New York State puts the hammer down on cybersecurity for financial services – with global implications!

If you are a financial services firm operating in New York State, as of March 1, 2017 your world has changed. Even those not operating in New York and not in financial services should pay close attention. Rules promulgated in New York have a way of spreading worldwide when it comes to financial services and public companies. I predict these rules will eventually become standard for any company listed on the NYSE or Nasdaq, and from there spread to all public companies worldwide. The link to the rules is HERE.

There are many implications in these rules. I will focus on just a few related to Evizone’s specialty of electronic communications, in order to encourage you to read the rules and think about what they mean for your business. The rules require (among many other things):

  • Encryption of Nonpublic Information held or transmitted both in transit over external networks and at rest;
  • Secure disposal on a periodic basis of any Nonpublic Information that is no longer necessary for business operations or for other legitimate business purposes, except where such information is otherwise required to be retained by law or regulation;
  • Multi-factor authentication;
  • Audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of normal operations.

The Chairman or an appropriate senior officer of the firm is required to certify compliance, in writing, with these rules annually.

These rules have profound implications for electronic communications. Here are just a few:

  1. Use of regular or encrypted e-mail for Nonpublic Information outside the firm’s networks is non-compliant (e.g. when communicating with external auditors, law firms, consultants, etc.), since multi-factor authentication cannot be enforced, encryption at rest is questionable, secure disposal is not enforceable and audit trails once the information has been sent are non-existent;
  2. Comprehensive monitoring of all types of electronic communications is required to ensure Nonpublic Information is not being transmitted inappropriately. This monitoring system must have a strong governance model, maintain non-tamperable audit trails, be encrypted in motion and at rest, require multi-factor authentication and ensure secure disposal in accordance with policy;
  3. Electronic communications records on laptops and mobile devices are subject to these requirements as well. If a laptop goes missing with megabytes of Nonpublic Information held in old e-mails and documents on the hard drive, that is a major fail under these rules;
  4. Compliance archiving systems must also ensure encryption in motion and at rest, require multi-factor authentication, maintain non-tamperable audit trails and ensure secure disposal in accordance with policy;
  5. While not mentioned specifically, there is an implication that encryption of documents at rest must be kept up to the latest standard. A five-year-old document protected with five-year-old encryption is effectively not encrypted once the old standards become vulnerable.

I could go on and on, but I believe the point has been made. Current methods of electronic communications and compliance archiving simply do not satisfy these rules. Firm Chairs or Officers who certify that they do are at great risk.

Fortunately at Evizone we have been working on these issues for years. Evizone’s Secure Communications and Communications Governance products do comply with these rules in every respect. Give us a call to find out how we do it. We will be happy to show you.

Bill Wells is the Chairman of Evizone. This blog originally appeared on Bill’s LinkedIn page.

Is cybersecurity dead? Not by a longshot

It’s a provocative title. An op-ed in Forbes declared that Cybersecurity is Dead. Author Mike Baukes writes that:

It is 2017, and we now have ample evidence proving that the false promise of so much cybersecurity — that risk can be entirely eliminated with one simple program — will, barring a technological revolution, never be realized.

The data is in: Cybersecurity is dead. Even as global cybersecurity spending is expected to balloon to over $100 billion by 2020, the frequency and severity of cyberattacks continue to grow, with seemingly no end in sight. While exploits and hacking tools become even more widely available and simple to deploy, there has been little commensurate progress in beating back attackers, who continue to find success striking at persistent, common weak points. How is this possible?

The answer is one that must chagrin any CISO spending exorbitant amounts of money on cybersecurity programs: The entire conception upon which cybersecurity rests — of constructing a castle, against which any marauding attackers stand little chance of breaching — is barely of use.

It would be mildly amusing but for a simple fact: The integrity of sensitive data, ranging from your grandmother’s medical records to your personal financial information, relies on its secure storage by a dizzying array of institutions. It is no exaggeration to say that cyber risk — the accumulated potential for the exposure of privileged data — is a matter of life and death, as seen in the frightening effects of cyberattacks on the healthcare industry across the world. The existing conceptions of how IT systems can be secured and protected must be discarded in favor of a new and more diffuse understanding of cyber risk.

He makes a good point. A chain is only as strong as its weakest link. If data isn’t stored on secure servers, even the most advanced software in the world won’t protect your information.

But to say cybersecurity is dead is hyperbole. What needs to be done is to radically rethink the general approach to online communications and data storage.

Thankfully, Evizone has already done the rethinking.

Our two products, Evizone Secure Communications (ESC) and Evizone Communications Governance (ECG) provide the strongest commercially available system for secure communication and document sharing.

Evizone has created the ideal proverbial digital castle: all data transmitted through Evizone is stored on servers protected with patented military-grade technology. Nothing is ever stored on external devices, meaning a lost or compromised cellphone or computer does not expose any information.

Evizone provides its clients with a closed-circuit system, the only way you can have true secure communications in the twenty-first century. What use is a castle if the drawbridge is always down?

Far from dead, cybersecurity just needed to be approached from a different angle. Evizone brings you to the forefront of this new way of thinking.

University emails at high risk of hacking

A new report from the Digital Citizens Alliance called Cyber Criminals, College Credentials, and the Dark Web demonstrates the enormous challenge that arises from insecure higher education emails and the damage they can cause.

Over the past eight years, researchers have discovered 13,930,176 e-mail addresses and passwords belonging to faculty, staff, students, and alumni at the 300 largest higher education institutions in the United States available to cyber criminals on Dark Web sites. Anyone can purchase the data and use the emails to carry out their fraudulent schemes.

While many of the accounts were stolen from staff and students, some of the emails available for sale in the digital underground are fake emails. While not attributed to a real person, these addresses use the institution’s domain name, taking advantage of the credibility often associated with a .edu address.

The non-profit’s press release notes that “fake e-mails can be used to scam others in the university and college communities. Criminals can also use fakes to take advantage of discounts offered to students and faculty on software and various other products.”

The University of Michigan-Ann Arbor led the pack with 122,556 credentials for sale on the dark web, but the Massachusetts Institute of Technology (MIT) ranked highest in terms of the ratio of fake to legitimate emails. For every legitimate email with an MIT domain name, there are 2.81 fake emails – a truly staggering number.

The report recommends universities share the following tips to reduce the risk of compromised email accounts:

  • Use a mix of uppercase, lowercase, numbers, and special characters
  • Make the password as long as the system allows
  • Think in terms of passphrases instead of passwords
  • Use a random password generator to avoid social engineering
  • Do not re-use university provided password for other systems
  • Change passwords at least annually or if exposure is suspected
  • Consider using a password vault to store passwords
  • Never share passwords with others
  • Report any suspicious activity to local law enforcement or the institutional IT incident response team

These are fine recommendations, but they ignore the fact that there are still plenty of other ways to access the accounts. Email is an inherently flawed form of communication, and it’s time to look for safer and more advanced alternatives.

One of these alternatives is Evizone Secure Communications (ESC), our proprietary technology that offers the strongest commercially available system for the secure exchange and compliance archiving of electronic communications.

The Digital Citizens Alliance report should concern educational institutions everywhere. If they’re serious about their cybersecurity, they should reach out to us or sign up for a free trial at http://evizone.com/free-trial/.

WannaCry is why you should never store your data on an insecure device

The breaking news arrived early Friday afternoon. Hackers managed to restrict access to important data files at Britain’s National Health Service, canceling surgeries and causing hell for emergency room doctors and nurses. By the end of the weekend, the unleashed ransomware affected hundreds of thousands of computers in over 150 countries. It was the largest ransomware scheme in history, affecting hospitals, banks, telecommunications companies, and a host of players in other vital sectors of our daily lives.

It’s still too early to know exactly who launched the attack that preyed on vulnerabilities found in Microsoft’s older operating systems (some are already pointing the finger at North Korea). However, what is clear is that the hackers stole the complex coding from the NSA, who kept files on Microsoft’s weaknesses. While Microsoft issued security patches for newer operating systems to avoid mass-scale breaches, they left everyone else – including those running the still popular Windows XP – unprotected. The hackers are now threatening to take advantage of security gaps in Windows 10 and to expand their damage.

When it comes to internet security, you cannot rely on anyone but yourself. Governments like to flaunt cybersecurity strategies and claim that they’re preparing for the future. Yet when an attack comes, there’s little they can do. In this case, the coding for the global crisis came from a government agency. Similarly, Microsoft failed to protect their most vulnerable users, even after hints that a virus could exploit the issues in their platform.

When it infected a computer, the WannaCry ransomware warned affected users that files on a system would be erased if a bitcoin payment was not made. Decades of medical records in Britain were held hostage, as were financial documents and proprietary information around the globe. The destructive nature of this threat was catastrophic.

While Microsoft may not be able to protect all its users, there is no reason for people to be held at digital gunpoint. The issue at hand here is the proper storage of files. If important files are not stored directly on a computer, that computer can be compromised without any worry about what happens to those files. Getting hacked is not ideal, but it’s much less worrying if you know that all your files are safe and cannot be held for ransom.

This is what using Evizone brings you. Whether your phone gets stolen, you get hacked, or you lose your computer, you can rest assured that all your files are stored in a single, secure server protected by Evizone’s patented encryption. Since no files are actually stored on any device you would normally use to access the data, there is no way for hackers or thieves to gain entry into your most sensitive information.

Who is Evizone right for? The answer is simple: everyone. Whether you manage a Fortune 500 company, run a hospital, work at a law firm, or head a small investment company, you stand to lose in the event of a systems breach, whether it’s indiscriminate or targeted directly at you. Don’t wait until it’s too late to take cybersecurity seriously.

Are cyberattacks in Canada ‘exploding’?

While cybersecurity issues have existed since the first days of connected computers, there is no question that hackers are becoming more sophisticated as every day passes. This has prompted many to ponder the consequences for the future of business. Warren Buffett recently told Berkshire Hathaway shareholders that cyberattacks are a bigger threat to the world than nuclear weapons. “I don’t know that much about cyber, but I do think that’s the number one problem with mankind,” he told them during their annual meeting.

Businesses have already been convinced to fork over billions to hackers to regain access to their data – $3 billion over the last 3 years, according to one estimate. Cyberattacks have also had a perplexing effect on recent elections around the world, most notably those in the United States and France.

Canada, of course, is not immune. Not by a longshot. Check our blog archives for proof. One American cybersecurity firm expects their business in Canada to grow 30% this year and double every year after that. FireEye Inc.’s president told Postmedia that “We’re starting to see Canada really start to explode … It’s a trend we’re going to see getting a lot worse before it gets better.”

Similarly, the Paladion firm in Ontario says that Canadian companies spend less than Americans on cybersecurity. While in the U.S. it is common to set aside two to five percent of an IT budget on these matters, Canadians routinely plan for less.

No one should wait for their data to be taken hostage by cyber criminals to take digital security seriously. Not even Canadians.

There are plenty of companies offering “email protection” and digital security services – though anything alluding to safer emails is a clear oxymoron. However, Evizone is the only company that offers full-circle control of all communications and content. If you’re using our Evizone Secure Communications (ESC) system, only one copy of each message and copy-protected document exists on a secure server with double layer military-grade encryption. Users never take possession of the data, so there is nothing to find on a lost device or to hack on a compromised device.

Cyberattacks may be exploding, but you can rest easy at night knowing that Evizone’s patented technology is keeping you safe.

Email generates $3 billion in spear-phishing losses targeting 400 businesses a day! Are you next?

When computer engineer Ray Tomlinson sent out the first email in 1971, there is no way he could have imagined how conventional this method of communication would be just 46 years later. Some estimates suggest that 2.4 million emails are sent every second, which translates into over 75 trillion emails per year.

Yet as revolutionary as email has been, it has propagated a slew of security issues.

Symantec Security Response recently published its Internet Security Threat Report, which seeks to bring insight into cybersecurity data collected over the past year. And by all accounts, 2016 was a doozy.

According to the software company, one in 131 emails contains a malicious link or attachment, the highest number tracked over the last five years. This presents an enormous security risk. Even employees in modest-sized companies get hundreds to thousands of emails daily. All it takes is one click on a corrupted link for the business’ data to be at risk. In fact, the report found that spear-phishing scams extracted more than $3 billion from businesses over the last three years, targeting over 400 businesses every day.

Cybercriminals love ransomware for this reason, and the U.S. is the country most likely to be targeted in the world. Cloud services are also making it easier for hackers to gain access:

“Symantec found 64 percent of American ransomware victims are willing to pay a ransom, compared to 34 percent globally. Unfortunately, this has consequences. In 2016, the average ransom spiked 266 percent with criminals demanding an average of $1,077 per victim up from $294 as reported for the previous year.

[…]

A growing reliance on cloud services has left organizations open to attacks. Tens of thousands of cloud databases from a single provider were hijacked and held for ransom in 2016 after users left outdated databases open on the internet without authentication turned on.

Cloud security continues to challenge CIOs. According to Symantec data, CIOs have lost track of how many cloud apps are used inside their organizations. When asked, most assume their organizations use up to 40 cloud apps when in reality the number nears 1,000. This disparity can lead to a lack of policies and procedures for how employees access cloud services, which in turn makes cloud apps riskier.”

Email served us well for a long time, but it is an inherently flawed and outdated technology. The vulnerabilities to personal and corporate security found in email are nonexistent in Evizone’s secure communication platform, which provides TELM electronic communications security.

No business should have to beg criminal organizations that use technology as a weapon for mercy. Whether you’re a small business or a multi-billion-dollar firm, it is time to switch to Evizone for all your communication needs.

You may have to cross a border, but your data can stay safely at home

With bipartisan support, the Protecting Data at the Border Act has been introduced in the United States House of Representatives and in the Senate. The bill would require customs and border officials to obtain a warrant based on probable cause before searching the electronic devices of travelers. It would also prevent “law enforcement from denying or delaying entry to the country if a person refuses to turn over PIN numbers, passwords, or social media account information”, according to Real Clear Policy.

But here’s the caveat: the bill would only apply to the devices of a “U.S. person”. For everyone else, the current unconstitutional vacuum would likely persist.

As the Electronic Frontier Foundation points out, non-citizens are already likely to face different treatment at the border:

“The consequences for refusing to provide your password(s) are different for different classes of individuals. If you are a U.S. citizen, [Customs and Border Protection] cannot detain you indefinitely as you have a right to re-enter the country. However, agents may escalate the encounter (for example, by detaining you for more time), or flag you for heightened screening during future border crossings. If you are a lawful permanent resident, agents may also raise complicated questions about your continued status as a resident. If you are a foreign visitor, agents might deny you entry to the country entirely.

But whatever your status, whether you choose to provide your passwords or not, border agents may decide to seize your digital devices. While CBP guidelines set a five-day deadline for agents to return detained devices unless a CBP supervisor approves a lengthier detention, in practice, device detentions commonly last many months.”

For citizens, residents, and foreign travelers alike, the best way to protect yourself at the border is if your sensitive data is not on your digital device when you cross the border. Whether you are coerced into giving up your information or a search warrant is obtained against you, your documents and communications can remain securely held within Evizone’s encrypted server, easily accessible world-wide, and yet never on your device. Your data will never cross a border.

This is true no matter where you are traveling. While the focus is often put on the United States because of its commitment to freedom, your data is even more likely to be searched everywhere else – often in places with fewer constitutional rights.

Next time you travel, save yourself some worry by signing up for Evizone Secure Communications. With our unique security architecture – which never stores information on your device – and military-grade encryption, you can communicate safely worldwide.

Evizone can protect you against the police’s Stingray devices

News that governments have been using IMSI catchers to collect mobile device data is not new. Back in September 2016, we shared information on our blog about how one correctional facility in Ontario used these devices to monitor cell phone transmissions within the prison. The repercussion was that the prison guards’ own phones were being intercepted and their communications monitored as well.

Now we have more information: police forces across Canada are using these devices to monitor regular Canadians. The Ontario Provincial Police, the Calgary police, and Winnipeg police have confirmed that they are using IMSI catchers, according to the CBC. The RCMP had already confirmed using Stingray technology to assist Toronto and Vancouver police with investigations. The CBC contacted 30 different law enforcement agencies, but only Calgary answered in full.

The CBC report states that “while Ontario and Winnipeg police refused to say whether they use the technology to intercept private communications, Calgary police and the RCMP insist they only deploy their IMSI catchers to identify — and occasionally, in the RCMP’s case, track — cellular devices.”

They also described the surveillance tool as vital when “used under warrant to help pinpoint suspects, and as a first step toward applying for wiretaps in serious criminal and national security investigations.”

Many are worried about what these devices can be used for. As the B.C. Civil Liberties Association expressed, “we want the police to have the appropriate tools.” Yet at the same time, the public should care that they “don’t have the appropriate oversight and that those tools have the potential for abuse.”

As we wrote in September, IMSI catchers access information that is unprotected or only moderately encrypted. If you’re storing information directly on your phone, it can be accessed. If you’re storing information in an account that is always logged in on your phone, they can likely access it too. It’s also unclear whether criminal elements could have access to these types of monitoring systems.

With Evizone’s patented military-grade storage and encryption, there is absolutely no way for the government to access your data with this questionable technology. Evizone’s mobile app uses numerous security features to protect your data and always logs out when you exit the app.

We respect the work done by police forces across the country, yet we do not have a clear picture of what Stingrays are used for, and it’s unclear whether there is any oversight. For this and many more reasons, everyone should take precautions and protect their data today.

WhatsApp, encryption and public safety

Last month brought news of yet another lone wolf terror attack, in London this time, and yet another instance involving modern communications technology. It seems that the attacker was communicating on his smartphone using WhatsApp just moments before the attack. Naturally the security services want to know who he was communicating with and the content. The wrinkle is that WhatsApp is refusing to break its own encryption to cooperate with the authorities.

At Evizone we have thought long and hard about the dynamic tension between legitimate rights to privacy and the public good. It is technically feasible to build an encryption system so that not even we could break our own encryption. Possibly this is what WhatsApp has done. Is it the right thing to do however? We think not. There are circumstances, and the London attack is certainly one, where the public good must prevail.

Furthermore, Evizone’s secure communications and compliance systems are designed for use by enterprise and government. The need for transparency in the workings of the organization is just as imperative as the need for security. Imagine if employees or public servants are all communicating with unbreakable encryption so no one can monitor what actually is going on. This is why compliance regulations and the duty to provide “Proof of Supervision” exist. The need to maintain transparency and oversight while still preserving appropriate security of sensitive information is critical. Unbreakable encryption and “Proof of Supervision” are mutually exclusive.

It is a difficult needle to thread, but we have done it at Evizone. Information is secure when it needs to be, but transparency and control are maintained and “Proof of Supervision” is unquestioned. Give us a call and we will be happy to show you how we do it.

Bill Wells is the Chairman of Evizone. This blog originally appeared on Bill’s LinkedIn page.

Law firms should worry about their cybersecurity

It should be no surprise that law firms store vast amounts of confidential and valuable information in their digital networks. This makes them a treasure trove for hackers – and all too often, an easy target.

As the National Post reported in their March 22 issue, the potential for a breach has led many Canadian law firms to focus more on cybersecurity. Past intrusions – including recent reports that nearly 500 UK law firms and two in the U.S. were infiltrated by hackers – help make the case.

The National Post reached out to Miller Thomson LLP lawyer Imran Ahmad for comment, who said that “Law firms are fertile ground for hackers because they have precious financial information, like transactional information, client information, and human resource records, that allows hackers to build online profiles of individuals.”

The article continues:

“Canadian law firms have hardly been immune from cyberattacks. The most high-profile attack in Canada started in September 2010 when hackers compromised the security of seven major Canadian firms — Blake, Cassels & Graydon LLP and Stikeman Elliott LLP among them — involved in BHP Billiton’s proposed takeover of Potash Corp. of Saskatchewan. Both Blakes, counsel to BHP, and Stikeman Elliott, counsel to Potash, say that no client information was compromised.

An investigation revealed that the spyware responsible had been formulated on a Chinese-language keyboard and could be traced to servers in China linked to state-owned enterprises.

It was no secret that the Chinese government, worried about a global potash monopoly, opposed the deal. As the Chinese have long been accused of resorting to cyberespionage for various political and commercial purposes, the evidence implicating China was telling.

It subsequently emerged that an unrelated attack had targeted another major M&A, while a third was aimed at high-profile litigation.”

This issue is a big business problem for law firms. If clients can’t trust that their representatives properly secure their confidential information, they may consider leaving for another, more cyber-enlightened firm. Legal practices cannot ignore this issue in the twenty-first century.

Imran Ahmad also added that 2017 will be a big year because new privacy legislation “will require custodians of data, including law firms, to report information security breaches that pose a ‘real risk of significant harm.’”

Luckily, Evizone provides the exact services law firms need to keep their worried clients at ease.

With Evizone Secure Communications (ESC), client and internal communications are protected by the strongest commercially available system for the secure exchange of messages and documents. Our patented technology ensures that client data is not exposed. Evizone Communications Governance (ECG) adds the benefit of complete transparency and accountability, giving law firms the tools to assure clients of their security. ECG’s powerful discovery tools can also automate discovery processes, resulting in greater efficiency and happy clients.