ZIXCORP The Criticality of Email Security Kevin Cloutier 781-993-6221 kcloutier@zixcorp.com Oct 2015 1

ABOUT ZIXCORP Founded in 1998 as an email encryption company, now with DLP and BYOD security More than 11,500 active customers including: Six divisions of the U.S. Treasury All of the FFIEC U.S. federal financial regulators (incl. FDIC and OCC) The U.S. Securities and Exchange Commission 24 U.S. state financial regulators More than 2,000 U.S. financial institutions 25% of all banks in the U.S. 20% of all hospitals in the U.S. 32 Blue Cross Blue Shield organizations 2

YOUR BIGGEST SOURCE OF DATA LOSS 3

Your organization is sending PII out today Analysis shows an average of 5% of outbound volumes include PII, NPI, PHI, SSNs, CCs, etc. You need to know who sent, who received, what was sent, why it was sent, and how it was sent Even one email violation, depending on your industry, can cost you thousands of $$$$ and public data breach exposure Your organization has a mobility risk Employees are using mobile phones to download email Data proliferation on mobile devices is a huge risk, even with an MDM solution in place KNOW YOUR EMAIL 4

Data Loss Prevention (DLP) Encryption EMAIL SECURITY TOOLS TO MITIGATE THE RISKS Data Loss Prevention (DLP) Encryption Mobile Device Management (MDM) / Bring Your Own Device (BYOD) Security Compliance Reporting 5

Enhanced Email DLP Enhanced Email DLP allows organizations to: Detect outbound emails that violate corporate policies Capture and analyze email violations Filter, search and report on email violations Quarantine sensitive emails that contain sensitive information based on wide range of parameters 6

Email DLP View of Sensitive email 7

You now have the sensitive email, but what do you do with it? AFTER DLP, THEN WHAT? You now have the sensitive email, but what do you do with it? If authorized to be sent, encrypt it But not all email encryption is equal Do not deploy Email Encryption to just: 8

Policy based email encryption A USABLE EMAIL ENCRYPTION SOLUTION Policy based email encryption Integrates with email DLP to auto encrypt sensitive content Transparent email encryption Auto encrypt to other organizations using the same solution/protocol with no logins/passwords needed Automatic Key Management Encrypted Delivery to “Non” encryption users A system that delivers the encrypted email to anyone regardless of what technology they have on receiving end Encrypted Delivery to Mobile Devices 9

WHY ARE WE ALL SPEAKING A DIFFERENT LANGUAGE? How can we connect with so many roadblocks? Portals Passwords Secure attachments Password resets Extra steps

Shared Public Key Directory THE POWER OF EMAIL ENCRYPTION TRANSPARENCY An elegant solution is one that works without you even knowing it. No portals No passwords No extra steps Shared Public Key Directory

WHAT ABOUT DELIVERY OF ENCRYPTED EMAIL ON MOBILE DEVICES? Typically, recipients are unable to open encrypted email on mobile devices. The result: User frustration Interrupted workflow Reduced productivity

EMAIL ENCRYPTION SOLUTION SHOULD MANAGE MOBILITY EFFECTIVELY AND EFFICIENTLY Senders and receivers using the solution should experience encrypted email like any other email on their mobile device. Accessing encrypted mobile email should be as easy as one click.

WHAT ABOUT ENCRYPTED EMAIL TO RECIPIENTS WHO DO NOT HAVE DECRYPTION TECHOLOGY? The email still has to go, but how? Solution should auto recognize the recipient does not have technology in place but still delivers the email encrypted via a secure messaging portal (pull) or via an encrypted HTML attachment (push) Registration to receive these encrypted emails must be simple and non-invasive Allow for the recipient to reply back encrypted AND to compose brand new emails encrypted Consider impact of delivery method on mobile devices 14

Good News. I am NOT going to describe to you what BYOD is Good News! I am NOT going to describe to you what BYOD is. What I will confirm is that with the time we have together, I will be referring to employee owned devices rather than to corporate-owned, personally enabled – C.O.P.E. devices. Quick straw poll. Please may I ask those of us here who have at least one BYOD device to raise their hand. Thank you. [Comment] 15

Most Popular Mobile Business Apps Email, Calendar and contacts As we all know, most employees work in your company buildings. They don’t go out to your customers. They don’t talk with industry analysts or investment funds. In fact, as you can see form this chart, 86% of employees really only need access to their emails, their calendar and their contact list. So why would we pay to give everyone MDM if only 14% - sales teams and senior staff - need it. MDM may have sufficed in the past, however nowadays – especially in this less secure world - we need a multi-tiered strategy. Let’s talk security for a moment. Source: BYOD and Mobile Security Report, 2014, Holger Schulze, Information Security Community on LinkedIn 16

Market response to BYOD Survey results indicate 45% of respondents report that within the previous 12 months, one or more employees lost a mobile device containing company data InformationWeek’s 2014 Mobile Security Report 3.1 Million smartphones were stolen in the USA during 2013 - sixty per minute Consumer Reports’ Annual State of the Net survey, 2014 72% of respondents say their top mobile security concern is data loss from lost or stolen devices As you can see from the slide, InformationWeek’s 2014 survey on Mobile Security found that in 45% of companies, one or more employees lost a mobile device containing company data within the previous 12 months. In fact 3.1 million smartphones were stolen in the USA in 2013 – possibly 5 million in 2014 - with approximately half of them never being recovered despite “find my phone” type GPS location applications. So that’s why the top concern around BYOD is securing company data on mobile devices. 17

Mobile Device Users’ Frustration “In their quest to do their jobs, mobile device users are offered comparatively sophisticated communications platforms that they're often untrained to effectively use, control, and make productive. - Tom Henderson, IT World And if these figures weren't bad enough, most employees find MDM solutions cumbersome or difficult to use. So they’re LESS inclined to maintain security, LESS inclined to stick to your Company Security policy. 18

Adding to BYOD Challenges These figures come from the Ponemon Institute The survey found that a large proportion of employees have disabled the auto-lock function – the time out function – on their tablets and smartphones. And that an incredible 93% anonymously admit to violating corporate policies designed to prevent data breaches. With a complex MDM solution, your employees are driven to circumvent the security hurdles. You see BYOD devices were never designed for corporate use. They are consumer products. They are specifically designed to share information between applications – to give the user a seamless experience. In implementing MDM solutions, the vendors are trying to undo this seamlessness. Trying to put up barriers in a device designed to have no barriers. And that introduces all kinds of complexities both for IT and for the users. 19

TYPICAL MDM SOLUTION Data Proliferation EMAILS ARE RETAINED IN PERMANENT MEMORY Data Proliferation Here is MDM… and this is how emails are handled. Just as with a desktop computer, the emails are being downloaded and stored in the device’s permanent memory. 20

TODAY’S APPROACHES ARE MISSING THE POINT MDM & CONTAINER VENDORS Assume Data on the Device Too Complex and Too Expensive Too Invasive For Users Too Difficult To Implement Creates Corporate Liability Concerns Overkill for Email Problem Getting Worse Manage access, not devices!

Brooklyn gives IT the security they need and The state of byod USERS WANT EASE OF USE WHAT THEY DON’T WANT IS: Company monitoring their personal activities or restrict apps Interruption of their calendar, contacts, phone and texting functions Invasion or deletion (wiping) of their personal data COMPANIES WANT SAFE DATA WHAT THEY DON’T WANT IS: Corporate data distributed on hundreds of devices Users resorting to personal email or other insecure means of maintaining productivity Brooklyn gives IT the security they need and .

EMAIL BYOD SOLUTION Full email functionality, but NO data on the device, so no need to manage the device Data Proliferation 23

EMAIL BYOD DELIVERS THE BEST OF BOTH WORLDS Companies benefit from Enhanced Data Protection Productive employees and improved morale Minimize Corporate Liability One copy of corporate data Compliance Reporting License by user, not device Employees benefit from Convenience of using their own devices Control of their devices and personal data Protected privacy without employer access to personal data

On Demand and Scheduled Reports Graphical and Detailed Drill downs EMAIL COMPLIANCE REPORTING Who sent, Who Received, Top Domains, Delivery Method, Time Stamps, Subject, Policy And Content! What sensitive data was sent! On Demand and Scheduled Reports Graphical and Detailed Drill downs Includes Reporting on all delivery methods Including TLS Exportable to formats usable by you Allows you to know what email was viewed on a mobile device and when it was viewed 25

To See How ZixCorp Provides Email DLP, Encryption, and BYOD Security come to our booth or contact me Thank you Kevin Cloutier 781-993-6221 Kcloutier@zixcorp.com