In promoting zero-trust security, the company focused on e-mail security, which is the exchange of information outside the company, and succeeded in preventing several thousand e-mail risks every month with HENNGE One.
BitKey, Inc. aims to make people more free by connecting them. The company’s unique business is to create new value by connecting people, products, services, individuals, organizations, and everything else in the world to enhance the value of each. The company has been studying the connect-tech technology necessary for this purpose, and is advancing its business using digital technology across the board, from apps, SaaS, and platforms to device development.
We interviewed Mr. Wataru Hiura, Executive Officer VP, General Manager of Information Systems and Assistant to CEO (in charge of BCP and security).
Why did you decide to strengthen e-mail security as the next step after Zero Trust Security?
— Why did you decide to take measures to prevent information leaks via e-mail?
We are a start-up company that has been in business for six years, so we do not have on-premises file servers, for example, and we were able to think about our security model from a zero-based approach. We developed an approach for each risk, such as IDaaS, EPP/EDR, MDM, CASB, etc., while assessing the priority of each risk.
We then created a document that mapped out the tools and services we had already implemented in order to understand the current security risks, and focused on e-mail security, which is the exchange of information with the outside world.
Due to the nature of our business, which involves communicating with many people through projects such as building construction and office relocation that handle highly confidential information, we send a great deal of files by e-mail. Therefore, from the perspective of security risk, we needed to take some kind of countermeasure.
— What were the security issues in e-mail and what were the key points you focused on in strengthening the system?
We did not want to thoroughly enforce so-called PPAP because it would go against the times. Furthermore, if we allowed free use of external large file delivery services, the company would not be able to track them and they would become uncontrollable. Therefore, we decided to use the shared drive function of Google Workspace as a method of sharing with external parties. However, inviting people outside the company to the shared drive would require management by the IT department, and employees would have to make a request to the IT department each time, increasing the workload for both parties.
The employees would have to request or apply to the IT staff to do something, and the IT staff would have to do the work on their behalf. In addition, this kind of process, in which work cannot proceed without a request from the department in charge, may lead to communication friction and personalization, which is not very desirable. Therefore, we wanted a system that is basically self-managed by employees and departments, can be completed entirely on the Web when approval is required, and allows for auditable records of work performed.
In addition, while security enhancement is generally a trade-off for employee productivity, I believe that it is the mission of an information system administrator not to let that happen, and I wanted to make sure that both security and convenience were achieved at the same time.
— Please tell us about the process from consideration to selection.
We are a very speedy company, so we decided to strengthen e-mail security and create a new external file-sharing system, and after comparing other companies and conducting preliminary testing, we completed the company-wide deployment 1.5 months later.
HENNGE One was selected based on its “unchanged employee experience.
— What were the deciding factors in your final selection of HENNGE One?
In selecting HENNGE One, it was a matter of course to meet our security requirements, but what was particularly important to us was that the employee experience would not change. With HENNGE One, the operation of attaching an attachment to an e-mail remains the same as before, and the server automatically processes and sends the attachment.
Also, when sending large files, there is no need to use additional cloud storage, etc., and the expiration date of the file is automatically deleted after a set number of days with HENNGE One, which is a relief. HENNGE One automatically deletes files after a set number of days, so there is no need to worry. From a management perspective, I found the manuals to be open and complete, and the speed of response from the sales staff to be very trustworthy.
And the ease of use by the recipient was also important, and the fact that the service is widely used and recognized was also appealing. In fact, when we took a simple survey within the company, we found that a great many employees had experience using HENNGE One for e-mail attachments received from business partners. For example, when a customer asks for advice on how to receive an attachment, it would be difficult to explain if they had never used the system themselves. The fact that employees could explain based on their own experiences was also a deciding factor in the end.
E-mail misdelivery prevention, large file transmission, and PPAP deactivation functions are also implemented.
— How are you using the system in your company? What do you find attractive about it?
We use HENNGE Email DLP as an anti-message solution, HENNGE Secure Transfer for large file transfers, and HENNGE Secure Download for PPAP removal.
HENNGE Email DLP is attractive for its approval function and audit log function, which help prevent misdirected transmissions that can lead to information leaks.
HENNGE Secure Transfer is used for sending large files. Users can upload the files themselves, create a link and send it, and the trail can be securely managed by the IT department. I especially like the ease of use. Drag and drop files” is displayed on the screen, and I don’t think there is any UX that is so easy to understand.
HENNGE Secure Download’s “system expressiveness” and flexibility in configuration were decisive factors in our decision to adopt the system. After the introduction of HENNGE Secure Download, most of our employees use it to exchange files, but in the unlikely event that we have a business partner who says, “We cannot use HENNGE One,” we can set that domain alone not to go through the conversion by HENNGE One. The ability to respond flexibly in case of emergencies was a point we emphasized in the operational design. HENNGE One matched the direction we were aiming for.
— Did you have any difficulties in preparing for the introduction and deployment of HENNGE One ?
There were no major difficulties in implementation. We created and published an internal manual at Notion that covered how to start using the system and the expected points of uncertainty, using the manual published by HENNGE as a reference.
The greatest result is that risks related to the approximately several thousand e-mails per month can now be deterred.
— What are the effects after the introduction of the system?
I realized the effect of the introduction of HENNGERA on the various projects in the field, and communication such as “At what time did the other party download the materials you sent? The fact that the operation of checking the history of HENNGE One for project progress management has become widespread within the company is an indication of the high effectiveness of the introduction.
In the first month after the introduction, tens of thousands of e-mails were sent, and several thousand were sent via HENNGE Secure Download. This is a much higher number than we initially anticipated, and without the implementation, that many uncontrollable files could have been created each month. On the management side, we see the elimination of this risk as a major achievement.
Aiming to create an environment where employees can continue to improve their work productivity and focus on what they need to do.
— What are your thoughts on future security enhancements?
We have made progress in addressing email security at this time. We continue to work on creating an environment where we can focus on what we need to do without making a trade-off between our security risk posture and improving our employees’ work productivity, always using the latest technology. We are currently recruiting new colleagues, so if you are interested in joining us, we would like you to take on this challenge.
— Finally, do you have a message for those in charge of companies that are considering joining your company?
If you are so inclined, you can introduce the system in less than a month, and you can permanently reduce the risk of uncontrollable email attachments, which amount to several thousand every month, to almost zero. Generally, when a file is attached to an e-mail, the entire e-mail must be inspected by a superior, and only after approval is it allowed to be sent. If you consider that all of these man-hours can be automated by the system, it would be very cost effective.