Pratum Blog

As a business, you have access to a lot of customer and vendor information. While many companies take this responsibility very seriously, not everyone is doing all they can to ensure security. One way that some businesses fall short is by not encrypting emails on a regular basis, or at all. In this article we’ll explain the importance of encryption, and how you can start securing your emails now.

What is Email Encryption

Email encryption is sort of a disguise for your correspondence with clients and coworkers. Encryption software turns your text, documents, and other data into scrambled code in the eyes of anyone trying to gain unauthorized access. Some describe the encryption process as creating another language. When a third party tries to open the document, all they will see is a jumble of letters, numbers, and symbols.

Encrypting emails ensures the only person who can read your message legibly is the person you intended to receive it. To anyone else who tries to intercept your email it will look like nonsense. Hackers will often try to intercept emails from businesses because they know those can contain very sensitive and valuable information. Without encryption, even the smallest companies are targets for criminals looking to gain information through this method of communication.

Risks of Not Encrypting

The dangers of not encrypting emails are numerous. Not only do you put your clients’ information at a higher risk of being hacked, but you also put your own business at risk. If a criminal were to access private information on your client or your company, they may try to use that information for extortion. They could also utilize certain details found to try and access other areas of your company. With the right data, a threat actor can hack into systems you may believe are secured.

Business owners also need to implement encryption when it is required by an agreement with a customer or vendor. This is essential when the nature of the information requires a higher degree of security. Information such as personal information, bank data, and other private details about an individual can be used to attempt other scamming methods or hacks into private accounts. Even the smallest detail may be the information a criminal would need to figure out a username or password to a secured account.

It’s not just clients you should be considering. Encryption is also advised when handling private information of employees. Documents containing health insurance information or financial records need to be protected. It’s in the best interest of your entire firm to be cautious and secure when handling any private data.

Encrypting all email messages as a default, standard practice makes the task of finding sensitive information more daunting to hackers. Going through a long list of emails, one-by-one, will make the job of finding valuable information more time consuming. This tedious task could be enough to cause some hackers to give up more quickly.

Full Security

Creating a safe environment for your staff and customers means considering all aspects of security. Neglecting cybersecurity can be detrimental to your business. Taking the time to protect all data, especially that which is sent through emails, could be the layer of protection your organization is missing.

If you have any other questions about the cybersecurity of your company, feel free to reach out to the cybersecurity experts at Pratum.

Does your business have security, compliance, or both? While some believe having one automatically results in the other, the two are independent and need individual attention. Despite common misconceptions, compliance is not security. Knowing the difference and why it matters could mean better, long-term protection for your business.

To understand the difference between compliance and security you need to have a clear picture of what each one means for your organization.

What is Compliance

Compliance is the process an organization goes through to adhere to a minimum set of security requirements. In some industries, these requirements are required by law. For others, it’s an expectation from business associates and vendors in order to do business together. There are different types of compliance, which means different auditors who carry out the compliance process. Depending on the type of audit being done, auditors are typically looking for controls that are designed efficiently and operating effectively.

For example: Do the controls in place meet the objectives of the selected compliance framework? Are they operating as expected?

While compliance has its place in many business security programs, it can also be misleading. Here are a few pros and cons to show how compliance can be useful, but also deceptive for businesses at times.

Pros:

  • IDS/IPS Testing
  • Formalizing Processes – Compliance is an established set of guidelines. That means becoming compliant will help a business create a more structured security portfolio.
  • Maintaining Security Commitments – Ensuring security is upheld for both the client and legal requirements.
  • Initiates Security Conversation – For some businesses, security is not a top consideration until it’s required by law or a vendor. Being required to become compliant can be a first step to more security measures being implemented in a company.

Cons:

  • IDS/IPS Testing
  • Blanketed Approach - Compliance frameworks are often not comprehensive enough to ensure security is uniquely applied to all business use cases and needs.
  • Limited Scope - Compliance reports only cover a scoped environment; oftentimes, they do not include all business systems or controls.
  • Lacks Customization - Most importantly, compliance does not assess environments on the fundamental principle of risk. It simply cannot answer the question: what is the risk posture of my organization?

Now that you have a better idea of what Compliance is, and how it can help or hinder a security program, it’s important to understand why Security is important.

What is Security

When we use the term “security” at Pratum, we are referring to the clear and unique set of technical controls and business processes that define how data is stored, processed, transmitted, consumed, and accessed at an organization in order to ensure verifiable protection from evolving cyber security threats. Security is based on the risks facing your organization’s specific needs.

There are two major components in an effective and mature security program: Strong Governance and Comprehensive Technical Controls.

For strong governance you need to have a few key components including:

  • IDS/IPS Testing
  • Proper oversight and reporting
  • An accurate policy set
  • Ongoing and routine risk assessment/analysis process
  • Effective user awareness training

A comprehensive set of technical controls should protect business-sensitive information and needs to include:

  • IDS/IPS Testing
  • Network protection devices and software
  • Employee workstation protection policies
  • Sensitive data security safeguards

When these components all work together, the security posture of your organization will be equipped with customized protection that can better protect your business’s unique security needs.

Security and Compliance Working Together

While security and compliance can work together, having one does not guarantee the other. Compliance alone does not make your business entirely secure and having security measures may not meet compliance standards. The key is figuring out what your business needs to meet industry and business expectations, while also going further and establishing a strong security program to protect your company’s assets.

It can be easy to focus primarily on compliance and “worry about those security problems later”. After all, many organizations need to meet compliance requirements in order to win certain contracts, remain competitive in their industry, or conduct business altogether. However, ignoring security beyond compliance has long-term “disastrous” effects. It introduces complexity as the organization grows, and it does not develop a strong security culture.

Security culture is important because it involves the entire organization. With compliance it’s a one-size-fits-all structure. There’s no need to involve every member of the team with most compliance audits. Compliance alone cannot change a company’s security culture. Educating staff on security measures and enforcing policies and procedures needs to be a custom process designed to fit your business’s risks.

Where to Go Next

There is some overlap between compliance and security, but one does not imply the other. Compliance can help to further mature an organization’s information security program, but it does not guarantee a strong security posture. Having security in place won’t guarantee you’re ready for compliance.

If you feel your organization needs compliance, security, or both this is a great time to examine your current information security program. Reach out to a Pratum representative to learn more about where to go next with your security and compliance needs.

Cybersecurity is possible for remote employees. Here's how.

Whether it was already part of the company structure or has recently been added due to COVID-19, many companies are offering employees the option to work from home full-time. No matter the size of the organization, this sort of shift comes with some challenges. That includes cybersecurity. Even if a business has a well-established security program for the office, they may not have the same protection set up for those working from home.

Increased Cyber Threats

When the pandemic hit, many companies were in a rush to get employees up and running with at-home offices as quickly as possible. While this may have prevented loss in business for the short-term, the long-term cyber risks could become a detrimental problem very soon. According to some cyber experts, the potential for large-scale attacks is rising as more and more employees work from home.

There are also many threat actors with time on their hands, out there looking for these prime opportunities. One of those heightened risks may come from people using personal devices for work while at home.

Using a personal device for business purposes can introduce several new threats that may not exist on a work computer in the office. For instance, many corporate devices are set up to not allow personal use. That can include private emails, social media, and other browsing that is not deemed necessary for the job. These restrictions help prevent potential threats like phishing or malware. When someone is using a personal device and does not take the proper safety measures to separate business and personal use, new threats are being introduced through that personal device into the business network.

Think of it like this: Your company’s network is similar to a home. When you leave or go to bed you are able to lock the doors and windows for basic safety. If you want to be more cautious, you add security cameras or alarm systems. When you allow an employee to work from home on an unprotected device this opens the house windows and doors. The threats are not necessarily new, but they are much more likely with less protection in place.

1. Educate Your Staff

So how can you begin to protect those remote workers if your company cannot afford to buy everyone a device with built-in protection? One way is to educate employees. Making sure your staff understands how surfing Facebook or Twitter could lead to a potential threat, or how opening Spam emails may put the entire company in jeopardy by risking loss of revenue or intellectual property. Education is a good place to start.

2. Offer Extra Protection

Next, offer protection. If you have an expectation of security for your business, you need to be sure to provide your employees with the tools to meet those standards. Consider looking into firewalls or extra security monitoring that will help protect your employees’ devices the same way you would protect a computer at the office. If you expect a certain software or device protection, you should be the one to provide it to the employees.

3. Establish Separate Profiles

Another simple way to protect the network while using personal devices is to establish separate profiles. If an employee can separate their work activity from their private internet use, there will be more protection for the company. Talk to your IT department about how to communicate that process to your staff and give your employees clear guidance on what the expectation is for these separate profiles. While one may be used for business emails and company documents, the other can access social media or online shopping. Separation of the two could help prevent unnecessary risk.

4. Setup Safeguards

As for the company’s responsibility, on top of providing education and security programs for remote workers, businesses can also set up systems to safeguard the network on the company’s end. One way to do that is to collect the IP addresses of all remote workers. This list can then be used to create restricted access to the company network.

With these IP addresses a business can allow access to only those addresses approved by the company. This approved list will allow remote workers the access they need, while limiting any outside intruders. Restrictions can also be placed on the time of day IP addresses are allowed into the network. If you prefer workers only see company data during business hours, set the limits and let your staff know their restrictions.

5. Review Old Habits

Now is the time to go over the current security measures in place. Whether it was a rushed decision to send employees to work from home, or a long-standing option for your business, this is a good time to be going over your policies and work from home procedures. Everything from VPN access to firewalls, and even the latest updates on software are important components of your security posture. Be sure everything is up to date and meets the same standards, if not higher, than what you expect from employees working within the office.

Security is Possible at Home

Working from home may be the best option for your employees at this time, and that can be done securely if you take the time to establish a proper cybersecurity program. Just because you may have rushed to make remote work possible does not mean you need to leave it as is now.

Educate your staff on cybersecurity practices. Provide the proper equipment and tools needed to keep their work secure. Setup extra security measures on the business network. And go over old policies and procedures to see what needs to be adapted to fit the changing times. With the right approach your staff can be more secure when working from home.

If you’re unsure of where to start with your business’s cybersecurity needs, reach out to a Pratum representative today to help guide you!

Get our blog posts delivered to your inbox:

The information we track while users are on our websites helps us analyze site traffic, optimize site performance, improve our services, and identify new products and services of interest to our users. To learn more please see our Privacy Policy.