Lawyers Washing their Hands of Email Encryption

During the 1990s, I worked as an operations manager in a big-brand food production plant. Needless to say, the plant had the usual quorum of food hygiene staff who would do spot checks to make sure everyone was behaving themselves. One year, the hygiene staff decided to spend some discretionary budget on a few hundred vinyl and Perspex signs reminding workers to wash their hands after using the “facilities.” I don’t know about you, but I would imagine that if I were mounting these signs in the restroom, I would place them on the back of the stall doors and above the urinals – so that staff would see these signs at the appropriate time. But oh no! According to the professionals, the correct location to place the signs was above the sinks, so that people would be encouraged to wash their hands… while washing their hands.


I was reminded of this folly this morning while reading this survey report from the American Bar Association. According to the report, only one-third of lawyers are currently protecting their clients’ information by using email encryption. Over 70% apparently rely on what’s called a confidentiality statement at the end of the message body. Notice I write “at the end of the message body.” Think about it: you have to read all the way through someone’s confidential information before you reach the confidentiality statement. Hence, if the information is not intended for you, you’ve already read confidential information intended for another client of your lawyer. Are you feeling protected?

I love this quote from Robert Ambrogi’s blog site: “It is akin to putting a note inside a box that says, ‘Do not open this box.’”

What’s worse, according to the survey, many of the lawyers who do use encryption use old-fashioned, difficult-to-use systems that require recipients to be sent separate passwords. We already know that clients hate such systems because they have to spend time going to special websites and jumping through hoops to retrieve their email. Not to mention that if the email goes to the wrong recipient, the password email will most likely go to that same wrong recipient. If you’re a lawyer, please don’t “wash your hands” of protecting your clients: learn about modern email encryption by clicking on this link. Also, you may enjoy this blog about the worthlessness of confidentiality statements.


Together, ZixCorp and Intel Security Work to Shore Up Data Breach Vulnerabilities

Today ZixCorp announced a partnership with Intel Security through the Security Innovation Alliance (SIA) in a push to provide customers with easy-to-use and secure email encryption solutions.


The SIA brings together top security vendors to provide customers with trusted products that can integrate seamlessly into a customer’s security environment. Working together, ZixCorp, Intel Security and other SIA partners can deliver more comprehensive solutions.

Intel Security’s 35,000+ customers can now benefit from ZixCorp’s leading easy-to-use email encryption that is already trusted by one in four U.S. banks and one in five U.S. hospitals.

Data Security Now “In Vogue”

With the threat of email snooping looming large, email encryption is now an important tool in an organization’s data security arsenal. Sending an unencrypted email is akin to putting a postcard in the mail — easy for anyone and everyone to read if they’re motivated enough to look. While having a stranger read your postcard to Aunt Milly is harmless, the contents of corporate emails are rarely as frivolous.

The SIA provides companies access to trusted and easy-to-integrate solutions that can help them avoid potentially costly data breaches. Investing in data security measures has never been more vital, and with the SIA, it has never been easier. To learn more about the SIA and ZixCorp’s involvement, visit:

Any Questions?

Give us a shout on Twitter — @ZixCorp.


Will the NIST Practice Guide Help Develop Your Effective Mobile Security Strategy?

With so many recent data breaches in the healthcare industry, senior managers are looking for advice on how best to secure protected health information (PHI). Many busy health professionals are using mobile devices while at work and during their leisure time. Hence mobile security has become a key issue for IT departments as they look to protect sensitive medical information from unwelcome eyes.

Gone are the days of filing cabinets holding patients’ paper records. Today, most patients would rather email their doctors than call them. And healthcare providers are increasingly using smartphones and tablets to perform routine tasks such as accessing medical records, communicating with insurance providers and submitting prescriptions.

Given the recent data breaches that have plagued the healthcare industry — many through human error — the National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) has released a draft guide to help CIOs, CISOs and security managers improve security for mobile devices and mitigate risks.

The guide addresses issues such as:

  • A healthcare worker might lose or misplace a mobile device containing private health information, or be a victim of exploitation or theft.
  • Compromised mobile devices enable hackers to access the healthcare organization’s network.
  • Attackers on untrusted networks use a man-in-the-middle strategy to obtain credentials for accessing the enterprise network.

Today we ask: Will these guidelines ensure an effective mobile security strategy?

Sensitive patient data needs to be protected, especially on mobile devices

Given the sheer number of breaches, it’s no surprise that there is now a greater emphasis placed on protecting electronic medical records and on securing their delivery to, or receipt from, mobile devices. This helps avoid any issues related to identity theft or privacy as a result of unprotected data. If data is left unprotected any time it is stored, collected or accessed on a smartphone or other mobile device, it is particularly vulnerable. Not only are mobile devices misplaced or stolen regularly, but users also frequently connect to unsecured Wi-Fi networks. However, if data is encrypted, even if a hacker gains access to a data center or taps into network traffic, the data is unreadable without the encryption key. Email encryption solutions can also be implemented to shield data while in transit. With patient records and billing information communicated between insurers, patients and doctors’ offices, this is key.

The guide serves as an affordable and easily accessible resource of information

Primarily designed for security engineers and IT professionals, the guide is free of charge and offers step-by-step instructions. This can be useful for organizations with access to these types of experts, but for a smaller organization, resources might be more limited.

A challenge with this type of general guideline is that the underlying technology is changing rapidly. Individual apps are constantly pushing out updates, operating systems are regularly updated and new device models are released each year. This means that by the time the next update rolls out, some of the guidance may no longer apply.

Discussing ease of use

While the guide is targeted at more technical staff, it does recognize that security largely depends upon user experience. For example, the guide states that the major threats to data integrity are:

  • A lost or stolen mobile device
  • A user who:
    • Walks away from a logged-on mobile device
    • Downloads viruses or other malware
    • Uses an unsecured Wi-Fi network

The guide offers process diagrams to aid organizations in designing the secure exchange of data. However, while recognizing that human error is a major threat, it does not provide as much advice on mitigating such human error. For example, it says little about internal procedures and instructions in the event that a device is lost or stolen (the how-to’s of a proper response), about which devices are or are not allowed (for example, disallowing jailbroken devices), or about approved third-party apps used to protect mobile devices and data (hint: look for apps that keep data off the device entirely).


While it’s impossible to create and implement guidelines that apply to organizations of every size and account for every possible scenario, the mobile security guidelines put together by NIST offer a solid building block for healthcare organizations. Ultimately, implementing necessary security measures must be balanced with ensuring that healthcare workers can easily use the technology to perform their day-to-day responsibilities. If technology is cumbersome and difficult to use, employee adoption and buy-in is sure to be slow, leaving healthcare professionals looking for work-arounds to avoid using the solutions. These are risks no organization should be willing to take.

Learn more about preventing PHI being stored on mobile devices here.


PGP: Pretty Good Privacy, or Pretty Hard to Use?

Pretty good privacy, or PGP, is often referred to as the “first born” when it comes to data encryption. Originally developed in 1991, PGP is an encryption and decryption program that is used for signing, encrypting and decrypting text, emails, files and more.

With the endless string of data breaches, cyber threats and government spying, there has been an increased focus on data protection tools such as email encryption. Companies and privacy-conscious citizens are seeking solutions to protect their data from unwanted eyes and avoid the potentially catastrophic effects of a data breach. But one fairly obvious technophile doesn’t seem to be following this adoption trend.

Recently, SC Magazine reported that Phil Zimmermann, one of the world’s foremost cryptologists and creator of PGP, isn’t encrypting his communications and doesn’t use the service he created. Does he simply have nothing to hide, or is there more to the story?

Zimmermann later clarified that he doesn’t use PGP because it isn’t compatible with the MacBook he uses for email, and that it has never worked with any iOS device.

While this is true, there are other encryption solutions available for OS X and iOS devices.

Regardless of operating system, anyone using an outdated email encryption solution like PGP knows it can be a painfully frustrating process. Remembering encryption keys or dealing with a clunky interface can be challenging, even for experienced people. And forget about using outdated email encryption on a mobile device.

The truth is, for encrypted email to be widely adopted both within companies and throughout society at large, renewed emphasis needs to be placed on the user experience.

Fortunately, we are beginning to see a change. Companies are realizing that if the solutions they offer their employees and recipients are difficult to use, the odds of adoption decrease dramatically. And with low adoption, the companies’ risk for data exposure increases.

In order to increase adoption, companies are turning to email encryption solutions that are easy-to-use and seamless to integrate. By making email encryption as simple as regular email, companies can rest assured that sensitive and confidential data is protected in transit.

For an easy-to-use solution, look no further than Zix Email Encryption. Want to discuss further? Feel free to reach out on Twitter @ZixCorp.


ZixSelect Mobile: End-to-End Encryption for Mobility

ZixSelect Mobile has created quite a buzz within the Zix customer base. IT and security professionals are already familiar with ZixGateway, an automated method for monitoring outbound emails in real time that takes immediate action to secure any sensitive information contained in these emails. The concept is well understood: policy filters are specially tuned for each business type. This means that employees can get on with doing what they do best – their jobs – without stressing about email security. CISOs love the model because it removes human error from the equation.

ZixSelect Mobile now extends and enhances the ease of use of ZixGateway for mobile users. Now they can decide to encrypt individual emails at the tap of a button, and remain fully protected by ZixGateway.


Here’s how it works: A user has the ZixOne BYOD solution on his or her smartphone or tablet. He types an email in the usual way. He knows that corporate data is protected by ZixGateway; however, there is special information in this email that he wishes to have encrypted. Just below the subject line in his email there is a green button that he slides to the right, instructing ZixGateway to encrypt the email. When he presses send, the email passes securely over the public network to the ZixOne server and then on to his organization’s mail server. As that same outbound email then leaves the server, ZixGateway recognizes the ZixSelect Mobile instruction to maintain encryption, over the public Internet, all the way to the final recipient or recipients. In other words, ZixOne can now guarantee that any email its users wish to send securely will remain secure end-to-end, from sender to recipient.

In addition to providing the industry’s easiest-to-use secure email mobility solution, ZixSelect Mobile with ZixOne stores no corporate data on mobile devices. CISOs love the fact that corporate data is streamed to this secure viewer solution only when it is being viewed by the employee: no corporate data is retained in permanent memory, thus removing the need for a remote wipe or kill-switch should an employee lose his or her device. This is extremely effective security.

To learn more, download the ZixSelect Mobile datasheet.


Customer Spotlight – For First State Bank of Rice, Investing in Cybersecurity Is a Way of Life

Data breaches can happen for a number of reasons. A thief can get a hold of an employee’s mobile device that contains corporate data, an employee can accidentally forward sensitive information to the wrong email address, or a hacker can even intercept unencrypted email containing personally identifiable information. While these scenarios are all very different, one thing is the same – they can all lead to a data breach with private information exposed.

Investing in Cybersecurity

In working with managed service provider Unicom Technologies Inc., First State Bank (FSB) of Rice could identify evolving threats and enhance its data security program. And since email is a top vulnerability, FSB needed a data security “umbrella” of sorts that could protect against the various types of email security risks and maintain the trust of its customers. With that idea in mind, the bank turned to ZixCorp for help with email data protection.

FSB President and CEO Michael J. Montgomery sums it up perfectly:

“Investing in cybersecurity is becoming a way of life for any business, but particularly so for banks that have an abundance of valuable personal data, such as financial data, tax identification numbers and Social Security numbers. Our clients trust us to take care of their financial needs, but they also rely on us to protect their privacy.”

To secure outbound messages containing sensitive data, FSB employees use ZixGateway, an email encryption solution that automatically scans outbound email. If it detects any sensitive data, ZixGateway automatically encrypts outgoing emails and relieves employees of the hassle and stress of extra steps. Because mistakes happen to the best of us, FSB also deployed ZixDLP, a data loss prevention tool with quarantine filters, to prevent employees from accidentally sending an email to the wrong recipient or exchanging the wrong file.
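The outbound policy filtering described for ZixGateway above and in the ZixSelect Mobile post (scan outgoing mail for sensitive data, honor a user’s explicit encrypt request, and quarantine likely mis-sends as ZixDLP does) can be sketched as a small policy engine. The code below is an added illustration, not Zix’s code; the header name X-Encrypt-Request, the patterns, the domain lists and the sample messages are all assumptions constructed for the example.

```python
import re
from email import message_from_string
from enum import Enum


class Action(Enum):
    DELIVER = "deliver"        # nothing sensitive: send as-is
    ENCRYPT = "encrypt"        # sensitive content or sender asked for encryption
    QUARANTINE = "quarantine"  # hold for review: sensitive data to a risky recipient


# Hypothetical header a mobile client could set when the user flips the
# "encrypt" control (assumption: not a real Zix header name).
ENCRYPT_FLAG_HEADER = "X-Encrypt-Request"

# Content patterns a policy filter might be tuned with (constructed examples).
# No capturing groups, so findall() returns the full matched strings.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "account_number": re.compile(
        r"\b(?:acct|account)\s*(?:no\.?|number|#)?\s*:?\s*\d{8,12}\b", re.I),
}

# Recipient domains treated as high risk for accidental leaks (constructed
# list); sensitive data addressed there is held instead of sent.
RISKY_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}


def extract_text(msg):
    """Collect the text/plain bodies of a parsed message (single or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    texts = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload is not None:
                charset = part.get_content_charset() or "utf-8"
                texts.append(payload.decode(charset, "replace"))
    return "\n".join(texts)


def find_sensitive(body):
    """Return {pattern_name: [matches]} for every pattern that fires."""
    hits = {}
    for name, pattern in SENSITIVE_PATTERNS.items():
        found = pattern.findall(body)
        if found:
            hits[name] = found
    return hits


def recipient_domains(msg):
    """Lower-cased domains from To/Cc/Bcc headers."""
    addrs = []
    for header in ("To", "Cc", "Bcc"):
        value = msg.get(header)
        if value:
            addrs.extend(a.strip() for a in value.split(","))
    return {a.split("@")[-1].strip("<> ").lower() for a in addrs if "@" in a}


def classify(raw_message):
    """Decide what the gateway should do with one outbound message."""
    msg = message_from_string(raw_message)
    hits = find_sensitive(extract_text(msg))
    user_requested = msg.get(ENCRYPT_FLAG_HEADER, "").strip().lower() == "yes"
    if hits and recipient_domains(msg) & RISKY_DOMAINS:
        return Action.QUARANTINE, hits   # DLP: probable wrong recipient
    if hits or user_requested:
        return Action.ENCRYPT, hits      # automatic or user-requested encryption
    return Action.DELIVER, hits


# Constructed sample messages (not real mail).
SAMPLE_CLEAN = ("From: teller@fsb.example\nTo: customer@example.org\n"
                "Subject: Branch hours\n\nWe are open 9-5 on Saturdays.\n")
SAMPLE_SSN = ("From: teller@fsb.example\nTo: customer@example.org\n"
              "Subject: Your request\n\nThe SSN on file is 123-45-6789.\n")
SAMPLE_FLAGGED = ("From: ceo@fsb.example\nTo: board@example.org\n"
                  "X-Encrypt-Request: yes\nSubject: Board deck\n\nPlease review.\n")
SAMPLE_WRONG = ("From: teller@fsb.example\nTo: someone@gmail.com\n"
                "Subject: Statement\n\nAccount number: 0012345678 is overdue.\n")

if __name__ == "__main__":
    for name, raw in [("clean", SAMPLE_CLEAN), ("ssn", SAMPLE_SSN),
                      ("flagged", SAMPLE_FLAGGED), ("wrong", SAMPLE_WRONG)]:
        action, hits = classify(raw)
        print(f"{name:8s} -> {action.value:10s} {hits}")
```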

As Montgomery puts it:

“Our employees live in the communities we serve. They understand the importance of data security, but mistakes happen. Automatic encryption and DLP make sure that nothing sensitive falls through the cracks. Our employees love it and so does our board of directors.”

With the rise of mobile devices in the workplace, FSB knew that it also needed a Bring-Your-Own-Device (BYOD) security solution. ZixOne provides FSB employees with secure access to corporate email on their personal devices without jeopardizing customer data or employee control. How? No data actually resides on the device. If an employee’s personal phone or tablet is ever lost or stolen, an administrator can easily disable corporate email access to that device, dissolving the fear of confidential information falling into the wrong hands.

First State Bank of Rice serves as a model for investing in the proper email data protection solutions. By covering all of its bases, FSB continues to thwart security risks and prove that customer privacy is a top priority.

About First State Bank of Rice:

  • Financial services company established in 1928
  • Member of the Rice Bancshares, Inc. located in Rice, Texas
  • Manages $150 million in assets


Data Security Role of FTC Is Upheld

Regular readers know that I recommend every type of organization protect itself against data breaches, not just those operating under regulatory mandates.

There has long been an argument that modern legislation such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) offer sufficient protections to businesses and consumers, hence it probably came as a shock to global hotel company, Wyndham Worldwide Corp, when they were sued by the Federal Trade Commission (FTC) under Section 5 of the Federal Trade Commission Act of 1914.

According to documents filed in the District Court in Arizona in 2012, Wyndham engaged in “unfair and deceptive acts and practices” when, between 2008 and 2010, data breaches of Wyndham systems led to the release of over 600,000 Wyndham customers’ personal data. When you dive down into the weeds, Wyndham was accused of failing to use firewalls, failing to address known security vulnerabilities on servers, using “default” user names and passwords to access servers, failing to limit third-party access, and so on. Pretty damning accusations, I know, but what business was it of the FTC?

Interestingly, when the case was heard by the U.S. Court of Appeals for the Third Circuit in Philadelphia a few days ago, lawyers representing Wyndham challenged the authority of the FTC in an area where there already exists “a less extensive regulatory scheme” – meaning the Fair Credit Reporting Act, HIPAA etc. The three appeal court judges sided with the Federal Trade Commission agreeing that it has the authority to regulate corporate cyber security. Thus, at least for the time being, until Congress adopts more wide-ranging legislation governing data security, the FTC has the green light to pursue organizations that they deem liable for data breaches that cause harm to consumers.

In this age of constantly changing threats, businesses should not be waiting around to find out if they’ll be retrospectively fined by the FTC, or if Congress will eventually get around to adopting more wide-ranging legislation governing data security. Instead they should be taking immediate action to protect corporate and client data, not only to protect themselves from liability, but also to protect their brand images from the negative exposure of headline news.

Zix is the leader in email data protection. Find out about Zix secure solutions here.


Newswire Services Aren’t the Only Exposure for Public Companies

For years, the top markets investing in data protection were healthcare, financial services and government. The reasons were clear:

  1. These companies and organizations collect, manage and exchange an endless amount of personal data – Social Security numbers, health records, bank accounts, etc. – and data protection is crucial to maintaining trust with clients, patients and the public.
  2. With so much personal data, these same companies and organizations are highly regulated, and data protection is required for regulatory compliance. See acronyms such as HIPAA and GLBA.

Some companies that support these industries have also implemented data protection, due to the recent expansion of regulatory requirements.

But without compliance concerns, other industries were not as aware of the risks to sensitive data and were not inclined to use data protection until breaches began saturating the news cycle. Even with a greater understanding of breaches and risks, companies in these other industries still haven’t flocked to data protection, and again the reasons were clear:

  1. Given the option to invest in tools or strategies that lead to growth or to invest in security solutions that don’t offer a clear ROI, companies (especially public ones) will lean toward the former option.
  2. They don’t believe that they have sensitive data worth stealing, or they don’t see themselves as a potential target.

If public companies thought they weren’t a target, yesterday proved otherwise.

A federal indictment was filed against a group that hacked into the computer networks of three newswire companies to steal confidential press releases. The group made stock trades ahead of public announcements and stole more than $30 million.

Newswire services are not the only vulnerability for public companies. Below is a list of exposures that public companies should be aware of and proactive in securing.

  • Email: Financials sent to auditors, press release drafts exchanged between in-house teams and outside investor relations and public relations firms, dozens of materials sent to board members for review and approval. The amount of sensitive data exchanged in email is exhaustive. If you’re not encrypting email, it’s accessible to more people than your recipients, as Kevin Mitnick recently demonstrated in an email hack.
  • Mobile Devices: Smartphones and tablets are easy connections to the office. Employees and consultants read investor relations materials, download customer lists and read “INTERNAL ONLY” documents. They do so from the train into work, in restaurants with their family and traveling on work trips or even vacations. Devices are so conveniently small that they’re easy to lose. If you aren’t protecting corporate data accessed on devices, they’re also easy targets for theft.
  • File Sharing: We’ve all experienced it – a notification that our email attachment is too big to exchange through the mail server. You can’t trim off a sheet in the Excel doc or pieces of a critical presentation, so you store it in an online file share, send a link and move on to other business. Too bad your employees use a free and insecure file-sharing Web site that leaves corporate data at anyone’s disposal.
  • Electronic Equipment: Encryption isn’t just a good solution for email; it’s helpful in protecting laptops and USB devices that are lost too, and desktops that are vulnerable to a break-in. We know what you’re thinking: That kind of thing doesn’t happen! Thieves aren’t breaking into the office at night when nobody’s at work. Wrong: think social media, tailgating and social engineering. A criminal finds out through social media that an employee is on vacation, slips past the locked door by tagging along with another employee and sits at a computer while telling passers-by that a maintenance request was received to fix an issue while the employee was out.
  • Paper Records: With the beauty of computers, who uses paper anymore? Ask that of anyone who has aggressively tapped on the error message that continues to pop-up on the printer even though there is NO PAPER JAM. Paper still exists. Sensitive data still gets printed. Invest in shredding.
  • Employees: The many good-hearted employees make mistakes sometimes. The few malicious ones tend to go unnoticed. Data loss prevention takes care of both.

If you work for a public company, reviewing these exposures is a good start to protecting your corporate data and your stock. If you work for a private company, don’t be fooled into thinking you don’t have anything worth stealing.

Have other exposures you’d like to add to our list? Feel free to submit ideas in our comments section.


SEC Hacking: First Nine Are Indicted

As reported by Zix in June, the SEC has been investigating an ongoing cyber-attack by a sophisticated group, based in the U.S. and Europe, against publicly traded companies in order to beat the stock market. According to the indictment, filed in New Jersey today, from early 2010 until the present the group hacked into the computer networks of three newswire companies to steal confidential press releases ahead of their official public release dates to gain “material nonpublic information.” This meant that the group was able to make trades in stocks ahead of public announcements, thus fraudulently netting over $30 million.

As reported by the BBC, the FBI confirms that five of the individuals residing in the U.S. were taken into custody this morning. According to the indictment, the group accessed more than 150,000 press releases in a scheme similar to one in 2005, except that today’s indictment is for a far broader scheme than anything previously detected by U.S. authorities.

What is most concerning about this and other similar cases is that sensitive information, “material nonpublic information,” has been passing between major U.S. companies, newswire companies and other parties in unsecured ways. Here at Zix, we often hear about press release drafts, earnings scripts, PowerPoint presentations and emails between auditors, board members and consultants being sent in clear text. With the help of Kevin Mitnick, we’ve demonstrated that emails can be intercepted in man-in-the-middle attacks so that unencrypted emails can be read by criminals in real time. The same applies to press releases emailed by companies to their public relations agencies and press-release wire companies.

Zix, the nation’s leader in email data protection, provides a number of email encryption solutions that prevent intercepted emails from being read. Utilizing AES256 encryption in a Community of Trust, plus our groundbreaking BMOD method for secure delivery to anyone, Zix Email Encryption gives public corporations (as well as government agencies, large private companies and SMBs) the means to keep their email – including email on mobile devices – secure.

For more information on Zix reliable security solutions, click here.


Black Hat and DEF CON Showcase the Latest Hacks

Last week, Black Hat and DEF CON wrapped up conferences that offer a window into the latest hacker exploitations and ways to thwart some (but not all) of them. Below we’ve highlighted a few threats, beginning with the one that’s gaining the most media attention.


The remote hijacking of a Chrysler Jeep

The Internet of Things is meant to make objects “smarter,” but hackers have leveraged vulnerabilities in connected devices to make them scarier. In 2013, at Black Hat and DEF CON, a session highlighted cyber-attacks on medical devices. If that wasn’t frightening enough, researchers this year showcased how they took control of a moving Jeep Cherokee, commanding its “internal network to steering, brakes and the engine.” Chrysler has since recalled 1.4 million vehicles, such as 2013-2015 MY Dodge Viper specialty vehicles, 2014-2015 Dodge Durango SUVs, 2015 Dodge Challenger sports coupes and of course 2014-2015 Jeep Grand Cherokee and Cherokee SUVs.

SIM Cards are NOT unbeatable

A research professor and his team revealed how they cracked commercial SIM cards in 80 minutes or less. The presentation highlights how hackers or intelligence agencies can use side-channel attacks to impersonate payment cards or steal data from mobile devices (another use case for implementing a no-data-on-the-device approach to mobile security).

Macs are NOT unbeatable either

If you conduct a search on “Mac Hacks,” your browser will be flooded with findings on how to enhance your use and love of the Mac operating system. Do the same for Windows or Android, and your search retrieves stories on security concerns and updates. This probably isn’t news to you, but what may be is recent research showcasing several Mac vulnerabilities that bypass Apple’s security.

Your fingerprint is no longer unique

Researchers presented several new methods to extract user fingerprints from mobile devices. Mostly applicable to Android devices, one method exploited a weak sensor to collect fingerprints on a large scale. So it raises the question: is your fingerprint unique if someone else uses it?

Finally, we’d like to share a hack mentioned by Black Hat and DEF CON Founder Jeff Moss at the end of his interview with Chris Preimesberger of eWeek: If someone takes a picture of your keys, they can make a copy of your keys. Crazy!

For other hacks unveiled last week, check out Sarah Kuranda’s article for CRN. She provides a nice summary of the events’ sessions.
