This Is App Wrapping, Unwrapped

There’s a common misperception that just because a mobile device is secured — such as having an “unbreakable” passcode — the data on the device is also secure. But there is no such thing as an unbreakable passcode (especially if it’s limited to four digits). To actually protect data on the device, there needs to be an additional layer of mobile protection.

This tends to come in two forms:

  1. MDM, which controls the entire device, OR
  2. Containerization, which separates the personal from corporate data

Both have their pitfalls, ranging from remote wiping to a less-than-stellar user experience.

That’s why companies have started trying a third mobile management strategy called app wrapping.

App wrapping can be compared to the wrapping on a chocolate bar. Similar to how the wrapper protects the chocolate, app wrapping adds an extra layer of protection around a regular mobile app, offering security and management features.

But don’t let the sweetness fool you. This technique is a management and maintenance nightmare.

Between its burdensome implementation and required individual licensing from vendors, app wrapping is not as ideal as it sounds. Problems can arise whenever there is an app or OS update, because your team must then update its app wrapping package and redistribute it to users. This will wreak havoc when you have implemented wrapping on multiple apps.

The best alternative to MDM, containerization and app wrapping is simply keeping corporate data off employees’ personal devices.

If a device is ever lost or stolen, no need to worry that someone will easily crack your passcode or jailbreak your employees’ phone. Companies can simply disable access to apps containing corporate information instead of wiping the device completely of all corporate and personal data. At the same time, companies can avoid employee complaints and liability associated with loss of control, personal data and privacy.

Don’t get wrapped up in ineffective security solutions.

You can manage employees’ mobile devices effectively by keeping the data off the device with solutions like ZixOne.

Posted in Bring-Your-Own-Device

Artificial Intelligence: Friend or Foe?

A few days ago, the Future of Life Institute (FLI) published an open letter here, signed by a large number of eminent professors and industry leaders. The impetus for the letter can be traced back to early December when Professor Stephen Hawking, the renowned theoretical physicist from Cambridge University, warned of the dangers of letting artificial intelligence (AI) develop itself. That is, putting AI in charge of designing and building newer AI.


Up until now the idea of AI has largely been confined to science fiction: Isaac Asimov’s I, Robot series, recently made into a movie starring Will Smith, or the Terminator movies for example. Back in 1968 Stanley Kubrick and Arthur C. Clarke scared movie-goers half to death with 2001: A Space Odyssey when the computer HAL “had an acute emotional crisis” and started killing the astronauts. These dystopic futures have been regarded as good horror movie fare and not to be taken seriously – until now.

We’re already seeing early versions of AI being used, at least experimentally. One example is driverless cars, which will be tested on the open highway with artificial intelligence doing the driving. Doctor Ben Metlock, one of the signatories to the FLI letter, states: “Traditionally we have a legal system that deals with a situation where cars have human agents. When we have driverless cars we have autonomous agents… You can imagine a scenario when a driverless car has to decide whether to protect the life of someone inside the car or someone outside.” In other words, AI may soon be making life and death decisions autonomously.

Happily for us, automation – the little brother of AI – is still our friend. Automation can make decisions for us in real time, removing the hassle or drudgery of many decisions that would otherwise bog down our lives. One such automated system from Zix is policy-based email encryption. Humans like you and me can send and receive sensitive emails in the normal manner, thereby working at our full productivity. Operating in the background, the ZixGateway detects which emails need to be protected with encryption and which do not; and the ZixGateway will make these decisions in real time, consistently getting these decisions right.

I’m not sure that I want AI making life and death decisions for me, but I do like the ZixGateway for protecting the sensitive information in my emails.

Posted in Email Encryption

Privacy and BYOD – How our Landscape is Changing

I’ve been watching privacy issues here in the US and around the world, particularly as they pertain to BYOD. Let me tell you, 2014 was quite a year for privacy issues and individual rights.

Around the US we had a number of lawsuits by employees against their employers for expecting them to answer their phones and emails 24/7 but not paying them for this out-of-hours work. Then in May, the European Court of Justice ruled against Google, forcing Google to respond to demands to erase private information from browser listing – the so-called Right to be Forgotten. Then in July, US policing experts were stunned when, in a unanimous decision, the Supreme Court ruled that law enforcement may not look through a person’s cell phone or smart device without first obtaining a court order, essentially making a smartphone equivalent to a suspect’s home in terms of requiring a search warrant. And by the end of the year, six new states had joined the existing sixteen states that outlaw the practice of employers demanding access to employees’ social media information.

To me, all this implied a major shift away from business and employer rights toward individual and employee rights, and, in doing so, further muddied the water around BYOD. Let’s face it; traditional Enterprise Mobility Management (EMM) and Mobile Device Management (MDM) require significant management of their BYOD devices. It might be possible to create environments where personal information is guaranteed to be protected, but I have to believe that the coding would be cumbersome in space, effort and in administering such solutions.

In this article, Fiberlink claimed to have remotely wiped 81,000 devices in the first six months of 2014, with 49% of these being done without human intervention. In a separate report from Fiberlink, they stated that 86% of their BYOD wipes are of corporate data only. This implies that 14% include personal data. My arithmetic may be a little rusty, but this equates to over 11,000 personal data wipes in only six months. I think it goes without saying that many employees would find the deletion of private information reprehensible, but more importantly, does it expose employers to criminal or civil liability? And if it does not now, might it do so within a year or two? For example, the new General Data Protection Regulations in Europe extend the scope of the EU data protection law to all foreign companies, including US-based companies who process data of EU residents, with potential fines for breaches of a gigantic 5% of annual revenues. Might US law follow suit?

I’d already read this blog by my friend Jim Brashear, so I decided to ask him if all these trends suggest a sea-change in how BYOD privacy is perceived by the courts, employees and society in general. He advocated that we call up Phil Lee, an expert on European and US privacy law, based in Palo Alto, California, which we duly did.

What Phil shared with us was, for me, both surprising and concerning, and I immediately felt that business owners need to have this information. Hence I invited Phil and Jim to join me for a live discussion on January 27th so they can share that knowledge.

So please join me on Tuesday January 27th as Phil Lee and Jim Brashear discuss the changing legal perspectives on BYOD. You can sign up here.

Posted in Bring-Your-Own-Device

Security Roulette – Ready to place your bet?

In roulette, odds are talked about in terms of the house edge, or the advantage the casino holds over the player. The house edge is always in the casino’s favor, so while a player may have a stroke of luck here or there, the odds are they’ll leave the table empty handed.

Corporate security isn’t too far off from roulette – the stakes are high and, in 2015, the odds are no longer in your favor.

Sony is the latest poster child for a company that took a gamble on security—and lost.

In 2005, the executive director of information security at Sony, Jason Spaltro, sat across the table from an auditor who completed a review of Sony’s security practices. The auditor told Spaltro that the odds of a security breach were high, citing insufficient access controls and weak passwords.

Spaltro had a decision to make – invest or take a gamble. Spaltro decided to take a risk and stated:

“It’s a valid business decision to accept the risk” of a security breach. “I will not invest $10 million to avoid a possible $1 million loss.”

This thinking was shortsighted and, by taking a gamble, sealed Sony’s fate as having one of the most high-profile security breaches in history.

Even months before the cyber-attack, an audit performed by PricewaterhouseCoopers raised several red flags, showing that there were significant network vulnerabilities at Sony that still needed to be addressed. Sony knew there were vulnerabilities but didn’t take the appropriate steps to fix them, thus exposing social security numbers, employment files including salaries, medical information, passports and visas, home addresses, and a wealth of other sensitive employment and personal information. Not surprisingly, Sony has been handed two class action lawsuits by employees on the foundation of negligence. One lawsuit cites the attack as an “epic nightmare…unfolding in slow motion for Sony’s current and former employees.” It goes on to read:

“At its core, the story of ‘what went wrong’ at Sony boils down to two inexcusable problems: (1) Sony failed to secure its computer systems, servers, and databases (“Network”), despite weaknesses that it has known about for years, because Sony made a ‘business decision to accept the risk’ of losses associated with being hacked.”

Negligence is inexcusable in 2015, and companies need to stop gambling and start investing in the appropriate security solutions. It’s no longer a matter of if a breach will happen, but when.

It is important to realize that the Sony incident sets a precedent for liability that should serve as a wakeup call for all companies. Even if your company doesn’t fall under regulatory buckets like HIPAA which require the protection of personal information, it doesn’t mean your company won’t be held liable if employee or customer/client information is exposed and the organization is found to have been negligent.

Be smart this year, and don’t let a gamble turn into an epic nightmare.

Posted in Data Breaches, Email Encryption

Where Is Your Corporate Data?

The expectations of today’s modern workforce are rapidly changing – employees expect the freedom to work anywhere, anytime and through the device of their choosing. For IT departments, this means employees are demanding faster, uninterrupted access to data.

With 113 smartphones lost or stolen every minute, you’ll want to make sure that corporate data is secure. If your employees are on their phones while out and about, chances are your corporate data is too and it may not be adequately protected.

To keep your data secure no matter where it goes, download your free mobile policy quick guide here.

Posted in Bring-Your-Own-Device

How The North Pole is Thwarting the Grinch with Email Encryption

With boys and girls putting aside their pens and paper, and turning to email as their delivery method of choice for their Christmas letters, how can they be sure that their Christmas list makes it safely and securely to the North Pole?

In light of ongoing data breaches in 2014 and increased threats from the Grinch, the North Pole’s CEO, St. Nick, made it his team’s mission to find a secure Christmas list protection tool.

Luckily, Zix Email Encryption offered the security St. Nick and The North Pole’s operations team of elves needed to protect precious Christmas lists, while also providing a solution easy enough for children to use.

“In recent years, we’ve noticed that the Grinch has invested considerable resources into cyber attacks against the North Pole, leaving kids without their favorite toy Christmas morning,” said Buddy, Head IT Elf of The North Pole. “This led to the passing of the Christmas List Accountability Act, or CLAA. While it doesn’t go into effect until Christmas 2015, we decided to get a jump start on Christmas list data encryption this year.”

Since implementing Zix Email Encryption, The North Pole has safely received over 500,000 Christmas lists electronically.

“It’s important that parents and children understand we take both security and Christmas lists very seriously. With Zix Email Encryption, we know that all Christmas lists are protected by industry leading encryption technology,” said Buddy. “Additionally, parents don’t need to worry about their children’s personal information getting intercepted by the Grinch.”

Don’t be a cotton-headed ninny muggins this Christmas season. Make sure your Christmas list gets to the North Pole safely with the help of Zix Email Encryption.

A little about The North Pole:

  • Headquartered in The North Pole, Arctic Circle
  • Purveyor of Christmas joy delivering over 5 billion gifts across the globe in one night
  • Founded in 1200 AD

Posted in Email Encryption

Customer Spotlight — Zix “Automagically” Protects Patient Health Information

Healthcare organizations aren’t just responsible for protecting their patients’ health, they are also accountable for protecting their personal health information. Given the nature of the healthcare industry, hospitals and health systems are repositories for sensitive information ranging from medical histories and prescriptions to personal information such as billing information, Social Security Numbers and insurance claim information. Gathered in one place, this can be a treasure trove for someone with ill intentions.

Every day millions of emails containing patient health information are exchanged by healthcare organizations. To meet compliance needs and protect this information in transit, it must be properly encrypted. However, one of the biggest obstacles healthcare organizations face with any sort of technology, including encryption, is incorporating it into the day-to-day workflow without having it distract from their No. 1 priority — patient care.

When the Health Insurance Portability and Accountability Act (HIPAA) went into effect in 2003, one of East Tennessee’s largest primary care organizations, Summit Medical Group, was one of the first healthcare organizations to adopt an email encryption solution. Summit Medical Group’s goal was twofold — find a solution that effectively secures patients’ protected health information (PHI) and have it be un-intrusive for staff to use.

After looking at a variety of options, the team chose Zix Email Encryption. Eleven years later Summit Medical Group is still happy with the decision and just signed its third renewal.

“We originally brought Zix Email Encryption on board in 2003 due to HIPAA compliance laws as they related to protecting PHI,” said Joseph Ortiz, chief information officer for Summit Medical Group. “We continue to use the service because, quite frankly, it’s the best product that’s out there.”

With Zix Email Encryption, the team at Summit Medical doesn’t have to worry about an email slipping through the cracks unencrypted. The policy filters employed by ZixGateway automatically scan emails, including their attachments and subject lines, for any sensitive information and can encrypt, route or block those emails according to corporate policies.
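The policy-filtering idea described above, shown as an added Python example (this is not Zix's code and does not reflect how ZixGateway is implemented): each message's subject, body and attachments are scanned, and the strictest matching action among deliver, encrypt and block is applied. The detection patterns, the bulk threshold, the fail-closed handling of attachments that cannot be inspected, and the `sample` helper with its constructed addresses are all assumptions made for illustration.

```python
import re
from email.message import EmailMessage

# Assumed detection patterns and threshold; a real policy set is far larger.
SSN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PHI = re.compile(r"\b(diagnosis|prescription|medical record)\b", re.I)
RANK = {"deliver": 0, "encrypt": 1, "block": 2}  # the stricter action wins
BULK_SSN_LIMIT = 5


def count_ssns(text):
    """Count SSN-shaped strings, skipping number ranges that are never issued."""
    hits = 0
    for area, group, serial in SSN.findall(text):
        if area in ("000", "666") or area[0] == "9":
            continue
        if group == "00" or serial == "0000":
            continue
        hits += 1
    return hits


def inspectable_parts(msg):
    """Yield (location, text); text is None for parts that cannot be scanned."""
    yield "subject", str(msg.get("Subject", ""))
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        where = f"attachment:{name}" if name else "body"
        if part.get_content_maintype() == "text":
            yield where, part.get_content()
        else:
            yield where, None


def evaluate(msg):
    """Return (action, reasons) for one outbound message."""
    action, reasons, total = "deliver", [], 0

    def escalate(new_action, why):
        nonlocal action
        reasons.append(why)
        if RANK[new_action] > RANK[action]:
            action = new_action

    for where, text in inspectable_parts(msg):
        if text is None:
            # Fail closed: content that cannot be inspected is encrypted.
            escalate("encrypt", f"{where}: not inspectable")
            continue
        found = count_ssns(text)
        total += found
        if found:
            escalate("encrypt", f"{where}: {found} SSN(s)")
        if PHI.search(text):
            escalate("encrypt", f"{where}: PHI keyword")
    if total > BULK_SSN_LIMIT:
        escalate("block", f"{total} SSNs exceed bulk limit")
    return action, reasons


def sample(subject, body, attachment=None):
    """Build a constructed test message; attachment is (filename, str or bytes)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "nurse@clinic.example", "lab@partner.example"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        name, data = attachment
        kind = {} if isinstance(data, str) else {
            "maintype": "application", "subtype": "octet-stream"}
        msg.add_attachment(data, filename=name, **kind)
    return msg
```

Calling `evaluate(sample("Refill", "Your prescription is ready."))` returns the action together with the list of reasons, which is what an administrator would want logged for each policy decision.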

With Zix, doctors and staff don’t have to think twice about hitting send on an email. Instead, they go about their day as if they were using regular email.

“With ZixCorp, we send email ‘automagically’ since it operates in the background. This has a minimal impact on both physician and employee workflows since no extra steps are required,” explained Ortiz. “If you know you’re sending PHI, you can explicitly encrypt the email using the encryption button, but even if you don’t think about it, ZixGateway will still catch it and ensure the safekeeping of PHI.”

A little about Summit Medical Group:

  • One of East Tennessee’s largest primary care organizations
  • Comprises 215 physicians and more than 100 advanced practitioners at 53 practice locations in 12 East Tennessee counties
  • Headquartered in Knoxville, Tenn., and provides healthcare services to more than 308,000 patients, averaging 81,000 encounters each month

Posted in Email Encryption

Working weekends, nights or during the holiday? You aren’t alone …

While it has been said that the holidays are best spent in the warm embrace of kith and kin, this season, 57 percent of full-time employees in the U.S. will spend at least part of their holiday break clutching laptops, smartphones and tablets to catch up on work.

In a recent study, ZixCorp asked more than 1,000 full-time employees about their work practices outside of their regular “9 to 5.” The survey explored not only how much time employees spend working outside regular business hours but also how they are accessing work outside the confines of corporate walls.

Let’s take a look at some high-level findings.

  1. There is a surprisingly large expectation that employees be reachable outside “9 to 5.” Of the respondents, 76 percent said it’s either stated or implied that they be accessible outside of regular work hours. Combined with the fact that the majority of employees use their personal (not company-owned) devices to access work after hours, it seems like a no-brainer that companies would then invest in a non-intrusive BYOD solution on personal devices to access and protect corporate data on the go.
  2. BYOD impacts work/life balance. Of the respondents, 75 percent believe that the ability to use mobile devices to access work information or email outside of work hours is a positive development, and 68 percent said that being able to access their work outside of regular hours is necessary to do their job effectively. If used in excess, BYOD may hinder work/life balance, but overall BYOD provides the flexibility employees want to leave the office when needed and still be productive.
  3. Companies may not realize the extent to which their employees are accessing work after hours. On their days off, 64 percent of full-time employees spend time working, with 22 percent working four hours or more; 43 percent of full-time employees spend more than an hour working at night after they leave the office.
  4. Email is the driving force. Respondents said the primary work completed during their off time is checking/responding to work emails. Email is the backbone of business communications today, and with instant access on mobile devices, email assists employees in responding to customer requests, finalizing big deals or keeping them informed of a project status, even when on the go.

In this era of BYOD and accessibility, it’s more important than ever for employers to leverage the appropriate security measures for employees to securely access company data away from the office. To meet the growing need to access work outside the traditional office and enable a more productive workforce, employers should be accountable for implementing the right BYOD policy during the upcoming holiday season and thereafter.

Posted in Bring-Your-Own-Device

Reasonable Expectations of Employee Privacy in BYOD

In June 2014, the U.S. Supreme Court ruled in Riley v. California that police officers generally* may not search the digital information on a smartphone without first obtaining a warrant. Law enforcement professionals were surprised and appalled, because case law previously said the Fourth Amendment does not require a warrant for a search of personal items obtained incident to an arrest.

What does a criminal law case that limits police cell phone searches have to do with corporate Bring-Your-Own-Device (BYOD) policy? The case illustrates evolving legal theories about reasonable expectations of privacy in personal devices. If it is illegal for law enforcement to access personal information on a smart phone without a warrant, where do businesses stand when they demand access to data on their employees’ devices or remotely wipe that data?

As Chief Justice John Roberts explained:

“Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans ‘the privacies of life.’”

Privacy concerns in mobile devices are a hot topic. The FBI Director’s recent statements opposing stronger mobile device encryption, for example, raised concerns among privacy advocates who were already spooked by government surveillance revelations. Another example of the importance of device privacy was highlighted in a uSamp survey recently commissioned by Zix Corporation. Nearly one-third of respondents said that they would rather lose their wallet than their mobile device. That’s not surprising.

IT professionals and business owners are struggling with how Enterprise Mobility Management (EMM) impacts employees’ reasonable privacy concerns about giving their employer control over personal mobile devices. To alleviate employer concerns, human resources and legal departments are requiring employees to sign BYOD waivers, usually named Mobile Device User Agreements. Typically two to eight pages of intimidating legal provisions, those documents give the employer broad rights to access, read, alter and wipe information on the device.

Although the waivers may help solve some of management’s legal concerns, BYOD waivers do nothing to address employees’ legitimate privacy concerns or their objections to losing control over personal devices. Moreover, having access to mobile device data can create legal risks for the employer even if employees sign a BYOD waiver. An employee might assert, for example, that the employer discriminated against the employee based on information that the employer obtained from the employee’s device.

Defenders of BYOD waivers assert that employees voluntarily sign over device privacy and control in order to participate in BYOD. Employees may perceive, however, that BYOD is a job imperative and they have no real choice. And employees may conclude that the employer’s promise of EMM device containerization is more an illusion of privacy than a real comfort – because employees don’t often segregate their work and personal lives and data neatly into digital sandboxes.

At Zix, we have a completely different approach to providing mobile device access to work. With our ZixOne® app, employees can manage their work email, including attachments, and access their work calendar and contacts from their Android or iOS mobile devices. Employees interact with their email as usual – composing new messages, replying and forwarding existing messages and reviewing attachments – without storing that data on the mobile device. If the device is lost or stolen, the employer simply disables that device’s access to work email, calendar and contacts. Because ZixOne does not store corporate email on the mobile device, the employer doesn’t need to control or wipe the device.

ZixOne respects employee concerns about privacy and device control, while protecting corporate email content. That strikes us as a better approach than taking control of personal devices and demanding employee signatures on a BYOD waiver.

* The Court allowed for certain exceptions, such as exigent circumstances.

Posted in Bring-Your-Own-Device, Privacy

Email Encryption: What’s in a Name?

We’ve all seen the headlines — The Year of Encryption — but that doesn’t mean people have been able to wrap their minds around the technology. Sure there’s a basic understanding of what it is:

via Google

Used to safeguard personally identifiable information (PII) — think medical records, social security numbers and banking information — email encryption in day-to-day business communications could be the difference between a lawsuit and front-page headline on the one hand and a healthy, successful business on the other.

But how does it work? And is it easy to use?

If you’re using an outdated, cumbersome solution, it can be anything but easy to understand. And when the “how to” isn’t exactly clear, you don’t want to rely on your employees using the fingers-crossed method, hoping sensitive information doesn’t leak into the wild each time an email is sent.

With Zix, there are no hoops to jump through. Just an easy-to-use (ultra-secure) email encryption solution that everyone in an organization can love!

Posted in Email Encryption, Simple to Use