Hey, good morning and welcome to the ThinkTech studios. This is Security Matters and I'm your host, Andrew, the security guy. Today, we're going to be talking about how risky email has become and is it too risky for your business. I've got a guest in the studio today, a subject matter expert on this exact topic, by the way, so I'm going to get bailed out. Hoala Greevy here, Hawaii guy. Hoala, welcome. Thanks for coming in, man, glad to have you in here. I know you've been on Hibachi with us a few things over the years, so I'm glad to see you in Hawaii. I know you grew up here, why don't you give our crew a little bit of your background and then how you escaped to California and then you're coming back permanent. Yeah, so probably kidney graduate, been doing email since 1999, so if you do anything for 19 years, you better be good at it. That's all we're saying. And I'm the founder and CEO of Paubox and we're a startup based in San Francisco, a team of 12, 1200 customers in all 50 states, and our thing is HIPAA compliant email. So we're the easiest way to send and receive HIPAA compliant email. That's our thing. Awesome. So I remember when it was Pau Spam, remember, and Pau was like Stop Spam. Yeah. Stop Box. Can we have how Paubox evolved out of Pau Spam real quick? Well, shucks, I figured we'll keep the Pau and then Box. Check the Box. Check the Box. Paubox, a cloud-based product. And then when you've got this kind of made up word, you can own the space, which is good to do. So if you type that in, as long as you spell it right, you're only going to find one thing as opposed to other products out there that are competing on common words and stuff. I like how it has the Hawaii roots in it still, too. You know what I mean? So Pau, I don't think they use that anywhere else on the mainland. They know the word if they've been here, but... Well, that's funny you mentioned that. In Hindi, it means bread. Oh, okay. Yeah, you already spelled it for me, okay.
And unfortunately, I learned later in Brazil it's slang for something else. So we're not going to talk about it. But it's breadboxing. Yeah. Wow. Okay, well, and something else. Interesting. Cool. Well, I have, you know what got me on this topic in particular, I've been at a lot of conferences this year and everybody's really talking about the insider threat and how the training of their staff to not click on things. And you know, there's been a lot of work going on in that space for quite a while now. And ultimately, even with, it seems like really persistent training, a lot of organizations struggle to get those take rates, you know, those people who are clicking just absentmindedly or negligently on bad attachments or bad links or clicking on things they shouldn't click on, down into the low percentages, you know, two, three, four percent. So, you know, one out of 20 or 25 people in your organization is still quite a bit of a risk. Well, I have some thoughts on that. Yeah. I think when it comes to a business setting, yeah, one to two percent of your workforce, because it's a work email account, they're, they just subconsciously try and click any link that comes in because they subconsciously think it's for work. Yeah. So they'll, no matter how much training you give them, they're just going to be like, well, this is work. I need to open this. Yeah. Like the company's protecting it somehow, so it must be safe. It can be a company or via a company associate or whatever it may be. Yeah. They're not aware of spear phishing and how the game works. Or even if they are, they just forget and they just want to open stuff. Yeah.
So we've, there was some discussion that those, those ones who keep forgetting after training, that becomes an HR problem actually, you know, once you become a risk to your organization because you don't seem to be able to absorb the training or you don't seem to be able to stop yourself or at least examine the link or whatever it may be first, you know. And those, those training issues, I don't think that they're going to go away. And I know that businesses are very concerned. The discussion at the higher level in, in DOD and in regulated industries is that the supply chain, you know, the small SMB, small and medium sized businesses who don't have necessarily the expertise in house. Maybe they don't have the funds to train their people persistently. They don't really have any way to monitor that data, are going to continue to be vulnerable for this. And you know, what you don't want is to get, you know, a service guy's, you know, laptop or service equipment infected and then he's coming into your organization, bringing malware inside the enterprise somehow. And that's kind of the fear that they have. And so, you know, this is what prompts me to say these things. Well, maybe, you know, organizations shouldn't use email, you know, and there's a lot of, a lot of things that can be done to secure email. So I know you guys have worked long and hard on that; your business is in providing secure email and HIPAA compliant. Why don't we talk just briefly about the, the scrutiny that goes into HIPAA compliant email because that's a high level standard. Yeah. So it's a U.S. It's a federal regulation that applies to health care. And at a high level, HIPAA compliance when it comes to data is you need to encrypt your data at rest and encrypt in transit. So our product, we focus on the transit encryption of email. OK. And email is such an old protocol of the internet. It was built with deliverability as the highest priority in the SMTP protocol. I see.
So it has, it's trying to get there. It's not trying to not get there. Yeah. And message encryption is a lower priority. So if either the sender or the recipient are not set up to accept a TLS transit connection, STARTTLS, the connection downgrades to clear text, unencrypted, without either party's knowledge or approval. And that's why other solutions out there introduce a tremendous amount of friction. And we've all seen it, right? Andrew sent you a secure email, click here to pick it up. They're forcing you to a portal, which they can encrypt using HTTPS. But unfortunately, the introduction of friction makes these solutions very cumbersome and inferior. Yeah, they're inconvenient as well. And so to go back to TLS, what, what I was talking about is that the actual channel provides for encryption while that information is in transit. And if you on the receiving end can't handle that level of encryption, your system may offer a lower level of receipt of that, which is clear text again. So now this information is exposed and it can be taken or whatever, maybe right off the wire. And what we've seen, ironically enough, there's an ocean of email security appliances out there, specifically Barracuda appliances, that come shipped by default with TLS disabled. So how would they do that? So you've got this email security appliance providing you spam and malware protection, you most likely have an Exchange server in your office. But ironically enough, that same thing most likely is having all your emails sent and received in clear text. And that's because it's misconfigured. They should have shipped it with TLS on. They don't. A lot of people don't configure it. And so our product solves that issue where we become, we insert ourselves in the middle of the email transit and we guarantee that every email sent for our customers is encrypted in transit. So that's the value we provide without the friction. Sure.
So if they're using Office 365, then they're sending their email through you from Microsoft, right? So we know it's encrypted leaving Microsoft. To you, it's encrypted and then you've got it the rest of the way. And then if it tries to get delivered to someone who can't handle it, then what happens? We've got a clever workaround where our product detects that on the fly, or if the recipient is only accepting low levels of security encryption like SSL2 or SSL3, then we also automatically upload that to our secure web app and then it's just an extra click for the recipient to read and reply, to go get it. So at least they're not exposed to that vulnerability because their system per se hasn't been upgraded or something. No one should be running SSL2 anymore, things like that. You'd be surprised. I know your team does a lot of research. You publish a lot of blogs on looking at these solutions. Is that related only to HIPAA or have you come across other like PCI, FERPA? There's a lot of the organizations that require certain protections for the data that they're sending back and forth. So what have you seen when you're looking around out there? So FERPA, it doesn't have much teeth to it from the regulatory standpoint. So as a business decision, I think HIPAA is a better place for us to be. And it's not quite as strict as HIPAA. And then PCI for credit card compliance, there's some stricter standards on that, more or less. And then recently, we've been getting pulled in with GDPR inquiries. I think on May 25th, that goes live. So we're carefully evaluating whether we want to be in that market or not. Is it more strict than HIPAA from your first glance or your early research? You know, we're worried about the data sovereignty for one. We just can't be setting up data centers in every country in the EU to service a small account. We like HIPAA because, you know, you've got one market, one currency, one language, and US, right?
Yeah, that's a North American standard, HIPAA. It's a US. Yeah, US only. So, you know, and the whole industry is 10 to 15 years behind. It's just crazy. Like we're fighting the fax machine. That's our true competitor. Really? Amazing. Yeah. So people are still, well, because they thought it was, because at least they didn't have to worry about it being stolen off the wire. Well, but I mean, it's just sitting on the fax table at that point, too. So the HIPAA regulations, according to the Department of Health and Human Services, fax is compliant. So that's why these people are still using fax. Wow. They consider it a compliant, secure channel, which it may or may not be, especially when you introduce these eFax solutions where it gets converted to your email. Is that transit encrypted from fax to email? Sure. That doesn't seem like that. I mean, if it is encrypted, I guess it's OK. But what level of encryption? And then how do you know that the fax machine is not doing the downgrade like you talked about? Yeah. And then if you've got the paper in the tray, that's definitely a HIPAA violation waiting to happen. If you have an onsite audit and you've got protected health information sitting on that tray, that's another. They're sending PHI via fax? Oh, tons. Millions. That's a HIPAA compliant way to transfer. Is it like small offices trying to send to big hospitals, or is it big hospitals trying to? You know, this is one of the big learnings I've found since starting Paubox. The level of fax usage in the United States health care system is mind-boggling. I haven't had a fax machine. Well, I shouldn't say that. I have one of those multifunction Xeroxes, but I don't know if we get faxes. I guess we do. Let me ask you a question. So I was at a conference last year, and there were three CIOs on the panel. So I get my question in. I say, all you CIOs of these hospital systems, how many faxes do you send a month, and do you think that's normal?
And they all agreed the level of faxes they send are just abnormal. None of them knew, except one guy, and he's the CIO for about a six hospital system. Wow. So would you care to guess how many faxes they send in a month? For this one hospital... How do you say it's like a thousand? Seven million. Seven million? One hospital system. Back and forth? Seven million. Or like I send it to you, and you send it to someone else? Like is it chained? Just coming out of their enterprise, seven million. How can that be effective? Yeah. And how could it be secure? Or probably not. So they will go unnamed. So for us, HIPAA is just this huge opportunity. Seven million. That's one page. As if it's seven million pages, that's a lot of faxes anyway. No, that's one fax, four pages, whatever. So we'll be like 15 million pages. Who knows? Oh my gosh. It's just mind boggling. Yeah. A lot of opportunity. Is that... That was the legacy means of transferring in. Is that just... It's like survived. Like they can't get rid of it. Like this is what we do, so this is what we do. That kind of thing. Or what's the attitude? It's just... It's compliant. It's just... They're just stuck behind the times, man. That's 10, 15 years old. Are these encrypted fax connections? No. Of course, yeah. They're not, but according to HHS, they consider that compliant. Simple compliant, yeah. Okay. We're going to take a short break. We're going to ponder PHI going out over fax. This is worrisome. And when we come back, we'll get into maybe some of these other mechanisms for protecting data. Give you some options if you're not sure about your email security or the training of your folks and their ability to handle secure email. So we'll be right back. Aloha.

My name is Mark Shklav. I'm the host of Think Tech Hawaii's Law Across the Sea. Law Across the Sea comes on every other Monday at 11 a.m. Please join us.
I like to bring in guests that talk about all types of things that come across the sea to Hawaii, not just law: love, people, ideas, history. Please join us for Law Across the Sea. Aloha.

Hi, my name is Bill Sharp, host of Asia Review, coming to you from Honolulu, Hawaii, right here in the center of the Pacific Ocean. Asia Review is the oldest of the 35 or so shows broadcast by Think Tech Hawaii. We've been in production since 2009. Our goal is to provide you, the viewer, with information, breaking information about events in Asia. Asia being anything from Hawaii west to Pakistan, from the Russian Far East south to Australia and New Zealand. We hope to see you every Monday afternoon at 5 p.m.

Hey, welcome back to the Think Tech studios and thanks for joining us on Security Matters. Today we've got Hoala Greevy in the house, CEO of Paubox. We are talking about email security. We're trying to decide if it's too risky for business to use email as a means of sending information and we were just talking about the fact that the healthcare industry has a legacy problem with using fax and that fax is actually an approved method for them to transmit documents. So if they get out of the Stone Age and they stop using those fax machines and want to use some secure email like Paubox provides, talk about some of the things that can happen there. What kind of services can we do for them and how are we helping? Well, I think the fax machine is the culprit behind a lot of the inefficiencies in healthcare, data errors, because it's on a piece of paper. You've got to retype it. Yeah, data entry problems. Yeah, I mean it's behind I think a lot of issues in healthcare. We recently released our HIPAA compliant email API, so you can think of it like a HIPAA compliant SendGrid where you can transactionally use our API to deliver HIPAA compliant email straight to the inbox of the recipient. So we're very excited about that and we think it directly addresses, attacks, the fax machine.
So a company, if you have an app or a portal that no one logs into, you can hook into our API to deliver those meaningful messages, lab results, prescription reminders, what have you, straight to the recipient's inbox and still be compliant. So we're really excited about that. That's awesome. And I know you guys have been working in the healthcare space for quite a while. Is that the big boys paying attention or are they still using faxes? Obviously, I would think the small businesses, the small dentist office, doctor's offices, those would need a lot of help because they still have IT people on staff and things like that. So where have you been able to penetrate and get the most support out in the community? So we started off targeting small SMBs. You got a shorter sales cycle, easier buying decision, keep the lights on, we get the money in, keep going, get more customers. And now we're moving up the food chain, going to mid-market. And then we have some discussions with some enterprise customers. But those are longer sales cycles. So we've got a few Fortune 100s that we're talking to. And we're going to make it happen. Yeah. Can you imagine just the savings in fax paper might support the purchase of your solution? You've got to have a little overlap for them there. Just spent three months writing a white paper on that very issue. Excellent. How much does it cost to send a fax? Yeah. And we'll be marketing that quite heavily in the weeks to come. And coming in some shows coming up. So the fax machine is a nightmare for my brain. Let's talk about what else you've seen. What else have you been able to mitigate? Obviously, you've probably seen attacks coming through your filters and the stuff that you guys are doing for these folks. So what's been happening in your side of the world? So ransomware is still a big issue. Especially for health care. Yeah. Last year it was a big issue. It's still a big issue now.
We have verified accounts that these ransomware attacks are getting through the G Suite, Office 365 filters. They're getting through. These customers on these platforms are getting breached. Department of Health and Human Services has declared as of last year that a ransomware breach is also a HIPAA breach, regardless of how many records were. Yeah. Because it used to be really late. What was it before? A thousand records. 500. 500. They had to advertise that they had been breached and provide protection for those customers. By the way, a health care record on the dark web is probably 50, 60 bucks these days versus everybody's worried about their credit card. You can get probably 100 credit card numbers for a dollar. That's correct. It's very inexpensive. But health care records have all the information someone needs to emulate your identity. So that's why they're such a target. That's correct. Yeah. And recently, we've been seeing some pretty sophisticated attacks for ransomware. So the latest one, well, we all know about the Word attachment or Office document that's laden with a macro that injects into your computer, launches code, and you're screwed. And so we can analyze an attachment and look for ransomware in the macro. These signatures change less than every 60 seconds. So the old school approach of downloading a virus signature file no longer works for ransomware because they're changing the code on the fly. So that doesn't work anymore. But now they took it one step further and they're sending a link. So the email does not have an attachment, but it has a link. And they'll insert careful wording to make you want to open it. Either you owe me money or here's some money, basically an invoice. And that link auto downloads and auto opens the macro with the Office document. And so now what we've done is with these links, we're for our customers, because we provide inbound security and inbound email encryption.
We are unpacking the link on the fly in memory, searching for presence of an attachment with a macro. And then we're able to find if it has malicious content or not. And then we'll just prevent that message from being delivered. It's computationally expensive, but that's what we need to do to stay on top of things. So we've done that. And these macros are fairly insidious. You wouldn't necessarily even see them if you were to get the Adobe document or the Word document and open it yourself. It's going to run in the background. It's going to go try to hide itself, depending on what it's for. And you're not going to even know that you've done that. You may know that the document's fraud, something you've gotten. But by and large, the user may not know it. Sometimes they're sending in just crypto mining software, things like that. There's all kinds of things people would like to use your computer for. They really want your credentials. Don't get me wrong. So can you tell us? So you said computationally expensive. So you've got stuff coming through. You're in the AWS environment, Amazon environment. So you've got scalable CPU, scalable memory, scalable storage, all this stuff's dynamically happening. How do you budget for that? You know, how do you know what it's going to cost you on the day when the ransomware goes nuts? Does your computation cost go up double? Our bill is getting up there. We've got probably 50 instances in two data regions with auto scaling in place. It's getting to be a bit complex now. Is there much of a delay when you perform that service for the customer? I mean, because obviously it's worth whatever delay, better than getting the bad macro. So if we're doing it right, we're doing it under a minute. That's pretty good. So yeah. And we're doing, I think about seven or eight million encrypted emails a month now. So that's some decent traffic. Wow. The market leader is doing 30 million a month and we're doing eight.
I hope to catch them by the end of this year. That's awesome. Congratulations. I'm glad to hear Paubox is growing. I'm kind of wondering if, is that a, so let me ask you a question. Is that sort of a bolt-on service? Do you have a, when you come in and talk to somebody about the problems that can occur, do you have a sort of a tiered offering or do you do all of that scanning for everyone that's a customer? Yeah. So well, it's for all customers. So we'll change the MX record, which routes all inbound email through our system first. Okay. And we scan for malicious content and we encrypt the message if an encrypted connection's available. And then we'll set the outbound gateway for the customer. So all that, all remote email goes through our system as well. And of course, we enforce AES 128 or 256-bit encryption on all outbound email. That's how we do it. That's awesome. So do you have any data on the percentages of stuff that you're seeing come through, as 5% of it bad, 10%? Remember back in the Pau Spam days, remember the Pau Spam was your first one and spam was going nuts. And I think you stayed up and did it in one night is what I recall. You climbed out from under the desk and Pau Spam was born. I was like, he's like, I built a spam filter. I'm like, really? I was at your office. You remember that? I mean, so and so and back then it was like spam was starting to become 10 or 20% of all traffic. He's like, oh my gosh. And spam is probably still really bad. But do you guys have metrics on what you see? It's still 80%. Spam. Or garbage. Spam, virus, ransomware, phishing attack. So stuff that you reject. 80% of the email on the internet is just rubbish. When you detect that, do you know if it's from, is it because someone's been compromised and then someone's trying to send stuff with their email? Or so do you alert them? Hey, looks like you've been compromised. Like how would I know if I was sending, if I sent a virus attached to an email through your system?
Would you know, hey, Andrew, someone's on your computer that's infected you or something? Or is there feedback from me? Or do you just, you don't want to deliver it obviously? Do you send a message, this is not going to be delivered because it was found to be infected? What do you, how do you alert people? The level of sophistication now is pretty impressive. We were previously looking at domain names. This is something we built in house. So we'd say, hey, this domain name was created four hours ago. Why is it sending email? We don't want to talk to you. So that worked pretty well. Well, now these spammers, they're using domain names that they bought like six years ago. That they just have on file. Because everyone's forgotten those were bad. Yeah, and then their IP is legit. It's on a neutral IP, neutral domain name. It's pretty sophisticated. I wouldn't be surprised if these are nation-state-based attacks. I mean, just, I'm sure. And then they'll- Especially in our healthcare system. I mean, I'm confident that they want in there. And then on these malicious links, they'll actually, we've seen them hack into, say, a university website and in a subfolder, plant all the malicious content. So now this link is pointing at a legitimate website of a .edu. But in one specific subfolder, it's been compromised and they haven't figured it out yet. So the link is legit. And then people are going there and pulling down malware. Yeah, I mean, it's just unsuspecting. It's pretty sophisticated. Yeah, the nation-state actors. So we had DHS, NSA, a big conference here just in Hawaii, just on Wednesday this week. And basically the nation-state actors, China, Russia, Iran, North Korea, basically NSA can deal with them. The rest of us can't. It was kind of how they left us. Now, those guys are sharing their intel with FBI, DHS, that they're pushing out to the consumer space. But we're almost indefensible, right? I mean, against those. I've seen DHS present. They're too slow.
Yeah. This information sharing, they're too slow. I've seen it. They're too slow. Yeah. The former DHS head, I think it was Jeh Johnson. He's on record saying email is the number one threat vector on the internet. Sure. And I strongly agree with him. Yeah, I mean, these signatures are changing every 58 seconds. And these guys are taking a week to exchange information. It's too slow. So the lesson learned here today, get some encrypted email if you don't know how. Get ahold of Paubox. Let them help you out. It's really important that you pay attention. These are the things everyone's talking about. Your employees are a problem. You yourself may be a problem with your cyber hygiene, your cyber insurer, your handling of email. So get some help because security matters. Thanks so much. We'll see you next week.