Digital Communications Your Business Should Be Encrypting And Securing
Your business is responsible for securing all the data you possess, even if just for a moment. Your customers expect you to take their privacy seriously and keep their data secure at all times. With data breaches occurring at alarming rates, often unreported for long periods of time (even years), data security is more important than ever. That includes encrypting and securing all data.
To emphasize the vulnerability of data, here’s a visual representation of data breaches going back to 2005. You’ll recognize many of the businesses on the chart. It’s understandable (although not acceptable) that data breaches would occur so often in the beginning. However, end-to-end encryption technology has been available to everyone for quite some time, leaving no excuse for businesses choosing not to use it.
Data breaches cause customers to distrust using their credit cards online, wondering if they can trust the security measures of the business. Unfortunately, many customers don’t know to look for HTTPS when making online payments, so it’s up to each business to create a secure transaction.
The devastating effects of a data breach – it can happen to anyone
In 2013, Target announced their database of nearly 40 million customers had been hacked. This included credit card information.
In September 2017, Equifax dropped a more shocking bit of data: the personal data of 143 million Americans (about half the country) has been compromised. That data includes social security numbers, address, phone numbers, and driver’s licenses.
This article from CNN’s Money section describes more of the biggest (and recent) data breaches:
Yahoo! had two major breaches. In 2016, 500 accounts were stolen. Several months later, they disclosed a second breach that involved over one billion accounts.
Myspace reported 360 million usernames and accounts hacked by a hacker who calls himself “Peace.” This is the same hacker responsible for LinkedIn’s 2012 breach that wasn’t even disclosed until 2016.
How could some of the biggest corporations allow themselves to become susceptible to data breaches? More importantly, how can you avoid the same fate?
The first thing to understand about hackers is that most of them don’t care how small your business is, they just want your data. Some hackers only target large corporations but many target small businesses because they know security is weaker.
To make sure you don’t end up falling prey to the next big data breach, here are two communications your business should be encrypting and securing as soon as possible:
Customer support emails
At first glance, encrypting and securing all customer support emails seems unnecessary. They’re usually conversations about technical difficulties, unmet expectations, praise for good service, and so on. While it’s not technically necessary to automatically encrypt all communications, it could save you the hassle of dealing with data security issues later.
Reasons you should be encrypting and securing all emails
- Accidental disclosure of sensitive data. Your staff may never ask a customer for their credit card information. Still, some customers will send it in the body of their email when they’re seeking a refund or an exchange. This lines up several potential problems:
Each new email reply contains the whole of the conversation up to that point. The customer’s credit card information is flying over your network (and other networks), unencrypted, each time a reply is sent by either party. Hopefully, your support staff will delete the credit card information when sending their initial reply, but sometimes company policy doesn’t allow for that.
- Requests for sensitive information. If you’re a freelancer or running a small team without an accounting or payroll department, you may get requests from clients to send your bank account number over email. This makes sense, but sending your bank account number unencrypted is a risk.
- Your company might be bound by regulations. If your business is bound by compliance rules like PCI or HIPAA, you can’t send certain emails unencrypted. It’s tedious having to remember to encrypt some emails but not others. Encrypting and securing all emails takes the burden off of your memory.
How to secure your emails and maintain compliance
You’ve probably heard of Microsoft’s 365 Encryption service that comes as an add-on to the Office 365 package. Microsoft offers a host of robust security options, but according to Gartner’s research, 35% of their customers still use third-party email security solutions.
Microsoft’s services work for most people, they’re just incomplete for businesses that require a higher layer of security by law. For instance, businesses bound by regulations like HIPAA, CJIS, EAR, and PCI require end-to-end encryption that Microsoft doesn’t provide. If you’re using Microsoft’s services, your unencrypted data must scanned on their servers, which violates some data residency regulations.
The solution is to use a third party email encryption service for encrypting and securing data. It scans your data before sending. There are plenty of plugins on the market but few are easy to use cross-platform.
Azure RMS, which includes Microsoft Encryption, requires the user to include a specific line of text in the email being sent in order for that email to be encrypted. This isn’t a foolproof method due to the following potential circumstances:
- The user forgets to include the text in the body of the email.
- The user keeps the text in their signature but that signature only shows up when they use their main device.
Recipients who have configured Azure RMS on their email servers can read all messages without hassle. Recipients who don’t have RMS configured on their email servers will be required to download an HTML attachment in order to read the encrypted email. Then, they’ll need to authenticate using a Microsoft account. It works, but it’s a hassle for users who aren’t using the same configuration.
Supplement your existing security for easier encryption
An email encryption service like Virtru makes all of these tedious situations easier. As explained in a detailed breakdown of how Virtru’s services supplement Microsoft and Azure, “Virtru users can read emails directly from their inboxes. Non-Virtru users can read and respond to emails from a web-based Secure Reader after authenticating with their existing credentials. Reading an email secured by Virtru will not require a new password or new software.”
The difference is Virtru scans end-user content before its sent. This makes it compliant with regulations like HIPAA. Also, it prevents Microsoft from accessing your data. Unlike Azure RMS, Virtru’s usage and access controls are available to anyone that accesses your content. These controls include revoking message access, message expiration times, forwarding tracking, receipt reading, and PDF watermarking.
Video conferencing is a standard way for remote and overseas teams to communicate. With so much focus on improving the quality and outcome of conferences, there’s been little focus on security. However, encrypting and securing your video conferences is vital.
Most conferencing software encrypts all conferences as a standard feature, but if yours doesn’t, it’s a good idea to move to a platform that does. Video conferencing signals have been using AES encryption for a long time, and it’s not easy to hack. However, if you’re not careful with your call-in settings, you could end up with unauthorized attendees on the line. The end result is your sensitive data will be compromised.
Encrypting and securing are not enough protection for video conferencing
Security expert HD Moore from Rapid 7, a company that looks for security holes in computer systems, gained unauthorized entry into the boardroom meetings of high-profile corporations. These companies included venture capital and law firms, pharmaceutical and oil companies, courtrooms, and even Goldman Sachs. In total, he found over 5,000 open conference rooms.
The hacked video conferencing systems were expensive, high-definition conferencing units. They were for in-house use rather than as web-based solutions like Skype and Slack. However, web-based applications can be equally insecure.
The vulnerabilities Moore exploited allowed him to take control of multiple cameras, exploring the rooms in detail. The rooms weren’t freelancer bedrooms and coffee shops of freelancers. They were considered private rooms for top-secret company discussions.
No unauthorized persons can gain physical access to these rooms, so there’s no reason to think stacks of paperwork and sticky notes with passwords might be at risk during a staff meeting. Moore’s ability to take control of the camera – and see fine details – proves otherwise.
“In one room,” reports the New York Times, “he zoomed out through a window, across a parking lot and into shrubbery some 50 yards away where a small animal could be seen burrowing underneath a bush.”
If that level of detail can be seen remotely through a camera, it’s critical to be extra cautious about who you include in your conferences. However, that’s part of the problem. Without changing some specific security settings, people can join your conference undetected.
Why is it so easy to gain access to someone’s video conference?
Newer conferencing systems come with a feature to automatically accept incoming calls, making it easier for users to join. This makes sense for the user, but administrators need to be proactive and password protect the auto answer feature.
The reason Moore was able to hack these rooms so easily is that administrators set them up outside of the firewall. It takes effort to set up a conferencing system behind a firewall that allows incoming calls from other companies. Many businesses don’t want to deal with the complex task of network configuration.
By not encrypting and securing your video conferences, you’re putting others at risk
Another layer of concern, Moore points out, is that companies that do put their conferencing system behind a firewall are still accessible. It comes down to the company directory. That’s how he discovered the Goldman Sachs’ boardroom. Their room was behind a firewall. However, it was accessible from the law firm directory. Plus, the conference room was not behind a firewall.
You can find out more about how this security exploit experiment was executed by reading this article directly from Rapid7.
How to make your video conferences more secure:
- Either turn off or secure the feature that automatically answers incoming calls.
- Password protect all conferences.
- Set all incoming calls to automatically mute.
- If it works for your business, get a lens cap for your video camera.
- Hold your meetings in a neutral room that doesn’t house important paperwork or sensitive data.
- Create a standard for your meetings that requires attendees to remove sticky notes from their laptops and other items that can be read by zooming in.
- Have your IT team properly configure a gatekeeper to connect calls that come in outside of your firewall.
By encrypting and securing your communications, your customers see you care about their privacy. And, you earn their trust.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.