Implementing effective ways to exchange sensitive information using encryption
Digital communication, whether it is by email, phone call, SMS or video, is part of every organization’s business process, and as such requires encryption to stay secure. It’s essential not just for the sake of protecting shared data, but also because of the many data privacy regulations organizations must adhere to.
In this interview with Help Net Security, Chris Peel, VP Customer Engineering at Echoworx, who works with customers to define, develop and deliver secure messaging solutions, explains why email encryption is the way to go for organizations, what the benefits and challenges of such a strategy are, and how to implement it without overburdening the user.
What are the main challenges of exchanging sensitive information using encryption?
At its core, user experience remains a primary root issue affecting effective exchanges of secure encrypted messages and documents. Ask any IT security leader whether employees at their companies can send an encrypted email and the response you get is almost always going to be ‘yes.’ Based on our research and surveys, over 90 per cent of this same group admit that they find the process of sending an encrypted email to be a difficult, even frustrating, experience.
For me, this flags user experience as imperative when it comes to choosing an email encryption solution. When it comes to sending a secure message or document, encryption is an important element in that you need to apply encryption as a usable feature. There are many factors which need to be considered to preserve a natural, and consistent, message flow anywhere on any device.
Different business relationships or business cases might require, even dictate, which secure delivery methods must be used. Your enterprise might use TLS, for example, to send and receive sensitive messages and documents. But what about instances where a TLS connection is not available? Or used, like we see in the EU where a reliance remains on PGP and S/MIME? You need to ensure seamless secure communication with all your business contacts, regardless of where they are located, how they choose to connect or what format the information they are sharing is in.
This takes us into a second challenge affecting the effective exchange of sensitive information using encryption – compliance. Any data you share outside your organization’s perimeter is probably subject to any one of a multitude of international privacy jurisdictions, rules and regulations. And you are responsible for it and anything that happens to it, including anything done in a subsequent third-party capacity, from the minute you click ‘send.’
But keeping tabs on our global patchwork of privacy regulations can be time-consuming, resource-intensive and expensive. Imagine you’re a major British bank, for example, still adapting to Brexit’s effects on your business under the GDPR. You might acquire another bank, and let’s say it’s based in Manila. Do you know if your business is protected in Manila? Do you know how data must be stored in the Philippines? What do you know about local jurisdictional privacy rules governing data sent to, within and from the Philippines? Does this new business warrant forming a dedicated IT team to set up, deploy and run a secure communications system?
These are just two, but two major, challenges we often see causing major headaches for enterprises struggling to implement effective ways to exchange sensitive information using encryption.
How can organizations avoid being burnt by a bad implementation process or failed solution?
To understand how an organization can avoid being burnt by a bad implementation process or failed solution, you need first to understand how enterprises find themselves in these situations to begin with. When searching for an email encryption solution, or any tech solution for that matter, it is always important to identify, outline and determine the business goals you are hoping to achieve. A common mistake enterprises make in this stage is not being inclusive with their buying teams, resulting in buying a solution which is not applicable to every business case, every department, every customer and, ultimately, is not adopted and therefore fails.
When setting down the foundation of a secure communications plan which works, enterprises need to identify all stakeholders, who should be heard throughout the planning process. You need to ensure all users and potential users are involved in searching for a solution. While a Security or IT team, for example, might favour a cost-conscious simplistic solution, like leveraging an email encryption feature of an existing bundled product, this solution might not be flexible enough to accommodate the business needs of, say, a B2C business enablement team. This could lead to issues ranging from potential increases in internal costs, like an increase in support calls, to external vulnerabilities, like adopting customer-requested workarounds to avoid over-complicated processes.
As a rule: The bigger the initial conversations regarding email encryption needs, the more accurate the searching process goes for an email encryption solution and the more likely a successful rollout and implementation of your secure communications program.
For those already stuck with a failed or failing email encryption solution, the worst thing you can do is add even more software, hardware or complexity to your existing system. Instead, look for a replacement solution which can address the sticky parts of the failed system without gobbling up more resources. A cloud-based SaaS solution, like Echoworx, for example, can help migrate expensive on-premises infrastructure to the cloud to unlock the additional flexible functionality you need to compete, without interruptions to existing business relationships.
How can CISOs define requirements for encryption when technologies and threats are ever changing?
Technologies and threats are always going to change with time, but to remain in control, you need to look for secure messaging solutions which are flexible enough to fulfill current business asks while preparing you for what’s around the corner. Otherwise, you might find yourself constantly playing catchup, which can be an expensive habit. As the saying goes: Money flows where the problem goes.
When planning your secure communications strategy, it’s important to think of securing data in transit not as a linear line, but rather a large series of expanding bubbles, each bubble requiring adequate attention. Because when it comes to security, companies often make the mistake of not observing every touchpoint and data lifecycle. You need to look for an encryption provider which is always updating to accommodate these ever-expanding usability and compliance issues, under consistent security review and certified to common industry standards, such as PCI or SOC2, for example. In addition to this being the smarter approach to securing data in transit, this mentality helps reduce cost of ownership, without sacrificing security.
From a features and functionality standpoint, you should look for solutions which address your specific business needs directly. Many service providers, for example, offer email encryption as a supplementary add-on to a larger product or bundle. Without dedicated service, you might encounter fewer updates with a product like this, less support when you need it or even less functionality when it comes to snapping to different business cases.
What can organizations do to navigate business and usability constraints (e.g. compliance, cost, workarounds, etc.)?
Business and usability constraints are often part and parcel when it comes to their root causes and subsequent solutions. When businesses look to navigate these types of issues, they need to get as many people at the table as possible to understand what exactly they are dealing with.
When it comes to secure messaging solutions, for example, it’s often tempting to listen to your IT team’s recommendations based primarily on delivery and management needs. Can you send an encrypted message with this system? Yes. Is this solution easy to run on the backend? Yes. Does this solution comply with jurisdictional rules? Yes.
But you need to think more three-dimensionally when approaching real business issues because, let’s face it, it’s not just about the email encryption; it’s about real employees needing to exchange real information with real customers. You need to get past the ‘does it work’ justifications and more into the ‘how will it work’ mentality. Once you involve usability stakeholders at the table, you’re going to get a solution which helps alleviate many adoption issues, which, in effect, should help you navigate through the very constraints which brought you shopping for a solution in the first place.
Consider, for example, you are looking to take your on-premises email encryption system to the cloud. IT specialists might caution exposing your data, or flag jurisdictional residency as a reason for keeping everything in-house. From an internal point of view, this might make sense and the conversation might end there.
But what if you look at it from a more outward business-looking lens? If you pick the right SaaS, for example, you unlock seemingly unlimited frontline applications, in addition to freeing up the expensive internal resources committed to running an in-house system. With clear value identified, it then becomes a conversation about how much you trust a third-party vendor, many of whom, like Echoworx, undergo rigorous and constant security reviews and data security programs, like PCI or SOC2.
In a nutshell? Navigating business and usability constraints usually comes down to having the right conversations with a larger, more inclusive, audience within your enterprise. If everyone is on-board, and everyone is heard, then there is no immediate reason why a solution should not be adopted.
How does Echoworx help prevent significant problems with access to and sharing of data via email?
Echoworx provides enterprises with the secure flexible email encryption solutions they need to snap to any business case while creating a smooth, seamless and consistent user experience for every user, internal or external, on any device. How do we do this? Simple: Email encryption is all we do, and we’ve refined and created a product which is so much more than its encrypted protection – it’s about enabling more effective secure exchange of messages and documents.
So how do we help prevent significant problems with access to and sharing of data via email? Easy. We pay special attention to usability and business practicality, in addition to security and encryption. This ensures your employees’ decisions to encrypt email are not influenced by a clunky, frustrating or over-complicated system. This makes protecting the emails they send the path of least resistance, improving adoption while protecting your organization at every datapoint in transit.
We offer a full, customizable system to empower your enterprise to control how secure messages and documents are sent by your organization. We present multiple ways to authenticate users to messages, for example, from seamless authentication methods, like biometrics or social logins, to more stringent methods, like 2FA. We provide multiple ways to send encrypted messages, from direct delivery methods like TLS, PGP and S/MIME to Push methods, like Secure PDFs or Encrypted Attachments, to Pull methods, available through our Secure Web Portal. We also feature multiple inbound secure communications options, like Guest Compose, to ensure you can extend your encryption capabilities to external users. And all these delivery channels offer full brand and locale support.
Echoworx helps prevent email encryption roadblocks by providing you with the tools you need to address them, overcome them and eliminate them.