Customer Spotlight – For First State Bank of Rice, Investing in Cybersecurity Is a Way of Life

Data breaches can happen for a number of reasons. A thief can get a hold of an employee’s mobile device that contains corporate data, an employee can accidentally forward sensitive information to the wrong email address, or a hacker can even intercept unencrypted email containing personally identifiable information. While these scenarios are all very different, one thing is the same – they can all lead to a data breach with private information exposed.

Investing in Cybersecurity

In working with managed service provider Unicom Technologies Inc., First State Bank (FSB) of Rice was able to identify evolving threats and enhance its data security program. And since email is a top vulnerability, FSB needed a data security “umbrella” of sorts that could protect against the various types of email security risks and maintain the trust of its customers. With that idea in mind, the bank turned to ZixCorp for help with email data protection.

FSB President and CEO Michael J. Montgomery sums it up perfectly:

“Investing in cybersecurity is becoming a way of life for any business, but particularly so for banks that have an abundance of valuable personal data, such as financial data, tax identification numbers and Social Security numbers. Our clients trust us to take care of their financial needs, but they also rely on us to protect their privacy.”

To secure outbound messages containing sensitive data, FSB employees use ZixGateway, an email encryption solution that automatically scans outbound email. If it detects any sensitive data, ZixGateway automatically encrypts outgoing emails and relieves employees of the hassle and stress of extra steps. Because mistakes happen to the best of us, FSB also deployed ZixDLP, a data loss prevention tool with quarantine filters, to prevent employees from accidentally sending an email to the wrong recipient or exchanging the wrong file.

As Montgomery puts it:

“Our employees live in the communities we serve. They understand the importance of data security, but mistakes happen. Automatic encryption and DLP make sure that nothing sensitive falls through the cracks. Our employees love it and so does our board of directors.”

With the rise of mobile devices in the workplace, FSB knew that it also needed a Bring-Your-Own-Device (BYOD) security solution. ZixOne provides FSB employees with secure access to corporate email on their personal devices without jeopardizing customer data or employee control. How? No data actually resides on the device. If an employee’s personal phone or tablet is ever lost or stolen, an administrator can easily disable corporate email access to that device, dissolving the fear of confidential information falling into the wrong hands.

First State Bank of Rice serves as a model for investing in the proper email data protection solutions. By covering all of its bases, FSB continues to thwart security risks and prove that customer privacy is a top priority.

About First State Bank of Rice:

  • Financial services company established in 1928
  • Member of the Rice Bancshares, Inc. located in Rice, Texas
  • Manages $150 million in assets


Data Security Role of FTC Is Upheld

Regular readers know that I recommend every type of organization protect itself against data breaches, not just those operating under regulatory mandates.

There has long been an argument that modern legislation such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) offers sufficient protection to businesses and consumers. Hence it probably came as a shock to global hotel company Wyndham Worldwide Corp when it was sued by the Federal Trade Commission (FTC) under Section 5 of the Federal Trade Commission Act of 1914.

According to documents filed in the District Court in Arizona in 2012, Wyndham engaged in “unfair and deceptive acts and practices” when, between 2008 and 2010, data breaches of Wyndham systems led to the release of over 600,000 Wyndham customers’ personal data. When you dive down into the weeds, Wyndham was accused of failing to use firewalls, failing to address known security vulnerabilities on servers, using “default” user names and passwords to access servers, failing to limit third-party access, and so on. Pretty damning accusations, I know, but what business was it of the FTC?

Interestingly, when the case was heard by the U.S. Court of Appeals for the Third Circuit in Philadelphia a few days ago, lawyers representing Wyndham challenged the authority of the FTC in an area where there already exists “a less extensive regulatory scheme” – meaning the Fair Credit Reporting Act, HIPAA etc. The three appeal court judges sided with the Federal Trade Commission, agreeing that it has the authority to regulate corporate cyber security. Thus, at least for the time being, until Congress adopts more wide-ranging legislation governing data security, the FTC has the green light to pursue organizations that it deems liable for data breaches that cause harm to consumers.

In this age of constantly changing threats, businesses should not be waiting around to find out if they’ll be retrospectively fined by the FTC, or if Congress will eventually get around to adopting more wide-ranging legislation governing data security. Instead they should be taking immediate action to protect corporate and client data, not only to protect themselves from liability, but also to protect their brand images from the negative exposure of headline news.

Zix is the leader in email data protection. Find out about Zix secure solutions here.


Newswire Services Aren’t the Only Exposure for Public Companies

For years, the top markets investing in data protection were healthcare, financial services and government. The reasons were clear:

  1. These companies and organizations collect, manage and exchange an endless amount of personal data – Social Security numbers, health records, bank accounts, etc. – and data protection is crucial to maintaining trust with clients, patients and the public.
  2. With so much personal data, these same companies and organizations are highly regulated, and data protection is required for regulatory compliance. See acronyms such as HIPAA and GLBA.

Some companies that support these industries have also implemented data protection, due to the recent expansion of regulatory requirements.

But without compliance concerns, other industries were not as aware of the risks to sensitive data and were not inclined to use data protection until breaches began saturating the news cycle. Even with a greater understanding of breaches and risks, companies in these other industries still haven’t flocked to data protection, and again the reasons were clear:

  1. Given the option to invest in tools or strategies that lead to growth or to invest in security solutions that don’t offer a clear ROI, companies (especially public ones) will lean toward the former option.
  2. They don’t believe that they have sensitive data worth stealing, or they don’t see themselves as a potential target.

If public companies thought they weren’t a target, yesterday proved otherwise.

A federal indictment was filed against a group that hacked into the computer networks of three newswire companies to steal confidential press releases. The group made stock trades ahead of public announcements and stole more than $30 million.

Newswire services are not the only vulnerability for public companies. Below is a list of exposures that public companies should be aware of and proactive in securing.

  • Email: Financials sent to auditors, press release drafts exchanged between in-house teams and outside investor relations and public relations firms, dozens of materials sent to board members for review and approval. The amount of sensitive data exchanged in email is extensive. If you’re not encrypting email, it’s accessible to more people than your recipients, as Kevin Mitnick recently demonstrated in an email hack.
  • Mobile Devices: Smartphones and tablets are easy connections to the office. Employees and consultants read investor relations materials, download customer lists and read “INTERNAL ONLY” documents. They do so from the train into work, in restaurants with their family and traveling on work trips or even vacations. Devices are so conveniently small that they’re easy to lose. If you aren’t protecting corporate data accessed on devices, they’re also easy targets for theft.
  • File Sharing: We’ve all experienced it – a notification that our email attachment is too big to exchange through the mail server. You can’t trim off a sheet in the Excel doc or pieces of a critical presentation, so you store it in an online file share, send a link and move on to other business. Too bad your employees use a free and insecure file-sharing Web site that leaves corporate data at anyone’s disposal.
  • Electronic Equipment: Encryption isn’t just a good solution for email; it’s helpful in protecting laptops and USB devices that are lost too, and desktops that are vulnerable to a break-in. We know what you’re thinking: That kind of thing doesn’t happen! Thieves aren’t breaking into the office at night when nobody’s at work. Wrong: think social media, tailgating and social engineering. A criminal finds out through social media that an employee is on vacation, slips past the locked door by tagging along with another employee and sits at a computer while telling passers-by that a maintenance request was received to fix an issue while the employee was out.
  • Paper Records: With the beauty of computers, who uses paper anymore? Ask that of anyone who has aggressively tapped on the error message that continues to pop-up on the printer even though there is NO PAPER JAM. Paper still exists. Sensitive data still gets printed. Invest in shredding.
  • Employees: The many good-hearted employees make mistakes sometimes. The few malicious ones tend to go unnoticed. Data loss prevention takes care of both.

If you work for a public company, reviewing these exposures is a good start to protecting your corporate data and your stock. If you work for a private company, don’t be fooled into thinking you don’t have anything worth stealing.

Have other exposures you’d like to add to our list? Feel free to submit ideas in our comments section.


SEC Hacking: First Nine Are Indicted

As reported by Zix in June, the SEC has been investigating an ongoing cyber-attack by a sophisticated group, based in the U.S. and Europe, against publicly traded companies in order to beat the stock market. According to the indictment, filed in New Jersey today, from early 2010 until the present the group hacked into computer networks of three newswire companies to steal confidential press releases ahead of their official public release dates to gain “material nonpublic information.” This meant that the group was able to make trades in stocks ahead of public announcements, thus fraudulently netting over $30 million.

As reported by the BBC, the FBI confirms that five of the individuals residing in the U.S. have been taken into custody this morning. According to the indictment, the group accessed more than 150,000 press releases in a scheme similar to one in 2005 except that today’s indictment is for a far broader scheme than anything previously detected by U.S. authorities.

What is most concerning about this and other similar cases is that sensitive information, “material nonpublic information,” has been passing between major U.S. companies, newswire companies and other parties in unsecured ways. Here at Zix, we often hear about press release drafts, earnings scripts, PowerPoint presentations and emails between auditors, board members and consultants being sent in clear text. With the help of Kevin Mitnick, we’ve demonstrated that emails can be intercepted in man-in-the-middle attacks so that unencrypted emails can be read by criminals in real time. The same applies to press releases emailed by companies to their public relations agencies and press-release wire companies.

Zix, the nation’s leader in email data protection, provides a number of email encryption solutions that prevent intercepted emails from being read. Utilizing AES256 encryption in a Community of Trust, plus our groundbreaking BMOD method for secure delivery to anyone, Zix Email Encryption gives public corporations (as well as government agencies, large private companies and SMBs) the means to keep their email – including email on mobile devices – secure.

For more information on Zix reliable security solutions, click here.


Black Hat and DEF CON Showcase the Latest Hacks

Last week, Black Hat and DEF CON wrapped up conferences that offer a window into the latest exploits and ways to thwart some (but not all) of them. Below we’ve highlighted a few threats, beginning with the one that’s gaining the most media attention.


The remote hijacking of a Chrysler Jeep

The Internet of Things is meant to make objects “smarter,” but hackers have leveraged vulnerabilities in connected devices to make them scarier. In 2013, at Black Hat and DEF CON, a session highlighted cyber-attacks on medical devices. If that wasn’t frightening enough, researchers showcased how they took control of a moving Jeep Cherokee, commanding its “internal network to steering, brakes and the engine.” Chrysler has since recalled 1.4 million vehicles, including 2013-2015 MY Dodge Viper specialty vehicles, 2014-2015 Dodge Durango SUVs, 2015 Dodge Challenger sports coupes and of course 2014-2015 Jeep Grand Cherokee and Cherokee SUVs.

SIM Cards are NOT unbeatable

A research professor and his team revealed how they cracked into commercial SIM cards in 80 minutes or less. The presentation highlights how hackers or intelligence agencies can use side-channel attacks to impersonate payment cards or steal data from mobile devices (another use case for implementing a no-data-on-the-device approach for mobile security).

Macs are NOT unbeatable either

If you conduct a search on “Mac Hacks,” your browser will be flooded with findings on how to enhance your use and love of the Mac operating system. Do the same for Windows or Android, and your search retrieves stories on security concerns and updates. This probably isn’t news to you, but what may be is recent research showcasing several Mac vulnerabilities that bypass Apple’s security.

Your fingerprint is no longer unique

Researchers presented several new methods to extract user fingerprints from mobile devices. Mostly applicable to Android devices, one method exploited a weak sensor to collect fingerprints on a large scale. So it begs the question, is your fingerprint unique if someone else uses it?

Finally, we’d like to share a hack mentioned by Black Hat and DEF CON Founder Jeff Moss at the end of his interview with Chris Preimesberger of eWeek: If someone takes a picture of your keys, they can make a copy of your keys. Crazy!

For other hacks unveiled last week, check out Sarah Kuranda’s article for CRN. She provides a nice summary of the events’ sessions.


10 Human Error Fails: Because We Make Some Stupid Mistakes

In light of human error being one of the most common causes of data breaches – we wanted to hit rewind and take a look back at some of the most epic human error failures of all time. Sure, we are human and make mistakes, but these top the list.


1. Pilot lands at the wrong airport


It’s not just beginners who make mistakes! Apparently even longtime veterans make mistakes, as shown in an incident in 2014 where two experienced pilots landed a Southwest Airlines plane at the wrong Missouri airport – several miles away at a municipal airport in Taney County, which doesn’t even have a control tower.

2. NASA accidentally taping over the moon landing


In 2006, NASA admitted it could not find the original video recording of the first moon landing. When they finally realized where it went, the news just got worse … the video was part of a batch of 200,000 tapes that were degaussed – magnetically erased – and re-used to save money.

3. Man throws away winning lotto ticket


At least you aren’t the Pennsylvania man who won $1.25 million in the lottery and accidentally threw away his winning tickets after misreading the numbers. Then, upon realizing his mistake, he spent $400 more on tickets (all losing, of course).

4. Blockbuster passes on Netflix


The time Blockbuster (now out of business…) laughed in the face of Netflix execs as it turned down the company’s partnership offer.

5. First-class tickets for $51? Yes please


United.com has a “glitch” in its website – allowing customers to purchase first-class trans-Atlantic tickets for as little as $51. The “poor” airline then thought “asking” for the tickets back was the right solution.

6. Invents oil drill. Forgets to patent it.


Let’s not forget the guy who invented the oil drill…and neglected to patent it.

7. When Russia sold Alaska


That time when Russia thought Alaska was nothing but useless tundra and ended up selling it to the U.S. for only 2 cents per acre.

8. Another Red Sox season ends with heartbreak


How about when Bill Buckner, then first baseman for the Boston Red Sox, missed an easy ground ball in game 6 of the 1986 World Series, leading to the winning run scoring on the play, followed by the Mets winning game 7 and the entire Series – ending yet another season in heartbreak.

9. Inches are the same as centimeters right?


Sorry NASA – you failed twice… NASA lost its orbiter in space due to the use of two measurement systems (Lockheed Martin engineers used the English system of measurement, while the rest of the team used the metric system) – a loss of $125 million.

10. The Leaning Tower of Pisa


Let’s all be glad we weren’t the ones involved in building the Tower of Pisa which took 177 years to build and only 10 years for it to start leaning.

So while to err is human, it shouldn’t be a reason for a data breach. Make sure your company is protected from the threat of human error with ZixDLP! Get on it!



Zix Launches New Secure Email App for Google Apps Users

Our regular readers know that I’m a big fan of Google and use many Google apps. For example, my wife loves Google Voice’s global spam filter, which has silenced the marketing calls on our home phone that used to spoil our evening dinner time.

Therefore I’m especially pleased to discover that Zix has created an encrypted email solution for small to medium businesses that already use Google Apps for Work. It’s for businesses that require up to 35 encrypted email users – 35 seats or less – and it is very easy to purchase and to provision.

It is named Zix Message Encryption for Apps, and it offers small to medium businesses the seamless, transparent secure email delivery for which Zix is famous. Transparent secure delivery to other Zix users means that encrypted emails are automatically decrypted at the destination and appear in the recipient’s inbox as a plaintext message, just like the other messages in their inbox. Because the delivery is so seamless, the recipient is told that each email was encrypted in transit by a blue banner at the top of each decrypted email with the words: “This email was sent securely using ZixCorp.” Sitting at the edge of your Google Apps environment, Zix Message Encryption for Apps makes secure email as easy as regular email for your employees. That is, there are no extra steps or passwords needed either to send or to receive encrypted email. This is because key management is fully automated utilizing ZixDirectory, the industry’s largest hosted global directory.

Ordering is easy: just have your Google Apps Super Admin search for Zix Message Encryption for Apps in the Google Apps Marketplace. Once the listing is located, your Super Admin uses their Google Apps login credentials to launch the app and follows the instructions to order service for up to 35 users – they can keep their existing email addresses provided they’re all on your one domain. Need help? There’s an ordering guide here.

You can read more about Zix Message Encryption for Apps by clicking here.


Healthcare Companies Continue to Hemorrhage Patient Data

I’ve been reading some recent statistics published by the National Association of Corporate Directors. They compare the self-reported knowledge levels of corporate directors about cybersecurity across a number of industries. What surprises me is that the knowledge levels of directors in the healthcare industry are average compared to those of the other six sectors reported. While there are signs that some senior managers are waking up to the dangers, it seems strange to me that 19 years after enacting HIPAA and 6 years after enacting HITECH, healthcare directors are not the best briefed and best educated in cybersecurity of all business sectors.

Corporate Directors' Cybersecurity Knowledge Chart Segmented by Industry

Source: National Association of Corporate Directors

If you haven’t already done so, you should look at the Office of Civil Rights’ Breach Portal – known to many as “The Wall of Shame.” It shows a staggering number of breaches of healthcare providers, health plan providers and their business associates (BAs). BAs have come under a lot of scrutiny recently mainly due to sending HIPAA information in unencrypted form. If you have any BAs who need to know more about securing emails or who have a complex solution that staff dislike using, get them to watch this webinar discussing how to balance HIPAA regulations with business needs.

In addition to encrypting emails, health providers need to be aware of just how easy it is for staff to send PHI to the wrong people. Recent examples include UPMC Health Plan, where a staff member sent an email attachment with the PHI of 722 clients to the wrong people, Georgia Department of Human Services where PHI for 3000 people was sent to the wrong recipients, and NYC’s Health and Hospitals Corporation similarly affecting almost 4000 patients. It is inevitable that staff – busy staff – will make errors when it comes to sending emails containing PHI, costing your organization punitive damages, losing you clients and severely damaging your organization’s name and brand.

Yet modern solutions can prevent this from happening. Automated data loss prevention prevents PHI going to the wrong people. It automatically stops and quarantines suspicious outgoing email before it leaves your network, giving you a second opportunity to check that the right PHI is going to the right recipient. Also, modern email encryption provides a way for staff to send and receive encrypted PHI without time-consuming activities such as remembering passwords.
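Two mechanisms recur on this page: an outbound scan that encrypts a message when it finds sensitive data (the First State Bank of Rice post) and a quarantine filter that holds a message headed for the wrong recipient or carrying a bulk PHI export (this post). The following is an added example of such an outbound policy engine, not Zix's code; the detection patterns, PHI terms, thresholds and domain names are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed policy values; the rule sets of the products described on the page are not shown there.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")  # rejects never-issued groups
TIN_RE = re.compile(r"\b\d{2}-\d{7}\b")  # employer/tax identification number layout
PHI_TERMS = ("diagnosis", "patient", "medical record", "date of birth")
BULK_THRESHOLD = 10  # this many identifiers in one message reads as a bulk export
TYPO_DISTANCE = 2    # an unknown recipient domain this close to a known one is probably mistyped
KNOWN_DOMAINS = {"firststatebank.example", "auditor.example", "healthplan.example"}  # hypothetical


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    attachments: dict[str, str] = field(default_factory=dict)  # file name -> extracted text


@dataclass
class Verdict:
    action: str  # "DELIVER", "ENCRYPT" or "QUARANTINE"
    reason: str


def scan_text(text: str) -> dict[str, int]:
    """Count sensitive-data hits in one piece of text."""
    lowered = text.lower()
    return {"ssn": len(SSN_RE.findall(text)),
            "tin": len(TIN_RE.findall(text)),
            "phi": sum(lowered.count(term) for term in PHI_TERMS)}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot mistyped recipient domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def mistyped_domains(recipients: list[str], known: set[str]) -> list[str]:
    """Recipient domains that are unknown but within TYPO_DISTANCE of a known one."""
    suspects = []
    for addr in recipients:
        dom = addr.rsplit("@", 1)[-1].lower()
        if dom not in known and any(edit_distance(dom, k) <= TYPO_DISTANCE for k in known):
            suspects.append(dom)
    return suspects


def evaluate(msg: Message, known: set[str] = KNOWN_DOMAINS) -> Verdict:
    """Outbound policy: deliver as-is, encrypt automatically, or hold for human review."""
    hits = scan_text(msg.subject + "\n" + msg.body)
    for text in msg.attachments.values():  # attachments are scanned like the body
        for key, count in scan_text(text).items():
            hits[key] += count
    identifiers = hits["ssn"] + hits["tin"]
    if identifiers == 0 and hits["phi"] == 0:
        return Verdict("DELIVER", "no sensitive content detected")
    suspects = mistyped_domains(msg.recipients, known)
    if suspects:  # the "wrong recipient" case: hold it rather than encrypt it to the wrong person
        return Verdict("QUARANTINE", "sensitive content to likely mistyped domain: " + ", ".join(suspects))
    if identifiers >= BULK_THRESHOLD:  # the "attachment listing hundreds of clients" case
        return Verdict("QUARANTINE", f"{identifiers} identifiers in one message; hold for review")
    return Verdict("ENCRYPT", f"sensitive content found {hits}; encrypting in transit")


# Constructed sample traffic.
SAMPLES = {
    "chit_chat": Message("teller@firststatebank.example", ["cpa@auditor.example"], "Lunch", "Noon today?"),
    "loan_file": Message("teller@firststatebank.example", ["cpa@auditor.example"],
                         "Loan file", "Applicant SSN 123-45-6789, EIN 12-3456789 attached."),
    "typo_domain": Message("nurse@healthplan.example", ["records@healthplan.exmaple"],
                           "Patient update", "Patient diagnosis enclosed."),
    "bulk_export": Message("analyst@healthplan.example", ["cpa@auditor.example"], "Roster", "See attachment.",
                           {"roster.csv": "\n".join(f"{100 + i:03d}-45-6789" for i in range(12))}),
}


def run_samples() -> dict[str, str]:
    """Evaluate every sample and return its action by name."""
    return {name: evaluate(msg).action for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        v = evaluate(msg)
        print(f"{name:12} -> {v.action:10} {v.reason}")
```

The quarantine branch is deliberately checked before the encrypt branch: encrypting a message to a mistyped address would protect it in transit and still deliver it to the wrong person.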

To hear my recommendations for healthcare providers and BAs, and those of my colleague Dena Bauckman, click on this link to listen to our webinar.


Start from the Top: An Education in Cybersecurity

As more and more companies fall victim to cyber-attacks and data breaches, the need for education around cybersecurity has been thrust into the spotlight. While some have taken it upon themselves to learn more, a majority are still lost, stuck trying to make sense of everything happening around them.


While it isn’t necessary for individuals to have a complex understanding of cybersecurity, especially when they are not in a position to make company decisions, it is more than a bit concerning when the Wall Street Journal reports that many on corporate boards struggle with understanding cybersecurity threats. The survey, which was conducted by the National Association of Corporate Directors, revealed that only 11 percent of board members across industries reported they had a “high level” of knowledge about cybersecurity.

When broken out by industry, the stats don’t look much better:

  • 30 percent of healthcare directors said they have “little knowledge” of cybersecurity
  • Only 20 percent of healthcare directors reported having a “high level of knowledge”

The 30 percent figure puts healthcare at the bottom of every industry surveyed, which is shocking given the heavy regulatory compliance burden facing healthcare.

This places a spotlight on a major issue within the healthcare industry that needs to be addressed — that is, maintaining a high level of education. As an industry that holds a large amount of consumers’ private information, it is imperative that all involved gain some knowledge about cybersecurity, and boards need enough knowledge at the C-level to effectively enable the implementation of progressive solutions that will protect their organizations.

While each organization’s needs are different, it is recommended that companies employ a layered security solution. Solutions like Zix Email Encryption and ZixDLP play critical roles in helping protect data in email – a top risk in any organization. These solutions help ensure that private information isn’t leaked into the wrong hands in transit and doesn’t get sent out to the wrong person by mistake.

In the end, there needs to be a major emphasis placed on educating key decision makers within companies. Raising cybersecurity awareness at the corporate board level can only help combat the issues we are currently facing.

Are you in healthcare and want to learn more about your obligations to protect private information? Register for our webinar at http://go.zixcorp.com/20150723ZixHealthcareWebinar.html.


The Latest HIPAA Settlement Is Eye-Catching

On Monday, Joseph Conn published an article for Modern Healthcare highlighting a recent HIPAA settlement between St. Elizabeth’s Medical Center and the Office for Civil Rights (OCR), which, as most of you know, enforces the HIPAA Privacy Rule. Settlements with the OCR and breaches on its “Wall of Shame” are so frequent that it’s easy to ignore the latest news, but this particular article caught our eye when reporting:

  1. The settlement involved “a relatively rare enforcement area, Internet-based file-sharing services”
  2. Insight from Adam Greene, a well-known privacy lawyer, who said, “you’re going to have to have a business associate agreement (BAA) with any cloud-based (service) providers.”
  3. The violations came to light after complaints from the medical center’s own employee base

Often organizations have to account for employees as a weak link in their security and compliance strategy. We understand why; mistakes happen, as we ourselves pointed out in Monday’s data loss prevention blog. However, this article serves as a great reminder that, interestingly enough, employees are also an organization’s greatest asset. Not only are employees critical to the success of quality care and daily operations, they can be your eyes and ears to ensure security and compliance are meeting your standards day in and day out. After all, you spend valuable resources and time training employees on the appropriate policies and procedures; put that training to even greater use by leveraging employee feedback on what’s working and where you need to fill holes.

Now in turning our attention to the other two highlights – the “rare enforcement area” of Internet-based file-sharing services and the BAA with any cloud-based (service) providers – we would be remiss if we didn’t offer a quick and selfish reminder that Zix is the leader in protecting the most popular file sharing method (aka email) and, unlike many email encryption competitors, will sign a BAA. We’ve signed several hundred so far and are happy to work with you to provide this extra layer of assurance.
