Category Archives: Blog

Human Error: The Greatest Threat to Data Security

Much of the buzz around cybersecurity issues faced by SMBs and enterprises is related to the idea of an obscure shadowy figure hidden in a basement somewhere typing madly on a keyboard. While the external threat of criminal activity should never be discounted, by far the greatest threat to any business comes from within the business itself: human error. A recent survey of over 100 information security professionals in January 2015 indicated that 72 percent of respondents saw end users as the biggest security threat. As with almost every IT system inside a business, security stakeholders agree that the issue is PEBCAK-related, or simply put, the Problem Exists Between Chair And Keyboard.

Think of the sheer number of offers you receive in your inbox for free holidays, too-good-to-be-true deals on electronics or perhaps promotions to meet singles in your area who are looking to mingle. The tactics and subject lines are endless, but the end result is an insidious entry point into the communications backbone of the business via unsecured email.

Potential email breaches aside, most employees at one time or another have tried to access a cloud-based application to achieve a goal only to find it’s not on the “approved list” of software from their IT department. Perhaps it’s for transferring a file that is too large for regular email or to add a password to more sensitive content – actions easily achieved using free software online. The examples are endless, but there’s a good reason IT administrators are against the use of any Shadow IT: they simply don’t want business data stored in consumer-grade cloud applications. Secure Messaging is one way to address this particular issue because employees can easily protect the content of their messages, add large file attachments and send/receive from any device. More importantly, there must be administrative rules in place to ensure employees are prompted to “send secure” based on the content of their email.

If we know anything about human nature it’s that no matter how great a technology product is, its value will go largely unexploited if it is not easy to use or disrupts the natural workflow. With this in mind, any secure messaging solution must be a seamless addition to the existing workflow, simple to set up and support, and require minimal user training. To experience Email2’s ease of use for your business for a month at no charge, sign up here and let us know what you think.

New Cyber Defense rules and policies ignore the reality: End users are lazy

In the past few weeks both the EU Commission and White House have come out with commentary and rules in response to the rise of cyber-attacks. There is growing awareness that cyber security is becoming a political and business necessity. While encryption technology has been used for decades to deal with the storage and transit of sensitive information, most offerings are complex solutions designed by I.T. and security experts to meet specific industry regulations or threats. In general they do the job they were designed for; however, they overlook one massive reality.

In order to be effective, security solutions need to be adopted and used by people who don’t care about security. Most data leaks and privacy breaches are inadvertent: the wrong email address, the wrong attachment. It is more convenient to use basic email, cross your fingers and hit send than to log into some other product to send sensitive information. To ensure adoption, any security solution being deployed must complement the tools end users already use, not complicate them.

For I.T. and Security teams it is crucial that any deployed security solution work seamlessly across an increasingly complex reality of hosted and on-premise email platforms and corporate and personal mobility devices, and avoid traditional encryption solutions that require certificates, keys to manage and changes to everyday email. Governments and regulators can create new rules and policies to defend against cyber threats, but until solutions are designed for distracted end users who don’t want to learn anything new, information is at risk.

http://europa.eu/rapid/press-release_IP-13-94_en.htm

EU Cybersecurity plan to protect open internet and online freedom and opportunity

Brussels, 7 February 2013 – EU Cybersecurity plan to protect open internet and online freedom and opportunity.

The European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, has published a cybersecurity strategy alongside a Commission proposed directive on network and information security (NIS).

The cybersecurity strategy – “An Open, Safe and Secure Cyberspace” – represents the EU’s comprehensive vision on how best to prevent and respond to cyber disruptions and attacks. This is to further European values of freedom and democracy and ensure the digital economy can safely grow. Specific actions are aimed at enhancing cyber resilience of information systems, reducing cybercrime and strengthening EU international cyber-security policy and cyber defence.

The strategy articulates the EU’s vision of cyber-security in terms of five priorities:

  • Achieving cyber resilience
  • Drastically reducing cybercrime
  • Developing cyber defence policy and capabilities related to the Common Security and Defence Policy (CSDP)
  • Developing the industrial and technological resources for cyber-security
  • Establishing a coherent international cyberspace policy for the European Union and promoting core EU values

The EU international cyberspace policy promotes the respect of EU core values, defines norms for responsible behaviour, advocates the application of existing international laws in cyberspace, while assisting countries outside the EU with cyber-security capacity-building, and promoting international cooperation in cyber issues.

The EU has made key advances in better protecting citizens from online crimes, including establishing a European Cybercrime Centre (IP/13/13), proposing legislation on attacks against information systems (IP/10/1239) and the launch of a Global Alliance to fight child sexual abuse online (IP/12/1308). The Strategy also aims at developing and funding a network of national Cybercrime Centers of Excellence to facilitate training and capacity building.

The proposed NIS Directive is a key component of the overall strategy and would require all Member States, key internet enablers and critical infrastructure operators such as e-commerce platforms and social networks and operators in energy, transport, banking and healthcare services to ensure a secure and trustworthy digital environment throughout the EU. The proposed Directive lays down measures including:

(a) Member States must adopt a NIS strategy and designate a national NIS competent authority with adequate financial and human resources to prevent, handle and respond to NIS risks and incidents;

(b) Creating a cooperation mechanism among Member States and the Commission to share early warnings on risks and incidents through a secure infrastructure, cooperate and organise regular peer reviews;

(c) Operators of critical infrastructures in some sectors (financial services, transport, energy, health), enablers of information society services (notably: app stores, e-commerce platforms, Internet payment, cloud computing, search engines, social networks) and public administrations must adopt risk management practices and report major security incidents on their core services.

Neelie Kroes, European Commission Vice-President for the Digital Agenda said:

“The more people rely on the internet the more people rely on it to be secure. A secure internet protects our freedoms and rights and our ability to do business. It’s time to take coordinated action – the cost of not acting is much higher than the cost of acting.”

Catherine Ashton, High Representative of the Union for Foreign Affairs and Security Policy/Vice-President of the Commission said:

“For cyberspace to remain open and free, the same norms, principles and values that the EU upholds offline, should also apply online. Fundamental rights, democracy and the rule of law need to be protected in cyberspace. The EU works with its international partners as well as civil society and the private sector to promote these rights globally.”

Cecilia Malmström, EU Commissioner for Home Affairs said:

“The Strategy highlights our concrete actions to drastically reduce cybercrime. Many EU countries are lacking the necessary tools to track down and fight online organised crime. All Member States should set up effective national cybercrime units that can benefit from the expertise and the support of the European Cybercrime Centre EC3.”

Background

Cyber-security incidents are increasing in frequency and magnitude, are becoming more complex and know no borders. These incidents can cause major damage to safety and the economy. Efforts to prevent, cooperate and be more transparent about cyber incidents must improve.

Previous efforts by the European Commission and individual Member States have been too fragmented to deal with this growing challenge.

Facts about cybersecurity today

  • There are an estimated 150,000 computer viruses in circulation every day and 148,000 computers compromised daily.
  • According to the World Economic Forum, there is an estimated 10% likelihood of a major critical information infrastructure breakdown in the coming decade, which could cause damages of $250 billion.
  • Cybercrime causes a good share of cyber-security incidents; Symantec estimates that cybercrime victims worldwide lose around €290 billion each year, while a McAfee study put cybercrime profits at €750 billion a year.
  • The 2012 Eurobarometer poll on cyber security found that 38 % of EU internet users have changed their behaviour because of these cyber-security concerns: 18 % are less likely to buy goods online and 15 % are less likely to use online banking. It also shows that 74% of the respondents agreed that the risk of becoming a victim has increased, 12% have already experienced online fraud and 89% avoid disclosing personal information.
  • According to the public consultation on NIS, 56.8% of respondents had experienced over the past year NIS incidents with a serious impact on their activities.
  • Meanwhile, Eurostat figures show that, by January 2012, only 26% of enterprises in the EU had a formally defined ICT security policy.

FINRA fine highlights compliance problems with traditional encryption products

The $1.2 million fine levied by FINRA against ING and its affiliates yesterday brings to light compliance problems with traditional encryption solutions long recognized but tolerated in the finance sector. The announcement stated that the firms “...failed to set up systems to retain certain types of encrypted emails” and therefore the messages were not available to review.

Much of the frustration around traditional encryption solutions (beyond the end user experience) relates to the creation of a secondary email repository. Even when firms, like ING, make best efforts to put encryption and message archiving solutions in place the two solutions are not compatible. There are keys and certificates to manage, and when used together the archive gets filled with encrypted messages that cannot be reviewed or audited.

Email2 has solved these important compliance challenges and is the only encryption solution that will work with any archive / eDiscovery system ensuring that regardless of whether email is on-premise, hosted, or a hybrid of both, all secure messages are available decrypted for audit and eDiscovery purposes (therefore compliant with the recordkeeping provisions of the federal securities laws and FINRA rules, and supervisory requirements under FINRA rules).

Original post: http://www.finra.org/newsroom/newsreleases/2013/p207604

FINRA Fines Five ING Firms $1.2 Million for Email Retention and Review Violations

WASHINGTON — The Financial Industry Regulatory Authority (FINRA) announced today that it has fined five affiliates of ING $1.2 million for failing to retain or review millions of emails for periods ranging from two months to more than six years. The five firms, indirect subsidiaries of ING Groep N.V., are Directed Services, LLC; ING America Equities, Inc.; ING Financial Advisers, LLC; ING Financial Partners, Inc.; and ING Investment Advisors, LLC.

Brad Bennett, Executive Vice President and Chief of Enforcement, said, “As a result of broad systemic failures, these firms failed to capture and retain emails from hundreds of representatives and other associated persons, and failed to take adequate steps to ensure that their principals were fulfilling their responsibilities to review emails. Email retention and review continues to be an important regulatory responsibility and an issue of concern for FINRA.”

FINRA found that the firms failed to properly configure hundreds of employee email accounts to ensure that the emails sent to and from those accounts were retained and reviewed at various times between 2004 and 2012. In addition, four of the firms failed to set up systems to retain certain types of emails, such as emails using alternative email addresses, emails sent to distribution lists, emails received as blind carbon copies, encrypted emails and “cloud” email (emails sent through third-party systems). As a result of these failures, emails sent to and from hundreds of employees and associated persons were not retained; and because the emails were not retained, they were not subject to supervisory review.

In addition, four of the firms failed to review millions of emails that the firms’ email review software had flagged for supervisory review. At various times between January 2005 and May 2011, nearly six million emails flagged for review went unreviewed by supervisory principals because the email review software was not properly configured.

In concluding the settlement, the firms neither admitted nor denied the charges, but consented to the entry of FINRA’s findings. FINRA found that the firms violated the recordkeeping provisions of the federal securities laws and FINRA rules, and supervisory requirements under FINRA rules.

FINRA also ordered the firms to conduct a comprehensive review of their systems for the capture, retention and review of email, and to subsequently certify that they have established procedures reasonably designed to address and correct the violations.

FINRA’s investigation was conducted by the Departments of Enforcement and Member Regulation.

Investors can obtain more information about, and the disciplinary record of, any FINRA-registered broker or brokerage firm by using FINRA’s BrokerCheck. FINRA makes BrokerCheck available at no charge. In 2012, members of the public used this service to conduct 14.6 million reviews of broker or firm records. Investors can access BrokerCheck at www.finra.org/brokercheck or by calling (800) 289-9999. Investors may find copies of this disciplinary action as well as other disciplinary documents in FINRA’s Disciplinary Actions Online database.

FINRA, the Financial Industry Regulatory Authority, is the largest independent regulator for all securities firms doing business in the United States. FINRA is dedicated to investor protection and market integrity through effective and efficient regulation and complementary compliance and technology-based services. FINRA touches virtually every aspect of the securities business – from registering and educating all industry participants to examining securities firms, writing rules, enforcing those rules and the federal securities laws, informing and educating the investing public, providing trade reporting and other industry utilities, and administering the largest dispute resolution forum for investors and firms. For more information, please visit www.finra.org.

With social media and instant messaging on the rise where does that leave Email?

With the numerous social networking tools and instant messaging vehicles available for online communication such as Facebook, Skype, Google Chat, and Twitter, email often seems less relevant to organizations today. Instant messaging is convenient, fast and to-the-point, and for the corporate user sending and receiving 115 emails a day, the appeal is obvious. With SM and IM on the rise, is email becoming obsolete?

Here are some stats that clear it up in our tidy infographic: How Does Email Stack Up?

The Future of Email: More Users, More Functional, More Impactful

Despite the booming popularity of instant messaging vehicles and social media platforms, email is still the internet’s “killer app”, remaining internet users’ most widely used form of communication, with its use only expected to grow, especially in the corporate sector. Email’s ever increasing functionality beyond just sending messages – from email cloud drives that enable you to store data in the cloud, to file sharing applications – enhances email as a medium for communication and collaboration. Email’s growth and increasing functionality position it as a channel that will only be more impactful in the future.

SOURCES:

  • Direct Marketing Association, https://imis.the-dma.org//bookstore/index.cfm?
  • Facebook June 2012, http://newsroom.fb.com/content/default.aspx?NewsAreaId=22
  • McKinsey Global Institute Report July 2012, http://www.huffingtonpost.com/2012/08/01/email-workday_n_1725728.html
  • Osterman Research Market Trends 2005-2008, http://www.ostermanresearch.com/
  • Pew Internet Study 2011, http://pewinternet.org/
  • Radicati Group Email Statistics Report 2012-2016 , http://www.radicati.com/wp/wp-content/uploads/2012/04/Email-Statistics-Report-2012-2016-Executive-Summary.pdf
  • Radicati Group Email Statistics Report 2009-2013, http://www.radicati.com/wp/wp-content/uploads/2009/05/email-stats-report-exec-summary.pdf

You Have Encryption, but Data is Still Walking out the Backdoor

Your encryption solution could be the best-of-breed technology, have the most advanced features for tracking messages—it might even have won a shiny award from analysts at some firm, but you may still be at risk for data leakage. Why? Because your employees aren’t using it. In fact, 69% of organizations surveyed by the Ponemon Institute last year indicated they believe employees frequently violated policies for email encryption, while 61% indicated that employees use insecure email channels, such as personal Web-based email to send confidential data. So why are employees failing to encrypt sensitive company emails? Are they dumb? Lazy? Resentful they missed a bonus this year?

While it’s easy enough to blame the user, the truth is that email encryption software has become a commodity that’s fairly easy to obtain, but often difficult to use and manage. Over half of email encryption users are frustrated with their encryption solutions being inflexible and difficult to use, according to a recent email study. With the average business email user sending and receiving 115 emails per day, it’s no wonder they avoid the 8-10 steps necessary to send or receive a message using antiquated, commoditized encryption technology. But with a high volume of emails being exchanged, potentially unsecured, users are exposing the organization to the very real risk of data leakage.

So what do you do? Do you bite the bullet, keep your 10-step process and hope the losses from productivity outweigh the alternative of a data breach? Evidence would suggest that users would continue to fumble with and avoid such a system—leaving your organization still at risk to a data breach at the email gateway.

True Security Has Usability

It doesn’t matter how secure the technology is: if it’s too difficult to use, employees will avoid and circumvent it. Security needs everyone to adopt it, and every change of behavior, additional step or extra click is a hassle that makes a solution more difficult to use and adopt. To encourage adoption, solutions must be flexible and simple enough to complement the email, mobile and tablet solutions users are already comfortable with.

For more information on how encryption can work seamlessly with your existing email and encourage user adoption, visit the Email2 Product Page.

Data Leakage: 5 Mistakes Email Users Make and How to Prevent Them

Email remains the vital tool for exchanging confidential business information ranging from trade secrets to customer information. In fact, Osterman Research estimates as much as 75% of a company’s intellectual property is contained within emails floating around in employee inboxes and corporate email systems. Organizations put a lot of faith in their employees by putting that much valuable data in their hands. But no matter how much trust you put in your employees, they’re human and mistakes happen.

It comes as no surprise then that 69% of organizations surveyed by the Ponemon Institute last year indicated employees violated security policies frequently and sent confidential and sensitive information via non-approved, unsecured email methods. It should be even less of a surprise that email is the leading source of data loss/leakage according to that same study, and many others.

5 Mistakes Email Users Make

User actions that appear as trivial mistakes or lapses in judgement can become heinous and costly incidents when they result in data loss or unauthorized exposure. So we’d like to point out 5 overlooked mistakes email users make that can result in data leakage:

1. Failing to encrypt sensitive emails – “That was supposed to be encrypted?”

Maybe they didn’t think it was sensitive information, or maybe they didn’t care. Either way, users who fail to encrypt emails transferring sensitive information open the possibility that an email may be accessed by someone other than the intended recipient, leading to potential data leakage and exploitation of information that should have been sent securely.

2. Sending email to the wrong people – “A trigger-happy ‘reply all’ can be dangerous”

We’ve all done it. Maybe you meant to tell your co-worker how you hate your boss, or the details of last night’s party, but hit “Reply All” instead, telling everyone. Oops. Now when that email contains confidential company or customer information rather than the droning of your work life, and it just got sent company-wide, or outside the company… ‘Oops’ doesn’t cut it.

3. Sending corporate information from personal (unsecured) email accounts – “I’ll just use Gmail…”

Work email is for work, personal email is for home… or whatever, right? Using company email accounts to send company-related information is necessary because personal accounts often lack the safeguards (such as encryption, automatic backup, etc.) necessary to protect company information against loss or leakage.

4. Failing to back up/save/archive emails – “It didn’t seem important at the time…”

If you diligently back up your emails to the server, you’re golden. For the other lazy half of email users who just save emails locally in their folder, on the desktop, or not at all, the possibility of data loss is just a computer crash or email glitch away. With 75% of corporate IP floating around in email boxes, it’s important for users to back up, back up, back up their emails.

5. Believing you’ve won the lottery or other scams – “Just enter your credit card information to claim your prize!!”

You’d like to think that luck has finally come your way when you see an email announcing you’ve won the lottery, tickets to Disneyland or a luxury getaway to Bora Bora. Though there’s something fishy about them asking for your credit card information, your address and your social security number, you push on because the thought of relaxing on a sunny beach is just too much to stop you from realizing you’re getting played. For the undiscerning user, a phishing scam can mean giving up all sorts of sensitive information, and if it’s company information you’re giving out, some scammer might just use it for a sandy escape of their own.

Catch Mistakes Before They Happen

While human error may be inherent in our nature, it doesn’t mean data loss is unavoidable simply because we’re destined to make a few bad calls. Instead, all 5 of these user mistakes and many more can be avoided with effective employee training and a powerful data leakage prevention (DLP) solution that can catch mistakes before they happen.

With data leakage centering on users, it’s obvious that an effective DLP policy begins with employee training and management. Educate users on policies for acceptable email use; emphasize that data is essentially money and that employees are responsible for losing company money when they violate policy and clearly articulate consequences for violations. When users understand proper workplace email usage and the consequences, they will be less likely to make mistakes.

While employee training and management can help reduce the potential for costly email errors and snafus, mistakes are bound to happen no matter employees’ good (or bad?) intentions, so training alone isn’t enough to ensure policy compliance. The potential for data to be leaked or lost through email user mistakes underscores the need for organizations to enforce email policy with a data leakage prevention solution to pre-empt user snafus and stop data leaks before they happen. For the best protection against data leaks, businesses should implement a DLP solution that can stop users in their tracks before a damaging email is ever sent.
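One way to implement the pre-send check described here (and the content-based “send secure” prompt from the Human Error post above), as an added example that is not Email2’s product or code: it scores a draft against mistakes 1 to 3 and returns the action the gateway should take. The corporate domain, the webmail list, the keyword list and the reply-all threshold are assumptions; the sample messages in the test are constructed.

```python
"""Pre-send DLP check modelled on the user mistakes listed above.
Example code, not Email2's product.  All policy values are assumptions."""
import re
from dataclasses import dataclass, field

CORPORATE_DOMAIN = "example.com"          # assumption: the organisation's own mail domain
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}  # assumption
REPLY_ALL_THRESHOLD = 10                  # assumption: this many recipients looks like a stray reply-all
SENSITIVE_KEYWORDS = ("confidential", "trade secret", "patient record", "account number")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # candidate payment-card numbers, confirmed by Luhn


def luhn_ok(digits: str) -> bool:
    """Luhn check so that arbitrary 13-16 digit runs (invoice or phone numbers) are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


@dataclass
class Verdict:
    action: str                           # "allow", "confirm_recipients", "prompt_secure" or "block"
    findings: list = field(default_factory=list)


def evaluate_message(sender: str, recipients: list, subject: str, body: str) -> Verdict:
    """Return what the gateway should do with this draft before it is sent."""
    findings = []
    text = f"{subject}\n{body}".lower()

    # Mistake 1: sensitive content that must not leave unencrypted
    if SSN_RE.search(text):
        findings.append("ssn")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        findings.append("payment_card")
    if any(k in text for k in SENSITIVE_KEYWORDS):
        findings.append("keyword")
    sensitive = bool(findings)

    # Mistake 2: wrong recipients or an over-broad distribution
    if any(domain_of(r) != CORPORATE_DOMAIN for r in recipients):
        findings.append("external_recipient")
    if len(recipients) >= REPLY_ALL_THRESHOLD:
        findings.append("broad_distribution")

    # Mistake 3: corporate data sent from a personal webmail account
    if domain_of(sender) in PERSONAL_WEBMAIL:
        findings.append("personal_sender")

    # Decide, most severe first: sensitive data from webmail is stopped outright,
    # sensitive data from a corporate account prompts the user to send secure,
    # odd recipient lists get a confirmation, everything else passes.
    if sensitive and "personal_sender" in findings:
        action = "block"
    elif sensitive:
        action = "prompt_secure"
    elif "external_recipient" in findings or "broad_distribution" in findings:
        action = "confirm_recipients"
    else:
        action = "allow"
    return Verdict(action, findings)
```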

The best protection is prevention

At Email2 we recognize that user mistakes are prone to happen and are costly when they do. That’s why we’ve developed a powerful DLP feature for secure email that pre-empts user error by warning users of potential data policy violations before the “send” button is hit. If a questionable email still makes it out of the email gateway, additional tools allow total recall of sent messages and attachments even after the message has been read by a recipient.

For more information on how Email2 prevents data leaks, visit the DLP product page.

When Complying With HIPAA Is Not Enough: Tough New Medical Privacy Laws Are in Effect in Texas

By Jacqueline Klosek, Julia B. Holczer, Achal Oza

While many covered entities and business associates are still adjusting to the changes to the Health Insurance Portability and Accountability Act (“HIPAA”) ushered in by the Health Information Technology for Economic and Clinical Health Act, new privacy requirements that are more stringent than HIPAA recently entered into force in Texas. Last June, Governor Rick Perry signed into law Texas House Bill 300 (HB 300), a measure that amends the state’s medical records privacy laws by strengthening privacy protection for protected health information (“PHI”) and increasing penalties for violations. The amendments, which took effect September 1, 2011, provide for health privacy protections in addition to and more stringent than those offered by HIPAA. The Texas Attorney General will be responsible for enforcing the new requirements and may seek injunctive relief and civil penalties up to $1.5 million annually for violations. Because of the broad scope of Texas health privacy laws, these changes are likely to have significant reach, impacting not only HIPAA-covered entities in Texas, but also governmental entities, schools and universities and other entities in Texas that process PHI.

Requirements and Limitations Imposed on Covered Entities

HB 300 will primarily impact “covered entities.” However, while the definition of covered entity under HIPAA is limited to health care providers, physicians, health insurers and health care clearinghouses, existing Texas law defines covered entity more broadly as any entity that engages in “assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information,” or that “comes into possession of” or “obtains or stores” PHI. This means that the new requirements of HB 300 could impact a broad group of entities – beyond those subject to HIPAA.

The key new obligations imposed on covered entities are discussed further below:

  • Training. A covered entity is required to develop and administer a training program for its employees that covers the details of both the state and federal laws concerning PHI. The training session should specifically be geared towards how these laws relate to (i) the nature of such covered entity’s business and (ii) each employee’s scope of employment. There is no explicit language exempting from this training those employees of a covered entity that do not come into contact with PHI in the scope of their employment. An employee of a covered entity must receive such training within 60 days of such employee’s date of hire, and on a continual basis, no less than once every two years. Each employee who attends a training session must sign in (electronically or in writing) to verify their attendance at such training and the covered entity must maintain records of such attendance.
  • Sale of PHI. Subject to limited exceptions, a covered entity may not indirectly or directly sell an individual’s PHI. The new measures will generally restrict covered entities from selling PHI. However, a covered entity is permitted to receive a payment or fees from another covered entity in exchange for access to an individual’s PHI solely for the purposes of treatment, payment, health care operations, the performance of an insurance or health maintenance organization function or as otherwise authorized or required by state or federal law. The payment or fees obtained in exchange for the PHI may not exceed reasonable costs of preparing or transmitting the PHI to such covered entity.
  • Notice and authorization for electronic disclosure. A covered entity is required to (i) provide notice to an individual (for whom such covered entity creates or receives PHI) when such individual’s PHI is subject to electronic disclosure and (ii) obtain prior (written or orally documented) authorization for such electronic disclosure from the individual. The form of notice is up to the covered entity, as long as the individual is likely to see it (e.g., written notice at place of business, posting on Internet website, or both, etc.). The prior authorization requirement is not applicable if the disclosure is made to another covered entity for the same purposes as outlined above relating to the sale of PHI (e.g., treatment, payment, health care operations, etc.). The new law indicates that the Attorney General will adopt a standard authorization form, which will comply with HIPAA standards.

Enhanced Enforcement Mechanisms and Penalties

The new law places its enforcement authority in the hands of the Texas Attorney General, who may pursue an injunction, monetary penalties and disciplinary actions against covered entities that are in violation. In addition to injunctive relief, the Texas Attorney General may institute an action for civil penalties ranging from $5,000 for each negligent violation that occurs in a given year up to a maximum of $1.5 million annually. The penalties increase when the acts are deemed intentional and for financial gain. If a covered entity is deemed in violation of the new law and is licensed by a state agency, a disciplinary action may include revocation of the covered entity’s license. HB 300 also provides that the state may conduct audits of a covered entity to determine its compliance with the state’s health privacy requirements.

Covered entities and other entities processing the PHI of Texas residents should take note that the new far-reaching obligations have recently entered into force in Texas. Because the law goes beyond the requirements of HIPAA in a number of significant ways, even entities that have very well developed HIPAA compliance programs will likely need to make changes to comply with the Texas law.

When creating Email Policy – Include Guidelines for when Staff must use Encrypted Email

The importance of guidelines to ensure Efficient and Effective email Use

“Most companies are grappling with email overload,” says Monica Seely, an email management expert at Mesmo and author of Brilliant Email. “Companies are losing up to 20 days per person per year, dealing with email poorly.” Most of us would not disagree with these statements. But how many organizations have you encountered that have email guidelines in place that are actually enforced? The answer is likely none. Having no email charter (that is adhered to) is like having no HR policies for staff (that are adhered to). Payroll expenses and the inefficient use of email are among the most costly expenses in most professional services organizations. Implementing guidelines around managing these resources is not a nice-to-have but a fundamental business rule, applicable to any size of organization. Having these guidelines in writing is not good enough. For them to be effective, they must be enforced and become part of the operational culture and house rules, as second nature as, well, sending an email. Sending a flaming email or an unwarranted ‘reply to all’ with the dreaded “thanks!” should become as unacceptable and ‘yesterday’ as scotches for lunch and smoking at our desks. One can’t assume that staff ‘just know’ how to use email. Most individuals’ email training is simply non-existent: it ends with opening their MS Outlook application and composing their first email.

Guidelines for when Secure Encrypted Email must be used

If you are on vacation and you want to send something generic to a friend such as “wish you were here”, you send a postcard. If the message or letter is more personal and you would prefer that only the intended recipient read it, you would send it in a sealed envelope. The same principle applies in the business world. Encrypted email is your sealed envelope, and then some: depending on the encryption service used, it can be more like a signature-required, guaranteed-delivery package. Rarely covered in an email policy are guidelines around sending sensitive or client-confidential information. The sending organization, or the sender who includes sensitive business, client, or employee information in an email, is unequivocally responsible for ensuring that the information is secure and only seen by intended recipients. If a sender does not use email encryption, all information sent over the Internet can be intercepted, which exposes the organization to a high risk of data leaks and of breaching privacy and other regulatory compliance obligations. It’s like sending a postcard into cyberspace.

Sample Encrypted Email Guidelines

Here’s just a sample of general guidelines that can be included in your email charter to address the use of encryption, so that sensitive content is only seen by intended recipients. Encrypted email must be used:
  1. When sending or discussing confidential, strategic, non-public, or classified business information.
  2. For Board of Directors discussions.
  3. When sending or discussing any type of client confidential, privileged, or private information. Clients could include students, patients, citizens, or customers.
  4. When emails include credit card numbers, social security numbers, passwords, logins or any recognizable format for sensitive information. The use of data leak prevention tools here is also key. Data leak prevention tools will recognize the format of email content, such as xxxx-xxxxx-xxxxx-xxxxx for credit cards, and prevent sending of the email, or at least warn the sender to encrypt the email.
  5. When attaching any kind of sensitive document to an email. Encryption is much more secure than including a password to open the document, which can be cracked.
  6. By all legal and accounting staff working for the organization, or any staff who frequently deal with confidential information as part of their regular duties. This may include IT and Sales.
  7. When communicating outside the organization with firms dealing with sensitive information such as legal, accounting and IT firms. In many sectors, such as the healthcare industry or public sector, guidelines would include a long list of external or partner agencies.
  8. By HR staff when communicating sensitive employee information, AND when communicating with potential new hires and candidates, particularly when discussing or sending employment offers.
  9. As an aside, secure email guidelines should also cover the topic of email delegates: how to communicate which staff members have delegates, and what alternative communication methods to use to reach staff with delegates when ultra-sensitive emails are exchanged. Navigating the sensitivities of email delegates can be challenging if guidelines are not in place.
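As an added illustration of the data leak prevention check described in guideline 4 (example code written for this page, not Email2's product or the post's own code), the following scans an outbound message body for card numbers, social security numbers and credential fragments and maps what it finds to a send, warn or block decision. The patterns, the sample messages and the send/warn/block policy are assumptions of the example.

```python
import re

# Minimal outbound DLP check: card numbers (Luhn-validated), US social
# security numbers and "password: ..." style fragments. All patterns and
# sample data below are constructed for this example.

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CRED_RE = re.compile(r"\b(password|passwd|login)\s*[:=]\s*\S+", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from order or phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last `keep` characters so the DLP log cannot leak the value."""
    return "*" * (len(value) - keep) + value[-keep:]


def find_sensitive(body: str) -> list:
    """Return (kind, masked_value) pairs for every sensitive item in the body."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):                 # drop Luhn-invalid digit runs
            findings.append(("card_number", mask(digits)))
    for m in SSN_RE.finditer(body):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in CRED_RE.finditer(body):
        findings.append(("credential", m.group(1).lower()))
    return findings


def decide(findings: list, encrypted: bool) -> str:
    """Assumed policy: card numbers and SSNs may only leave encrypted (block
    otherwise); credential fragments earn a warning prompting encryption."""
    if not findings or encrypted:
        return "send"
    kinds = {kind for kind, _ in findings}
    if kinds & {"card_number", "ssn"}:
        return "block"
    return "warn"


# Constructed sample messages (test values only, not real identifiers).
SAMPLE_SENSITIVE = (
    "Hi, please charge 4111 1111 1111 1111 for the invoice. "
    "My SSN is 123-45-6789. Portal password: hunter2"
)
SAMPLE_BENIGN = "Tracking number 1234567890123 for order 42 is attached."

if __name__ == "__main__":
    for body in (SAMPLE_SENSITIVE, SAMPLE_BENIGN):
        found = find_sensitive(body)
        print(decide(found, encrypted=False), found)
```

The tracking number in the benign sample is 13 digits long and so matches the card pattern, but fails the Luhn check and is therefore not flagged.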
Once communicated, email rules or guidelines should be adhered to and enforced like any other organizational policy. With minimal training and reminders, email can be a highly effective communication tool. There has been a lot of talk recently about rogue companies abolishing email altogether as a way of dealing with the ineffective use of email. But the reality is that email is not going anywhere for the foreseeable future. It’s not the medium that’s the problem. It’s who uses it and how. Contact us here if you would like to receive a complete email policy or guidelines template.

Ariane Laird works with Email2. Email2 provides straightforward secure email encryption and data leak prevention solutions for various sectors, and uses the same security technology as Internet banking. From your desktop to mobile, securely send, receive, control, track and automate delivery of confidential email and large attachments outside the organization. Brilliantly simple, anytime anywhere encryption, without requiring staff or recipients to change their existing email.

Is your bank using encrypted email to communicate with you – the customer?

It occurred to me in November that I have been using basic email to communicate with my (wonderful) banking representative for years. The topics sent back and forth by email could not be more sensitive in nature. The information included requests to transfer funds, bank account numbers, mortgage renewals, line of credit requests, social security numbers, passwords, credit card information and, gulp, income information and income tax statements by way of file attachments. Not once did the senior banking representative alert me that we should not be transferring this type of information when corresponding by unsecured basic email. Nor did he provide me with an alternative secure email solution. He tends to be very customer-service oriented and understands and respects that my preference by far is to use the asynchronous communication method of email. This way I can email him at midnight when it’s convenient for me, and he can respond when it’s good for him. However, convenience and customer preference should never override the fundamental right to privacy or securing my ultra-sensitive information. It’s also important to note that I bank with one of the 2 largest (and most profitable) banks in the country. It is unequivocally the banking institution’s responsibility to 1) ensure that my confidential and private information is only seen by intended recipients and 2) accommodate my preference for email communication. In that order, but preferably both. When this uneducated and naive customer (me) finally understood that my emails were not secure and could easily be intercepted once they leave my computer and travel through various nodes in the world ‘wild’ web en route to their final destination, I brought the subject matter up with my rep. My aha occurred after 313 emails were sent to my banking rep (yes, I counted them), which does not include emails received.

After my inquiry, my banking rep advised in November of last year that he ‘did’ have access to an encrypted email solution, but did not seem to be that familiar with it. He would get back to me. I reminded him about this again the following January, after sending him 10 additional confidential emails during the 2 month lag. He finally sent me a link to a web page for accessing their secure banking email. It was a one-page, badly laid out and confusing user interface. It looked like a school project from a first-year comp sci student. And that student would undoubtedly have received a ‘C’ for that project. But the worst part of this experience is that the password for accessing the secure email site was created and sent to me by my banking rep using basic email! I tried to respond to his encrypted email, but the ‘solution’ sent me a canned email requesting my ‘encryption certificate’ and asking me to include my ‘digital ID’. It read: “The easiest way to do this is to apply a digital signature to your reply using your e-mail software.” Huh? The first-year comp sci student who developed this tool clearly did not speak my language, which is English. I emailed my banking rep to find out what this meant, and he replied that he may not have followed the process correctly. And that was the end of that. (true story) I came up with 3 conclusions as a result of this experience.

1.  Lack of Confidence that Humongous Bank cares about securing my Confidential Information

I have very little confidence that my humongous and well-established bank cares about securing my private and confidential banking, personal or financial information. It has not trained its staff to understand the importance of securing customer communication and passwords.  Does encrypted email only become a recommended option when a customer inquires about security?  I’ll also clarify that my banking rep has been with the bank for at least 20 years and is not a junior account rep.

2.  Banking & Financial Services 101: User-Friendly Email Encryption Solutions that work

Providing me with a secure and user-friendly email encryption solution that does not require a technology dictionary and a 10-page instruction manual to use is NOT a difficult task for an extremely profitable banking institution. After all, they have figured out the technology and user interface for Internet banking, haven’t they? The email encryption solution that I was provided has to be an embarrassment to any successful or progressive organization, but particularly one that provides financial services. And let’s not forget about policies regarding basic email. If financial services organizations are permitting their staff to communicate with customers using an unsecured email system, then at minimum, data leak prevention policies and tools must be in place to ensure that if/when confidential information such as bank account numbers, passwords or credit card numbers is included in a basic email, the sender is alerted, if not prevented from sending the email. It appears as though even Humongous Bank does not have to adhere to basic and fundamental principles in securing customer information and privacy.

3.  Banking & Financial Services Customers are Unaware that Basic Email is not Secure

My banking rep does not often use his email encryption solution and doesn’t seem to be familiar with it.  I am left to conclude that his hundreds of other banking customers are clearly not clamoring for their private information to remain secure, likely because most have no clue that email is not secure and that straightforward alternatives do exist. To all banking or financial services customers, or any customer of an organization where your confidential information is exchanged:  Using unsecured email or fax is like shouting something across a crowded room.  If you are willing to take the chance that your private, confidential or financial information is intercepted and seen by the occupiers of a crowded room, then by all means, carry on with the status quo.  How about a nice order of identity theft with that email?   Ariane Laird works with Email2.
  • Email2 provides straightforward secure email encryption, data leak prevention, and e-statement solutions for the financial services industry using the same security technology as Internet banking.
  • Email2 enables financial services organizations to securely send, receive, control, track and automate delivery of confidential email and large attachments outside the organization – without requiring staff or recipients to change their existing email.

Healthcare Breach Prevention & Email Encryption – Apparently Not a High Priority

The Second Annual Benchmark Study on Patient Privacy & Data Security was just released by Ponemon Institute, a privacy and security research firm based in Traverse City, Mich. Some of the findings are surprising, if not shocking given the attention and legislation put in place to deal with this topic. Lip service? One is really left to wonder.

The Data

When looking at the data, let’s also keep in mind that the survey targeted data protection professionals, with 43% of respondents holding the title of chief security officer, chief information security officer, chief information officer, chief privacy officer or chief compliance officer. Additionally, the sample was skewed toward larger healthcare organizations, “excluding the plethora of very small provider organizations, including local clinics and medical practitioners,” the report said. There’s a lot of interesting (and highly disturbing) data in the report, but I’ll focus on only a few highlights according to the healthcare organizations responding to the survey:

1. 96% have had at least one data breach in the past 24 months. On average, organizations have had 4 data breach incidents during the past two years. Breaches increased 32% from the previous year. (96%? Does that not sound a lot like 100%?)
2. The top 3 causes for a data breach are:
  1. lost or stolen computing devices
  2. third-party snafu
  3. unintentional employee action.

Even more troubling is the data regarding what appears to be the prevailing and unsettling mind-set surrounding security as a priority.

3. Staff do not understand the importance of patient data protection
  1. 66% agree medical billing personnel do not understand the importance of patient data protection
  2. 58% say IT personnel do not understand its importance
  3. In contrast, 58% say administrative personnel do understand the importance of protecting patient data.
4. Protecting patient data and privacy is not a priority for healthcare organizations
  1. Only 29% of respondents agree that the prevention of unauthorized access to patient data and loss or theft of such data is a priority in their organizations
  2. Less than one-fourth (23%) said their organization has “encryption solutions installed.”

Email Encryption – a minimum in healthcare prevention for breach of patient data and privacy

Let’s focus for a moment on the last piece of data shown in 4(2) above. Less than one-fourth (23%) said their organization has “encryption solutions installed.” This also means that healthcare organizations are not using email encryption (secure email) to communicate patient information securely. That, in turn, ties into third-party snafus being one of the top reasons for patient breaches. It seems that email encryption and secure communication should be at the top of the priority list as one of the first steps in securing patient information. The report cites the following types of compromised patient data:
  • Medical file
  • Billing and insurance record
  • Scheduling details
  • Prescription details
  • Payment details
  • Monthly statements
While the report does not provide details about how this information was intercepted, I think it’s a pretty good guess that encryption technology was not in use where the breaches occurred. Using phone, unsecured email, fax, couriers, mail, or in-person visits to transfer or share private patient information is not secure, and the information can easily be intercepted. At the very least, healthcare organizations must adopt email encryption to communicate medical, insurance, scheduling and billing statement information with patients and other healthcare organizations. Email encryption is well positioned to become the way of the future in healthcare communication, and it has the teeth to back up that privilege since it also addresses regulatory compliance with HIPAA and other technical security safeguard standards. Its adoption must become as routine and pervasive as any other fundamental business practice in the healthcare industry. 51% named inadequate budgets for privacy and security as the top weakness in their healthcare organization’s security program. Encrypted email is also a highly efficient and cost-effective way to prevent patient privacy and data leaks, as well as providing enhanced patient services. For example, sending monthly e-statements by secure email to patients and other healthcare providers is associated with significant cost savings and efficiencies, as well as the added bonus of a reduced environmental footprint. If email encryption were adopted by the surveyed organizations today, the survey results would show significant improvements next year. Guaranteed. Ariane Laird works with Email2.