Convenience vs. Security: You CAN Have your Cake and Eat it Too

Let’s be honest. Americans on average are stretched far too thin in the workplace. Between 2013 and 2014 the average time Americans spent working rose to 46.7 hours per week. This represents the highest it has been since 2001 and 2002 – and we can only imagine this number increasing.

It goes without saying – people just don’t have the extra time to worry about things like security, and it’s likely last on their list of “to-dos.”

At the same time, the threat to businesses from cyberattacks is at an all-time high, and it seems that we hear about a new successful cyberattack or corporate data breach on a weekly basis.

In that case, wouldn’t it make sense for companies to provide employees with easy-to-use, secure solutions to ensure that information and networks are properly protected? Why risk giving an already over-worked employee a solution that is overly complicated, when you could provide one that doesn’t interrupt their regular workflow?


For the longest time, the scenario has been convenience or security: pick one. Typically, technologies that have made our lives more convenient also tend to make them less secure. And technologies that make us more secure are generally less convenient. Historically companies have provided employees with security solutions, but they were complicated and hard to use.

Here’s the secret though — security products that are built with user experience in mind eliminate the tough decision of choosing between convenience and security.

In 2015, it is indeed possible to have both. But it takes a commitment to develop not just security products, but user-friendly products as well, to encourage employee buy-in.

At ZixCorp, we’ve always designed our products with user experience in mind. That’s just one reason why our Zix Email Encryption solution, for example, is trusted by one in four U.S. banks — it not only gives users a seamless experience that requires no extra steps but also is extremely secure.

When looking for solutions that will be used on a daily basis by employees, make sure they are ones that offer security and ease of use. Having a combination of the two is the only way to ensure full internal adoption, compliance and protection for both corporate and customer data.

Posted in Email Encryption, Simple to Use

The Privacy Wars Escalate

Dear, oh dear! The Privacy Wars escalated on Friday when one country’s Privacy Protection Commission stated that Facebook “tramples on European law.” Once again the issue appears to hinge on what privacy rights people should have. And it is by no means clear that a consensus of these rights will come any time soon.


Credit: Frederic Legrand COMEO/Shutterstock.com

Earlier in the week I read that Myrna Arias, a former Bakersfield sales executive, allegedly was fired because she removed a GPS location application from her smartphone. Her opinion: “This intrusion would be highly offensive to a reasonable person.” Mmm! What is the definition of a reasonable person? If you remember back to November of last year, it was alleged that Josh Mohrer, the general manager of Uber NYC, was using similar GPS location functionality to track the movements of the rather attractive Johana Bhuiyan, a BuzzFeed reporter. It was alleged that Mr. Mohrer admitted to using the functionality and clearly saw nothing wrong in doing so.

Historically, we in our society have been able to reach consensus on issues of ethics given sufficient time. However technology is changing so quickly that what one large group of people regard as unethical may be regarded as acceptable by another large group; and the divide may be based on age, socio-economic status or geography/historical development. The latter is exemplified by the current argument between Facebook and Belgium and by the recent court defeat of Google by the Spanish Data Protection Agency in the now famous Right to be Forgotten case. Clearly the Europeans have a different sense of what a reasonable person would think than, say, U.S. based technology executives. Who is right? Is anyone right?

I suspect that many people-managers would agree with me that spying on staff is morally wrong. Indeed you probably don’t even wish to know where your employees go during their free time. The problem for employers however is that the high profile cases that appear in the media make it seem that most businesses are tracking their employees via their mobile devices, especially via devices that have MDM solutions installed. Mobile Device Management (MDM) solutions, also known as containerized solutions, allow businesses to track not only the position of mobile devices but also what the devices are being used for.

I believe that close to zero companies are actually tracking the movements of their employees, however sadly a few do. Hence whenever a business tries to impose an MDM solution on reluctant staff, a proportion of that staff will suspect ulterior motives. Their view is that a reasonable person would find this level of monitoring unethical. Besides, most employees only require their mobile devices to handle emails, calendar appointments, contact lists and telephone calls; and a secure viewer solution offers all of these functions without scaring staff with privacy issues. It is possible to keep mobile devices secure without raising privacy concerns – find out how, here.

Posted in Bring-Your-Own-Device

Customer Spotlight – The Miller Group Looks to ZixCorp to Thwart Email Data Breaches

At the current rate, it seems an email data breach is making headlines almost once a week. Whether it’s a nationally recognized retail store or a regional network of hospitals, sensitive information is being exposed as a result of these data breaches.

To make matters worse, time tells us that this trend is on the rise. The Identity Theft Resource Center has tracked data breaches since 2005 involving compromised SSNs, credit/debit card numbers, email/password/username information and protected health information. Crunching the numbers, 5,029 data breaches occurred between 2005 and 2014.


The Miller Group (MILLER), a financial services company, recognized this increasing threat and turned to ZixCorp for its email data protection needs.

To protect against the interception of email while in transit, MILLER chose Zix Email Encryption to secure all emails and attachments and also provide a secure, mobile-friendly delivery portal. Since business no longer takes place solely in an office setting, MILLER also chose to implement the BYOD solution ZixOne. With ZixOne, client data never resides on mobile devices. If a device is ever lost or stolen, an administrator can simply disable corporate email access for that specific device – eliminating the concern about sensitive information falling into the wrong hands. Now, employees are free to address clients’ needs, regardless of location.

Rudy R. Miller, chairman, president and CEO of The Miller Group, stated,

“Data breaches from small-middle size companies to the largest corporations in the world are a reality! Our organization set a benchmark to find the BEST data protection for email and mobile devices on the market. We reviewed a number of products, and it quickly became apparent to our team that the market leader is ZixCorp.

The Zix solutions’ ease of use and seamless integration into our email system were a very important component for our internal and external users. ZixCorp’s launch staff and support folks were just outstanding! We are extremely pleased to join other financial organizations and regulatory bodies in using this must-have product in today’s ever-changing cyber world.”

About MILLER:

  • Established in 1972 and headquartered in Scottsdale, AZ
  • Comprises several affiliated companies and offers a broad range of financial services, including venture capital, private equity and debt financing, among others
  • Services public and private companies throughout North America, Europe and Asia

Posted in Company Update

Another Lawsuit Sheds Light on Legal Concerns Surrounding Mobile Device Controls

Earlier this month, a California woman filed a lawsuit against her former employer, alleging invasion of privacy, retaliation and unfair business practices related to her termination which occurred after she removed a mobile app that tracked her 24 hours a day. The lawsuit states her manager:

“Admitted that employees would be monitored while off duty and bragged that he knew how fast she was driving at specific moments ever since she installed the app on her phone.”

This type of monitoring is a bit scary and certainly extreme; after all, in speaking to our customers, they have no interest or time to track their employees’ whereabouts. They do, however, have an interest in enabling mobile devices – specifically Bring Your Own Devices (BYOD) – to provide added flexibility and convenience for employees, more attention for customers and increased productivity for their business.

Unfortunately, what seems like a win-win-win has not been simple to implement, and location tracking is only one legal concern employers have to consider. Here’s another BYOD-related lawsuit that adds to the complexity.

We hosted a webinar with mobility expert Michael Finneran and legal counsel Jim Brashear offering a full perspective of the many legal challenges involved with enabling mobility. In light of the recent lawsuit, their insights are even more pertinent today. Check out the webinar “Is BYOD really Bring Your Own Lawsuit” or read their eBook to help you recognize the legal issues surrounding BYOD and how they may impact your mobile strategy.

Posted in Bring-Your-Own-Device

Twitter Breach Reveals the Ease of Scraping and Sniffing

Wow! Hardly a day goes by when we don’t hear about another major breach. Yesterday evening it was the turn of Twitter. A leak of its trading results caused an 18% drop in its share value before the New York Stock Exchange halted trades in its stock.

The data was gleaned from the internet using a technique called data scraping: automated programs scour data streams, ignoring the regular parsing rules and restructuring the raw data so that it can be searched for usable information – in other words, intelligence gathering. Data scraping is similar in methodology to packet sniffing, in which raw data is again read, in real time, as it streams along data channels. Both activities require computing power, and modern desktops and laptops have plenty of it. One common use is to spy on network users in order to collect sensitive information such as login details or users’ cookies. It also allows intruders to read unencrypted email traffic.

I remember being at one training session where the presenter opened his sniffer program to listen in on the hotel WiFi network. Within just a few minutes, he had several POP3/SMTP authentication pairs and their retrieved and sent emails – including some emails from people sitting right in our room. None of the sniffed email accounts were encrypted. I understand that at a later session, some of the attendees downloaded the same tools and were reading other people’s emails too.

Have no doubts: the sniffing of Wi-Fi networks is not the only method for gaining access to network traffic. Copper tapping and fiber tapping are both well-established methods for listening in on net traffic. In the 1970s, at the height of the Cold War, US spy agencies were tapping into Soviet communications under the waters of the Sea of Okhotsk. Indeed it is an open secret now in the present day that the USS Jimmy Carter is able to listen in on undersea fiber-optic cables garnering intelligence of all kinds: Internet traffic, banking transactions, telephone conversations and unencrypted emails.

If the US government has for years been able to splice into fiber cables and copper cables at the bottom of the sea, I think it’s a safe bet that organized criminals can dress up as a telephone engineer and go down a street manhole or get into a local communications cupboard to gain access to internet traffic: your internet traffic. This allows them to read any emails that you send or receive in the clear – that is, unencrypted. There really is only one way to protect your emails from being spied on and that is to encrypt them. By far the most popular way to send and receive encrypted emails is transparently, within a community of trust. Protect your precious data: get the premier email encryption solution developed by Zix. Learn more here.
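The hotel Wi-Fi anecdote above works because POP3 and SMTP, by default, carry the login exchange in plain text, so the practical defence on the client side is to refuse to authenticate until the server has offered a TLS upgrade (STARTTLS for SMTP, STLS for POP3). The following is an added example written for this page, not code from Zix or from any mail product: it parses the capability replies of both protocols and enforces that rule. The server replies are constructed here, not captured from any real server, and the `may_authenticate` helper and its `tls_active` parameter are this example's own names.

```python
"""Client-side guard against sending mail credentials in the clear.

Parses SMTP EHLO and POP3 CAPA replies and allows authentication only
when the credentials would travel inside TLS. All sample replies below
are constructed for this example.
"""
import re

# Constructed EHLO reply from a server that offers STARTTLS (RFC 3207).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)

# Constructed EHLO reply from a server that accepts AUTH but offers no TLS upgrade.
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)

# Constructed POP3 CAPA replies (RFC 2449); STLS is POP3's equivalent of STARTTLS.
CAPA_WITH_STLS = "+OK Capability list follows\r\nUSER\r\nSTLS\r\nUIDL\r\n.\r\n"
CAPA_WITHOUT_STLS = "+OK Capability list follows\r\nUSER\r\nUIDL\r\n.\r\n"


def smtp_capabilities(ehlo_reply: str) -> dict:
    """Parse a multi-line EHLO reply into {KEYWORD: [params]}.

    Continuation lines look like '250-KEYWORD params'; the final line uses
    '250 KEYWORD params'. The first line is the greeting and carries no
    capability, so it is skipped.
    """
    caps = {}
    lines = [line for line in ehlo_reply.split("\r\n") if line]
    for line in lines[1:]:
        m = re.match(r"^250[- ](\S+)(?:\s+(.*))?$", line)
        if not m:
            raise ValueError(f"malformed EHLO line: {line!r}")
        keyword = m.group(1).upper()
        params = (m.group(2) or "").split()
        caps[keyword] = params
    return caps


def pop3_capabilities(capa_reply: str) -> set:
    """Parse a POP3 CAPA reply into the set of capability keywords."""
    lines = capa_reply.split("\r\n")
    if not lines or not lines[0].startswith("+OK"):
        raise ValueError("CAPA not supported or failed")
    caps = set()
    for line in lines[1:]:
        if line == ".":  # end-of-list marker
            break
        if line:
            caps.add(line.split()[0].upper())
    return caps


def may_authenticate(protocol: str, reply: str, tls_active: bool = False) -> bool:
    """Return True only if credentials would be sent inside TLS.

    tls_active: the session was already wrapped in TLS from the first byte
    (implicit TLS on ports 465/995). Otherwise the server must advertise the
    upgrade command so the client can negotiate TLS before AUTH or USER/PASS.
    """
    if tls_active:
        return True
    if protocol == "smtp":
        return "STARTTLS" in smtp_capabilities(reply)
    if protocol == "pop3":
        return "STLS" in pop3_capabilities(reply)
    raise ValueError(f"unknown protocol: {protocol}")


if __name__ == "__main__":
    for name, proto, reply in [
        ("SMTP with STARTTLS", "smtp", EHLO_WITH_STARTTLS),
        ("SMTP without STARTTLS", "smtp", EHLO_WITHOUT_STARTTLS),
        ("POP3 with STLS", "pop3", CAPA_WITH_STLS),
        ("POP3 without STLS", "pop3", CAPA_WITHOUT_STLS),
    ]:
        verdict = "proceed to TLS, then authenticate" if may_authenticate(proto, reply) else "refuse: credentials would be in the clear"
        print(f"{name}: {verdict}")
```

The guard is only the precondition: after a positive verdict the client still has to issue the upgrade command, complete the TLS handshake (for SMTP, `smtplib.SMTP.starttls()` does this and requires a fresh EHLO afterwards, since pre-TLS capabilities must be discarded), and only then send credentials. A server that advertises AUTH without STARTTLS, like the second constructed reply, is exactly the configuration the presenter in the anecdote was harvesting from.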

Posted in Data Breaches

Our Week at RSAC

Last week saw Zix at the RSA Conference (RSAC) in San Francisco. The RSAC has been around now for 25 years and has grown to an attendance of around 30,000 people, 500 speakers and 350 vendors. The growth in attendance has meant that the event now fills all of the Moscone Center: two million square feet housed in three massive buildings.

Four of ten members who staffed the Zix booth last week at RSAC


Although still a data security conference and expo, it can be argued that RSAC is also a business conference, because data security is now very much mainstream. In fact at the Zix booth we met with quite a number of Chief Information Security Officers and their direct reports, all of them with strong business acumen as well as IT and data security proficiency.

We had a number of vertical businesses or vertically integrated groups interested in hearing about our email encryption solutions. There was a special interest in bringing these associated groups of companies into what is commonly called a community of trust, where members of the community are included in a directory of pre-screened, pre-certified users who are authorized to send and receive emails transparently. Several people also heard for the first time about Zix’s Best Method of Delivery (BMOD), a procedure to ensure that all recipients of encrypted email can access their emails in the most convenient way possible.

A common theme we heard was the frustration with corporate users who bypass their own corporate security. When users find that security methods are cumbersome, or if they are denied a particular functionality, they will turn to unsanctioned Cloud offerings as a way to streamline their work or to improve their productivity. I remember a recent report by Netskope that found that 70% of uploads from users with compromised accounts are to Cloud apps with a confidence index rating of “poor.” Thus security experts are finding that if their protective efforts are to work in the real world, they must implement solutions that corporate users will actually use; and find easy to use.

While touring the vendor booths, my colleagues and I found a number of mobile device management (MDM) vendors showcasing their BYOD solutions. The variety of apps that are now available for mobile device management solutions is impressive; however when I enquired about securing the data on lost or stolen devices the answer was the same as I’ve heard before: “we send a remote wipe instruction.” When I tell them how easy it is to defeat the remote wipe most acknowledge, albeit privately, that it is the Achilles heel of MDM solutions.

By far the highlight of our time at RSAC was a visit to our booth by the world-famous security guru Kevin Mitnick. The line of people wishing to meet with Kevin was so long that we had to take it down a long aisle and double it back on itself. I’ve also heard a rumor that Kevin will be a guest at an upcoming Zix Webinar.

Celebrity visit: Kevin Mitnick visited the Zix booth on Wednesday


Another pleasure for me was meeting with existing Zix customers. Every one of them confirmed that they are very happy with our solutions, and they told me why: the best lexicons (detection filters), the supreme ease of use, and the way Zix solutions are automatically sized to be easily readable on any screen. It was a great week with great people; we’ve already booked our booth space for 2016, and I hope to see you all there next year.

Visit Zix at http://www.zixcorp.com/


Posted in Company News

Cybersecurity Risks: Is It All Hype?

Are we being overly paranoid when it comes to cybersecurity?

If you pay any attention to the media, it seems like there is an increasing deluge of frightening stories about corporate data breaches with hackers accessing credit card numbers, private emails, Social Security numbers and a range of other sensitive information. It’s enough to make a company want to go back to life pre-Internet.


At the end of the day, just how scared should we really be? Are most companies really at risk of having their data stolen and PCs hijacked by malware? Or is it mostly hype?

Here’s the thing — paranoia refers to irrational fears, but the fear of a breach is very rational.

According to a recent study by Bloomberg, since 2005 more than 75 major data breaches (in which 1,000,000 or more records were compromised) have been publicly disclosed. Additionally, the Ponemon Institute released a report last September with the staggering finding that 43 percent of companies had a data breach in the past year.

These numbers don’t lie.

Whether you believe it or not, there are “bad guys” out there who will go to extreme measures to steal your company’s information and wreak havoc. Companies should be cautious and aware of the risks so they can make sure the right preventative measures are in place.

CSO Online offers 10 great tips that can help information security leaders make sure they are ever-vigilant and have a proactive security posture.

  1. Believe in defense-in-depth and constantly be looking for areas in which to add new and effective layered controls that align with risk mitigation objectives or emerging threats
  2. Continually look to add additional instrumentation to widen scope and depth of coverage for existing controls
  3. Always monitor the sensor network with eyes on the system and review of controls
  4. Continually look for ways to better inspect and correlate data from multiple sensor streams
  5. Pay special and close attention to application security for critical business applications that have access to confidential and private data and transcend much of the layered security
  6. Constantly seek to understand the business better, so as to improve and refine the information security risk assessment
  7. Stay informed about vendor risk process and management to ensure that vendor access to confidential and private data is managed and controlled
  8. Always work with your business to better leverage relationships for pushing the security agenda and to create informal channels for security awareness
  9. Constantly stay informed about new disruptive technology and evaluate its potential security impact before the business use case shows up for security review
  10. Never lose sight of the fundamentals … like always patching … patching … patching

Feel free to share your tips on what organizations can do to make sure they’re building resilient security measures and creating an environment of healthy caution.

Posted in Data Breaches

Obama Unclassified Emails Hacked

Over the weekend, the New York Times reported that an unclassified email account belonging to President Obama has been compromised by Russian hackers. The US government has a system named the Joint Worldwide Intelligence Communications System (JWICS, pronounced “Jay-wicks”) that is utilized to exchange classified information. Although it is alleged to have been one of the systems accessed by Chelsea/Bradley Manning, it is still believed to be very secure. Nevertheless unclassified information is routinely exchanged using regular email accounts, and according to the New York Times, “officials have conceded that the unclassified system routinely contains much information that is considered highly sensitive: schedules, email exchanges with ambassadors and diplomats, discussions of pending personnel moves and legislation, and, inevitably, some debate about policy.”

I was at the RSA Expo in San Francisco last week where I had many conversations with security experts. A number of them expressed their frustration with business executives who still believe that most hackers are talented teenagers working out of their bedrooms. One cited the then 16-year-old Kevin Mitnick who, famously, was convicted of breaking into dozens of computer networks back in 1979.

I’ve been saying for years that the threat to businesses is not from naughty schoolboys amusing themselves with technology challenges; it is from well-funded organized crime and from national governments trying to obtain political or economic advantages. In the New York Times article, the authors state that “Chinese hacking groups are known for sweeping up vast amounts of commercial and design information” and that the hackers who accessed President Obama’s unclassified emails “are presumed to be linked to the Russian government, if not working for it.”

Businesses need to protect their intellectual properties, and unfortunately we don’t have the use of JWICS. Instead we have email encryption to protect email when it travels outside secure firewalls, and by far the best implementation of a secure email encryption system is when it exists within a community of trust. That is, where all the members of the community have been pre-certified and cleared to receive encrypted emails transparently.

The most popular transparent solution comes from Zix, and you can read more about Zix solutions here.

Posted in Data Breaches, Email Encryption

Is Your Security Failing?

Leaving email unsecured is one of the biggest risks an organization can take, yet many organizations continue to do this. Recently, people from both sides of the US political spectrum were surprised at “revelations” that Hillary Clinton and Jeb Bush exposed their business or government related emails by using privately owned email servers or a personally owned smartphone. While they are now apologetic, in retrospect, about doing this, they have what most people regard as credible reasons for doing so, and these reasons generally revolve around expediency and convenience. Like many people at that time – and five or six years is a long time when it comes to technology – they believed that email security was complex, cumbersome, time consuming and expensive.

While addressing security can be expensive, the risks of a breach are far more expensive. The Ponemon Institute has calculated that the total cost of a data breach averages over $5 million per incident. Yet organizations routinely email sensitive financial information and private customer information over the public Internet. Nigel Johnson, vice president of business development at ZixCorp, says that organizations are “taking a calculated risk in deciding not to implement email encryption.” And he is surprised that so many senior executives continue to take this risk.

Email controls need to be implemented to protect an organization’s clients, reputation and profits, and despite what Ms. Clinton and Mr. Bush may have been told a few years ago, modern email encryption methods do not have to be complex or time consuming. Zix is recognized as the leader in email encryption and Zix email encryption makes both the sending and receiving of emails quick and easy. So don’t expose your customers, your organization and your reputation with unsecured email, get a secure email solution from Zix.

Posted in Email Encryption

Aligning Security Spending With Risk

I remember reading an article in CIO Magazine that claimed an auditor told Jason Spaltro, executive director of information security at Sony Pictures Entertainment, “If you were a bank, you’d be out of business.” The article, by Allan Holmes, was entitled Your Guide To Good-Enough Compliance. It sought to explain why CIOs and CISOs are so overwhelmed by the demands of their jobs that they did not have the time to invest in reconfiguring electronic systems and processes to meet regulatory requirements.

In the article, Jason Spaltro of Sony was quoted as replying: “it’s a valid business decision to accept the risk [of a security breach]. I will not invest $10 million to avoid a possible $1 million loss.” These comments would come back to haunt Spaltro in November 2014 when Sony was breached by a criminal group. The total cost of the breach is not yet known, but estimates vary between $150 million and $300 million.

According to the 2014 US State of Cybercrime Survey, “While organizations are more concerned about cyber threats, our research finds they have done very little to strategically invest in cybersecurity and ensure that it is aligned with the overall business strategy.” Well that’s easy for them to say: It is very difficult to put a monetary figure on the cost of a data breach because every business is unique, and every breach impacts different businesses in different ways. Let’s face it, security measures don’t come cheap, and justifying the return on investment – the return on problems that don’t occur – can be a hard sell to senior executives. Even trying to estimate the cost of a future breach can be tough, not least due to the intangible values of reputation, damage to the brand, loss of current and future customers, and reductions in the share price.

It also does not help that IT Security budgets are often lumped in with a company’s IT spend. If the CISO is subordinate to the CIO, it is quite likely that next year’s proposed IT projects will be compared to the proposed IT Security projects without effective reference to the risk factors, thus the latter projects will lose out.

An example of a good balance between the cost of protection and the risk of a data breach is in the handling of emails. There are several ways to secure emails: they can be encrypted while stored in the server (data center), encrypted while stored in individual users’ computers, or encrypted while in transit across the public internet. All three are possible to implement, however the former two are cost prohibitive. While it is relatively inexpensive to encrypt and store emails, it requires enormous computing power to search for specific topics and phrases. That is, it would be extremely expensive to find a specific email you sent to a client six months ago because every email on the server, or computer drive, would need to be decrypted to see if it was the one being searched for.

The good balance would be to encrypt emails while in transit, and store them behind an effective firewall in clear text. This solution typically costs less to implement than the first two solutions, but saves enormously in later eDiscovery costs. It also secures emails when they are at their most vulnerable – as they transit the public Internet between senders and recipients.

Zix has a number of email encryption solutions that can help you balance your security spending with the real risks to your organization’s security. To learn more, click here.

Posted in Email Encryption