}

Archive for category: Email Security

Email Encryption Systems for Canadian Data Residency Requirements

/0 Comments/in , /by

History of The Privacy Act

Email encryption, worrying about where data was stored, was not a concern when every company kept paper files in locked cabinets.

Canada has been regulating the management of personal information privacy for almost 35 years, ever since the Government of Canada enacted the Privacy Act in 1983.

This Act applied to departments within the Government of Canada as well as each provincial government system.

Twenty years later, in order to address the privacy issues that accompanied the development of online commerce, the 1983 requirements were broadened to include private sector organizations that electronically maintain personal information.

What Is PIPEDA?

Email Encryption for Digital Privacy Act RequirementsThese new parameters were established in 2004 under the Personal Information Protection and Electronic Documents Act (PIPEDA).

PIPEDA originally applied only to the federally regulated private sector.

For example, banks, airlines, and telecommunications companies were required to follow the guidelines, but businesses, such as retailers, were not subject to its conditions.

More recently, PIPEDA was amended to include provincially regulated organizations, such as many businesses within the retail sector, service industries, manufacturing, and more.

However, the requirements do not apply to personal employee information; rather, they apply strictly to personal consumer information.

On June 18, 2015, the Canadian Parliament passed the Digital Privacy Act (DPA), thereby amending PIPEDA.

There are numerous additional requirements within the DPA, but we place an emphasis on the stipulation that Canadian citizens’ digital information stored within the Canadian border can only be distributed by means of email encryption systems.

The Issue

In an earlier day, even that of advanced computer storage and information housing, the handling and storing of digital information would not have been a major issue.

Information was housed almost universally on computers and networks located in the areas where organizations were headquartered or in regional or local offices.

However, advancement of wireless technology, cloud storage (with its tendency to blur data residency lines and fuel fears of hacking) broke down the previous technological barriers and created a critical need for careful, intentional, and proactive implementation of compliance protocols in line with PIPEDA and DPA regulations.

The Solution

The ITeam can provide email encryption and storage compliance by using Microsoft’s Office 365 and Azure Rights Management (Azure RMS).

Azure RMS includes a strong email encryption system and is now available through local datacenter regions in Toronto and Québec City.

Furthermore, Office 365 has the capability of providing in-country data residency.

Thus, The ITeam can offer a combination of Office 365 and Azure RMS that meets the encryption and data residency requirements of the DPA. 

Key Questions & Answers

The following is a brief Q&A regarding some of the central issues involved in DPA cloud compliance:

Does any encrypted document ever reside on the US or foreign soil?

No. If you use a Canadian billing address for your data, the Microsoft Office 365 will be hosted automatically in a Canadian data center.

Does all information remain in Canada?

Yes. Microsoft hosts data based on geographic location, so all information remains in Canada. More specifically, as described above, the data is stored regionally in Toronto and Québec City.

What are the most important elements of encryption?

Regulated information is encrypted both while it is “at rest” and while it is being transmitted between a data center and a user. The level and type of encryption used to protect files and emails can be customized by end users and administrators. This allows maximum data security and management flexibility.

How is in-country data center integrity ensured?

Azure Rights Management uses separate security worlds for its data centers in North America, EMEA (Europe, Middle East, and Africa), and Asia, so security keys can be used only in the region of residency.

Is data ownership and control compromised in any way?

No. Both Microsoft Office 365 and Azure Rights Management leave data ownership and control in the hands of the individual organization. Neither data ownership nor data control is ever compromised.

Microsoft Azure provides organizations with a reliable, scalable, and secure infrastructure environment, allowing organizations to improve customer experience, drive innovation, and manage costs. With the availability of Canada-based data cloud services and storage, it is worth considering shifting your organization to the cloud and evaluating solutions like Microsoft Azure.

The ITeam is a Microsoft Certified Partner committed to helping Calgary- and Alberta-based businesses develop proactive IT strategies that keep them competitive. Contact us to learn more.

Improve IT Security with Multifactor Authentication

/5 Comments/in , , , /by

Improve IT Security with Multifactor Authentication

Security breaches are a daily occurrence, making headlines on a regular basis.

Costly incidents are happening more and more frequently across all industries and businesses.

Every business leader is charged with beefing up IT security and protecting both proprietary data and customer information, but network security alone is no longer enough.

Multifactor authentication is one of many new layers of security that businesses must consider, to help thwart additional attacks.

What Is Multifactor Authentication?

Multifactor authentication (MFA), sometimes called two-factor authentication, is a crucial security layer requiring more than one authentication method to verify a user’s identity.

It blocks all access to a device, network, or terminal unless two of three factors are provided: something you have, something you know, or something you are.

These independent identity authorizations include a password, a security token, and often, a biometric verification.

How Multifactor Authentication Works

MFA makes it virtually impossible for someone to hack into a user’s devices, the network, or a database.

Most consumers use multifactor authorization all the time without realizing it. When you use a bank’s ATM machine, you swipe a card and enter a pin.

That is multifactor authorization.

But businesses need to begin recognizing the significance of containing security breaches by implementing MFA as a part of their overall IT security strategy.

The combinations for multifactor authentication are limitless:

Card swipe + pin

  • Username + password + texted access code
  • Card swipe + fingerprint + security question or password

Cyber Attacks Costs Everyone

The average cost of a data breach in Canada is $6 million, and half of all cyber-attacks on Canadian businesses are successful, with more than 51 percent of businesses reporting losses.

Multifactor authentication technology should not replace existing security (firewalls, malware detection, hosted email exchange, offsite backup and recovery).

Instead should be used to augment security, making it far more difficult for anyone other than the intended party to access sensitive information.

Combined with other security measures, such as stronger employee passwords, robust email security, and secure hosted services, multifactor authentication is an essential element of your organization’s overall security efforts.

MFA can prevent hackers from achieving a brute force entry into your network.

It’s much harder to breach a network using a fingerprint or a one-time-use access code texted to a single mobile device than it is to guess an employee’s password that is likely written on a sticky note under their keyboard.

As technology fundamentally changes how we do business, serve customers, and meet compliance standards, business leaders must re-evaluate whether their current IT strategies are meeting their needs.

The ITeam is committed to helping Calgary- and Alberta-based businesses develop proactive IT strategies that keep them competitive. Contact us to learn more.

Closing the Security Gaps: Employee Passwords

/1 Comment/in /by

Closing the Security Gaps: Employee Passwords

In our lives, passwords are the keys to everything we do, from logging in to our personal online banking to paying our bills.

Infоrmаtiоn about our реrѕоnаl lives, buуing hаbitѕ, credit ԛuаlitу аnd lifеstyle are valuable tо those whо саn рrоfit frоm it.

For corporations, that data hаѕ еvеn greater wоrth.

Intangibles such as intеllесtuаl рrореrtу, сliеnt liѕtѕ, mаrkеt ѕtrаtеgiеѕ, pricing and соmреnѕаtiоn, along with copious amounts of personal data on each customer, often account for the majority of the vаluе оf thе mоdеrn enterprise.

Therefore, the passwords we use at work – to access email, data files, and networks, are crucial protection points between us and hackers.

Wеаk оr compromised раѕѕwоrdѕ are the easiest wау fоr hackers to gаin еntrу intо a system.

Simрlе оr short раѕѕwоrdѕ саn bе еаѕilу diѕсоvеrеd through brutе force or “diсtiоnаrу”  attacks which concentrate intense соmрutеr роwеr to break through.

A two letter раѕѕwоrd, fоr еxаmрlе, hаѕ оnlу 676 соmbinаtiоnѕ.

A password with еight lеttеrѕ оffеrѕ mоrе safety with 208,000,000 combinations.

Enterprise Security Starts with Personal Password Requirements

Anyone who accesses your network, whether employee, client, vendor or other stakeholders, should be required to use complicated passwords to access everything from databases to email.

Idеаllу, a password ѕhоuld соnѕiѕt оf 8 or more characters and should be comprised of a mixture of uрреr аnd lower case lеttеrѕ, ѕуmbоlѕ аnd numbеrѕ.

Miсrоѕоft security hаѕ еnсоurаgеd the concept оf thе “Pаѕѕ Phrase” as аn аltеrnаtivе.

A рhrаѕе such as,”TheLastGoodBookUBoughtCost$25!” hаѕ all of thе needed еlеmеntѕ but is also еаѕу tо rеmеmbеr, since being able to remember the password is the key reason employees tend to create simple passwords.

Human Failsafes

Policies should be in place to govern passwords used to access company data of any kind that prevent:

  • Sharing passwords
  • Writing them down
  • Storing them on a computer or phone

It might seem like it would be common sense, but having a policy in place that spells it out is worth the effort.

People are the biggest security risk.

We are wired to respond to phishing attempts to gain access that play on our fears and worries.

We also are busy, forced to remember many passwords, and tend to use the same ones again and again. We’re also trusting and apt to share a password.

Layered Security

To mitigate the risk, lеаding firms аrе аdорting a dеfеnѕе strategy utilizing thrее еlеmеntѕ tо bеttеr ѕаfеguаrd thеir infоrmаtiоn.

Thе thrее lауеrѕ оf аuthеntiсаtiоn consist оf:

  • A strong password or passphrase
  • A crypto-key, smartcard, or token
  • Biometrics (fingerprint, etc.)

Protecting data is a never-ending battle as hackers become more and more sophisticated.

Companies must take strong stances on every point of entry that might create risk, including employee passwords.

Employee password security policies are essential to business continuity.

Phishing and Spoofed Emails Threaten Corporate Email Security

/2 Comments/in /by

Phishing and Spoofed Emails Threaten Corporate Email Security

Twenty years ago, corporate email security was not an issue that business leaders had to contend with.

Today, phishing and spoofed emails account for nearly half of all emails sent – and that’s a 12-year low!

As technology becomes more prevalent in every part of our business and personal lives, cybercriminals have become more and more creative in finding ways to con employees into clicking on links or taking actions that put companies at risk.

This has collectively cost businesses in Canada more than $19 million in 2014.

Email Security Threats Become More Sophisticated

A new wave of spear phishing – highly targeted, researched emails that are even more likely to deceive your employees because they look so legitimate – has been targeting Canadian companies.

Alberta businesses are not immune.

Last fall, 75,000 members of the Alberta APEGA were the victims of a spear phishing scheme.

The ITeam recommends that every organization take immediate steps to improve email security, including these steps:

1. Provide Ongoing Training to Employees 

According to the 2015 Verizon Data Breach Report, employees are one of the biggest risks, with 23 percent of recipients opening phishing messages and 11 percent of those clicking on the links.

Ongoing training, reminders, and even phishing email tests can help educate your employees on how to better resist the deceptions.

As business leaders and industry professionals, we must provide constant reminders about being more cautious.

Institute policies that govern what actions can be taken from an email.

Encourage employees to verify with the sender (in person or over the phone) if they were really the ones to send the email before opening attachments, wiring money, or clicking on links.

2. Implement Multi-Layer Security 

To prevent some of these targeted emails from getting through, you must implement tough, layered security protocols.

Every organization should have firewall protection, virus protection, and malware detection software.

In addition, email encryption solutions can protect data and limit access, and additional policy-based email security can be implemented to detect keywords that are likely phishing triggers, such as “credit card,” “wire,” “bank transfer,” and others.

3. Establish Robust BDR, MDM, and BYOD Protocols 

To mitigate risk, in case the worst does happen and an employee clicks on a link that leads to malware or ransomware infection, be sure you have stringent Backup and Disaster Recovery (BDR) protocols in place to protect your data.

It’s necessary to ensure that every device being used by employees is protected. Develop Mobile Device Management (MDM) and Bring Your Own Device (BYOD) policies that require the devices to have protection and allow you the ability to remotely delete them from your network.

4. Adopt Sender Policy Framework (SPF) Best Practices 

To prevent even more spear phishing attempts, implement Sender Policy Framework (SPF).

Sender policy framework is an easy-to-implement email validation tool.

The SPF communicates with email providers and tells them that the email is coming from an approved domain (the company website, newsletter service, or approved third-party sender).

The ITeam will work with your Alberta business to customize a cost-effective solution. We offer a comprehensive email security plan that will protect you against email security threats. Contact us for a free consultation.