How Not To Communicate With Customers

e-Share Blog

This week our CEO received an email message, apparently from his bank. And he couldn’t really tell if it was a phishing attack. What do you think?

Email from a bank - was it a phishing?

The email certainly appears to be from the credit union. But the sender address and the link URL both show a different company’s domain. That’s the hallmark of a phishing attack.

A trip to the website of the domain name in question shows that it’s an add-on to a popular email marketing system, produced by a company with yet another name.

This could absolutely be a phishing attack.

The question now is – what to do? Call the credit union? Do we think they’ll even know what that third-party is? Their own website implies that this email didn’t come from them.

i.e. email should come from [our] email address, not another address

Their site further suggests:

Website links: The safest approach for dealing with email links is to not click the link at all. Logging directly into Online Banking […] is the best way to access your account and any messages pertaining to your account.

Assuming the credit union is following their own guidelines, we can definitely conclude this is a phishing attack. They’ve said very clearly there should not be links in email messages they send, and not to click them, in any event.

Wouldn’t it be easier to tell them just to make sure the link is also under the credit union’s domain?
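The check suggested above can be automated on the receiving side. The following is an added example, not code from e-Share or the credit union: it compares the sender domain and every link host in a message against the organization's domain, matching on label boundaries so look-alike hosts do not pass. All domains and the sample message are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message; every domain is a placeholder.
SAMPLE = """\
From: "Your Credit Union" <news@mailer-addon.example>
To: ceo@customer.example
Subject: Important account update
Content-Type: text/html; charset="utf-8"

<p>Dear member,</p>
<a href="https://click.mailer-addon.example/t/abc123">View your statement</a>
<a href="https://www.creditunion.example/help">Help</a>
<a href="https://creditunion.example.mailer-addon.example/login">Log in</a>
"""

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def under_domain(host, org_domain):
    """True only for the organization's domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    org = org_domain.lower().rstrip(".")
    # Require a dot before the suffix so "notcreditunion.example" fails.
    return host == org or host.endswith("." + org)


def audit(raw_message, org_domain):
    """Return (kind, domain) pairs for the sender and links outside org_domain."""
    msg = message_from_string(raw_message)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rpartition("@")[2]
    if not under_domain(sender_domain, org_domain):
        findings.append(("sender", sender_domain))
    body = ""
    for part in msg.walk():  # covers single-part and multipart messages
        if part.get_content_maintype() == "text":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if not under_domain(host, org_domain):
            findings.append(("link", host))
    return findings
```

The From header is checked as displayed, so this complements SPF, DKIM and DMARC validation rather than replacing it.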

e-Share - Smart URL

With e-Share Trusted Sharing and Secure Mail you can communicate securely and compliantly with anyone, anywhere – using your own domain name and SSL certificate.

Recipients can instantly know they’re not being phished, because no third party URLs will appear. And our 100% cloud platform keeps documents and conversations out of insecure email infrastructure while providing fine-grained sharing options from requiring login to insisting on access codes, automatic expiration and much more. And it’s entirely enterprise class, supporting SSO, auto-provisioning and full integration with O365, OneDrive, Dropbox, Box, GSuite and GDrive.

Register for a demo to see how you can communicate with customers without freaking them out.

The Security of Expiration


This week’s breach involved a medical services company’s FTP server which allowed “uncontrolled access to its patients’ protected health information”.

“This uncontrolled access permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline.”

The company ultimately “agreed to pay $3,000,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security and Breach Notification Rules”.

So-called File Transfer (or “FTP”) servers are a venerable approach to sharing data. FTP was one of the first digital publishing platforms, used widely for software distribution and file transfer since the early days of the internet. SSH FTP (or SFTP) adds encryption and thus makes it compliant for transferring sensitive information, including PHI data which is regulated by HIPAA, so long as the client and server encrypt the transferred files at rest.

The problem is, compliant is not the same as secure.

Once a file transfer server is up and running, it will reliably and consistently serve files. If access is incorrectly or incompletely configured, as appears to be the case here, every minute brings added exposure. This is why all access to shared files should be limited to a period of time by default, something file transfer servers were unfortunately not designed to support. This could have prevented the breach, despite the questionable configuration.

A second issue is that FTP is all about TRANSFER. As long as it remains up and running, authorized clients will have unfettered access to download data and then do whatever they like with it: print it, publish it, transfer it to others. Worse, clients become compromised over time. People leave companies – and transfer their user credentials to their replacement, hopefully not a third-party service – or they may be compromised through phishing or malware attacks.

The longer the server is up, the longer your exposure lasts.

e-Share - Sharing policies

The good news is, FTP’s days are numbered. Migration to the cloud is finally happening – and companies are discovering the mechanisms built into cloud file storage services are only intended for internal collaboration.

Solutions like e-Share’s Trusted Sharing offer fine-grained sharing options – like automatic expiration of shared material. This can, as shown above, be set at the organizational level. For many shares, one-time or 1 day is entirely adequate. For longer collaborations, the expiration should likely match the engagement level.

Sharing can also be limited to view or edit-online only, with no download, printing or copy/paste. You can optionally require participants to sign in with OpenID, enter an access code, accept terms of service – and more.

e-Share - Policy options

Register for a demo to learn how mandating share expiration is a critical first line of defense for all information – especially regulated data like PHI.

Portal Updates, Sharepoint Bot Support, OpenID Tweaks


This week, e-Share updated our client web portal, removing our venerable “Collaboration Management” navigation option and replacing it with direct links to “My Shares” and “Shared With Me”.

Here’s a screen shot from our alter-ego, Bank2Trust – because our service is always re-branded:

B2T MS updated

Additionally, the portal now highlights shares that will expire in 3 or fewer business days. e-Share users can access that here. In the near future we’ll add an option to allow you to receive notification via email as well.

When accessing shared content via the new design, secure conversations can now be sorted by date or conversation. You can also size the conversation pane however you’d like:

BT SC updated

The account settings page has also been updated. Among other things, the “Notifications” tab has been removed, and the “Notifications” toggle option is now located under “Preferences”.

B2T - Settings updated

We also added support to our External Collaboration Bot so it can share content from SharePoint, if you use that as the storage mechanism for Teams.

e-Share - Trusted share

You can optionally copy SharePoint content to OneDrive prior to sharing. This allows you to send a snapshot of a document to an external recipient, and continue internal collaboration (and updates) to the internal copy.

We also made a number of updates to our OpenID support, going directly to the login provider instead of pausing at our re-branded portal page.

e-Share - OpenID pick account

Users are taken directly to the web portal after logging in.

If you have questions about any of these updates, please send us a comment. Thanks.

Viewer != Downloader


Today let’s look at the “share” dialog from a large cloud file storage provider:

Box share options

Why would you give someone Editor vs. Viewer access?

The reality is, they’re basically the same, excessively permissive set of rights. While technically the viewer can’t edit the shared material where it was shared from, they can download it and modify it and share it back with you. So the net difference is really upload.

A “viewer” should be limited to viewing the document. Downloading, editing online or offline, copy/paste and printing should all be disabled. That’s how you share sensitive information compliantly.

There isn’t even an “advanced” option!

The good news: you can use e-Share to share in real view-only mode, right from the enterprise applications you already use – like Office 365, GSuite, Microsoft Teams or Slack. As easily as you can send an email.

e-Share - Email confidential design

Among other things, e-Share’s enterprise-class platform offers alternatives to requiring full registration, including login with OpenID, use of access codes, and more.

e-Share - Fine grained sharing options

You can configure these centrally, and choose to allow users to override only when appropriate and authorized.

Schedule a demo to see for yourself!

Secure Mail Gateway: Simple & Reliable


What comes to mind when you think of Secure Mail? A rare message from your bank, possibly lost in a spam filter? A confusing registration process?

Maybe you think of how you always forget your password.

The reality is that secure portals expire after 30 days and are only intended to facilitate delivery of data to the large institution – bank, regulator, insurance company, etc. Few people worry about the experience, because they know the burden is on the customer to complete the transaction. Support call volume is a side-effect of having a lot of business… it’s not an urgent problem, is it?

It is. And it doesn’t have to be like this.

e-Share Secure Mail Gateway (SMG) is a next-generation take on a venerable communication staple. Simply put, it’s the first enterprise-class product that allows you to share sensitive information in a fully compliant and controlled way without compromising on the user experience, creating a burden for your organization’s support staff, or motivating people to share in a non-compliant way.

Senders and recipients will love it.

e-Share - VDR email

For starters, there’s no painful web portal for senders to use. They just send an email right from their current system, including Microsoft Outlook, Office 365 and G Suite – without installing any software or plug-ins. When Secure Mail Gateway receives this message from your organization’s email system, it automatically manages the collaboration from there on your behalf, in full and automatic compliance with your organizational policies.

e-Share - How secure mail works

Recipients are invited to the e-Share portal, which is fully re-branded with your company logo, colors, text and sub-domain (“sharedby.yourcompany.com”). Recipients will feel good about that and instantly realize that the experience is authentic. They’ll trust it enough to collaborate without concern. All content is protected at rest and in motion using e-Share’s patented, state-of-the-art key management and industry standard, military grade encryption algorithms.

B2T - VDR

Email administrators will love our message tracking console, which allows full audit and forensic examination of each secure mail message, along with the usual reporting and metrics. The solution supports all existing e-Discovery solutions as well.

SMG console

Secure Mail Gateway can also support non-regulated use cases in style, offering support for use of PIN codes or SmartURLs instead of full registration.

Register for a demo to see SMG in action.