Why We Don’t Think Twice Before Hitting Send

One of the (many) revelations to come out of the Sony hack fiasco is that as a collective population we often don’t think twice before hitting send on an unprotected email.

For instance, as news of the Sony hack began to unfold late last year, we saw reports of leaked emails containing candid (and not-so-nice) thoughts about celebrities, credit card numbers, passwords and more. The fact that executives were comfortable sending this information unprotected shows there is a serious gap between how email privacy is perceived and the reality of email security.

With all the information at our disposal about the risks of unprotected email, why do so many people in an organization — from CEOs to interns — still send unprotected email without giving it a second thought?

The “It Won’t Happen to Me” Mentality

You always hear stories about people not getting car insurance because they don’t need it. They think “I’m a careful driver, so I won’t get in an accident.” But they immediately regret that decision when they get in their first fender bender.

Every day in business you’ll find employees who subconsciously take the “it won’t happen to me approach” and, when sending emails, believe only the intended recipient will read their message or sensitive information.

In reality, sending an unprotected email is a lot like putting a postcard in the mail, in that the contents can be read along the way to the recipient. However, the information contained in company emails is a lot less frivolous than the “Hello from Hawaii!” greetings found on the back of a postcard.

It’s important to create a work culture that places security well before risk and provides an easy way for employees to make the decision to take the “better to be safe than sorry” approach.

Lack of Awareness about Security Risks

In general, most employees aren’t aware that “bad guys” can intercept their email through a man-in-the-middle (MITM) attack — just one of the many weapons cyber-thieves have in their arsenal.

MITM attacks come about by thieves taking advantage of vulnerabilities that allow them to see transmitted data in clear text. For instance, with the “Heartbleed” bug, as many as 10,000 sites were affected by the security flaw that allowed hackers to steal valuable data even when HTTPS was enabled (and users thought their traffic was secure).

This is where employee education comes into play. The more informed employees are, the more likely they are to take the appropriate steps to secure email.

Sending Sensitive Emails Unintentionally

When sending dozens — if not hundreds — of emails a day, even the best-intentioned employee may accidentally send out an unprotected email containing sensitive or personal information.

Companies need to adopt an approach in which all emails are protected to avoid any sensitive information slipping through the cracks.

If you have to ask, “Should I be encrypting this?” chances are you should.

When in doubt, look to Zix Email Encryption Services. Zix makes it easy to send encrypted email without inhibiting day-to-day workflow — it’s as easy as using a regular email solution and doesn’t let sensitive information slip through the cracks. With Zix, employees really won’t have to think twice before hitting send.

Send

Posted in Data Protection Trends, Email Encryption | Tagged , , , , , , , | Leave a comment

Employee Privacy and Employer Liability: The BYOD Dilemma

You may remember this blog and an expert panel webinar I hosted in January. Since then, I have received several requests to give my own opinion* on how to best ensure employee personal privacy and to minimize any potential employer liability issues associated with enabling BYOD in the workplace.

Let’s recap the July 2014 US Supreme Court ruling on smartphone privacy, Riley v. California. The ruling was unanimous – all nine Justices in favor – therefore this decision is not going to be overturned during my lifetime. Chief Justice John Roberts wrote that smartphones “differ in both a quantitative and a qualitative sense from other objects…………..[m]odern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans ‘the privacies of life.’”

More than a dozen states now have laws that prohibit employers from accessing their employees’ (and candidates) social media accounts. Personally owned mobile devices contain or enable access to vastly more of an employee’s private data. My opinion is that, in due course, all private, personal data stored in mobile devices – including BYOD and company-provided devices – will be protected from intrusion by the government, the employer and other unauthorized parties. Not only will this mean that employers will need to ensure that it is impossible for IT staff or others to access other employees’ private data, but employers will not be allowed to erase that private data without the voluntary, fully-informed consent of the employee. In many situations this may render today’s remote wipe consents illegal.

One of the several things I learned from the January webinar is that requiring an employee to sign a multi-page policy document in order to use a mobile device for work purposes may not result in the voluntary, fully-informed consent of the employee. This is because the relationship between employer and employee is not one of parties in an equal bargaining position; it is an asymmetrical relationship. Thus, a court could determine that an employee was effectively coerced to sign the remote wipe policy in order to use a device that is, for all practical purposes, required for employment.

As mobile device privacy laws evolve, MDM and containerized solutions will need to change radically. Firstly, MDM solutions have the capability to snoop into the types of personal apps the employee installs on his or her device, and possibly even their personal content within those apps. The fact that your IT staff claim they never do it, or your policy prohibits it, will not hold water: How do you prove in court that nobody actually snooped or that an employment-related decision was not influenced by employee personal data that is accessible by the employer? Secondly, how do you keep your remote wipe from erasing the employee’s protected personal information? It’s not realistic to expect employees to segregate their personal data into a tidy little container on their device, maintained entirely separate from their work lives.

It may be that the folks developing enterprise mobility management suites will, in time, come up with solutions to these headaches, but I prefer a solution that already avoids all these problems. That is the secure viewer solution, the one where no corporate data is ever stored on the BYOD device and where it is impossible for the employer to snoop into personal data. What’s more, the solution addresses the majority of concerns expressed by participants in this survey conducted for Zix.

Have a look at the infographic HERE

 

* Disclaimer: I’m not a lawyer, nor do I play one on TV (though I’m open to offers), so this post is not legal advice.

Posted in Bring-Your-Own-Device | Tagged , , , , , | Leave a comment

Partner Spotlight—Holy Data Protection! MicroAge and ZixCorp Team Up to Safeguard Your Sensitive Information

Just like Batman needs Robin, ZixCorp needs its trusted partners to ensure customers are equipped with the right security solutions to keep their data protected.

That’s why, in September 2014, ZixCorp entered into a new channel partnership with MicroAge—a leading IT solutions provider with a reputation spanning five decades for selling only the most reliable and innovative security solutions. At the time, MicroAge was a loyal client that was in the market for an easy-to-use email encryption solution and specifically asked for Zix Email Encryption.

Now, as a premier solution provider, MicroAge offers the complete ZixCorp suite—email encryption, BYOD and DLP—to its clients.

Working with MicroAge has enabled ZixCorp to extend its reach even farther into the healthcare and financial industries. This happens to be ZixCorp’s sweet spot, with one in five U.S. hospitals and one in four banks already using a ZixCorp solution.

“Our healthcare and financial clients rely on us to protect sensitive information and overcome challenging compliance issues,” said Tracey Hayes, Vice President of Sales at MicroAge. “We’ve earned their trust, and we felt ZixCorp was a natural extension for our company and our clients based on its positive reputation with both large and small companies in the same industries.”

Partnerships like these reflect the growing demand for email data protection and BYOD security. After a year plagued by data breaches, ZixCorp and MicroAge can look forward to working together to bring innovative security solutions to market in 2015 and for many years to come.

About MicroAge:

  • Founded in 1976 and headquartered in Tempe, AZ
  • Respected industry pioneer with a heritage of industry innovation spanning five decades
  • Serves clients in everything from the data center to the desktop with innovative technologies from industry-leading suppliers.
  • Learn more about MicroAge here.

 

Posted in Partner Update | Tagged , , , | Leave a comment

Securing Emails in the Title Industry

Imagine the following scenario. Your client is preparing to send money to you for an upcoming transaction, so you send an email with the necessary wire transfer information. Later you find that the transaction has not yet gone through, and so you call your client. At the other end of the phone you imagine you hear a gulp before the client informs you, emotionally, that he transferred the money hours ago to the account clearly listed in your email. You and your client have been victims of a man-in-the-middle attack.american title

Up until now, title agencies and their business partners have been regarded as soft targets, particularly when it comes to the non-public personal information that flows back and forth between, agents, partners and clients. Consequently the Consumer Financial Protection Bureau (CFPB) has issued a set of rules that will become mandatory in August to protect sensitive information.

This Thursday, Neil Farquharson will be speaking at the American Land Title Association Business Strategies Conference in Philadelphia. During a one hour presentation, he will discuss email and data loss prevention solutions that will help make title and settlement companies compliant with the new rules. If you are unable to attend, please read our ebook Securing Emails in the Title Industry that you can download here

Posted in Data Protection Trends, Email Encryption | Tagged , , , , , , | Leave a comment

The Solution to State Mandated Encryption

Connecticut lawmakers have begun pushing for a mandate that would improve the state’s cybersecurity standing by requiring vendors to encrypt all personal data stored and transmitted as a condition of entering into a contract with the state.

mandated encryptionAccording to an article in Government Technology, businesses also would have to enable stronger password protections and control how much personal identifying information can be downloaded at one time, to help mitigate damage in the event any data is stolen. Ultimately, this should help Connecticut become a safer state in which to live and do business in.

If the mandate passes, Connecticut would join Maryland and New Jersey as states requiring customer data encryption.

At this point, encryption needs to be mandated on a state-by-state basis. Connecticut Senate Majority Leader Bob Duff, (D-Norwalk) hopes that legislative action by one or more states could prompt additional action by the federal government, but that likely won’t happen anytime soon:

“Unfortunately, as we all know too well, Washington has become dysfunctional,” Duff said. “Washington is unable to function in a quick manner – something that is necessary with the fast moving field of technology. The responsibility has fallen to the states.”

Until Washington decides to take action, states will need to find a workable solution that is cost-effective and offers the highest level of protection. Duff explained to Government Technology that the burden of encryption could be difficult on small companies that, in order to comply, would need to spend 20 percent or more in computer and software costs.

So what’s the best solution?

One option is for states to require vendors and businesses to join an email encryption network that would allow seamless communication within the state, and beyond. As states begin to mandate encryption, there would be a common encryption platform that could eventually be the standard encryption model used by businesses across all 50 states.

The Zix Encryption Network is already used by over 11,500 companies including 1 in 4 American banks, 1 in 5 U.S. hospitals, all U.S. federal financial regulators, the U.S. Securities & Exchange Commission and more than 20 state financial regulators.

If states are going to mandate encryption, why not ask them to join a network that’s already used by a large number of national and state-wide businesses and regulators?

Not only does joining the same network provide convenience by having all businesses on the same platform – eliminating passwords and portals – but it’s also one of the most affordable options out there since it can be scaled to any size business.

At Zix, we fully advocate and support the decision to mandate encryption at both the state and national level. While encryption isn’t a solve all, it is part of an imperative need to step up our game when it comes to the protection of American citizens and businesses.

Posted in Email Encryption, Email Encryption Trends | Tagged , , , , | Leave a comment

Ms. Clinton Would Benefit From Zix Email Data Protection

Love her or dislike her, you’ve got to admire Hillary Clinton’s tenacity. I just watched the video recording of her on the New York Times website, and boy did she come out fighting. I guess the reception of her statements may determine whether or not she runs for her party’s ticket, but I’m going to leave politics to politicians and focus on something far more important: Ms. Clinton’s oblique reference to ZixOne.

Hillary

In her almost three minute statement addressing email concerns, Ms. Clinton began by saying “I opted for convenience.” She then went on to state “I thought it would be easier to carry just one device for my work and for my personal emails, instead of two.” On this issue Ms. Clinton and I are in perfect agreement. Why would anyone wish to carry two smartphones? They’re designed for convenience, and to be carried easily.

ZixOne is so named because one mobile device can manage both your work emails and your personal emails. The work emails are kept entirely separate from the personal emails. In fact the work emails aren’t even stored on the single device – ZixOne is also named because only one copy of each email exists, the one on the work email server. ZixOne brings you secure access to your work emails plus audit and record keeping functionality that would more than please any Select Committee or Accountability Review Board.

If all of the above wasn’t concerning enough in terms of security, a major shiver goes down my spine when I consider  that Ms. Clinton was using a personal email account that may or may not have been secure. At Zix, our business solutions come with email encryption and data protection functionality that is far superior to any known personal email service.

Find out more about Zix email data protection here.

Posted in Bring-Your-Own-Device, Simple to Use | Tagged , , , , , , | Leave a comment

Email Encryption: And now for the whole story

Thanks to massive media coverage, we’re all well aware of recent data security breaches – Sony, Target, Home Depot, Anthem and more – and you may have noticed a knee jerk reaction from some executives who, once they find out about a breach, talk about moving quickly from insufficient protection to encryption overkill, without regard to how this will affect their business operations.

However I’d like to point out that all of the above breaches refer to hacking attacks on data stored within company networks. That is, breaches that are detectable – at least within a few months! What the media rarely acknowledges however is that email interception is almost never detected and therefore not newsworthy. But because it is not detected does not mean it is not happening. The irony is that your data is more vulnerable in transit, as it passes between end points and servers, than it ever is at rest. Edward Snowden notoriously divulged that the NSA and (the United Kingdom’s) GCHQ routinely act as a man-in-the-middle to intercept emails in transit and then to retransmit these emails with neither the senders nor the recipients ever being the wiser.

The root problem is that SMTP emerged back at the dawn of the Internet. As an Internet standard, SMTP is used by the big players in the email arena allowing email to function seamlessly.

email keyAs it relates to email encryption a similar story has emerged as of late.   Remember the relatively recent headlines announcing the support of encrypted email as a standard by Yahoo, Google and other big names.   These headlines are a good reminder to be careful not to take everything at face value.

These providers have indeed made some improvements to the security of email by using SMTP transmitted over TLS but their implementation does not ensure the confidentiality of the email. In other words they’re relying on a technique sometimes referred to as Opportunistic TLS which means there is no authentication of the intended recipient. It’s important to understand the dangers of that approach.

A data thief can utilize a man in the middle attack to cause the email to be misrouted without detection, causing your data to end up in the wrong hands – and you would never know. Is the email encryption promoted by these vendors actually satisfying security demands? Encryption without authentication creates the perception you are secure when in fact, your data is still vulnerable.

Taking all of this into consideration, the wrong thing to do would be to remove encryption altogether because of its perceived difficulty and cost. So what is the solution? A modern email encryption solution that delivers a simple and secure email encryption experience. Features such as automatic encryption and decryption, between a community of companies, provides businesses and users with a solution that reduces the common pain points. Zix doesn’t just provide the illusion that your data is secured; we ensure your encrypted email is always protected.

Find out more here.

Posted in Data Breaches, Email Encryption | Tagged , , , , , | Leave a comment

Target Layoffs and the Loss of Customer Trust

Last week’s announcement that Target is laying off several thousand employees generated a plethora of negative articles and comments across the web and news outlets, not least due to the outgoing CEO’s golden parachute. What I did not see were articles linking Target’s massive data breach to its subsequent downturn in business due to loss of customer trust.Target trust

To me it seems self-evident that if a business exposes the card details of 40 million of its customers, these customers are not going to trust that business again. And as the USA is a country of card users, these customers are going to go elsewhere to use their cards. Just as other giant US vendors have gone the way of the dinosaurs, sadly we may be witnessing the irreversible downward spiral of a once-respected US institution.

So what initiated the fall of Target Corporation? As far as we understand, Target had installed effective countermeasures, but the IT staff did not have the confidence to act on its alerts. There is good evidence that businesses do not empower their employees to interrupt business operations. For example, during the Piper Alpha incident, dozens of men who had taken shelter in a fireproof accommodation block died because other employees believed they would be punished for stopping production. Similarly there is evidence that when an employee does stop operations for safety reasons, that employee will often be fired.

Trust is hard to earn and easy to lose. Yet over the last 16 years, Zix has built a client list of over 11,500 businesses that trust Zix to protect their emails; and who in turn are trusted by their customers. I was especially pleased to learn that Cisco is trusting Zix to develop their new Enhanced IEA email encryption solution. Current users will be able to continue working with IEA, while retaining their existing architectures, without interrupting their email services. To me it is axiomatic that for a modern business to be successful, trust is key.

Posted in Email Encryption | Tagged , , , , , | Leave a comment

Cisco Partners with Zix for Email Encryption

Customers of Cisco who use the Cisco IronPort Encryption Appliance (IEA) have good reason to cheer this morning. Today Cisco announced a partnership with ZixCorp to offer a migration path to a new, enhanced solution.

The new solution, known as Enhanced IEA, will allow users to continue working with IEA , while retaining their existing architectures, and without interrupting service. Enhanced IEA is due for release in May 2015. Cisco says that the email encryption experience that users already enjoy will be maintained.

Cisco also announced that later this year, they’ll be reselling the Cisco ZixGateway. This will be a bolstering of their existing PostX Envelope solution with the trusted email encryption capabilities of ZixGateway.

To read the press release, click here.

Cisco Partnership

Posted in Company News, Email Encryption | Tagged , , , | Leave a comment

Questions CIOs Should Ask Before Adopting Email Encryption

For companies and CIOs, making the decision to implement encryption is just the first step in the process towards email security. With so many solutions and providers out there, it can be a daunting task to find the right one.

Don’t worry — Zix has your back. Below are five questions CIOs should ask before they choose an email encryption solution:

  1. Does the solution include a hosted, shared email encryption network?  

    Why not encrypt every email? The simple answer is that it’s really hard, and most solutions simply don’t accommodate the way people work today. Passwords? Portals? No one has the time to take those extra steps. By being part of a shared email encryption network, employees ensure that 100 percent of the emails they send to other users within the network are secured — and they don’t need to stop and take extra steps that slow down your business.

  2. Does the solution offer policy-based encryption filters?  

    Policy-based encryption filters play an important role by identifying and protecting sensitive information in emails and attachments. Occasionally, even the best-intentioned employees might not think an email needs encrypting, or they might forget altogether. To ensure compliance and guarantee that all emails containing sensitive information are secure, CIO’s should look for solutions that offer policy filters that scan all outbound messages. Industry-specific filters that can be customized for your business are even better. If the system suspects an email contains sensitive information, it will determine which emails must be encrypted and which must be quarantined.

  3. Is the solution easy to use?  

    Ultimately, email encryption is a business tool and should be seamless for both sender and receiver. Often, this is not the case, and wrinkles in the process can result in costly breaches in compliance (not to mention drops in productivity). An easy-to-use platform can help to ensure universal adoption within an organization. For instance, does the solution automatically decrypt inbound messages at the Gateway so recipients don’t need to bother? On the recipient side, does the solution automatically encrypt messages to simplify the process for them? Are reply, reply-all and forward messages automatically encrypted?

  4. Does the solution provider have a proven solution and reliable track record?  

    Not all email encryption solutions or providers are created equal. Choosing a provider is a long-term commitment, so make sure you do your reference check and use a solution that other organizations in your industry trust. You should also check whether the infrastructure has any certifications and accreditations, such as SysTrust/SOC 3 or PCI Level 1.

  5. Does your solution provider have you covered during and after the deployment?  

    The job isn’t over once an organization deploys an email encryption solution. First things first: Make sure you understand how long it will take to deploy the solution. You don’t want a major disruption to your business. It is possible to deploy a solution in less than a day. Once the solution is in place, employees at all levels must be educated on the ins and outs of email encryption and must understand how to use the solution. Additionally, you’ll want to make sure the solution is monitored and maintained by the vendor so it requires minimal ongoing resources from your team.

Are you in the process of selecting an email encryption solution? For more information on what to look for, check out our email encryption checklist.

Posted in Email Encryption | Tagged , , , | Leave a comment