One of the greatest weaknesses in an organization's cybersecurity strategy isn't technical at all. It's your employees: those who shortcut security processes in order to streamline communications or increase productivity.
When cybersecurity layers add extra steps to a task, deadline-driven employees are more likely to take the quick route rather than the secure one, believing that such circumvention is relatively negligible. But the fact is that self-sabotage is a serious vulnerability for all organizations, and it's one that's unlikely to go away easily or quickly.
Recently, for example, a Viacom server with a gigabyte of stored login credentials was found online without any access controls. Though those credentials weren't stolen, such a huge amount of sensitive data left exposed reveals the depth of the problem.
As cyberattacks dominate headlines, organizations should understand that being aware is not the same thing as being protected. And protocols or security tools that are bent in even tiny ways can create great risk. Compound this risk with the tenacity of motivated hackers, and it's clear that human-induced, unintentional exposure is a threat all enterprises should be concerned about.
Understanding the High-Value Data in Email
Email is on the front lines of cybersecurity, but even so, many users underestimate how much valuable information is in the average inbox and how vulnerable this information is when being shared.
While the fundamental information that emails contain spans a broad range of sensitivities, a hacker's goal is to extract personally identifiable information (PII) or proprietary data. This information might have monetary value of its own, or it might help hackers gain access to separate and more secure data caches. In any case, sensitive information exists in most emails.
Here are a few examples:
- Healthcare information or financial records
- Titling information when someone is closing on a home
- Information on minors in education systems
- Elements of corporate strategy, earnings, customer data or intellectual property
PII and proprietary data have become so pervasive with the rising use of electronic communication, in fact, that most users don't think twice before sending them along. And though an information breach is a major problem in and of itself, organizations that don't tighten their email security standards and create better systems for employee management subject themselves to issues beyond cyberattacks, such as lawsuits, loss of customer trust, public relations problems and regulatory penalties.
Fortifying the Inbox
It would be much easier if all employees would follow the necessary protocols when communicating electronically, but with so many variables in employee knowledge and processes, organizations need to develop a more comprehensive and unified system of email security. That's why we developed ZixEncrypt, a multi-dimensional solution that's designed to secure email while mitigating the risk of user error.
Messages sent through our system are automatically encrypted through a technique known as Secure/Multipurpose Internet Mail Extensions (S/MIME). Emails that travel from organization to organization in the Zix Encryption Network travel from S/MIME to S/MIME, the most secure method of communication that we offer. Thus, the emailed information is rendered meaningless to anyone who intercepts it. And because the encryption is automatic, users aren't required to take any extra steps to ensure consistent security. Ultimately, these safeguards provide far more comprehensive email protection without inhibiting workflows or burdening operations.
Most importantly, however, our encryption solution doesn't stop at the point of travel. With our recent acquisition of Entelligence Messaging Servers (EMS), we're also able to secure email at rest. What this means is that we bolster standard encryption practices that protect emails as they travel from address to address by also encrypting messages lying dormant in an individual's inbox.
This heightened and multi-layered security measure is critical, because even if a hacker does gain access to an organization's system, that organization has this fail-safe in place. And yet, data at rest remains a blind spot in many corporate security strategies.
While employee education and training are a great way to adopt a better security strategy, it's time for organizations to admit the inherent risks they face in the increasingly volatile cyber landscape and secure their communications so that employees aren't left bearing the brunt of responsibility. Because, ultimately, you need a cybersecurity strategy that works even when users don't.