Questions CIOs Should Ask Before Adopting Email Encryption

For companies and CIOs, making the decision to implement encryption is just the first step in the process towards email security. With so many solutions and providers out there, it can be a daunting task to find the right one.

Don’t worry — Zix has your back. Below are five questions CIOs should ask before they choose an email encryption solution:

  1. Does the solution include a hosted, shared email encryption network?  

    Why not encrypt every email? The simple answer is that it’s really hard, and most solutions simply don’t accommodate the way people work today. Passwords? Portals? No one has the time to take those extra steps. By being part of a shared email encryption network, employees ensure that 100 percent of the emails they send to other users within the network are secured — and they don’t need to stop and take extra steps that slow down your business.

  2. Does the solution offer policy-based encryption filters?  

    Policy-based encryption filters play an important role by identifying and protecting sensitive information in emails and attachments. Occasionally, even the best-intentioned employees might not think an email needs encrypting, or they might forget altogether. To ensure compliance and guarantee that all emails containing sensitive information are secure, CIO’s should look for solutions that offer policy filters that scan all outbound messages. Industry-specific filters that can be customized for your business are even better. If the system suspects an email contains sensitive information, it will determine which emails must be encrypted and which must be quarantined.

  3. Is the solution easy to use?  

    Ultimately, email encryption is a business tool and should be seamless for both sender and receiver. Often, this is not the case, and wrinkles in the process can result in costly breaches in compliance (not to mention drops in productivity). An easy-to-use platform can help to ensure universal adoption within an organization. For instance, does the solution automatically decrypt inbound messages at the Gateway so recipients don’t need to bother? On the recipient side, does the solution automatically encrypt messages to simplify the process for them? Are reply, reply-all and forward messages automatically encrypted?

  4. Does the solution provider have a proven solution and reliable track record?  

    Not all email encryption solutions or providers are created equal. Choosing a provider is a long-term commitment, so make sure you do your reference check and use a solution that other organizations in your industry trust. You should also check whether the infrastructure has any certifications and accreditations, such as SysTrust/SOC 3 or PCI Level 1.

  5. Does your solution provider have you covered during and after the deployment?  

    The job isn’t over once an organization deploys an email encryption solution. First things first: Make sure you understand how long it will take to deploy the solution. You don’t want a major disruption to your business. It is possible to deploy a solution in less than a day. Once the solution is in place, employees at all levels must be educated on the ins and outs of email encryption and must understand how to use the solution. Additionally, you’ll want to make sure the solution is monitored and maintained by the vendor so it requires minimal ongoing resources from your team.

Are you in the process of selecting an email encryption solution? For more information on what to look for, check out our email encryption checklist.

Posted in Email Encryption | Tagged , , , | Leave a comment

The Oscars, Encryption and Real-Life Heroes

As a single man I always found the Oscars a bit of a drag: however as a married man I usually experience the Oscars vicariously – my wife enjoys watching the Oscars and I enjoy watching her. This year however I was delighted to see The Imitation Game win an Oscar. You see Alan Turing, the real-life hero of the movie, was a boyhood hero of mine.

Photo courtesy of JB Spector, Museum of Science and Industry

Enigma Machine: Photo courtesy of JB Spector, Museum of Science and Industry

I was an avid reader of military history, and I could not get enough of the documentaries being shown on the then new BBC 2 television channel. I learned that back in the summer of 1939, Polish military intelligence shared their knowledge of a state-of-the-art message encryption machine named Enigma with their allies, the French and the British. In a level of secrecy matched only by the US’s Manhattan Project, the British gathered their best mathematical minds at a place called Bletchley Park to work on codes and cyphers, and the Enigma machine in particular. The project was so secret that President Roosevelt and Prime Minister Churchill agreed only to speak of it when they met face-to-face, and never to refer to it even in the diplomatic bags passing directly between the UK and the US. Official historians believe that the efforts of the team at Bletchley Park shortened the Second World War by two to four years.

As a school boy, I read books about Enigma and counter espionage. For example there is a book and another true-life movie about The Man Who Never Was, a counterespionage trick to protect the Allied invasion of Sicily. Decoded Enigma messages confirmed that the ruse was working – and countless Allied lives were saved.

Not long after I arrived in the US, I visited Chicago. My hotel was within walking distance of the Museum of Science and Industry and I thought I would spend a couple of hours there. Instead I spent the entire day: You see, I discovered U-505, an ocean going submarine from the early 1940s. I found the story of the capture of the submarine captivating.  In June of 1944, decrypted Enigma messages revealed that U-boats were operating near Cape Verde, a group of islands in the Atlantic. The US Navy tasked a six-ship anti-submarine task force to search for these U-boats, and on June 4th sonar contact was made with U-505 and it was depth charged.

U-505 submarine on display at the Museum of Science and Industry

U-505 submarine on display at the Museum of Science and Industry

The captain of the U-boat brought it to the surface and, while abandoning ship, ordered it scuttled. In an act of great bravery, an eight-man party led by Lieutenant Albert David boarded the sinking U-boat to close the scuttling valves and disarm demolition explosives. As well as recovering charts and codes, the US Navy was elated to discover two working Enigma machines on board; and these priceless machines and codes were delivered to Bletchley Park before the end of the month.

Unlike these heroes, Alan Turing and the US Navy boarding party, most of us are fortunate not to be involved in a “hot” war. However we continue to be involved in a war to protect information, a war where encryption continues to play a part. Foreign governments collect corporate information that they pass on to their own domestic companies to give them unfair advantages. Organized crime tries to intercept internet message traffic to steal corporate secrets, banking data and employee personal information. This is when email traffic is most in jeopardy – when it is in transit across the public Internet. Nevertheless, we can protect this kind of information by utilizing email encryption. Email encryption is now so well developed that it can work in the background, twenty-four hours a day, keeping our emails secure without extra effort from us.

The Imitation Game is in theatres now. U-505 is displayed in a climate-controlled space at the Museum of Science and Industry, Chicago, Illinois. And I’m fortunate to be here in the warm office environment of Zix H.Q.

Posted in Email Encryption | Tagged , , , , , | Leave a comment

New Whiteboard Session from Zix

At Zix, we work hard for you. We are constantly working to develop even better ways to deliver secure email. In our continuing work to remain the leading service provider in this category, Zix has developed BMOD, the Best Method Of Delivery for encrypted emails. Click here to watch a seven minute whiteboard session with Neil Farquharson as he describes BMOD.

Posted in Email Encryption | Tagged , , , , | Leave a comment

Official: Humans are Lazy

I don’t know about you, but I love to study the follies of the human condition: how people often act in ways that defeat their own chances of success. For example, my wife’s friend who, when wishing to win the love of her new boyfriend, lit 50 candles and covered her bed in rose petals, thereby guaranteeing she would never see him again; or my neighbor who paid tens of thousands of dollars for a stomach reducing lap band operation, but wouldn’t shell out a few hundred bucks for a gym membership – with obvious sad results.

This is why I love reading Splash Data’s annual list of the 25 worst passwords found on the Internet. In remarkable acts of self-defeatism, people truly protect their personal and corporate data with passwords such as “123456” or “qwerty” or even “password.” It does seem quite incredible to me, but countless thousands of people believe that they and only they have come up with the unique secret password “letmein” or (my own personal favorite) “trustno1.” And frankly, it beggars belief that people think their choices of “batman,” “baseball” and “abc123” could not be defeated by a brute force attack within, say, one picosecond.

This folly, I believe, can only be explained by one unhappy conclusion: humans are lazy. It is not that people are intentionally lazy, it’s probably more to do with time crunch, our constant battle to find enough time every day to do everything that needs to be done, both personal and work related.

In our post-2007 work-more economy people are not only expected to work harder, but also want to work harder and be more productive. In one study employees in the U.S. most frequently cited job security as the reason why they would join an organization, and they’re willing to work hard to make their employer successful and their job more secure.

However there is an obvious downside: being this productive means there is no time left for complex, non-value-adding tasks. Tasks such as keeping a list of difficult to crack passwords, trying to remember these passwords during a busy day, going through procedural hurdles to maintain security, and checking that every email attachment is the right one.

The best way to support hard-working staff while ensuring the best email security is to come to the industry leader in email security. Zix has email encryption solutions and data loss prevention solutions tailored to your business type. Every email sent by your staff is scanned in real time to ensure that sensitive data is encrypted and mistakes by staff are caught before that data leaves your business. It does this in the background twenty-four hours a day, seven days a week. Leaving your staff to do what they do best – getting work done.

Posted in Email Encryption | Tagged , , , | Leave a comment

Making a BYOD Policy Matter

We’ve been hearing a lot of stories recently about how time-pressed staff try valiantly to keep companies efficient despite the difficulties of communicating quickly and effectively in our competitive and often understaffed business environments. We hear of staff using file sharing, personal email accounts, USB drives and DVD ROMs sent through the mail. The other day for example, we heard about nurses in a hospital who communicate with each other via SMS (Short Message Service), a ubiquitous but unencrypted way of sending texts.

The chances are their hospital and all the other business mentioned above have corporate policies for using mobility devices, and the staff have probably read these policies – albeit quickly – and signed the user agreement. The trouble is, in each case the corporate IT, HR or legal representative who wrote the policy probably did not have a good understanding of the complexities of using mobility devices in the workplace. Employees always find a way to keep businesses going not least because their customers or patients rely on them, but also because they themselves would like to remain employed. So who can blame them if their employer has a mobility policy that has been poorly conceived?

Mobile Device Management (MDM) has often been hailed as the ideal solution for managing BYOD in the workplace, however research into user acceptance shows that many if not most employees believe that MDM solutions are misused by employers to track their location, read personal emails and view the personal applications enabled on their BYOD device. Mostly these fears are unfounded, however we do know of one senior executive who admitted tracking the whereabouts of a young lady, yet when challenged was wholly unable to recognize that he was behaving unethically.

Not only do employees fear privacy intrusion, they also find using MDM solutions cumbersome. For example, over 90% of BYOD users disable the auto-lock security feature because it interferes with their ease of use.

Therefore an effective BYOD policy must be grounded in reality and must have the general understanding of, and agreement from the employees who will be using their BYOD devices. It must be understood that the relationship between employer and employee is – for most people – asymmetric. This means that the employer has the power to compel employees to sign a bad BYOD policy. With a good BYOD policy however, employees will understand that this is an opt-in decision, that they may need to relinquish some control over their personal devices, and that their privacy will be protected to a degree that a reasonable person would find acceptable.

Find out more here.

Posted in Bring-Your-Own-Device | Tagged , , , , , | Leave a comment

Best Practices — Keeping Data Safe with Third-party Providers

Your company is only as secure as those who have access to its data.

This includes third-party vendors and business partners such as HR, accounting and law firms, marketing agencies.

While vendors and business partners provide essential services to keep businesses moving forward, they also represent an additional variable when mapping out their cybersecurity plans. Since they may have access to sensitive business information, networks and shared portals, businesses must take the proper steps to keep their data secure.

A recent blog post published by the National Cybersecurity Institute provides excellent insight into how a company should evaluate and address security practices with its providers to ensure that data is adequately protected when it is outside a company’s network. Here are a few top takeaways:

  • Determine what suppliers are at risk. Not all vendors or suppliers have access to the same information. Evaluate what vendors have access to sensitive information so that you know which ones pose the highest risk for a data breach.
  • Discuss your cybersecurity concerns with your vendors. Meet with your vendors’ management to communicate the importance of cybersecurity to your business. Explain the potential issues that could arise from a data breach, and let your vendors know that this is a shared effort.
  • Determine what security measures they have in place. Ask your vendors detailed questions about their internal security policies and what measures they currently use to protect data. If a company isn’t adequately invested in protecting its own data, it will not put in the additional effort to protect yours.
  • Ensure that data is shared securely. Set up internal policies that regulate how data is transported between your company and outside vendors. Utilize an end-to-end encryption solution for data transfer, and designate who can transmit data between entities.

By opening the security dialogue with providers, you can make huge strides forward in safeguarding company data.

Through Zix, customers can comply with the highest industry standards and take comfort knowing the privacy of their customers and partners is secure.

For additional information, please view the ZixCorp Certification & Accreditation Datasheet.

Posted in Data Breaches, Email Encryption | Tagged , , , | Leave a comment

Regrets, I’ve Had a Few

I’ve just been reading about a new mobile application named Strings. The developers claim that they “wanted a way to spontaneously and fearlessly share everything from our most intimate moments and personal thoughts to our daily conversations with friends, family and colleagues.” And then presumably to delete these when they sober up the next morning.

As much as I wish Strings success with their new venture, I can’t help thinking that we’ve seen similar apps in the past, including On Second Thought and Invisible Text. The most successful of these has probably been Snapchat, a messaging app that allows the sharing of videos and images that supposedly “disappear” after a short period of time, usually after just a few seconds. In a scandal that broke last October, it was discovered that a third-party Snapchat client app has been collecting every single photo and video file sent through it for years, giving hackers access to a 13GB library of Snapchats that users thought had been deleted.

Just as there are times we wish we could snatch unfortunate verbal utterances from the air and stuff them back into our mouths, a holy-grail of email has always been the search for a method to recall emails we wish we’d never sent. I seem to remember that Microsoft Outlook had the facility to send a recall notice. For years, I worked for a large multinational company whose HR department loved to send out these recall notices, usually about once a week. Here’s a typical scenario: Jimmy Jones would send out a long missive about something profoundly boring and – predictably – with the wrong attachment. Five minutes later he would generate a second email with a subject line that read:

Jimmy Jones would like to recall his email “Don’t Forget About The Superhero Comic Convention Tomorrow.”

Then five minutes later, a third email would inform me that the convention was the day after tomorrow, and hopefully include the correct attachment. Although these emails did provide some value – they gave us someone to laugh at – I always felt that these recall notices simply drew our attention to the incompetence of the sender. Why didn’t Jimmy check his facts before sending the first email?

There is a potentially ominous side to this though: if Jimmy and his colleagues were making these mistakes with harmless though time-wasting information, how often were they – and countless other colleagues throughout the business – making mistakes with confidential company information. As much as we try to guard against sending confidential information to the wrong person, we all lead busy and stressful working lives. Without some form of automated help, it is almost certain that an occasional wrong email or attachment will be sent to the wrong person, leading to a data leak.

ZixDLP can monitor all your outbound emails in real-time to guard against such data leaks. ZixDLP combines tried and tested policy and content scanning capabilities with an intuitive quarantine interface, giving you a second chance to review suspect emails – and to avoid having any more regrets.

You can read more here.

Posted in Data Loss Prevention | Tagged , , , | Leave a comment

Happy Data Privacy Day! What Day?

While it may not be the most well-known day of recognition (yet), it is certainly important. In case you missed it, January 28, 2015 was the eighth annual Data Privacy Day (DPD). DPD is an international effort centered on respecting privacy, safeguarding data and enabling trust.

If we’ve learned anything from 2014 and years past, it’s that everyone is at risk of a data breach. Neiman Marcus, Michael’s, Home Depot, Sony and others were all hit hard last year – exposing millions and millions of Social Security numbers, credit and debit card information, email addresses and bank account numbers.

But if that’s not enough to prove data privacy is important, maybe the fact that over 90 percent of data breaches in the first half 2014 were preventable will convince you. DPD is all about encouraging and motivating users to consider the privacy implications of their online actions for themselves and others. There’s no such thing as being too safe with sensitive information.

So what were the experts saying?

As expected, the majority of opinions were about safeguarding yourself, your data and your company.

How did people participate?

The National Cyber Security Alliance hosted a Twitter chat focusing on the importance of privacy and online safety. Cybersecurity companies like Kaspersky, Norton and Intel Security chimed in, in addition to individual privacy advocates.

Taking things offline, cities across the country like New York, Atlanta, Austin, San Jose and San Francisco held cybersecurity events, with others expecting to follow suit in the coming months.

Did you celebrate Data Privacy Day? Tweet us @ZixCorp.



Posted in Privacy | Tagged , , , , | Leave a comment

Customer Spotlight — ZixCorp Makes the Team, Protects Patient Privacy

Just like a quarterback needs protection from his offensive line, personal health information (PHI) needs elite protection to be kept safe from unwanted eyes.

The healthcare industry is a repository for sensitive information, and when some of that information belongs to the Chicago Bears, the 2013 Stanley Cup Champions Chicago Blackhawks, the Chicago White Sox and Chicago Cubs, you want to make sure that compliance and protection go hand-in-hand with patient care.

Athletico, the preferred physical therapy team for Chicago’s pro athletes as well as 200 other affiliations, brings with it a certain level of expectation from patients that it strives to live up to. To safeguard patients’ PHI, Athletico uses the best solution on the market — Zix Email Encryption.

“We chose ZixCorp, because we wanted our clients to know we’re doing all we can to secure their PHI,” said Heather Franks, director of IT/IS Operations for Athletico. “We’re committed to thoughtful, caring service in everything we do.”

With Zix, physical therapists and staff can have greater peace of mind and don’t need to think twice before hitting “Send.” They are able to communicate securely without needing to take any additional steps, leaving them more time to focus on their patients.

“Before we installed the Zix solution, we were unable to send patient information securely via email. It was not a form of communication we supported or allowed,” said Franks. “If a therapist wanted to discuss a client’s case with the referring doctor, he or she had to do it by fax, phone or face-to-face. Zix Email Encryption lets us streamline how we communicate with both physicians and patients.”

About Athletico Physical Therapy:

  • Founded in 1991 and headquartered in Chicago
  • Facilities throughout Illinois, Wisconsin and Indiana with more than 1,500 clinical and administrative staff
  • Cares for all of Chicago’s professional sports teams, as well as 200 other affiliations, including high schools, colleges, performing arts groups and more

Posted in Email Encryption | Tagged , , , , | Leave a comment

This Is App Wrapping, Unwrapped

There’s a common misperception that just because a mobile device is secured — such as having an “unbreakable” passcode — that the data on the device is also secure. But, there is no such thing as an unbreakable passcode (especially if it’s just limited to four digits). To actually protect data on the device, there needs to be an additional layer of mobile protection.

This tends to come in two forms:

  1. MDM, which controls the entire device, OR
  2. Containerization, which separates the personal from corporate data

Both have their pitfalls, ranging from remote wiping to a less-than-stellar user experience.

That’s why companies have started trying a third mobile management strategy called app wrapping.

App wrapping can be compared to the wrapping on a chocolate bar. Similar to how the wrapper protects the chocolate, app wrapping adds an extra layer of protection around a regular mobile app, offering security and management features.

But don’t let the sweetness fool you.  This technique is a management and maintenance nightmare.

Between its burdensome implementation and required individual licensing from vendors, app wrapping is not as ideal as it sounds. Problems can arise when there is an app or OS update, requiring your team to update its app wrapping package and redistribute to users. This will raise havoc when you have implemented wrapping on multiple apps.

The best alternative to MDM, containerization and app wrapping is simply keeping corporate data off employees’ personal devices.

If a device is ever lost or stolen, no need to worry that someone will easily crack your passcode or jailbreak your employees’ phone. Companies can simply disable access to apps containing corporate information instead of wiping the device completely of all corporate and personal data. At the same time, companies can avoid employee complaints and liability associated with loss of control, personal data and privacy.

Don’t get wrapped up in ineffective security solutions.

You can manage employees’ mobile devices effectively by keeping the data off the device with solutions like ZixOne.

Android KitKat

Android KitKat

Posted in Bring-Your-Own-Device | Tagged , , , , , | Leave a comment