Rick Goud, CIO of Zivver: why focusing on malware-proof email service is not enough
Email security stems from choosing a secure email provider who will protect you against malicious actors hungry for your data. Right? Wrong. You might be in for a great surprise as choosing a provider who cares more about outside threats than inside dangers can leave you empty-handed.
“Malicious actors involved in hacking, malware, and phishing, typically account for ‘only’ 5% to 10% of data leaks,” CIO and Founder of Zivver, Rick Goud, shared with CyberNews. Zivver is an Amsterdam-based startup focused on delivering secure communication solutions to companies throughout the world with over three million active users.
Where do data leaks mostly come from then? Surprisingly, mistakes made by employees are the main reason for company information getting in the wrong hands, according to Goud. But how can you really fight that? Is it possible to change the behavior of your workers or should you adapt the technology to prevent such “human error slips?”
To address these and more questions, we sat down with Goud to chat about email security, the latest trends, and the goals of Zivver.
What was your main incentive for starting Zivver?
Around seven years ago, I saw GDPR coming up. It was not yet announced, but you felt things boiling since Snowden, building up the momentum towards legislation. When I looked around, I saw everybody using email, Dropbox, WeTransfer, WhatsApp, fax, couriers, snail mail, insecure SaaS-tools, or non-user-friendly portals to share extremely sensitive information. And when I asked “why?”, people always answered: “because I don’t know how to share sensitive information securely AND easily.”
I thought that was probably untrue, but when I did market research, I found out that I could not find a solution in the world that, according to my standards, was secure AND user-friendly enough. Moreover, solutions that were available only focused on securing information transport using encryption, while I saw that they didn’t do that according to best practices.
More importantly, I saw that they didn’t focus on the problem they should have been focusing on. Suppose I ask a hospital, a council, a law firm, an insurance company, or an accountancy firm, “why do you want secure email?” (one of the solutions we provide). All of them will give me the same answer: “because we don’t want sensitive information ending up in the wrong person’s hands.” Or, to rephrase, because they want to prevent a data leak. Then I thought, if data leaks are the problem we are trying to solve, I need to look at the causes of data leaks.
And that is where data comes into play. Data leaks that occur before, during, and after sending of information were, for the most part, related to employees not being able to work in a secure way, rather than the actions of malicious outsiders. To summarise, I saw no other technology solution provider focused on enabling employees to work in a secure way, or helping them to make better and safer decisions in their entire communication process. That was the starting point of Zivver, a company built around the idea I had on how to combine decision support, encryption, authentication, and data leak prevention, all in a user-friendly way.
What makes Zivver stand out as an email provider in such a competitive market?
In summary, Zivver provides organizations with all the controls they need to help their employees prevent email data leaks before, during, and after sending sensitive information. As a communication platform, we support various business use cases, including secure file sharing, secure message portals, digital signing of documents, and secure email. We see secure email as the starting point of digital communication transformation for organizations.
However, secure email is to email as Tesla is to a normal car. It looks the same but is built with totally different technology. We have redeveloped email to be secure - not by being email but by disguising Zivver as email, so that people do not have to change their usual way of working. This approach allows us to overcome problems that cannot be dealt with using the old technology of email.
Also, none of the vendors we have seen in the UK are able to support that two-factor authentication. Without it, you cannot actually comply with the GDPR because you cannot prevent unauthorized access with email.
In addition, we allow senders to revoke messages, also showing who already had access to the email before doing so. This helps with the prevention of data leaks, as well as to identify the mistake and its impact. On top of that, we log all information.
We stand out from other secure email competitors because we make the entire communication process secure instead of being a point solution. Here are some examples:
- We involve employees in securing email instead of being a gateway solution.
- We can ensure that only intended persons have access to your email, while other providers cannot.
- We do not limit ourselves to ‘old and boring’ email like other email vendors but see email only as the use case where you need to start your digital communication transformation from. Being a secure communication platform allows us to support a broader range of different communication use cases, and to be a trusted partner to organizations now and in the future.
When it comes to cyber threats in the email sector, what are the main ones?
To answer that, we need to look at the statistics from European countries with a leading data leak reporting system, like the Netherlands, Germany, Denmark, and the UK. Those stats from over 250,000 data leaks reported since GDPR’s introduction reveal that around 80% to 90% of data leaks are caused by benevolent employees making mistakes and employees not following company policy. Think of misaddressed information, sending the wrong information, and forgetting to properly add security measures such as encryption and authentication by using ‘normal email.’ Malicious actors involved in hacking, malware, and phishing typically account for ‘only’ 5% to 10% of data leaks, which is surprising for most people.
What precautions would you suggest companies take to protect their emails against such threats?
Gartner recommends using tools they refer to as Email Data Protection Supplements to enhance the security of Outlook, Office365, Gmail, etc.
There are, however, various types of email data protection supplements. Ones like Zivver can tackle all the mentioned risks by putting decision support in place to help employees make better decisions, using encryption that ensures zero access by third parties, and authentication to ensure only intended recipients can access the data. These supplements are typically much cheaper than Microsoft E5 licenses and easily create a positive business case by reducing risks and costs for individual point solutions, snail mail, and fax.
Do you feel like different sectors (for example, financial, healthcare, etc.) should have email security features tailored specifically to them, or should such solutions be universal across industries?
Technology should be universal but configured according to each sector’s needs. Classification of sensitive information in healthcare is different from that in financial services, for example.
Healthcare data needs to be protected with the strongest encryption and authentication because personal medical information is categorized as a special type of information under the GDPR. However, the financial sector organizations sometimes opt for lower security in favor of sender and recipient user-friendliness. This is and should be possible using the same technology or platform, as these sectors also communicate a lot with each other.
According to your website information, most data leaks are easily preventable. What new features have you implemented to help combat cyber threats?
As described earlier, we prevent data leaks before, during, and after sending. Before sending, we help employees avoid sending a misaddressed email by detecting ‘unlikely recipients.’ We also help prevent leaks by warning senders about specific sensitive information included within messages and attachments, and by helping employees select the appropriate security measures according to the company’s policy. All of this is done in a way that’s as non-invasive as possible, using colored warnings integrated into the email clients.
During sending, we apply encryption that ensures only intended parties can access the email data, as even we don’t have your decryption keys; something all other vendors we see in the UK cannot do.
After sending, we add recipient authentication and the option to revoke messages while also giving insight into the ‘read’ status of a message. These are additional features that no other UK vendor provides.
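The pre-send decision support described above (unlikely-recipient detection, sensitive-content warnings, and policy-driven choice of safeguards, surfaced as a colored warning) can be sketched as follows. This is an added illustration, not Zivver’s code; the known-domain list, the content patterns, the policy table and the sample message are all constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data: domains this sender has corresponded with before.
KNOWN_DOMAINS = {"example-hospital.nl", "example-partner.com"}

# Illustrative content classifiers. A real deployment would use sector-specific
# rules, since healthcare and finance classify sensitive data differently.
SENSITIVE_PATTERNS = {
    "medical": re.compile(r"\b(diagnosis|patient|medical record|prescription)\b", re.I),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}\b"),
}

# Hypothetical company policy: which safeguards each data class requires.
POLICY = {
    "medical": {"encryption", "recipient_2fa"},
    "iban": {"encryption"},
}

def check_recipients(recipients, known=KNOWN_DOMAINS, similarity=0.8):
    """Return (address, reason) for recipients at unseen domains; note look-alikes."""
    findings = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain in known:
            continue
        closest = max(known, key=lambda k: SequenceMatcher(None, domain, k).ratio())
        if SequenceMatcher(None, domain, closest).ratio() >= similarity:
            findings.append((addr, f"domain resembles known domain {closest}"))
        else:
            findings.append((addr, "domain never contacted before"))
    return findings

def classify(text):
    """Return the set of sensitive-data classes detected in a body or attachment text."""
    return {label for label, pat in SENSITIVE_PATTERNS.items() if pat.search(text)}

def presend_check(recipients, texts, chosen_measures, policy=POLICY):
    """Combine both checks into a colored verdict plus the safeguards still missing."""
    classes = set().union(*(classify(t) for t in texts))
    required = set().union(*(policy.get(c, set()) for c in classes))
    missing = required - set(chosen_measures)
    recipient_warnings = check_recipients(recipients)
    if missing or any("resembles" in reason for _, reason in recipient_warnings):
        color = "red"      # block-worthy: look-alike domain or policy not met
    elif recipient_warnings or classes:
        color = "amber"    # sensitive content or new contact: ask the sender to confirm
    else:
        color = "green"
    return {"color": color, "classes": classes, "missing": missing,
            "recipients": recipient_warnings}
```

Calling `presend_check(["dr.jansen@example-hospita1.nl"], ["Patient X diagnosis attached"], {"encryption"})` yields a red verdict: the domain resembles a known one and recipient authentication is missing for medical data.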
Share with us: how do you balance email security and user-friendliness?
Email stems from the seventies, and it was not built for the level of security we need today. It was not and will never be. That is why so many organizations have a policy that sensitive information should not be shared via email but, instead, via some sort of message portal. However, that is rarely successful. Those portals are expensive to set up and are, for the most part, unused.
That is why we believe that secure communication has to start with email. So we had to fix it. But similar to how Tesla had to reinvent the car to overcome the problems of gasoline cars, we had to reinvent email to overcome security and usability deficits and decided to disguise it as ‘normal’ email. The end result is that people don’t have to change their usual way of working and are actually helped in making better and safer decisions; email 2.0.
What are some of the challenges you have faced with implementing new email security solutions?
Many! To name some, for example, encryption: we really don’t have your keys. This sounds logical but comes with many challenges. Like, how do you support search, as searching in encrypted data is not possible? And updating our software takes much longer because we cannot easily migrate data, as we cannot access it.
When we started Zivver, we wanted to follow clean privacy by design, privacy by default, security by design, security by default, and a data minimization approach, knowing it would slow us down significantly with innovations, but also knowing it would become a USP and a must-have. And with the recent European Data Protection Board recommendations that scream for encryption, which only we offer in Europe, this USP is certainly becoming more and more important.
Which company achievement are you most proud of?
I am most proud of the fact that we currently help over 4,000 organizations with their day-to-day secure communication and have an NPS score of over 40 consistently. For a security solution that is extremely good, because security never makes the lives of people easier, and because secure email will never be as simple or as normal as insecure email. However, we are good at making it as easy as possible!
Give us a sneak peek into some of your future plans for email security.
Our future plans include expanding beyond email. Let’s take large files, for example. Why do you have to go to Dropbox, WeTransfer, or SharePoint if you want to share a file of, say, 26 megabytes? You want to communicate, not worry about file size. Why do you have to change context when a file becomes bigger? We believe that users should not switch context but that technology should. That is why we support files up to 5,000,000 megabytes being added to ‘an email,’ where we’ll use different technology.
Another example: you share a concept contract via email and, once it is final, want to have it signed. Why do you then have to go to Docusign.com or Adobesign.com, log in, create a sign request, fill in a lot of info, hit the send button, and then go back to your email? Again, why do you have to switch context instead of the technology adapting to your use case? That is why we are soon launching Zivver Sign, allowing users to sign or send out a sign request from Outlook, O365, Gmail, etc., within seconds.
And we have many more of these innovations around secure communications on our roadmap, where we help companies communicate more effectively and more securely from a single platform.