It’s Tax Time Again: Protect Client Data with Email Encryption

Tax season isn’t my favorite time of the year, but for identity thieves determined to grab a tax refund in your name, it is Christmas all over again. By filing fraudulent tax returns, they can not only falsify your return or the returns of your clients, but also prevent honest citizens from filing their legitimate tax returns on time, leaving each of them with an identity theft mess to clean up while the thieves make off with thousands of dollars in refunds.

Tax refund fraud in the U.S. is expected to top $21 billion this season. Thankfully many people are taking precautions: they are safeguarding their Social Security numbers by not responding to phishing emails or texts, treating attachments from unknown senders with great caution, and shredding any unneeded documents rather than just putting them in the trash. However, a group that remains at high risk is middle-income families who use tax specialists to handle their tax affairs. Studies from the Federal Financial Institutions Examination Council (FFIEC), the Consumer Financial Protection Bureau (CFPB) and others indicate that a large proportion of financial professionals of all kinds continue to send and receive documents containing Non-public Personal Information (NPI) via insecure email, thus exposing their clients’ most precious family and financial information to the public Internet. Whereas in the past, families would go to the office of their tax professional bringing all their documents in paper form, these days we have become used to exchanging documents by email. Using traditional email is like sending a postcard through the mail – anyone can read it en route. Let’s face it, a criminal could open your mailbox, read the postcard and then return it to the mailbox and you would never know; it is the same with unsecured email.

This is why I say to tax professionals that a prerequisite for being in your business is to protect your clients’ tax information. And unless you wish to go bankrupt by paying for client documents to be couriered back and forth, you need to have a secure, easy-to-use email encryption solution. One that keeps all email data safe, but is easy for your clients to use; both to receive emails from you – knowing they are from you – and to send emails and attachments to you.

At Zix, we understand you and your staff don’t have the time to deal with complicated encryption, so we take care of it for you. Your emails are scanned automatically and any email containing NPI is automatically encrypted in the background. If the email goes to a recipient in the Zix community, the email is sent transparently – no passwords or extra steps. If the recipient doesn’t regularly use Zix, an automatically generated email is sent to your client with a Web link to click on, with simple instructions on how to see your protected email, and how to download the secure documents. All through a branded portal tailored to your business and for your clientele. When your clients know you are protecting their data, they are far more likely to keep coming back to you, year after year, at tax time.

Tax preparation professionals still have the luxury of being respected and trusted by their clients. Let’s deserve that trust by protecting them with modern email encryption.

Posted in Email Encryption

The Worst Passwords of 2015 Revealed

By now, our regular readers know how much I love to study the follies of the human condition: how intelligent people sometimes do the silliest of things. For example, the police who searched the home of Adam Magee for a robber and, when finding no-one, declared the house clear and then left – the robber was hiding under the bed.

Then there is poor Gregorio Iniguez, once the general manager of the Chilean mint. The agency that presses Chilean coins minted 1.5 million 50-peso coins with Chile spelled “CHIIE.” The blunder cost Señor Iniguez his job, and the coins remain in circulation to this day.

Then there are the improbably obvious passwords that people use to “protect” their on-line accounts. You may remember this blog from last February when I reported on SplashData’s list of the worst passwords of 2014. It caused so much frivolity around the office here at Zix Central, I thought I’d review SplashData’s new 2015 list.

Still at Number One this year, we have the world’s favorite password: 123456. At number three comes 12345678, closely followed by 12345, 123456789, 1234 and 1234567 – can you see a pattern emerging here?

More interesting entries, still in the top 25 worst passwords of 2015, are password, qwerty, login and that other old favorite, baseball. And I am particularly pleased to see new entry, starwars, being a big fan myself.

It is all well and good agreeing on the importance of security, but people need access to their accounts, their information, their data NOW! For most employees in the workplace, being productive means there is no time left for complex, non-value-adding tasks, such as keeping a list of difficult-to-crack passwords. This is why, as much as possible, security should be automated.

In general, users are getting better at creating passwords. Brute force attacks used to go through the dictionary – aardvark, abacus, abandon and so on – and people’s names such as Abagail, Abbi, Aby etc. We countered this by adding a special character and a number to create passwords such as Joseph$3. The trouble is that password cracking algorithms now routinely break these passwords too. They expect a word or name, followed by a special character, followed by a one- to four-digit number; hence, to protect yourself, you need to rearrange your passwords.

For example, bring the numbers to the beginning instead of the end, salt the password throughout with special characters, and don’t use names, place names or English words. But do pick something that is easy to remember. For example, pick a favorite song for which you know some of the lyrics – Pharrell Williams, Taylor Swift, Andrea Bocelli, it’s up to you. Pick a memorable date too and go from there.

For my example, I am picking the U.S. National Anthem, adopted in 1931. I shall put the numbers at the beginning, but substitute the character ! for the ones to give !93!. Next I’m going to take the first letter of the first few words: O say can you see, by the dawn’s early light. However, you need to insert a factor unique to you – something no-one else can guess. As an example, when I was very young, I’d mishear the national anthem being sung on television. I thought people were singing about a young man named José who had vision problems. Hence I thought I heard: José can you see, by the dawn’s early light.

Thus for my example, the password I will never forget is !93!Jcysbtdel.

And now it is your turn…
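To show what the post's advice looks like as a check a defender can actually run, here is an added Python password-policy checker (not Zix's code, and not from the original post). It flags the worst-passwords entries quoted above, the "word or name, one special character, one to four digits" shape that the post says crackers now try first, digits-only and short passwords, and it accepts the post's own !93!Jcysbtdel. The denylist and the mini dictionary are constructed subsets for illustration; a real deployment would load the full published list and a proper wordlist.

```python
import re

# Constructed subset of the SplashData entries quoted in the post.
WORST_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "1234", "1234567", "baseball", "login", "starwars",
}

# Constructed stand-in for a dictionary plus a names list.
DICTIONARY_WORDS = {
    "aardvark", "abacus", "abandon", "abagail", "abbi", "aby",
    "joseph", "summer", "dallas",
}

# The shape the post says crackers expect: word/name + one symbol + 1-4 digits.
WORD_SYMBOL_DIGITS = re.compile(r"^([A-Za-z]+)[^A-Za-z0-9]\d{1,4}$")
# The even simpler shape: word/name + 1-4 digits ("summer2015").
WORD_DIGITS = re.compile(r"^([A-Za-z]+)\d{1,4}$")

MIN_LENGTH = 12  # constructed policy value


def assess(password: str) -> list[str]:
    """Return the reasons a password is weak; an empty list means it passed."""
    findings = []
    lowered = password.lower()

    if lowered in WORST_PASSWORDS:
        findings.append("on the worst-passwords list")
    if password.isdigit():
        findings.append("digits only")
    if lowered in DICTIONARY_WORDS:
        findings.append("plain dictionary word or name")

    # Check the predictable "word + symbol + digits" layouts once; the alphabetic
    # core is looked up so a dictionary word is reported as such.
    for pattern in (WORD_SYMBOL_DIGITS, WORD_DIGITS):
        match = pattern.match(password)
        if match:
            core = match.group(1).lower()
            if core in DICTIONARY_WORDS:
                findings.append("dictionary word or name followed by symbol/digits")
            else:
                findings.append("word-symbol-digits shape that crackers try first")
            break

    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    return findings


def is_acceptable(password: str) -> bool:
    """True when the policy raises no findings."""
    return not assess(password)


if __name__ == "__main__":
    for candidate in ("123456", "Joseph$3", "summer2015", "!93!Jcysbtdel"):
        print(candidate, "->", assess(candidate) or "OK")
```

The checker only rejects layouts a cracker tries first; it says nothing about a password being reused elsewhere, so pairing it with a breach-corpus lookup is the natural next step.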

Posted in Privacy

Securing Data Three Ways: At Rest, Use and In Motion

Sensitive data, both personal and corporate, is more vulnerable today than ever before. Pick up any recent newspaper, and odds are that some sort of data breach or vulnerability has occurred. Social Security and credit card numbers, corporate trade secrets, financial news – any data that is stored, used and transmitted online and through connected devices can be exploited and monetized by a skilled and motivated hacker.

But these threats aren’t just external. The threat of a disgruntled or even rushed employee is as real as the threat from outside attackers, especially if the proper tools and safeguards aren’t in place to prevent the accidental (or intentional) release of sensitive data.

If further evidence were needed that security and data protection have become mission critical, PwC reports that 91% of organizations have adopted some sort of security framework.


Data can be attacked in three states – at rest, in use and in motion – and the costs and complexities of securing the data vary between these states.

At Rest

Firewalls and antivirus solutions can be used as perimeter defense mechanisms, but unfortunately these barriers are not impenetrable. That’s why organizations will need to implement additional layers of defense, like encryption, to protect sensitive data in the event that the network is compromised. Encryption is the front-line defense for data at rest – it limits access to only those with the right keys, locking out anyone who doesn’t have them (aka the hackers).

In Use

Data in use is more vulnerable simply by definition – it must be accessible to those who need it. And the more people and devices that need access to the data, the greater the risk that it can fall into the wrong hands. The key is controlling access to the data as tightly as possible. This is where Bring-Your-Own-Device (BYOD) security comes in handy. If employees are out on the go and need access to corporate data, look for a solution that keeps sensitive data off the device. In the event an employee’s device is ever lost or stolen, an administrator can simply disable that device’s access. Because the data doesn’t actually reside on the device, it doesn’t carry the risk of falling into the wrong hands.

In Motion

Data in motion is perhaps data’s most vulnerable state. In this digital age, data in motion often means digital transmission through email. With over 100 billion emails sent and received each day, that’s a lot of data to protect. When an email is sent, it often travels a long journey through electronic infrastructure before it actually reaches the intended recipient. As we’ve previously demonstrated, any motivated hacker with the right tools can tap into that infrastructure and intercept your email. The best way to ensure your email and its attachments remain confidential is to utilize email encryption. The best email encryption solution will automatically encrypt email on its way out and decrypt email for the recipient. In the event that it is intercepted along the way, it’s unreadable.

There is a long (and growing) list of organizations that have learned the tragic lesson of what happens when data is left vulnerable and unprotected. This year, make sure your organization isn’t one of them.

Posted in Data Protection Trends

Zix Webinar featuring Forrester Research looked at Hosted Email Encryption

Guest Speaker Kelley Mak of Forrester Research

“The use of email encryption…shows your business partners, your customers, your employees that you take security seriously.” These are the words of Kelley Mak of Forrester Research during our live webcast last Thursday. During our one-hour webinar, I posited that many organizations are choosing hosted email and hosted encryption because they reduce costs: organizations no longer need to maintain in-house infrastructure, and the costs are predictable and manageable.

One of my takeaways from Kelley’s presentation was that customers are now expecting their providers to secure their data. In Kelley’s words, “Apathy is no longer the dominant public sentiment…Customers are actively concerned about their on-line privacy.” I asked Kelley if consumers expect businesses to protect their personal data. He replied that clients now choose to do business with an organization – or with its competitors – based on the security these organizations have in place.

There is also a distinction between organizations that only try to meet their compliance obligations and those that genuinely wish to protect their customers’ sensitive data. He said “the sad truth is…that it is really compliance driven.” However, he went on to predict, “I think you’ll see a new crop of businesses that start to understand the whole aspect of consumer trust, [who] develop really a risk based approach rather than just simple compliance.”

Zix’s key takeaways:

  1. Understand your regulatory environment.

Know your data. This will inform DLP and encryption.

  2. Reinforce the human firewall.

Employees should be familiar with the importance of security over the web and email.

  3. Enforce automated policy with DLP.

Automated enforcement will assist in prevention and in user awareness of data exfiltration.

  4. Enable encryption to succeed.

Automated policy-based encryption should seamlessly eliminate the vulnerability of human error. Encryption should work transparently.

A recording of the entire webinar can be found here.

[Disclaimer: The above represents my views and not those of Forrester Research]

Posted in Email Encryption

Data Privacy Day 2016

Following the wave of security headlines from 2014 (think Sony), 2015 was set up to be “year of encryption” — the year when people got serious about security. With the spotlight on these high-profile breaches, it was supposed to be the year security would take center stage. One year later, it’s clear that while some forward steps have been taken, there is still much progress to be made. So with 11 months left in the year, what will 2016 be known as?

We hope it’s the year of security and privacy.

Today marks the annual Data Privacy Day (DPD). Coordinated each year by the National Cyber Security Alliance (NCSA), DPD is an international effort centered on respecting privacy, safeguarding data and enabling trust.

While we applaud the fact that data privacy is now “mainstream” enough to be celebrated on its own day, every day offers a chance to reinforce the importance of privacy awareness. Thanks to all the media headlines, people are starting to pay closer attention to how they protect themselves and their information. Similarly, it’s important that businesses take protecting customer and client information seriously and take the necessary steps to ensure that sensitive information is protected when it is in their possession. After all, there’s no such thing as being too safe with sensitive information.

As a business, that means first and foremost taking the time to train employees. Your employees are on the front lines dealing with sensitive information and consequently experience the threats firsthand. It’s vital that they understand the importance of protecting this sensitive information and are able to recognize some of the potential threats they might face.

Investing in the right security solutions that meet an organization’s needs is the knock-out punch when it comes to thwarting potential data breaches. Businesses need to be aware of any compliance or regulatory bodies their industry is held to, such as HIPAA, and look to implement solutions which not only fulfill regulatory requirements, but are also effective and easy to use. Outdated and complicated solutions can make everyday tasks difficult, and ultimately they don’t get used. Employees will resort to working around these hassles (read: security measures) to skip the frustration and simply get their work done.

It’s vital to keep employees informed, keep solutions simple and keep data safe.

Stay safe out there!

Posted in Privacy

Human Error – Avoiding Corporate Embarrassment

I am constantly amazed how intelligent people manage to cause harm through silly lapses involving email. The Office for Civil Rights – part of the U.S. Department of Health and Human Services – reports that in 2015, no fewer than 39 healthcare providers and insurers suffered email-related breaches in which more than 500 patient records were exposed. In almost every case, human error was the primary factor causing the breach.

Another most embarrassing incident occurred at Carnegie Mellon University last February when the University apparently broke the hearts of 800 applicants to its master’s program in computer science. The applicants all received an email that ran:

“You are one of the select few, less than 9 percent of the more than 1,200 applicants that we are inviting. … Welcome to Carnegie Mellon!”

The only trouble was, the 800 people were on the list of rejected applicants, and Carnegie Mellon soon followed up with a Dear John email, crushing the dreams of these recipients. And that same kind of human error occurs over and over again – at Drexel University, MIT, UC San Diego, UC Berkeley, Cornell, University of North Carolina at Chapel Hill, New York University, Kellogg School of Management and many more. Similar human errors occur at state agencies, hospitals and corporate businesses covering the length and breadth of North America. It is a fact: humans are constantly committing email gaffes, accidentally sabotaging their own efforts and damaging the brand image of their employers.

ZixDLP is a solution from Zix, the market leader in email encryption. Whereas Zix Email Encryption protects emails in transit across the Internet, ZixDLP protects your employees from themselves. ZixDLP works in the background, twenty-four hours a day, automatically scanning every outbound email – in real time – to detect sensitive information being sent to the wrong people. When ZixDLP detects a suspect email – perhaps addressed to the wrong person, or containing company-confidential information – it quarantines that email and sends an alert both to the sender and to your designated security manager, protecting your organization and employees against human error. Thus ZixDLP gives your business a second chance to check that the information being sent is the right information and that it is going to the right recipients.

Read our new ZixDLP eBook here.

Posted in Data Breaches

The Director of the NSA Endorses Encryption

Admiral Michael S. Rogers

Over the weekend, I caught up with the recent activity at the Atlantic Council in Washington, D.C. They’d managed to entice Admiral Michael S. Rogers, who is not only the Commander of U.S. Cyber Command, but also the current Director of the National Security Agency (NSA) to appear. During a live presentation followed by an hour long interview, Admiral Rogers displayed great passion about a number of issues, including the “increased apertures of exposure” created by the constant connectivity provided by mobile devices; describing the Internet of Things (IoT) as a “double edged sword,” and listing – very succinctly in my view – many of the pros and cons of IoT. However what really stood out for me was his firm belief in encryption. In a clear rap on the knuckles for the naysayers, Admiral Rogers stated:

“Encryption is foundational to the future. So spending time arguing about [it is] a waste of time to me.”

So just why has email encryption taken such a long time to be adopted by mainstream businesses? It is to do with perception, based on old ideas. For many years, a browser search on email encryption would bring up PGP (Pretty Good Privacy), a then groundbreaking computer application created by Phil Zimmermann back in 1991. PGP was arguably the best implementation of public-key encryption, a system where two key parts, a public key and a private key, are used to encrypt and decrypt messages respectively. However, unless the sender and receiver worked out a way to exchange their public keys, third parties were required to become certificate authorities who would vouch for the authenticity of each and every key. Hence well-funded organizations needed to volunteer to become certificate authorities, and even then, how could the lay-person know that a self-proclaimed certificate authority was legitimate? Consequently, PGP became either the hobby of engineers and IT specialists, or was adopted by large multinationals who could afford the IT personnel and infrastructure to support it. It remained out of reach for most businesses.

And there it stayed until recently, as breaches – large and small – repeatedly hit the headlines. Many companies have been looking at modern day email encryption solutions and, as well as finding that some email encryption solutions are easy-to-use and seamless to integrate, they’ve discovered that there are only a few major encryption vendors offering solutions that are truly usable by their non-technical employees. One of these vendors, Zix, is well known for several state-of-the-art functions that make the exchange of encrypted email both secure and easy to use. Firstly, transparency means that for the majority of users, emails are sent by simply pressing “Send,” and appear in the recipient’s inbox already decrypted. It’s a completely frictionless process for both sender and receiver. Secondly, ZixDirectory is the largest shared infrastructure of public email encryption keys in the world: it is accessed automatically whenever the sender presses “Send.” Thirdly, Zix invented and trademarked Best Method of Delivery (BMOD), a method for ensuring that every secure email is not only delivered securely, but also is presented to the recipient in the most easily accessible way.

If like Admiral Rogers, you believe that encryption is foundational to our future, have a look at Zix Email Encryption and then give us a call.

Posted in Email Encryption

Initial Thoughts from Our Newest Team Member, President and CEO Dave Wagner

Dave Wagner joined ZixCorp on January 19, 2016. The following post contains his initial thoughts.

I am very excited to be selected by the Board of Directors to lead ZixCorp through its next phase of growth. Lots of people have asked me, “What about Zix is attractive to you?” There are lots of things, but the three that I would like to highlight are: the enduring nature of the innovative founding vision, the strength of the company today and its opportunity for future growth.


First, the founding innovation of Zix – that you can transparently enable secure communications by securely sharing keys in the cloud – is still the best way to enable the widespread adoption of secure communications. You don’t have to work in Information Security to know that cyber attacks continue to grow at an alarming rate. A recent estimate suggests that the global cost of cybercrime is $445 billion annually. It is further estimated that global investment in Information Security reached $75.4 billion in 2015, growing at 4.7% over 2014. Best-in-class Information Security teams are aware of the risk of data in transit and the need to encrypt sensitive information. Yet our nation only encrypts a small fraction of its most sensitive data. Zix’s solutions, built and improved upon for over 20 years, offer the most transparent, easiest to deploy encryption solutions available in the market today. In addition, the Zix Encryption Network enables this transparency between every user of the service. Therefore, the more users we add to our service, the more valuable our service becomes for our end-users. This network effect of the Zix founding vision remains a key strength and is at the core of why we are forming strong partnerships with leading companies like Cisco and Google.

Second, Zix is a strong company today. I watched Rick Spurr and the team with increasing admiration over the past 12 years as they focused the company and delivered profitable growth. We are a $50+ million revenue cloud-based security company with more than 13,000 customers and 49 million email addresses in our community. We are growing, we are profitable and we are returning cash to our shareholders through our share repurchase program. But the real strength of the company is its people. Our people understand how to simplify security and compliance, and deliver it transparently to our customers. That customer value results in our strong retention and revenue growth.

Third, at Zix we have a tremendous opportunity for growth in the future. The Information Security market is in a time of incredible transition. Computing is moving to mobile devices and to the cloud, and we are in the earliest stages of solving the security challenges of the Internet of Things. These market transitions necessitate the transmission of exponentially increasing amounts of sensitive data. Zix’s innovative cloud-based secure communications service – founded in the ‘90s and honed over 20 years by a team that understands how to deliver encrypted communications easily and transparently for our customers – provides a great platform for growth.

I look forward to working with our customers, partners and colleagues to deliver on the next stage of growth at Zix.


Posted in Company News, Growth

The Email Encryption Placebo Effect – A Bitter Pill

Truth is often stranger than fiction and I love reading about bizarre true facts. For example, did you know that the unicorn is the national animal of Scotland? Or that Saudi Arabia imports camels from Australia, or that Alaska is simultaneously the most northerly, westerly and easterly state in the USA?

Over the holiday, I read about a study that found that branded placebo pills are more effective than, and have fewer negative side effects than, generic placebos. That is, if you give all the patients placebos, the ones who receive placebos labeled Tylenol, Advil or similar will not only feel better, but will also suffer fewer if any side effects. I called up my friend Dr. Jennifer Helms of the nursing school at Arkansas Tech who I know has studied the physiology of pain. I asked her, is this serious research? She told me yes, and that “placebo studies are absolutely fascinating. One study even found measurable hair growth on bald men who were taking placebos.” She went on to tell me that “approximately 30% of people are what is known as ‘placebo responders.’” In other words, some people feel better just because they think they have a solution, even when that solution has no substance.

This reminded me of several of the so-called email encryption solutions floating around just now. They either encrypt every single email – even the ones containing no sensitive information – or they trigger encryption on the basis of a limited set of policy filters. Let’s look at both types. With the first kind of email encryption, most emails are delivered via “push” or “pull” methods. This means that the emails are easy to send, but a real pain in the rear to receive. Imagine having to jump through hoops and waste a couple of minutes to read every single email. The recipient would soon start ignoring these emails, and either your productivity or your customer base would soon begin to shrink. The second kind of email encryption attempts to utilize policy filters; however, these filters are usually restricted in scope: they only detect a limited number of sensitive data types and formats. This means that a great many false negatives get through and are sent in clear text. It means that you think you are protecting your clients, but often are not. This is like a placebo. You believe you have an email encryption solution, and you can check a box believing you are fulfilling regulatory requirements, but in reality a proportion of your business emails containing sensitive customer and employee data are traversing the public Internet in clear text – easy prey for hackers.
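The false-negative problem described above, and the outbound scanning that the ZixDLP post and the tax-season post describe in prose, can be made concrete with a small policy filter. The following Python is an added example, not Zix's product code or anything from the original posts: it runs two rule sets over constructed sample messages. The narrow rule set recognises only a dash-separated Social Security number; the broader one recognises SSNs with dash, space or no separator (with the structural checks the SSA publishes for valid numbers) and payment card numbers validated with the Luhn checksum. The `false_negatives` function reports which sensitive samples a rule set would let out in clear text. Sample messages, the 4111 1111 1111 1111 test card number and the rule names are all constructed for the example.

```python
import re
from typing import Callable, NamedTuple


class Rule(NamedTuple):
    name: str
    pattern: "re.Pattern[str]"
    validate: Callable[[str], bool]  # extra check on the raw matched text


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Narrow rule set: the limited filter the post criticises. It only sees an SSN
# written exactly as ddd-dd-dddd.
NARROW_RULES = [
    Rule("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda text: True),
]

# Broader rule set. The SSN pattern accepts "-", " " or no separator (the
# backreference forces both separators to match) and rejects the structurally
# invalid area/group/serial values: area 000, 666 or 9xx, group 00, serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}([ -]?)(?!00)\d{2}\1(?!0000)\d{4}\b")
# 13 to 19 digits optionally separated by spaces or dashes; Luhn filters noise.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
BROAD_RULES = [
    Rule("ssn", SSN_RE, lambda text: True),
    Rule("card", CARD_RE, lambda text: luhn_ok(re.sub(r"[ -]", "", text))),
]


def scan(body: str, rules: list[Rule]) -> list[tuple[str, str]]:
    """Return (rule name, matched text) for every validated hit in the body."""
    hits = []
    for rule in rules:
        for match in rule.pattern.finditer(body):
            if rule.validate(match.group(0)):
                hits.append((rule.name, match.group(0)))
    return hits


def disposition(body: str, rules: list[Rule]) -> str:
    """What the gateway would do with the message: encrypt it or send it in clear."""
    return "encrypt" if scan(body, rules) else "send-clear"


# Constructed sample messages: (body, contains NPI that must not leave in clear).
SAMPLE_EMAILS = {
    "ssn_dashed": ("Attached is the W-2 for Jane Doe, SSN 123-45-6789.", True),
    "ssn_spaced": ("Jane's SSN is 123 45 6789, please file by Friday.", True),
    "card": ("Bill the prep fee to the card on file: 4111 1111 1111 1111, exp 04/18.", True),
    "benign": ("Hi Sam, the client meeting moved to 2 pm. Call me on 555-123-4567 "
               "if that clashes. Invoice 1000245 is paid.", False),
}


def false_negatives(rules: list[Rule]) -> list[str]:
    """Names of the sensitive samples this rule set would send in clear text."""
    return [name for name, (body, sensitive) in SAMPLE_EMAILS.items()
            if sensitive and disposition(body, rules) == "send-clear"]


def false_positives(rules: list[Rule]) -> list[str]:
    """Names of the benign samples this rule set would needlessly encrypt."""
    return [name for name, (body, sensitive) in SAMPLE_EMAILS.items()
            if not sensitive and disposition(body, rules) == "encrypt"]


if __name__ == "__main__":
    for label, rules in (("narrow", NARROW_RULES), ("broad", BROAD_RULES)):
        print(f"{label}: false negatives={false_negatives(rules)} "
              f"false positives={false_positives(rules)}")
```

Widening the patterns is what closes the gap the post describes, but it also raises the false-positive rate (any nine-digit account number now looks like an SSN), which is why real filters add context keywords and per-rule confidence rather than a single regex per data type.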

There is still only one solution that has the most effective, most granular policy filters in the email encryption industry, and that utilizes Best Method Of Delivery (BMOD) to deliver secure email in the most user friendly, convenient way. It is Zix Email Encryption and you can read more about it here.

Posted in Email Encryption

Zix Webinar Features Independent Analyst Discussing Cloud Based Email

Many organizations are looking to ensure the success of their migration to cloud-based email, either now or in the next few months. While the transition offers cost and time savings, you may soon come across a few limitations, and email encryption is one of them. With the increase in the number of data breaches and external threats, this is not an area of your business operations that you want to overlook.

I am delighted to announce that Kelley Mak of Forrester Research will be joining us for our January 21 webinar. He and I will be discussing how Zix Email Encryption interoperates with many cloud email providers, giving users an easy-to-use, yet secure, email experience. Kelley will be answering not only my questions, but also questions submitted by the audience about how secure email encryption can complement an already capable suite.

During his early career, Kelley spent time at Boston College studying the electromagnetic properties of metamaterials, specifically investigating metamaterials for use in levitation: If you think I’m kidding, just do a web search on “Epsilon-Near-Zero Metamaterials.” Kelley then went on to become a senior research associate on Forrester’s Security and Risk team. In that role, he conducted research on network and data security adoption trends, benchmarks, and organizational models. He has also worked with various Forrester analysts on teams covering a wide range of security topics.

These days, Kelley is a researcher who supports security and risk professionals. His research concentrates on network and data-centric security, data protection, and privacy. He is a regular attendee at RSA and at Black Hat events.

Please join me on Thursday, January 21, at 2 pm, Eastern as I interview Kelley on the topic of protecting your cloud-based email. You can register here.

Posted in Email Encryption, Email Encryption Trends