
4 Lessons from the Q4 Data Breach Review

Last week, our strategic partner Privacy Ref held their quarterly review of recent data breaches. In his presentation, Ben Siegel, CIPM, identified four lessons learned from recent breaches, including those involving Google Android; Hillary Tentler, CPA; Folsom State Prison; and the Internal Revenue Service.

#1: Unauthorized Mobile Apps Create Risk

Issue: Users can download apps from sites other than the Google Play store. These apps are not vetted, and malicious ones can gain access to the authentication tokens that control users’ accounts.

Lesson: Because the threat is outside of Google’s control, you need to put systems in place to prevent unauthorized apps from accessing your company’s data via mobile devices.

#2: Local Data is At Risk, Too

Issue: In the burglary of an accountant’s home, three hard drives were stolen and only one was recovered during the arrest.

Lesson: Stolen physical devices can result in a serious data breach. While moving 100% to the cloud can reduce this risk, it may not be a practical option for your business yet. You should ensure that any local data is encrypted at rest (full-disk encryption on drives and laptops) and backed up regularly; an encrypted drive that is stolen is a loss of hardware, not a loss of data.

#3: Internal Breaches are Still a Breach

Issue: A file including names, Social Security numbers, and other sensitive data was saved to a shared location accessible to anybody in the organization.

Lesson: You can protect yourself from internal breaches with solutions that use defined business rules to automatically restrict permissions based on the content of your files, so a file containing Social Security numbers cannot sit in a location open to everyone.

#4: It is Too Easy to Email Protected Information

Issue: Employees were sending emails with personally identifiable information (PII) clearly visible, in violation of regulatory requirements.

Lesson: You should not rely on people to do the right thing all of the time; mistakes happen and can be damaging and costly. Systems exist that scan outbound email and encrypt it automatically if it contains sensitive or protected information.


Do you need a privacy assessment or a privacy plan review? Are you ready to better protect your data, on-premises and/or in the cloud?

Contact us to discuss your needs.


 

3 Email Encryption Options for Google Apps

In the Google Apps ecosystem, we see three primary players with integrated email encryption services.

  • ZixMail
    • A comprehensive message encryption service that includes user tagging of messages for encryption, plus heuristics and business rules to auto-encrypt. ZixMail also includes a shared encryption network with other ZixMail and ZixGateway users, enabling automated end-to-end secure communications.
  • Google Apps Message Encryption (GAME)
    • A private-label version of ZixMail run in Google’s data centers. GAME uses the ZixMail encryption engine and services, matched to the email rules capability of Gmail.
  • Virtru
    • An encryption-in-place service that integrates with Google Apps and runs in the Chrome browser, in Outlook on Windows desktops, and on mobile devices. Virtru includes features such as forwarding blocks and message expiration. Data loss prevention (DLP) rules for HIPAA compliance are available at additional cost.

To learn more about these solutions in depth, read our new eBook: Email Encryption in Google Apps.

Email Encryption is Not Compliance

While it provides a reasonable level of protection from inappropriate access to your data, the encryption built into Google Apps is not sufficient on its own to meet information privacy regulations. Laws such as the Health Insurance Portability and Accountability Act (HIPAA), and industry standards such as the Payment Card Industry Data Security Standard (PCI DSS), require more than data encryption.

Privacy laws and regulations typically include three components:

  1. Policies and procedures that, when followed, provide appropriate data protections
  2. A means to monitor compliance, with the ability to detect and mitigate potential violations of the policies and procedures
  3. A defined response and resolution procedure in the event of a breach

As explained in our eBook, Email Encryption in Google Apps, technology can support the implementation of these three components, but does not offer a full solution on its own.


Contact us to assess your email encryption needs and to define an affordable solution.


 

Expanding HIPAA Accountability

As more businesses provide health care coverage, or assist employees in obtaining coverage, under the Affordable Care Act, we find ourselves possessing and managing even more sensitive personal information about our employees. And, while we are not working with medical records per se, we are often exposed to insurance account and activity information that cannot be disclosed.

Communications with your insurance broker or carrier should be secure — from end to end.

The good news is that you have options.

  • Policy-Based TLS Encryption
    • If your broker or carrier is willing to share some technical information (the domains and mail hosts they send from and receive on), you can set up policy-based TLS encryption that requires TLS for every email between your email service and theirs, and refuses delivery if an encrypted connection cannot be negotiated.
    • They will likely need you to prove, or certify, that connections between your email service and your end users are encrypted on every platform.
    • Policy-based TLS encryption is part of Google Apps, but not every email service supports it.
    • This is the lowest-cost, but most technical, option.
  • Manual Encryption Tools
    • Third-party apps, like Virtru, let users encrypt email messages before they are sent.
    • They are inexpensive and easy to use, and can also track when messages are opened or forwarded.
    • They are NOT foolproof, as they depend on users knowing what must be encrypted and remembering to do so, every time.
    • This is a low-cost option, but the most susceptible to an accidental breach.
  • Automated Encryption Tools
    • Integrated email encryption solutions, like ZixMail, let users flag messages for encryption.
    • They also use heuristics to scan all outbound email, identify messages that should be encrypted, and encrypt them automatically.
    • While slightly more expensive, these tools effectively monitor policy compliance and mitigate your risks.

Select the type of encryption solution you need, based on how your business operates and who is responsible for keeping information private.
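Before switching on the policy-based TLS option above, confirm that the partner's mail hosts can actually hold up their end. The script below is an added example, not the post's code and not a Google Apps feature: it parses an SMTP EHLO response for the STARTTLS extension and, given network access, connects to a host and validates its certificate the way a required-TLS policy will. The host names and the EHLO transcript are constructed placeholders.

```python
"""Pre-flight check for a policy-based (required) TLS rule.

Added example. Before configuring your mail service to *require* TLS for a
partner domain, confirm that every MX host for that domain advertises STARTTLS
and presents a certificate that validates. If one does not, a mandatory-TLS
policy bounces legitimate mail instead of protecting it.
"""
from __future__ import annotations

import re
import smtplib
import ssl

# Constructed EHLO transcript, as seen in `openssl s_client -starttls smtp`
# or a packet capture. The hostname is a placeholder.
SAMPLE_EHLO = (
    b"250-mx.broker.example Hello\r\n"
    b"250-SIZE 35882577\r\n"
    b"250-STARTTLS\r\n"
    b"250 8BITMIME\r\n"
)

# Optional '250-' / '250 ' reply prefix, then the extension keyword.
_EXT_LINE = re.compile(rb"^(?:250[- ])?([A-Za-z0-9]+)")


def ehlo_supports_starttls(ehlo_response: bytes) -> bool:
    """Return True if an EHLO response advertises the STARTTLS extension.

    Accepts either the raw wire form (lines prefixed '250-' / '250 ') or the
    stripped form smtplib returns from ehlo(). The greeting line yields the
    hostname as its first token, so it never matches STARTTLS.
    """
    for line in ehlo_response.splitlines():
        m = _EXT_LINE.match(line.strip())
        if m and m.group(1).upper() == b"STARTTLS":
            return True
    return False


def check_smtp_tls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to one MX host, confirm STARTTLS, then validate its certificate.

    Needs network access, so the offline checks below do not exercise it.
    Errors are returned in the report rather than raised, so a caller can
    loop over every MX host of the partner domain and collect all results.
    """
    report = {"host": host, "starttls": False, "cert_ok": False,
              "tls_version": None, "error": None}
    ctx = ssl.create_default_context()  # verifies chain *and* hostname by default
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            report["starttls"] = smtp.has_extn("starttls")
            if report["starttls"]:
                smtp.starttls(context=ctx)  # raises ssl.SSLError on a bad cert
                report["cert_ok"] = True
                report["tls_version"] = smtp.sock.version()
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        report["error"] = f"{type(exc).__name__}: {exc}"
    return report


def safe_to_require_tls(reports: list[dict]) -> bool:
    """Enable a required-TLS policy only if *every* MX host passed both checks.

    A single MX host without STARTTLS, or with a certificate that fails
    validation, means mail bounces whenever that host is selected.
    """
    return bool(reports) and all(r["starttls"] and r["cert_ok"] for r in reports)


if __name__ == "__main__":
    # Replace with the partner's real MX hosts (e.g. from `dig MX broker.example`).
    results = [check_smtp_tls(h) for h in ("mx1.broker.example", "mx2.broker.example")]
    for r in results:
        print(r)
    print("safe to require TLS:", safe_to_require_tls(results))
```

Run it against every MX host of the partner domain before enabling a required-TLS rule; a host that only passes the STARTTLS check but fails certificate validation is the common surprise, because opportunistic TLS tolerates bad certificates and a required-TLS policy does not. This checks the partner's receiving side; they will want the same assurance about your receiving hosts.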


 

Unlike many providers, we offer each type of email encryption service on a per-user basis. Most businesses have a limited number of staff working with sensitive information; we can provide these users with encryption services. Our approach provides the protection you need and respects your budget and priorities. Contact us to learn more.


 

4 Questions to Ask When Selecting an Email Encryption Solution

Once you determine who within your organization should be using email encryption to secure sensitive and protected information, you need to select from a sea of vendors all claiming to be the “leading” provider.

Here are four (4) questions to ask when selecting an email encryption solution:

1) Does the solution include a hosted, shared email encryption network?

Encrypting every email is hard, expensive, and does not accommodate the way most of us work. Using passwords and accessing portals are extra steps that take time and can create frustration. A shared email encryption network ensures that 100% of emails sent within the network are secured without any additional actions required by the sender or the recipient.

2) Does the solution offer policy-based encryption filters?

Most encryption solutions rely on users to trigger encryption by clicking a button or putting a tag in the subject line. Even if users understand every scenario that warrants encryption, they are likely to miss a few along the way. Solutions with policy-based encryption filters scan outbound messages and automatically encrypt those that contain sensitive information. The best solutions provide standard heuristics for common regulatory requirements (Social Security numbers, payment card numbers, health information) and let you create custom policies to meet your business’ specific needs.
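What such a policy-based filter actually does is shown below, as an added example that serves this question and the earlier posts' points about automated scanning (the heuristics of the automated encryption tools, and the lesson that a system rather than a person should catch protected information). It is illustrative code, not any vendor's engine: the Social Security number pattern, the Luhn-checked card-number detector, the policy names, the keyword list and the sample messages are all constructed assumptions.

```python
"""Policy-based encryption filter (added example, not a vendor's engine).

A gateway runs something like this on every outbound message: decode the MIME
parts, scan the subject and every text body for protected data, and return the
policies that matched so the message can be encrypted (and the decision logged)
without the sender having to remember to click anything.
"""
from __future__ import annotations

import email
import email.policy
import re
from email.message import EmailMessage

# US SSN: area not 000/666/9xx, group not 00, serial not 0000 (assumed format).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits with optional single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Illustrative insurance/PHI terms; a real policy is tuned to the business.
PHI_TERMS = ("patient", "diagnosis", "member id", "claim number", "prescription")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from 16-digit order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers in text, digits only."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_text(text: str) -> list[str]:
    """Map one piece of text to the (constructed) policy names it triggers."""
    policies = []
    if SSN_RE.search(text):
        policies.append("PII-SSN")
    if find_pans(text):
        policies.append("PCI-PAN")
    lowered = text.lower()
    if any(term in lowered for term in PHI_TERMS):
        policies.append("PHI-KEYWORD")
    return policies


def message_policies(raw: bytes) -> list[str]:
    """Parse an RFC 5322 message and scan its subject and every text/* part.

    Scanning the *decoded* parts matters: a base64 or quoted-printable body
    would hide an SSN from a filter that only looked at the raw bytes.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = set(scan_text(str(msg["Subject"] or "")))
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            hits.update(scan_text(part.get_content()))
    return sorted(hits)


def needs_encryption(raw: bytes) -> bool:
    """The gateway decision: encrypt if any policy matched."""
    return bool(message_policies(raw))


def build_message(subject: str, body: str, html: str | None = None) -> bytes:
    """Construct a sample outbound message (addresses are placeholders)."""
    m = EmailMessage()
    m["From"] = "hr@example.com"
    m["To"] = "broker@example.net"
    m["Subject"] = subject
    m.set_content(body)
    if html is not None:
        m.add_alternative(html, subtype="html")   # becomes multipart/alternative
    return m.as_bytes()


if __name__ == "__main__":
    samples = {
        "enrollment": build_message("New hire enrollment", "Please enroll J. Doe, SSN 123-45-6789."),
        "claim": build_message("Re: claim", "see attached", "<p>Patient paid with 4111 1111 1111 1111</p>"),
        "lunch": build_message("Lunch?", "Noon works. Call me at 555-0100."),
    }
    for name, raw in samples.items():
        print(f"{name}: encrypt={needs_encryption(raw)} policies={message_policies(raw)}")
```

Two design points carry over to any real deployment: the filter must see decoded MIME parts, not raw bytes, and a checksum such as Luhn on card numbers is what keeps false positives (and therefore user complaints about needless encryption) low enough for people to leave the system switched on.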

3) Is the solution easy to use?

Email is a business tool, and email encryption is no different. Ideally, the solution should be easy to use for sender and recipient. Difficult processes result in mistakes, compliance breaches, lost productivity, and users circumventing the system. Easy-to-use solutions foster adoption and compliance by automatically encrypting messages, decrypting inbound messages at the gateway, and ensuring that replies and forwards are encrypted as well.

4) Is the solution provider awesome?

Choosing an email encryption provider is a long-term commitment, and the lowest price is not always the best deal. Make sure your provider is trusted by others in your industry. Check that their infrastructure has certifications and accreditations, such as SysTrust/SOC 3 or PCI DSS Level 1. Make sure the solution can be deployed quickly and that your provider supports your deployment technically and with user training. Verify that your provider will support you on an ongoing basis and minimize the resources required from you and your team.

 


We offer multiple email encryption solutions. Contact us to discuss your needs and explore the solution best for you and your business.


 

Email (is still) Like a Postcard

With all of the advancement in email servers, services, and cloud solutions, fundamentally, email is still like a postcard.

When you mail a postcard, the postal service will make its best attempt to get it delivered in a reasonable period of time.  While most postcards make it, occasionally a few get lost in the mail.

And while your message from vacation, your short message to a friend, or a quick thank you makes its travels, everybody that touches the postcard along the way can read it. Not that everybody, or even anybody will, but they can.

For the type of messages we send on postcards, we do not really care about privacy. Our email messages, however, often contain personal, sensitive, or corporate data that we want or need to keep private.

Wherever a hop between mail servers does not use TLS, the message crosses the public Internet in plain text and anyone positioned on that path can capture it. And even where every hop is encrypted, the message sits unencrypted on the mail servers at each end, where the staff at your MSP or IT service firm, or at any provider along the route, can read it.

Yes, when we deploy Google Apps and other services, we put technology in place that helps mitigate these risks, such as policy-based TLS encryption between mail services and forced SSL/TLS for user connections. Many on-premises email servers have these features active as well.

But for many businesses, this is not enough. Government and industry regulatory requirements, including HIPAA, PCI DSS, and laws protecting personally identifiable information (PII), affect nearly every business that has employees, accepts credit cards, or keeps a customer file. Financial firms and publicly traded firms also face regulatory requirements from the SEC, FINRA, and Sarbanes-Oxley.

To meet increasing demands for data privacy and protection, you need message-level encryption for at least those employees who deal with sensitive or protected information. If your solution is difficult to use or inconvenient for recipients, employees will look to circumvent the system or opt not to encrypt messages, customers and partners will complain, and your business will suffer.

When looking at email encryption solutions, evaluate those that require little or no user involvement, make it easy for recipients to read encrypted messages, and work well on mobile devices. The good news is that these solutions are affordable and can be deployed based on need.


For more information, contact us about selecting the right email encryption solution for you and your business.