Thank you for your reply Svante.
Not all our staff need file-level encryption (all our systems use Microsoft BitLocker in case the hardware is stolen) but for those people who need to share files they use AxCrypt.
Some of our clients need confidential documents sent via email and we insist that they’re encrypted to protect us and them. We’ve suggested encrypted zips but not all of our clients will install third-party software. Because Windows compressed folders uses weak ZipCrypto it can’t decompress AES encrypted zips. They’re happy accepting encrypted EXEs. For the same reason they wouldn’t install AxCrypt 2 portable.
The relevant department have their own password manager with client passwords stored in; that’s a password that the client has agreed in person or split 50% over the phone and 50% via secure text (like WhatsApp). The department password database is backed up to our servers.
Our systems prevent external devices being connected, like flash drives, so there’s no chance of a rogue file being introduced by that method. We have UTM appliances which controls inbound and outbound access along with general firewalling of the network and virus protection. We allow executable files to be sent internally and externally although we’ve configured our rules to block inbound EXE files. We host our own Exchange services on premises.
It’s good that AxCrypt aren’t using Cloudflare and between me posting my original message, and me replying, I found this list of presently identified affected domains (it’s a work in progress and being updated as and when Google release more details).
It’s a huge list and I had to use Vim to open the text file.