Pratum Blog


As a business, you have access to a lot of customer and vendor information. While many companies take this responsibility very seriously, not everyone is doing all they can to ensure security. One way that some businesses fall short is by not encrypting emails on a regular basis, or at all. In this article we’ll explain the importance of encryption, and how you can start securing your emails now.

What is Email Encryption

Email encryption is sort of a disguise for your correspondence with clients and coworkers. Encryption software turns your text, documents, and other data into scrambled code in the eyes of anyone trying to gain unauthorized access. Some describe the encryption process as creating another language. When a third party tries to open the document, all they will see is a jumble of letters, numbers, and symbols.

Encrypting emails ensures the only person who can read your message legibly is the person you intended to receive it. To anyone else who tries to intercept your email it will look like nonsense. Hackers will often try to intercept emails from businesses because they know those can contain very sensitive and valuable information. Without encryption, even the smallest companies are targets for criminals looking to gain information through this method of communication.

Rights management can also protect data within an organization by requiring a single sign-on (SSO) account, such as a Microsoft 365 or Google login, to view and reply to emails. This adds a layer of protection by requiring users to have access to that account before they can access sensitive information. While this does rely on normal web encryption (TLS between the client and the service), it does not encrypt the messages themselves. Therefore, this technique should be used in addition to traditional email encryption.

When used together, businesses can restrict access to sensitive information while also using strong encryption to keep emails safe in transit and at rest. If employees leave the company, businesses can have more confidence that emails can only be read with a valid account.

Risks of Not Encrypting

The dangers of not encrypting emails are numerous. Not only do you put your clients’ information at a higher risk of being leaked, but you also put your own business at risk. If a criminal were to access private information on your client or your company, they may try to use that information for extortion. They could also utilize certain details found to try and access other areas of your company. With the right data, a threat actor can gain access to systems that are configured securely.

Business owners also need to implement encryption when it is required by an agreement with a customer or vendor. Several compliance frameworks such as PCI-DSS and regulations such as HIPAA require the use of encryption. This is essential when the nature of the information requires a higher degree of security. Information such as personal information, bank data, and other private details about an individual can be used to attempt other scamming methods or hacks into private accounts. Even the smallest detail may be the information a criminal would need to figure out a username or password to a secured account.

It’s not just clients you should be considering. Encryption is also advised when handling private information of employees. Documents containing health insurance information or financial records need to be protected. It’s in the best interest of your entire firm to be cautious and secure when handling any private data.

Encrypting all email messages as a default, standard practice makes the task of finding sensitive information more daunting to hackers. Going through a long list of emails, one-by-one, will make the job of finding valuable information more time consuming. This tedious task could be enough to cause some hackers to give up more quickly.

Full Security

Creating a safe environment for your staff and customers means considering all aspects of security. Neglecting cybersecurity can be detrimental to your business. Taking the time to protect all data, especially that which is sent through emails, could be the layer of protection your organization is missing.

If you have any other questions about the cybersecurity of your company, contact the experts at Pratum today.


Nearly every account online now requires a few extra layers of security. From receiving a code through text message for bank account access, to scanning your retina to log into an app, there are more and more efforts to protect your online accounts. While it may feel excessive to some, these extra steps are an important layer of protection called Multi-Factor Authentication (MFA).

Definition of Multi-Factor Authentication

Via National Institute of Standards and Technology (NIST):

MFA, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account.

Your credentials fall into any of these three categories:

  • Something you know (like a password or PIN)
  • Something you have (like a smart card, phone or token)
  • Something you are (like your fingerprint)

Your credentials must come from two different categories to enhance security – so entering two different passwords would not be considered multi-factor.

Protecting with MFA

MFA is a simple way to boost your business’s cybersecurity strength. While other security programs and software can potentially be bypassed by a threat actor, a solid MFA is more difficult to hack. Not only will the hacker need access to your name and password, they’ll also need information from one of the other categories such as access to your smartphone or your fingerprint.

This sort of protection is especially important when dealing with business networks. Access to things like client data, employee information, and proprietary documents can be extremely valuable to a hacker. That’s why MFA is essential for protecting your business information. When planning the implementation of Multi-Factor Authentication, each organization should do a Risk Assessment to determine their levels and sources of threats. The more you know about where and how someone could infiltrate your system, the better prepared you’ll be to enable security, like MFA, in the proper places. You’ll also be able to see which members of your team need higher levels of security. For example, members of the executive team may need a stricter access process than someone working janitorial services. It’s all about examining the needs of your organization and working from there.

On top of protecting your business information from being stolen, you’re also protecting it from being damaged. Not all threat actors want to steal data. Some malicious attacks are done with the intent of destruction. Using a simple, extra layer of security with MFA can help protect your data from both.

Familiarity with MFA

The great thing about MFA is that most people are already using it! That includes most banks, credit card companies, Amazon accounts, college savings accounts, and investment and retirement accounts. Your employees have probably been using MFA for a few years now with their personal email and other accounts.

Since several large corporations are now requiring MFA, that should make the transition for your company even more seamless. People should already feel comfortable using MFA, since it’s been part of daily life for people using online services. The less confusion when introducing a new security program, the better!

It’s also something clients will recognize when you explain your business’s security to build confidence in working with you. When you are able to tell a potential client you have MFA set up within your organization, additional trust will be established.

It’s (Typically) Easy

Just because it works, doesn’t mean it has to be complicated. While much of cybersecurity can seem confusing and overwhelming, MFA is pretty straightforward. There are even free applications, like Google Authenticator, to set up MFA on personal devices.

When choosing an MFA program for your business, there are several options designed for organizations of different sizes. To choose the best option for your operation, talk with a cybersecurity consultant to determine what will work best for your needs.

Extra Security is Necessary

While anti-virus and firewalls are important, they’re not always effective alone. MFA can make your existing security measures even stronger. It may take a few extra steps and a little more time, but the benefits of MFA can greatly outweigh the additional work.

First decide where MFA is necessary in your organization, then determine which program is the best fit for your company. Once you have it established, continue to monitor the effectiveness of the MFA program and your cybersecurity as a whole. For more information on how to analyze your security strength and choose an MFA program, contact Pratum!


How do you prepare for a SOC 2® audit? Many businesses look to Pratum for help with SOC 2®, so we put together this overview to help provide insight into our process. We also discuss what YOU need to do to prepare for a successful SOC 2® report.

Common SOC 2® Questions:

What is SOC 2®?

SOC 2® is an externally validated report. Companies are often asked by their clients to provide some form of cybersecurity compliance report to prove they have adequate security controls in place to protect data/information shared between the two organizations.

SOC 2® reports must be completed by an AICPA firm. The CPA will conduct the audit over several months and deliver the report at the end. There are two types of SOC 2® reports, Type I and Type II. Type I examines the design of controls at a specific point in time. Type II assesses the operating effectiveness of controls over a period of time.

Where to begin?

Once you decide to pursue SOC 2®, there are a few things to keep in mind before getting started. You need to first determine if you want assistance preparing for the audit. Pratum offers readiness assessments to examine whether your business is adequately prepared for a SOC 2® engagement. Where businesses fall short of preparedness, we assist them in getting there.

Timeframe for SOC 2®?

One big misconception about SOC 2® is the amount of time it will take. While this varies depending on your business’s size and the scope of the audit, the typical Type II audit usually takes a minimum of 8 months for the entirety of the engagement. This includes the opinion period, audit fieldwork, and time for the auditors to develop and deliver the report. The readiness process with Pratum before the audit can also take an additional 2 to 3 months, depending on the preparedness of the company. If your company is looking for a quicker turnaround, starting with a Type I audit may be the best path.

SOC 2® Readiness Steps:

At Pratum, we have a process established to make the experience smoother for you. Here’s a brief overview of what you can expect from the first call to the final report.

Step 1: Initial Inquiry & Discovery Call

During the initial conversations, our Client Engagement team will get to know your business and walk you through the basics of a SOC 2® report. A consultant may also join the call to ask more detailed questions and help with scoping the engagement. Some initial questions include:

  • What cybersecurity requirements are your clients/prospects demanding in the contracts you are attempting to fulfill?
  • What is your timeframe?
  • What areas of your business need to be within the SOC 2® scope?
  • How many employees have access to the areas being audited? Which employees are involved?
  • Where is your data stored and how does it flow through the organization?

Step 2: Statement of Work

After we compile the information from discovery, we build the customized SOC 2® completion plan for your business. This includes the details for the readiness process, the cost, and a timeline for the work.

Step 3: Pre-Engagement Forms

Once the Statement of Work is signed, we can begin the process of preparing your company for a SOC 2®. This includes gathering more information that will be included in the SOC 2® and a list of who within your organization needs to be prepared for the process. A consultant will be assigned to your project based on your SOC 2® needs and their expertise. Your lead consultant will hold a kick-off call with your team to discuss the process, set expectations and answer any initial questions. Pratum will request any supporting documentation you have at this time.

Step 4: Readiness Fieldwork

The fieldwork during your SOC 2® preparation is how we get a first-hand look at the work ahead. During the fieldwork phase, interviews are conducted with your staff, and current security controls are reviewed to determine maturity level. Where any gaps are identified, the consultant will provide guidance on what should be in place, and how to get there. This is more than just a yes or no Q&A; it is a conversation. Your consultant will ask detailed questions to fully understand the operations and needs of the organization. At the end of the engagement, Pratum will deliver a control listing with the status of each control, supporting documentation and audit evidence needed, as well as recommendations where appropriate.

Step 5: Contact Auditor & Set Up Audit

After preparation for the audit is complete and your company and Pratum feel confident in your readiness, the ‘as of’ date for a Type I audit can be set or the opinion period can begin for a Type II. Most audit firms prefer a minimum of a 6-month opinion period for a Type II audit. If you haven’t selected a CPA firm to perform the audit yet, Pratum can provide recommendations of firms with whom we have close relationships. If you already have a firm in mind, we’re happy to work with the auditor of your choice as well. The earlier you can get the auditors involved, the better.

Step 6: Audit Fieldwork

During fieldwork of the audit, your Pratum consultant will engage with the auditors to answer any questions and help mediate any concerns that may arise. Your consultant is there as a representative for YOUR organization and will ensure the auditors stay within scope and reason. The fieldwork for the audit can take several months to complete. The more prepared and dedicated your team, the faster the process will go and the sooner you will receive the report.

Maintaining Your SOC 2®

Once you complete your SOC 2® report, the work isn’t finished. You will need to keep up with yearly audits to re-validate your controls. The best way to ensure continual compliance is to maintain your security standards and evaluate and adapt to any changes within your business. SOC 2® isn’t a one and done. Continual monitoring and activity are needed to ensure success.

Preparing for a SOC 2® may seem daunting, but it doesn’t have to be! Pratum is ready to help make the process less stressful for you. To learn more, contact Pratum today.

What to Expect with SOC 2®


Pratum has years of experience assisting companies with their SOC 2® process, and this document provides an overview of what we’ve learned about helping companies get a favorable report on the first try.
