Disjointed tools aren’t just inconvenient—they’re a disaster waiting to happen.

When systems like Microsoft 365, S/MIME, and Symantec PGP don’t play nice, email encryption fails. Sensitive data leaks. Compliance violations pile up.

Here’s the reality: poor interoperability is your weakest link. Every misstep in your multi-vendor setup is a chance for failure—risking trust, compliance, and critical workflows.

Jack Pollard (Enterprise Strategy Group), Chris Peel (Echoworx), and Jules Martin (Mimecast) get straight to the point: seamless email security isn’t optional anymore. Smarter encryption and integration can take your chaos and turn it into a system that actually works.

Introductions

Chris: Echoworx specializes in message encryption. We've been innovating in the field of message encryption for over 20 years. Our focus is on helping organizations undergo digital transformation, especially as part of modernizing their encryption processes. Email encryption is indispensable—it’s not going anywhere. Echoworx supports this transformation for enterprise clients across industries like healthcare and finance to meet regulatory requirements. Beyond meeting regulations, we strive to integrate encryption into business success by making adoption seamless. Recently, we’ve partnered with Mimecast, a leader in message security, to enhance these capabilities.

Jules: That's a great question. Mimecast boasts over 200 integrations with technology partners, and Echoworx is one of the easiest, if not the easiest, to deploy. It's straightforward, focused on business needs, and about making the best choice for your business. To provide some context, email remains a massive communication channel, with 306 billion emails sent daily worldwide. Such a volume comes with significant risks, including accidentally sharing sensitive information. The beauty of our partnership lies in its simplicity and flexibility for customers—it gives them the choice of robust encryption to prevent mishaps while supporting large-scale enterprise solutions.

Mail flow: Echoworx integration with Mimecast email security

Let’s Talk About Ease of Adoption

Chris: Encryption solutions have been in use for about 15 years, but we now see a "second wave" of implementations. Initially, message encryption was mainly about regulatory compliance. Today, it’s an essential business tool. If encryption isn’t user-friendly—whether for senders, recipients, or IT implementers—adoption suffers, and people find workarounds, which introduces risk. At Echoworx, we’ve addressed these adoption challenges by streamlining processes. For example, one Irish banking client doubled their sender adoption rates post-implementation and quadrupled recipient engagement. It's proof that usability and integration are paramount.

Jules: Exactly. With tools like Microsoft 365 and Google Workspace dominating the market, our recent Mimecast survey found that eight out of ten CISOs worry about inadvertent data leaks. And while these platforms provide some basic security, 94% of respondents felt their out-of-the-box capabilities were insufficient. That's where seamless and automated solutions like ours come in—they integrate easily and elevate security without complexity.

Chris: We see a similar trend with message encryption. Many vendors, like Microsoft, offer a basic, one-size-fits-all approach that doesn’t adapt to specific business needs. This became especially evident with Mimecast in sectors like legal within the EU, where specialized encryption solutions such as PGP or S/MIME are essential—needs that standard Microsoft technology cannot meet.

Jules: It's a really great point. And if you think about the way our life has actually evolved as well, where we used to have a work-life balance, now we just have "life." We've got extended days and everything else. It’s very difficult to train a zero-trust mentality inside an organization when you're flipping between looking after the children, answering business emails, and handling personal tasks all in the same day.

And when you talk about 365, another great point I'd like to make is that it's the number one collaboration tool globally from an adoption perspective in email services. But it's also the same tools that threat actors use to try and infiltrate and break into systems. So, having a mix of best-of-breed products has always been the best approach. And with this relationship, it proves to be so.

Anytime, Anywhere, Any Device Approach

Chris: The ubiquity of secure message delivery is critical.

Organizations today need to meet diverse business requirements, and Echoworx’s multi-channel, policy-based encryption engine ensures they can do just that. We support six different delivery channels, including opportunistic TLS, encrypted portals, PDF encryption, and more. This means businesses can programmatically embed specific data classification and compliance needs into their encryption policies.

For example, TLS might be the optimal channel when it's available due to its seamless recipient experience, but we ensure fallback options like encrypted portals or PDFs to maintain security when TLS isn’t viable. This eliminates the risk of defaulting to insecure channels. Beyond delivery options, Echoworx provides highly flexible authentication mechanisms to balance security and usability. This includes social connectors, allowing users to authenticate via Gmail or O365 accounts, or two-factor authentication for increased security. We’ve even introduced SMS verification to simplify the process further, enabling recipients to authenticate through their mobile number without requiring full registration.

Echoworx’s adaptability shines in real-world applications. A UK-based insurance company, for instance, uses our platform to meet varied business needs—including sender-set encryption policies and user self-authentication through social connectors.

This flexibility ensures they comply with diverse data requirements across different use cases. Similarly, we see legal firms leveraging PGP for high-security B2B communication while using our portals for frictionless, client-facing interactions.

At Echoworx, we focus exclusively on encryption, delivering best-of-breed solutions tailored to meet organizations' unique needs. Unlike other providers offering basic push-pull models, our platform is designed to flex into any scenario, providing secure, seamless, and user-friendly encryption options.

Jules: And if you think about where we come from in protecting communications, people, and data, it’s clear why this alliance works so well. Mobile devices are a big part of this—whether it’s laptops, tablets, or phones, we’re always on the go.

These devices often hold sensitive data alongside personal apps like music players or messaging tools, creating multiple avenues for potential compromise or data leakage. That’s why having a multi-channel, secure approach is absolutely essential.

Chris: And one of the key things about the Echoworx-Mimecast relationship is the ease of integration. As Jules mentioned, it’s one of the simplest integrations they’ve implemented among hundreds. Since it’s boundary-based, features like shared folders and shared mailboxes are easily supported.

More importantly, this approach allows Mimecast to scan outbound communications for content, ensuring compliance with policies like DLP. If there’s a compromised internal user, you can prevent their outbound communication from being encrypted and sent out. This adds an additional layer of security, ensuring both compliance and protection against potential threats.

Jules: Absolutely.

If we see anything, we can take a number of actions through to our policy engine, where we can block a user, literally from sending any emails. We can quarantine, we can reject because of DLP policies, etc. And that really covers both, you know, if it's a malicious actor, if it's employee error—which is typically a bigger problem here than anything—or even technology fallibility, where they're trying other means to communicate because it's just not working for them. We can trap everything, being gateway-based as well.

Chris: We worked recently with a financial institution that, from a message encryption perspective, had been encrypting content at the desktop in a zip file before sending it out. That caused two major issues. One, as Jules mentioned, if there was compromised content or a virus, it would have bypassed AVAS on the outbound.

Two, DLP couldn't monitor data leakage. Echoworx helped modernize their process by allowing content to go through normal scanning—AVAS, journaling—and then applying encryption in a secure outbound format.

We also discovered another use case: if inbound communication includes encrypted zip files, they can be routed back to the sender to use the Echoworx portal. There, the encrypted file is decrypted securely, and Mimecast can scan it for viruses before delivering it over TLS. This eliminates quarantine delays by securely managing decryption and ensuring compliance.

Jules: Yeah, that’s a great point.

It’s about addressing a multifaceted problem, not just focusing on encryption but blending two solutions for greater security. With ongoing supply chain issues, credential theft, and advanced persistent threats, organizations need that additional layer of data and business security. Since around 2018, we’ve seen an 81% increase in adoption of integrated solutions like this. Of our 40,000 customers, over 60% are on 365.

But it’s not about putting everything into one expensive license—it's about choosing best-of-breed solutions and, more importantly, ensuring they work seamlessly together for maximum business impact.

Leverage all the encryption functionality with support for any device and full secure replies.

Driving Recipient Side Adoption

Jack: You mentioned something that I hadn't really thought about before, but I think it helps drive adoption from the recipient's side. One point was about how someone outside an organization can send a secure email into the organization.

I've experienced this personally with my tax accountants. When I need to send them my tax information, the first step is usually emailing them to ask how I can send it securely—without just blindly emailing all my personal information in plain text. Then they send me a message through a secure portal, giving me a login to transfer my files securely.

Chris: That solution is a coordinated capability between AVAS, Mimecast, and Echoworx. We're providing the inbound communication, while the SEG gateway handles detection and sends notifications back.

Echoworx offers 2 or 3 mechanisms for ad hoc inbound secure communication. For example, in the O365 world, message encryption is limited to replying to messages that were sent to you. Echoworx, however, provides features like guest compose, a direct open portal message, and self-registration. These options allow organizations to extend secure ad hoc inbound communication.

If, for instance, I’ve asked you for tax information or you want to send it in securely, Echoworx provides a mechanism for that. All communication is secured inbound while still passing through Mimecast AVAS, journaling, and archiving. This ensures all mail hygiene and workflows remain intact while offering flexible options based on organizational needs and requirements.

I face this challenge personally when filing taxes. My tax agent doesn’t provide a secure way for me to share information. As someone in the security space, I’m very uncomfortable sending anything over email and would never do so. This is a high-demand requirement.

For example, we worked with a Scottish bank that digitized its entire onboarding process. They eliminated paper and post by sending applications as encrypted PDFs, and we provided a secure reply mechanism. This is a common use case we see with many customers.

Jules: Absolutely.

As I mentioned earlier, 95% of breaches are due to human error. In our mixed environments, it’s easy to attach the wrong file to the wrong person, which is a perfect example of why secure communication is so important.

Verifying Identity—Using Social Login

Chris: Really, the organization determines that. The short answer is yes.

Echoworx operates as a configuration platform, meaning we don't do customizations but instead enable flexibility through configurations. What's happening is the organization delivers the message to you via a portal or pull functionality and can choose to enable one or multiple social connectors.

These connectors authenticate you through OAuth, verifying that you own your email address—whether it’s user@gmail.com or user@echoworx.com. It’s similar to logging into Spotify with your Gmail account. Under the hood, it’s a widely known standard ensuring you own that email address.

This setup provides enormous value from a usability perspective. For example, if you're already logged into Gmail on your device, clicking the Gmail icon will seamlessly verify and log you in. It’s like federation—simple and frictionless.

Echoworx also supports other standards like FIDO2, allowing users to log in with their fingerprint or facial ID for added convenience. These features are optional and configurable by organizations, and everything remains brandable for a seamless user experience.

The key here is creating a frictionless process without compromising security.

Driving Frictionless User Experience

Chris: Absolutely.

Another big driving factor is user support.

Password-related issues are often the top concern with portals and technology. Echoworx streamlines this with self-serve functionality, but enabling social connectors reduces that pain point even further. Users are already familiar with logging into their Gmail or Hotmail accounts every day, often through saved credentials or password managers. That eliminates the need to manage yet another account, reducing friction for users.

For example, an Irish bank recently implemented this, and one of our tier-one global banking customers—sending upwards of nine million messages a month—is adopting this structure today. Lowering user support calls is a key factor in the success of these projects.

Let’s Talk Sender Side

Jack: If I'm going to send an email—let's use the example of filing taxes. If I'm the tax preparer sending the taxes back to the client with instructions to review, sign on the dotted line, and file with the government, do I have to manually encrypt that email as I send it out?

Chris: In my experience, most organizations train their users to be mindful of what they're doing. Tagging sensitive information at the endpoint is a key part of that education because security starts with the end user.

As Jules has mentioned repeatedly, the human element is the primary facilitator of attacks. So, training people to recognize when encryption is needed is crucial, and that doesn’t change across organizations.

However, many organizations also implement DLP (Data Loss Prevention) on top of this. DLP can identify PII (Personally Identifiable Information) and ensure it’s flagged for encryption. For example, with tools like Mimecast and Echoworx, a well-integrated system can identify sensitive information and route it to encryption automatically.

So, while user training is essential, DLP acts as a safety net for when users forget to encrypt sensitive data.

Jules: The key here is having an integrated architecture to keep up with the growing demand and evolving threats. New risks emerge constantly, whether from geopolitical shifts or increasingly accessible ransomware and malware. A gateway solution that monitors both inbound and outbound traffic is critical.

And the question is, why wouldn’t you want to integrate that with your other security solutions?

If we detect a threat at the gateway, why not use that intelligence across your entire security stack to take coordinated, remedial action?

The Value of Integration

Jules: If you look at it from a years-of-experience perspective—I've been with Mimecast for 15 years, and I've seen many changes. We used to target the IT team, those email admins, the engineers looking after messaging, archiving, e-discovery, backups, etc. Now, we're talking more and more to either a combined infrastructure team with a director or CISO, or security teams. We're engaging with engineers and analysts because they're now combining the two together.

The whole conversation has shifted. People now see this as a business issue, not just an IT issue. It’s not just about having something at the gateway to look for specific patterns or strings, like phone numbers or credit cards. It’s about taking a holistic approach to ensure the best solution is combined with other best-of-breed solutions.

Making it easy for the user is absolutely critical, but we also need to think about how multiple solutions can work better together. What more can you achieve through integration? That’s really the key message, isn’t it, Chris?

Chris: Yes, I agree. And I echo what you said there as well.

In my recent projects, it’s the business leaders driving the demand to modernize and rejuvenate operations. Security teams are in the room for verification, while IT supports the solution. It’s become a business decision, not just a technology decision. The best solutions often come from getting the best-of-breed tools to integrate seamlessly. That’s where the customer truly wins.

Read our brief on how Echoworx and Mimecast simplify email encryption.

 

For the IT Folks Out There

Jules: From our side, it's as straightforward as updating an MX record.

We essentially become the recipient of your email traffic, monitor it at the gateway, and deliver clean, secure emails to the user. Echoworx integrates seamlessly with a simple routing policy—email gets sent to Echoworx, they work their magic, pass it back to us, and we deliver it securely. It’s a very simple process, whether you’re adopting one solution or the integrated version.

Chris: Exactly.

We’re using standard deployment models, so there’s nothing here you haven’t seen before. In fact, we can often set up a proof of concept (POC) in just a few days. In many cases, we spend more time on paperwork than on the technical execution. The integration is straightforward and easy to implement.

Jack: That’s sort of a marker of our times that the contract effort is much longer and harder than the technology itself. I think that’s a testament to the simplicity and ease of use that the solution provides, both from the Mimecast side and the Echoworx side.

Jules: We have a team of people who can help you onboard, but we’ve also got a network of partners between us who specialize in both solutions. These are highly respected and trusted advisors who are skilled at deploying this kind of technology. So there’s plenty of support available. But just to reiterate, it’s not complex, and bringing the two together is as simple as it could possibly be.

Let’s Talk Complex Environment

Chris: That’s an interesting question.

One of our largest customers is a tier-one international bank. They were running an on-premise message encryption solution, which they replaced with Echoworx in the cloud. Their SEG gateways are running either on-prem or in the cloud, but the integration with us was straightforward. They implemented specific routing where any messaging requiring encryption was routed to Echoworx. We handled the encryption and routed it back.

We started with about 4 million messages per month around five or six years ago, and now that’s grown to 9 million messages monthly. Due to the size of the customer, we broke it into two encryption queues: one for application-based messages, with large applications dropping hundreds of thousands of messages, and one for end-user encryption to ensure faster processing.

The integration itself was pretty straightforward once the routing was defined. Most of the complexity came from internal discussions about routing and infrastructure, which is standard with any customer. The only additional layer of complexity comes when supporting technologies like PGP or S/MIME encryption. For those, Mimecast’s SEG gateway detects inbound PGP or S/MIME messages, routes them to the Echoworx engine for decryption, and sends them back to Mimecast. This adds about three or four implementation rules at most, even in the most complicated setups.