Don’t Sweat Cyber Monday with DLP

Ah, Thanksgiving. The official start to the Holiday season. While “Black Friday” nabs many of the headlines (and YouTube videos), an increased number of people trade parking nightmares and endless lines at stores this weekend in exchange for online shopping during Cyber Monday.

Come Monday, November 30, shoppers will flood into their workplaces ready to boot up their company computers and get online in time to snag some deals. With online retailers running flash sales and making only small volumes of product available to shoppers, you can almost guarantee employees will be doing their best to get their hands on the items they and their families covet most. Amidst all the shopping, sales watching and deal hunting, employees are still expected to get their work done. If you are anything like us, the thought of employees splitting time between work and shopping is a bit of a red flag. The potential for a data breach due to distraction is at an all-time high on Cyber Monday.

As we have covered on this blog before, human error is one of the most common causes of data breaches. Whether it is attaching the wrong file or sending an email to the wrong person, human error is a very real threat that CSOs and IT staff need to address.

On a day like Cyber Monday, many employees will believe they are multitaskers. The only problem is — when folks are “multitasking,” they are not giving the task at hand proper attention, increasing the chance for a mistake.

Don’t worry though! There is a solution.

While it’s probably next to impossible to stop employees from shopping or being distracted on a day like Cyber Monday, companies can lower their risk for accidental data breaches. How? By implementing a Data Loss Prevention (DLP) solution, a company can feel safe knowing that a distracted employee won’t accidentally cause a massive data breach due to an email error. With DLP, email leaving your network is automatically scanned, checked for sensitive information and quarantined if a policy is triggered – protecting your employees and your company.
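The outbound check described above can be sketched in a few lines. This is an added example, not Zix's product logic or code from the original post: the two rules (Luhn-validated card numbers and US SSN patterns), the `corp.example` domain and every sample message are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Candidate card numbers: 13-19 digits, optionally split by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape, excluding ranges that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum: filters out order IDs and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return the set of rule names that fire on a piece of text."""
    rules = set()
    for match in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            rules.add("payment-card")
    if SSN_RE.search(text):
        rules.add("us-ssn")
    return rules


def evaluate_outbound(raw_message, internal_domain):
    """Scan subject, body and text attachments; quarantine only if
    sensitive data is about to leave the internal domain."""
    msg = message_from_string(raw_message, policy=policy.default)
    rules = find_sensitive(str(msg.get("Subject", "")))
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            rules |= find_sensitive(part.get_content())
    headers = [str(h) for name in ("To", "Cc", "Bcc")
               for h in msg.get_all(name, [])]
    external = sorted(
        addr for _, addr in getaddresses(headers)
        if addr.rsplit("@", 1)[-1].lower() != internal_domain.lower())
    action = "quarantine" if rules and external else "deliver"
    return {"action": action, "rules": sorted(rules), "external": external}


def build_sample(to, body, attachment=None):
    """Build a constructed test message (all values are made up)."""
    msg = EmailMessage()
    msg["From"] = "alice@corp.example"
    msg["To"] = to
    msg["Subject"] = "Q4 customer export"
    msg.set_content(body)
    if attachment:
        msg.add_attachment(attachment, subtype="csv", filename="export.csv")
    return msg.as_string()


if __name__ == "__main__":
    raw = build_sample("bob@partner.example", "Export attached.",
                       "name,card\nJane Roe,4111 1111 1111 1111\n")
    print(evaluate_outbound(raw, "corp.example"))
```

The Luhn step is what keeps a 16-digit order number from triggering the card rule, which matters because a policy that quarantines too much mail gets switched off.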

Happy Shopping!

Posted in Data Breaches, Data Loss Prevention

Added Insight into Google Email Encryption Report

In the last few days, Google has said that it will soon start warning Gmail users of potential security risks when they receive an email from a non-encrypted connection. We agree that raising user awareness of the vulnerability of unencrypted email is a good thing. At Zix we typically encrypt over 1 million messages a day and all of them have our signature branding to better inform the recipient. However, we are concerned that the conclusions of the paper, written by researchers at the University of Michigan, Google, and the University of Illinois at Urbana-Champaign, have been widely misinterpreted by parts of the media. For example, one newspaper is reporting on the “Alarming Rise in encrypted messaging” and warning that encryption is reaching epidemic proportions, while at the other end of the spectrum a TechCrunch article is creating a false sense of security.

Why do we think it’s producing a false sense of security? The paper focuses on Transport Layer Security (TLS), which is a very basic form of point-to-point email encryption. The media have interpreted a rise in TLS as ‘we’re almost there’ in terms of broad usage of email encryption. For example, the previously mentioned TechCrunch article provides these statistics: “Over the last few years (and especially after the Snowden leaks), Google and other email providers started to change this and today, 57 percent of messages that users on other email providers send to Gmail are encrypted (and 81 percent of outgoing messages from Gmail are, too). Gmail-to-Gmail traffic is always encrypted.”

The university paper includes security warnings, which make perfect sense. The paper focuses on opportunistic TLS and leads with the fact that Gmail, Yahoo and Outlook all proactively encrypt and authenticate emails. The study finds that of the “long tail” of over 700,000 SMTP servers only 35% successfully encrypt, and only a tiny 1.1% specify a DMARC authentication policy. This is the essence of where we are, and we should not accept the falsehood that poorly implemented point to point TLS has achieved mainstream usage.

Even in situations where TLS appears to be working correctly there can be fragility: the study reports that between October 8th and 17th of 2015, successful outbound STARTTLS dropped dramatically, corresponding with the public disclosure of the POODLE man-in-the-middle exploit. It appears that system administrators, while applying the patch against POODLE, accidentally misconfigured mail servers, thus disabling previously working implementations of STARTTLS. Another concern flagged by the study is that MX records (mail exchanger records), which record domain names and specify how email should be routed by SMTP, are easily spoofed by hackers. That is, hackers can return the names of false servers that they themselves control. There is a protection against this named Domain Name System Security Extensions (DNSSEC); however, the study states that less than 0.6% of domains have deployed DNSSEC.


Google’s study dramatically demonstrates the need for email encryption and shows conclusively that users who depend upon this free TLS technology are just as likely to be unprotected as protected. Most business domains are not properly configured for TLS. The TLS protection afforded is hit-and-miss, and so companies that require the guarantee of security cannot rely on this. It certainly does not meet the standards of regulatory bodies that require the protection of client information. Remember, in the opportunistic TLS environment described in the study, when STARTTLS does not work, the system fails open: that is, the email is sent in clear text. Even when it does work, authenticating the sender or sending domain is still not guaranteed.

Zix solutions, however, let customers control the level of server authentication required for TLS connections. Likewise, Zix lets its customers set the cipher that is used in encrypting emails, such as AES 256. Zix utilizes the Best Method of Delivery (BMOD), which ensures that email delivery is secure while making the sender’s and the recipient’s user experience as easy as possible. BMOD can include the use of TLS, but only in situations where the recipient’s TLS implementation is known to be secure, both in its level of authentication and in the encryption ciphers used. Zix’s primary method of delivery, however, is transparent delivery within a community of trust, using S/MIME with public/private keys and certificates.

Zix secure email solutions can be found here.

Posted in Email Encryption

Regulatory Fatigue Hits Financial Institutions

Thomson Reuters’ annual Cost Of Compliance report makes troubling reading. Compliance officers are “experiencing regulatory fatigue and overload in the face of snowballing regulations.” Of the 600 compliance practitioners from financial services businesses who were surveyed, 70% expect regulators to increase their regulatory burden in the following twelve months. Given their beliefs, and the volume of regulatory change, the survey respondents are being hard-pushed to maintain compliance and data security. Worse, in their most recent corporate governance survey, Thomson Reuters found that over half the surveyed organizations knew of situations where board members had left sensitive documents in public places.

Other key findings regarding risk to sensitive data:

Unsecured email: 60% of organizations never or only occasionally encrypt their board communications, and only a quarter indicated that they always do so.

Mobile devices: Private computing devices are now commonly used by most board members for board communications, but only a third of them are provided by the company itself. The remaining two thirds are BYOD devices. There has been an increase in the use of these devices for board communications. 10% of organizations reported they have had a board member whose device, containing board communications, has been lost or stolen.

A third of organizations continue to print and courier materials to board members: madness in an age when email encryption can distribute sensitive board material securely. Plus companies are not always sure that executives destroy all copies of board related materials. This is important because companies do not routinely include paper copies of documents or the electronic copies of such stored on BYOD devices in litigation holds, thus opening themselves up to legal penalties. The Cost Of Compliance report states:

Personal liability: 59 percent of respondents (53 percent in 2014) expect the personal liability of compliance officers to increase in 2015, with 15 percent expecting a significant increase.

A good approach to managing these risks and thereby reducing “regulatory fatigue” is to:

  • Transmit all confidential information using encrypted email
  • Require two-factor authentication for remote access to business networks
  • Ensure personal devices are password protected with a complex password or thumb print
  • Use BYOD security solutions that do not store sensitive data on the device for longer than the few moments required to view it.

For information about Zix’s industry-leading email and BYOD security solutions, please click here.

Posted in Data Protection Trends

New California Data Breach Notification Statute Defines Encryption

Most readers won’t have noticed California’s updated breach notification statute, due to take effect on January 1st of 2016. However it is worth noting that California often leads the way with new legislation – good or bad – that will usually be followed by the other states in their own good time. Back in 2003, California became the first state to require the issue of security breach notifications. Since then, nearly every state has followed by enacting laws that require organizations who experience a security breach to notify the affected people.

This is the third time in as many years that California has amended its data breach notification statute. However, dig down into the new statute and you’ll find some good news: after years of muddy ambiguity, California has provided a definition for encryption:

‘For purposes of this section, “encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.’

California’s breach notification statute has had an encryption safe harbor since its inception, however the meaning of ‘encrypted’ was not previously specified, and this is why the above is important to our organizations. This means that should your business communications be intercepted or breached, there is no need to report the breach if all these communications are encrypted.

The statute does place more of a burden upon breached organizations: the first amendment expands the definition of ‘personal information’ to include data collected through the use of automated license plate recognition systems – optical pattern recognition systems used by law enforcement; the second amendment changes the format of notices to be sent to potential victims, to include a clear header, ‘Notice of Data Breach;’ while the third amendment is the definition of encryption, already stated above.

Organizations need to be aware of their obligations should they suffer a data breach, however it makes more sense to avoid breaches if at all possible by implementing cost effective data security solutions. One weak point in data transfer is the sending and receiving of emails over the Public Internet. Secure email encryption protects your business and your clients’ private information from being viewed by the bad guys. To learn more, you can find helpful email encryption resources here.

Posted in Uncategorized

Moving to The Cloud with ZixHosted Services

Just the other day, I was chatting with a Zix customer who is considering a move from an on-premises mail server to a cloud-based mail server, in his case Office 365 (O365). His company has been using ZixGateway for a number of years as its email encryption service, and he was aware that he could continue to use his on-premises ZixGateway with a cloud-based O365 solution. I suggested that if he is going to migrate to O365 in the cloud, why not also migrate his Zix Email Encryption and DLP solutions to the cloud.

There are great advantages to migrating from an on-premises ZixGateway solution to a hosted solution. For a start, Zix takes up the administration and maintenance responsibility for your email encryption: all upgrades and patches are managed by Zix, as is disaster recovery protection. Your secure email systems are kept fine-tuned and up to date by Zix while your own staff and system resources can be reallocated to focus on their core competencies. Your security staff can now manage your email data protection without requiring special skills.

There are options to use O365 or Google Apps, or indeed any cloud email server, while employees can utilize Outlook on their personal computer, or their favorite browser, to send and read their emails – just as they would normally – and most cloud providers that would be used for AS/AV or archiving are supported by ZixHosted. A Zix deployment coordinator will help you set up the hosted environment so that all email connections to the cloud are secured through TLS. ZixHosted solutions are supported by the ZixData Center, staffed 24 hours a day and certified and accredited to the highest standards.

If like my Zix customer above, you’re thinking of moving your email to a cloud service and wish the best email encryption and DLP protection in the industry, click on this link to find out more.


Posted in Email Encryption

The Forgotten Cyberthreat

In case you missed it, The New York Times published a great piece over the weekend: The Cyberthreat Under the Street, and it turns out, there are bigger threats living beneath our streets than some sewer rats or the tall tale of an alligator.

The piece begins its report with the statistic that there have been 16 fiber cuts in the San Francisco Bay Area in the past year.

What is a fiber cut exactly? In this case, it was the severing of the fiber optic cables that supply telecommunications to the region — a region that happens to house Lawrence Livermore National Laboratory, an overseer of the nation’s nuclear weapons, numerous academic institutions and technology companies — that resulted in the inability to make mobile or landline calls, send texts or emails and a complete Internet outage.

As cybersecurity and the constant string of data breaches have commanded national headlines, we seem to have forgotten the physical infrastructure that supports the intangible cloud and the valuable data it carries. We may talk about the Internet in terms of wireless and hotspots, but it relies on physical cables that are vulnerable to attack. So vulnerable, that anyone could go down a manhole to gain access.

According to security experts and networking engineers, the real vulnerabilities lie at Internet exchange points (I.X.P.s), the locations where networks converge. In total, there are about 80 I.X.P.s in the United States, with only a few serving as vital intersections for domestic and international traffic coming from undersea cables.

Many of these I.X.P.s are housed in extremely vulnerable locations, some actually located in older buildings that lack security. What’s even more shocking is the fact that it’s possible to lease adjacent office space within these very buildings.   

“I guess it’s a hide-in-plain-sight strategy,” said Jim Poole, vice president for global providers for Equinix, another company that owns I.X.P.s (some more protected than others). “I would hazard a guess that if an I.X.P. is not very secure, they are probably so obscure no one would know they were there.”

With these cables left vulnerable and exposed, how easy would it be to tap into them and steal data? As it turns out, not too hard by way of a man-in-the-middle attack, something we have discussed frequently on this blog.

A man-in-the-middle attack is a way to intercept Internet traffic while in transit. And if that traffic happens to be unencrypted, it is open season for any motivated hacker. We were able to demonstrate such an attack with notorious hacker Kevin Mitnick, and all it took was a $400 fiber tap.

While there isn’t a detailed map in existence (that we know of) tracking the Internet’s complex network of highways and byways to show clear locations, Paul Barford, a professor of computer science at the University of Wisconsin, recently completed a map of the United States’ long-haul Internet infrastructure — a four-year effort. To qualify as long-haul, a link must stretch at least 30 miles and connect population centers of at least 100,000 people — basically any suburban city upwards to major metropolitan areas.

“What we’re trying to avoid is giving bad guys a map to do bad things,” Professor Barford said. “Now that we can see the possible pinch points in the U.S., we are looking at ways to mitigate them.”

We see your point, Professor Barford, but until there is more security in place, it would greatly benefit companies to ensure that their communications are encrypted once they leave their network.

Posted in Data Protection Trends

Manage Holiday Stress with BYOD

It’s that time again.

Hectic parking lots, crowded malls and full social calendars — the Holidays are officially upon us.

Besides some well-deserved — and likely much needed — time off, what’s the best gift an organization can give to its employees? Many would agree that having the ability to take time off without coming back to a deluge of emails and to check into the office with minimal disruptions to quality family time — or the ability to BYOD — is quite the gift.

With BYOD, employees are no longer restricted to the walls of their offices or tied to their laptops. Email, documents and address books can travel easily with minimal disruptions to actual travel plans. Although they hate to admit it, most employees will log on over the holidays. So why not make sure they do so conveniently and securely?

Get some work done on the plane


Sometimes those PTO days are hard to come by, but with the help of BYOD, there’s no point in using up precious PTO hours when you don’t need to.

Sleeping on a plane is tough, and chances are you have seen all the movies being offered on the flight. Why not use your cross country journey in the clouds as an opportunity to log on and be productive before officially signing off for the long weekend? With most planes equipped with Wi-Fi, it’s easier than ever to maintain contact with everyone still at the office.

By the time you’ve landed, you’ve practically put in a full day’s work and are ready to enjoy the Thanksgiving feast that awaits you.

Sneak in a few emails between Nordstrom and Best Buy


Unfortunately we all have that one coworker. You know … the one whose holiday plans include not having any holiday plans. He/she is the type more likely to ignore OOF replies than heed them as an actual warning to not expect a response.

And you can always expect an urgent request to come in from that person at the worst time. While it’s not ideal, in order to avoid a follow-up from Mr. Can’t Wait, use those moments between stores while you’re out shopping on Black Friday. With BYOD, everything you need is at your fingertips.

Get the most out of being stranded at the airport


Just because your boss is ready for you to get back to work doesn’t necessarily mean the weather is willing to let you. Make the most out of your time in the airport when a flight is cancelled or delayed. Once you’ve booked your next flight, get ahead of your workload and start checking emails. You will do yourself a huge favor by getting a head start.


Thanks to the gift of BYOD, employees can maximize family time, while still staying on top of work, ensuring a smooth return to the office. And with solutions that keep corporate data off devices, organizations can rest assured that all work completed on-the-go is safe and secure.


Posted in Bring-Your-Own-Device

Google’s Project Zero Discovers More BYOD Vulnerabilities

Google’s Project Zero team has just made public a series of security flaws found on the popular Samsung Galaxy Edge smartphone. Project Zero is a team of Google security analysts formed in July of 2014 with the aim of finding zero-day exploits. It is most famous for releasing details of an exploitable Windows 8.1 bug in January 2015 after giving Microsoft a 90 day notice to issue a patch.

[Image: hand holding a Google Android phone. Source: Kārlis Dambrāns]

For the new Galaxy Edge S6 analysis, the Project Zero team gave themselves one week to attempt three challenges:

  1. Gain remote access to contacts, photos and messages
  2. Gain access to contacts, photos, geolocation, etc. from an application installed from the Google Play store with no permissions
  3. Persist code execution across a device wipe, using the access gained in parts 1 or 2

By the end of the week, the team had found 11 issues with the smartphone; and Samsung was given the details. Most of the exploits have now been fixed by Samsung. The majority of the vulnerabilities were via the device’s own drivers and on-board image processing and, apparently, “trivial to exploit.”

While it is good to note that both Google and Samsung will be pushing out security updates to their Nexus and Galaxy products more often, I am reminded that Android flaws continue to be found. Take for example the Stagefright vulnerability discovered by Joshua Drake of Zimperium in July of this year, or all of these vulnerabilities reported in 2014 alone.

The truth is that all BYOD and company owned devices have vulnerabilities that can and will be exploited. However the opportunities for stealing corporate data from mobile devices can be dramatically reduced by avoiding traditional mobile management applications and instead having a solution that gives access to company data without downloading that data to permanent memory.

Zix has a tried and tested BYOD solution named ZixOne. With ZixOne, your employees have access to corporate email without jeopardizing data protection or productivity, because corporate data never resides on their personal devices. Find out more about Zix’s groundbreaking solution by clicking here.

Posted in Bring-Your-Own-Device

Zix Email Encryption Protects Against Faulty TLS Implementations

A new study from researchers at the University of Michigan, Google and the University of Illinois-Urbana Champaign has confirmed what we at Zix have known for a long time: some ISPs create a situation where emails intended to be encrypted are actually sent across the network unencrypted; meaning that they can be intercepted and read by hackers.

The STARTTLS instruction is used by networks to initiate TLS secure sessions, thereby ensuring that encrypted emails are sent securely. Unfortunately some ISPs have been choosing to remove the STARTTLS instruction, while others have been setting up encryption improperly, thus making it easy for hackers to defeat it. The study researchers found that much of the growth in email encryption seen in the past year is due to the larger providers such as Outlook and Yahoo Mail recently adopting TLS. However most of the smaller providers still lag behind in adopting properly configured and authenticated TLS encryption for email. This means that the STARTTLS instruction can be switched off by hackers who have network access. These hackers can then use man-in-the-middle techniques to intercept and read the email traffic.
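The fail-open behaviour of opportunistic TLS and the removal of STARTTLS described above (and in the earlier post on Google's email encryption report) can be shown side by side as a sender-side delivery policy. This is an added example, not Zix's BMOD logic or code from the study: the three policy names, the `seen_tls` history set, the `cert_verified` input and the EHLO replies are constructed assumptions; the masked-keyword check reflects the publicly reported pattern of middleboxes overwriting the STARTTLS keyword with `X` characters.

```python
import re
from dataclasses import dataclass, field

# Keyword left behind when a middlebox overwrites STARTTLS, e.g. "XXXXXXXA".
MASKED_RE = re.compile(r"^X{4,}[A-Z]?$")

# Constructed EHLO replies for a hypothetical peer, partner.example.
EHLO_WITH_TLS = ("250-mx.partner.example\r\n250-SIZE 35882577\r\n"
                 "250-8BITMIME\r\n250-STARTTLS\r\n250 SMTPUTF8\r\n")
EHLO_STRIPPED = ("250-mx.partner.example\r\n250-SIZE 35882577\r\n"
                 "250-8BITMIME\r\n250 SMTPUTF8\r\n")
EHLO_MASKED = ("250-mx.partner.example\r\n250-SIZE 35882577\r\n"
               "250-8BITMIME\r\n250-XXXXXXXA\r\n250 SMTPUTF8\r\n")


def parse_ehlo(reply):
    """Return the ESMTP extension keywords from a multi-line 250 reply."""
    keywords = set()
    for line in reply.strip().splitlines()[1:]:  # line 1 is the greeting
        if line[:3] == "250" and line[3:4] in ("-", " "):
            words = line[4:].split()
            if words:
                keywords.add(words[0].upper())
    return keywords


@dataclass
class Decision:
    action: str                       # send-encrypted | send-cleartext | defer
    alerts: list = field(default_factory=list)


def decide(domain, ehlo_reply, policy, cert_verified, seen_tls):
    """Apply a delivery policy to one peer.

    cert_verified is the outcome of certificate validation during the TLS
    handshake (passed in here because the example runs offline).
    seen_tls is the set of domains that offered STARTTLS in the past.
    """
    keywords = parse_ehlo(ehlo_reply)
    offered = "STARTTLS" in keywords
    alerts = []
    if not offered and domain in seen_tls:
        alerts.append("starttls-missing-after-seen")
    if any(MASKED_RE.match(k) for k in keywords):
        alerts.append("starttls-masked")

    if policy == "opportunistic":          # fails open: cleartext fallback
        action = "send-encrypted" if offered else "send-cleartext"
    elif policy == "require-tls":          # fails closed, any certificate
        action = "send-encrypted" if offered else "defer"
    elif policy == "require-verified-tls": # fails closed, valid certificate
        action = "send-encrypted" if offered and cert_verified else "defer"
    else:
        raise ValueError(f"unknown policy: {policy}")
    return Decision(action, alerts)


if __name__ == "__main__":
    history = {"partner.example"}
    for name, reply in [("ok", EHLO_WITH_TLS), ("stripped", EHLO_STRIPPED),
                        ("masked", EHLO_MASKED)]:
        for pol in ("opportunistic", "require-tls"):
            print(name, pol, decide("partner.example", reply, pol, True, history))
```

Under the opportunistic policy the stripped reply still produces a delivery, only in cleartext; the alert is the sole trace that something changed on the path.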

Best Method of Delivery

Zix customers are protected from this risk. Firstly, Best Method of Delivery (BMOD) uses the resources of ZixDirectory to look up the details and receiving capabilities of almost 50 million email addresses and domains to determine the best way to deliver each email to every recipient. This means that not only is every email delivered securely, but each is also delivered in the way that is easiest for the recipient to access and read. Secondly, and most relevant to this blog, Zix has already blacklisted ISPs who cannot guarantee secure TLS delivery. For them, Zix uses an alternative secure delivery method for emails being routed to recipients served by these suspect ISPs. The BMOD delivery method is illustrated in the figure.


The unique architecture of BMOD, combined with the community approach of ZixDirectory, enables Zix to deliver encrypted email in the most secure and easiest manner. To learn more about Best Method of Delivery, watch our short whiteboard session here.

Posted in Email Encryption

Customer Spotlight – ZixCorp Gives Boost of Confidence to Trinity Health

In today’s healthcare industry, it’s not uncommon to find workplaces where the burden of security decisions falls squarely on the shoulders of employees — specifically when it comes to whether or not information transmitted by email should be encrypted. This decision — which could have lasting consequences for a company — is a complex one that could not only expose a patient’s protected health information (PHI) but also be a violation of HIPAA.

With sensitive information regularly changing hands among patients, healthcare providers and insurers, each email represents an opportunity for an individual’s PHI to fall into the wrong hands with one misclick.

Ohio-based Trinity Health System had security measures in place to ensure that email was encrypted but recognized its current solution was time-consuming, inconvenient and added stress on employees.

“We have an obligation to our community to protect our patients and their privacy, and data security has long been a top priority for Trinity Health System. We’ve used email encryption for years, but our previous solution placed too much reliance on our employees. Determining when to encrypt added stress on daily communication, and the extra steps weren’t convenient,” said Tom Kiger, director of Information Systems for Trinity Health System.

To remedy the situation, Trinity Health System began searching for a solution that automated and simplified email encryption and turned to ZixCorp to help.

By incorporating ZixGateway into its security strategy, email messages and attachments from 2,000 employees are automatically scanned and encrypted if any sensitive information is detected. Any replies back to employees are automatically secured and decrypted before arriving in their inboxes. With full transparency and no interruptions, it’s as if Trinity Health employees are using regular email.

“In implementing automatic email encryption with ZixCorp, everyone is better protected. We enhance data security for our patients while eliminating the burden on our employees,” added Kiger.

Tasks such as sending and receiving email shouldn’t be a burden — even if those messages need to be encrypted. With an automated solution, healthcare providers can focus on what matters most: patient care.

Here’s a little about Trinity Health System:

  • Serves more than 200,000 individuals in the tri-state area of Ohio, Pennsylvania and West Virginia
  • Offers a full array of acute and outpatient services and maintains physician offices, walk-in lab facilities, cancer center and a digestive and nutrition center

Posted in Company Update