trust for over eight years.

Frank described in some detail how easy it is for the staff at Genisys to use the Zix Community of Trust when exchanging documents not only with business partners, but also with the health insurance company that looks after the needs of Genisys Credit Union’s own staff. For Genisys, the administration of the Zix solution is a breeze, and for the non-technical staff there is no effort at all in using the solution: the automated system is working in the background 24/7 and so there is no loss of time or productivity and no distraction from core activities.

From the webinar, the main points were:

  • A 2014 FFIEC study demonstrated that there are still banks and credit unions who are not taking “basic cybersecurity action” to protect their customers and their business.
  • Encrypted email secures Non-public Personal Information (NPI) as it transits the public internet.
  • A Community of Trust provides a number of advantages over traditional email encryption, including transparent delivery within a high-trust digital environment.
  • The agencies within the FFIEC (including the NCUA and CFPB) are already members of the Zix Community of Trust, so it makes sense for banks, credit unions and financial institutions to join the same high-trust digital environment.
  • Zix, the market leader in email encryption, already has over 11,500 companies and many millions of users protected by its proven solutions.
  • Customers who use providers that have Zix solutions tend to remain with these providers.

If you’d like to watch a recording of last week’s webinar, please click on this link.

* Heiser, J. (2007), How to Create a Community of Trust, Gartner, Inc., Stamford, CT. Research ID Number G00145683.

Posted in Technology | Tagged , , , | Leave a comment

Securing Mobile Devices with the Remote Wipe Instruction – Or Not!

I’ve just been reading through technical notes that come with a big brand mobility solution. I won’t embarrass them by using their name, however one of their key statements is “If you lose the mobile device, you can use the remote wiping feature to prevent someone from obtaining your personal information from the device.” The notes continue on by giving the instruction sequence to follow to send the remote wipe instruction to the lost or stolen mobility device.

Another big brand website is a little more honest about lost or stolen devices: “If your device is offline, the remote erase begins the next time it’s online.”

Next time it’s online? Mmmm! What happens if the device never comes back online? This has got me to thinking, what would you be protecting yourself against by wiping your phone anyway? There is the possibility you’ve taken some embarrassing photos and my advice to you would be….don’t! I find the imagination is more fun anyway. However, most opportunist thieves are probably not interested in the data on your device: they just want to wipe the device and sell it, in which case they’ll do the wiping for you.

So just who are you trying to protect yourself against when you try to remote wipe your mobile device? Certainly not the opportunist thieves – the vast majority of the thieves who steal five million devices in the US each year. No, you should be worried about a tiny but significant minority of “professionals” who are on the lookout for saleable information, be it bank account or PayPal details, passwords, intellectual property or corporate business data.

This tiny but scary profession has the ability to do great damage to individuals and to companies if one of your devices should end up in their hands. You see, while the opportunist thief is not a threat to your data security, the information broker – to whom he may sell the device – is. And if the information broker is smart enough to root or jailbreak your device, or compromise the keychain, then you can bet your bottom dollar that he has sufficient smarts to get his team to protect their stolen devices against your remote wipe instructions.

How they do it is very sobering as we remember that most of these devices were not designed for security: they were designed for ease of use. Hence it is fast and simple to activate airplane mode, it is almost as fast to power the device down – and neither of these actions require the entry of a password or thumb print. And even if the manufacturers ever do require a password in the future, there are still Faraday bags that you can order over the Internet, or a square of kitchen foil (see my picture below) ready in the thief’s pocket. Wrap the device in aluminum foil and the remote wipe instruction will never be received, ever.

So dear reader, please beware.  Do not be relying on a remote wipe instruction to get you or your company out of trouble. Pick a mobility solution that does not store the important data on the device, the solution that never requires a remote wipe – because there is nothing stored that requires to be wiped. Pick the secure viewer solution – ZixOne.

Posted in Bring-Your-Own-Device | Tagged , , , | Leave a comment

Email Decryption: Breaking the Code on Our Hidden Messages

At Zix, we love encryption. We’re fascinated by the many ways encryption protects information not just today, but throughout history. So we are sharing some coded messages that recently appeared in a few of our outgoing emails. See if you can crack the code before looking at the hints!

The first email was fairly simple.

Here was the encrypted headline we sent out:

AJY JT UIF XPSMET MBSHFTU TIBSFE BODSZQUJPO DPNNVOJUZ XJUI PWFS GPSUX-GPVS NJMMJPO NFNCFST.

The cipher was a classic 1-letter cipher:

ABCDEFGHIJKLMNOPQRSTUVWXYZ

BCDEFGHIJKLMNOPQRSTUVWXYZA

Here’s the decrypted headline:

ZIX IS THE WORLDS LARGEST SHARED ENCRYPTION COMMUNITY WITH OVER FORTY-FOUR MILLION MEMBERS.

The second email was a bit more challenging.

Here’s the coded message:

RXREO ZPLFMR RDQPM RHUNQLFRK CRVWRRL DRDCREZ YA VNR JPH LRVWYEB PZ QIVYDQVPUQMMO RLUEOGVRK.

2

For the encryption, we stacked two ciphers. The first was a 3-letter cipher followed by a substitution cipher to break up the pattern:

ABCDEFGHIJKLMNOPQRSTUVWXYZ

DEFGHIJKLMNOPQRSTUVWXYZABC (3-Letter Cipher)

QCUKRAFNPSBMDLYGTEZVIXWHOJ (Substitution Cipher) 

Here’s the message for the second email:

EVERY SINGLE EMAIL EXCHANGED BETWEEN MEMBERS OF THE ZIX NETWORK IS AUTOMATICALLY ENCRYPTED.

The third email was the most challenging.

Here’s the message encrypted:

QPG HM HQWT EHMZMBHZZ ZPUVZVWVZQPU TRDR BZZ DLZHZ GPETARVZQP.

To make this one more difficult, we stacked 3 unique ciphers. We started with a 1-letter cipher to the right:

NMD HM ENTQ EHMZMBHZK HMRSHSTSHNMR TRDR YHW DLZHK DMBQXOSHNM.

Then we applied a 3-letter cipher going left to the first word and every other word after that:

QPG HM HQWT EHMZMBHZK KPUVKVWVKQPU TRDR BKZ DLZHK GPETARVKQP.

And finally, we added a rule to change every “K” to a “Z”.

QPG HM HQWT EHMZMBHZZ ZPUVZVWVZQPU TRDR BZZ DLZHZ GPETARVZQP.

Here’s the third message decoded:

ONE IN FOUR FINANCIAL INSTITUTIONS USES ZIX EMAIL ENCRYPTION.

Of course, our email encryption uses much more sophisticated encryption methods, but we hope you enjoyed our riddles. Please let us know if you were able to crack the code on any of our email messages.

Posted in Email Encryption | Tagged , , , , | Leave a comment

GAME: The New Secure Email App for Google Apps Users

I’m a big fan of Google. For several years now I’ve used Google Voice numbers to filter calls both to my personal smartphone and to our home phone. My wife loves Google’s global spam filter that has silenced our home phone around dinner time. I use Google Maps whenever I travel. So too, I like Google Apps for Work: If you’re not familiar with Google Apps, it comes with reams of cloud storage space and a multitude of work collaboration tools. I personally use Smartsheet, an online project management suite, while a good friend of mine recommends CloudFactor, a Google App that allows him to access Salesforce.com data from his Gmail account. Another friend has a very positive view of Appogee, an HR management tool.

Therefore you can imagine my delight to discover that Google Apps now offers an email encryption service specifically designed to work with Google Apps. Security breaches have been in the news a lot recently, and the Edward Snowden revelations about message interception demonstrate that email is at its most vulnerable when in transit across the public Internet.

Unlike most other email encryption solutions, GAME (Google Apps Message Encryption) works seamlessly with Google Apps, operating automatically in the background to secure any emails you or your staff send that contain sensitive data in the email body or in any attachments.

There is a GAME Global Directory that automatically aids identification of, and secure delivery to, other GAME subscribers, and they enjoy automatic transparent secure delivery. That is, secure emails are automatically decrypted at the destination and appear in the recipient’s inbox as a plaintext message, just like the other messages in their inbox. Just so the recipient knows that the email has been encrypted in transit, a banner at the top of the decrypted email informs him of this: a nice touch. When sending secure emails to non-GAME-subscribers, the recipient receives an easy-to-understand notification email that gives instructions on how to view or decrypt the secure message in just two easy steps.

What could be easier? A proven email encryption solution that fuses with Google Apps, that is fully hosted in the cloud, and that requires no infrastructure investments or up-front costs. Just an easily manageable monthly subscription.

You can read more here.

Posted in Email Encryption | Tagged , , , , , | Leave a comment

Human Error Leads to Exposure of 31 World Leaders

Thanks to The Guardian newspaper and a freedom of information request, I’ve just read that the personal information of 31 world leaders was exposed due to human error and the ease of hitting the “send” button.

Handout photo, courtesy of G20 and Getty Images

The breach was caused by a staff member at Australia’s Department of Immigration while world leaders attended the G20 Leaders’ Summit in Australia last November. According to the BBC, ‘The breach was said to be the result of “human error”, with the sender forgetting to check the auto-fill function in Microsoft Outlook’s email service before hitting send.’

In addition to dates of birth, titles, nationalities and so on, the email included sensitive information such as the passport numbers and visa numbers of US President Barack Obama, UK Prime Minister David Cameron, Russian President Vladimir Putin, German Chancellor Angela Merkel, Chinese President Xi Jinping and 26 other world leaders.

The data loss was not made public at the time and we have The Guardian newspaper to thank for uncovering this particular leak. I am absolutely certain that only a tiny fraction of such leaks are ever made public: they happen every day and, while organizations often don’t find out about their leaks, when they do they rarely admit to them for fear of losing customers and share value. I’ve said this before and I’ll say it again: busy people make mistakes. In the rush to squeeze as much work into busy schedules, it is a statistical certainly that sensitive data will be included in the wrong email sent to the wrong person. The only way to prevent data loss due to human error is to utilize an automated data loss prevention solution such as ZixDLP, a data loss prevention solution that is working in the background twenty-four hours a day, seven days a week.

ZixDLP can be deployed in less than one day. It is easily integrated into your current network and administering it is simple – that is, you don’t need more staff. Outbound emails and their attachments are scanned by ZixDLP in real time, and if sensitive data is detected going to an inappropriate address, the email is sent to a quarantine system, thus giving you and your employees a second chance to check the content.

Don’t go exposing your clients, staff and business to avoidable data loss: take action before you get hit.

Posted in Data Loss Prevention | Tagged , , , , | Leave a comment

Why We Don’t Think Twice Before Hitting Send

One of the (many) revelations to come out of the Sony hack fiasco is that as a collective population we often don’t think twice before hitting send on an unprotected email.

For instance, as news of the Sony hack began to unfold late last year, we saw reports of leaked emails containing candid (and not-so-nice) thoughts about celebrities, credit card numbers, passwords and more. The fact that executives were comfortable sending this information unprotected shows there is a serious gap between how email privacy is perceived and the reality of email security.

With all the information at our disposal about the risks of unprotected email, why do so many people in an organization — from CEOs to interns — still send unprotected email without giving it a second thought?

The “It Won’t Happen to Me” Mentality

You always hear stories about people not getting car insurance because they don’t need it. They think “I’m a careful driver, so I won’t get in an accident.” But they immediately regret that decision when they get in their first fender bender.

Every day in business you’ll find employees who subconsciously take the “it won’t happen to me approach” and, when sending emails, believe only the intended recipient will read their message or sensitive information.

In reality, sending an unprotected email is a lot like putting a postcard in the mail, in that the contents can be read along the way to the recipient. However, the information contained in company emails is a lot less frivolous than the “Hello from Hawaii!” greetings found on the back of a postcard.

It’s important to create a work culture that places security well before risk and provides an easy way for employees to make the decision to take the “better to be safe than sorry” approach.

Lack of Awareness about Security Risks

In general, most employees aren’t aware that “bad guys” can intercept their email through a man-in-the-middle (MITM) attack — just one of the many weapons cyber-thieves have in their arsenal.

MITM attacks come about by thieves taking advantage of vulnerabilities that allow them to see transmitted data in clear text. For instance, with the “Heartbleed” bug, as many as 10,000 sites were affected by the security flaw that allowed hackers to steal valuable data even when HTTPS was enabled (and users thought their traffic was secure).

This is where employee education comes into play. The more informed employees are, the more likely they are to take the appropriate steps to secure email.

Sending Sensitive Emails Unintentionally

When sending dozens — if not hundreds — of emails a day, even the best-intentioned employee may accidentally send out an unprotected email containing sensitive or personal information.

Companies need to adopt an approach in which all emails are protected to avoid any sensitive information slipping through the cracks.

If you have to ask, “Should I be encrypting this?” chances are you should.

When in doubt, look to Zix Email Encryption Services. Zix makes it easy to send encrypted email without inhibiting day-to-day workflow — it’s as easy as using a regular email solution and doesn’t let sensitive information slip through the cracks. With Zix, employees really won’t have to think twice before hitting send.

Send

Posted in Data Protection Trends, Email Encryption | Tagged , , , , , , , | Leave a comment