Email revolutionized communication, especially at the workplace. Distributing faxes and digging through piles of mail to weed out the unimportant junk are no longer issues. While spam still exists, employees can now categorize emails, block content/senders, and even send out automatic responses. But with this reliance on email comes a responsibility to maintain the integrity of electronically distributed information.
Do you need to send sensitive data through email? Learn about the benefits of email encryption to get started today.
What is Email Encryption
Email encryption ensures that the content of an email can be read only by its intended audience. If an email is sent in the clear (unencrypted) and intercepted, an attacker can read everything in it. If the email is encrypted, only those holding the decryption key can read it. This is often called end-to-end email encryption: the sender uses the recipient’s public key to encrypt the message, and the recipient uses the matching private key to decrypt it. Mailfence breaks it down this way:
- Alice (sender) and Bob (recipient) both generate their key pairs and share their public keys with each other. They keep their private key ‘private’ as the name suggests. You only need to generate your keys once when creating an encrypted email account.
- Alice encrypts the message using Bob’s public key in her device and sends it to Bob.
- Bob receives the encrypted message on his device and decrypts it using his private key.
Why Use Email Encryption
The conversation around encryption often involves how companies store data. Do companies encrypt credit card numbers? Are health records encrypted? But as companies implement more security measures to protect data at rest, hackers will likely turn to target data in transit, making email accounts a prime target. Stealing sensitive data via email can severely impact a company because a compromised chain of communication limits a company’s ability to interact not only with customers but also with its own investors and employees.
Five Benefits of Email Encryption
Privacy – Encryption addresses the confidentiality aspect of cybersecurity’s CIA (confidentiality, integrity, availability) triad. Every company and government wants its information to remain private. Whether it is intellectual property or classified information, encryption protects information from being viewed by unauthorized individuals.
Cost-effective – Depending on how your email encryption service is set up, it could save money. If companies use an email service with encryption integrated into the server, they will not have to purchase another server for encryption purposes.
Compliance – Many compliance frameworks require encryption. HIPAA, CJIS, and CFPB rules require it, while the GDPR strongly recommends it. Not all regulations explicitly require encryption, but most state that if a risk assessment finds electronic Protected Health Information (ePHI), Personally Identifiable Information (PII), or Nonpublic Personal Information (NPI) to be at risk, companies should implement encryption.
Efficiency – If email is encrypted in the actual email platform, employees don’t have to use additional programs to secure their emails. Rather, the responsibility lies with the email provider. Instead of following a multi-step process to securely attach files, employees can type and send their messages more quickly.
Authentication – Spam is alive and well, but encryption can help employees identify an authentic sender. Encryption used together with digital signing shows the recipient that the sender is authentic and that the message has not been tampered with. This helps prevent spoofed emails from infecting a company’s systems through an employee’s account.
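The Alice-and-Bob exchange from the steps above, combined with the digital signing described under Authentication, as an added Go example (not code from the original page or from any service it names). It uses only Go’s standard-library RSA-OAEP and RSA-PSS; each party generates its key pair once, as in step one, and shares only the public half. The message text is a constructed sample.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SealedMail is what travels through the mail system: ciphertext plus the sender's signature.
type SealedMail struct{ Ciphertext, Signature []byte }

// Seal is Alice's side: sign with her private key, then encrypt with Bob's public key.
// (OpenPGP wraps a per-message symmetric key this way; the short note itself is encrypted here.)
func Seal(sender *rsa.PrivateKey, recipient *rsa.PublicKey, msg []byte) (SealedMail, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return SealedMail{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
	if err != nil {
		return SealedMail{}, err
	}
	return SealedMail{Ciphertext: ct, Signature: sig}, nil
}

// Open is Bob's side: decrypt with his private key, then verify Alice's signature,
// so a message from a spoofed sender or one altered in transit is rejected.
func Open(recipient *rsa.PrivateKey, sender *rsa.PublicKey, m SealedMail) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, m.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("not addressed to this key: %w", err)
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], m.Signature, nil); err != nil {
		return nil, fmt.Errorf("sender signature invalid: %w", err)
	}
	return msg, nil
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // generated once per account
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	sealed, _ := Seal(alice, &bob.PublicKey, []byte("Q3 payroll file attached")) // constructed sample
	pt, err := Open(bob, &alice.PublicKey, sealed)
	fmt.Printf("bob reads %q (err=%v)\n", pt, err)
}
```

Anyone who intercepts the SealedMail without Bob’s private key gets an error from Open rather than the text, and a message signed by anyone other than Alice fails verification even though Bob can decrypt it.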
Is Any Type of Encryption Acceptable?
Not all encryption methods are the same. When it comes to email encryption, end-to-end encryption should be the goal. So what kind of encryption should you avoid relying on for email? SSL/TLS encryption is what you see when https appears in front of a URL; it indicates that the connection between you and the server behind whatever program you are using is encrypted. However, this means the company running the server holds the decryption key, not the user on the other end. For example, if a person is using Gmail, Google has the decryption keys rather than the recipient of the email. Thus, it is not end-to-end encryption. Another issue is SMTP over TLS (STARTTLS) encryption. Not all mail servers support the same type of encryption; if a Yahoo user sends an email to a Gmail user, the two providers have to accommodate different kinds of encryption, like SMTP over TLS. This can become a hassle when working with multiple parties. Choosing a versatile service that is compatible with other email providers will be enormously helpful.
Common Types of Email Attacks
Email attacks can affect people, data, and access. While encryption alone won’t tackle all of these threats, it’s good to understand what your security team is up against.
Identity Theft
Consider how your email automatically logs you into numerous platforms at work and at home. Email services often come in package deals with other work programs. This setup enables hackers to sift through personal and work files if your email is compromised, and from there, infiltrate coworker accounts or misrepresent themselves to your coworkers.
Phishing
Phishing attacks continue to grow in popularity, mostly because they are so successful and take minimal effort on the attacker’s part. Phishing manifests in different forms, including pharming, deceptive phishing, and spear phishing. With pharming, a threat actor redirects a user to a malicious website by changing the IP address associated with the legitimate website. Deceptive phishing threatens people under the guise of a legitimate website with the goal of getting money. Spear phishing, commonly associated with malicious emails, deceives people into revealing personal information. Moreover, spear phishing can trick employees into sharing intellectual property with unauthorized individuals. Using encryption can help employees identify fraudulent email addresses. In 2018, StaySafeOnline published an article on Five Ways to Spot a Phishing Email.
Viruses
Unlike phishing attacks, viruses involve more planning on the attacker’s part. Your email usually isn’t the direct target of a virus; rather, it is the door that lets attackers infiltrate and incapacitate a company’s system. For example, many malicious emails use attachments with viruses. When an unsuspecting user opens and downloads the attachment, it triggers the virus.
Spam
Nowadays, most people deal with so much spam they might even have a separate email account to field the numerous advertisements and subscription emails they receive. Not all spam is malicious in nature, but it can be used to overwhelm a system, debilitating a company’s communication chain. Another problem is if a threat actor uses a company email address to send out spam. This may result in a PR nightmare and legal repercussions.
Encrypted Email Software
In early 2019, Windows Report released a list with six recommended services for encrypting your email. Although there are many different options, below are several services to consider if you want to implement or change the email encryption service you use.
- If you’re interested in a personal service, consider using Hushmail. An account offers desktop, mobile, and web access as well as 10 GB of storage. It uses OpenPGP encryption and 2FA, offers email address masking, and blocks ads from being influenced by your email content.
- If you already use the Invisible Internet Project (I2P) peer to peer system, then the I2P-Bote encryption plug-in is a convenient choice. The email service requires no server as all emails are stored in distributed hash tables. Emails can be sent anonymously if desired and email delivery confirmation is available too.
- Sendinc offers military-grade encryption and can be integrated within Microsoft Outlook. Moreover, it integrates well with existing APIs. For an individual, the free service would be the best option, but Sendinc also has a PRO and Corporate subscription available. Lastly, Sendinc’s level of encryption makes it an ideal choice for companies looking to satisfy compliance requirements.
- ProtonMail – Protected by Swiss privacy laws, ProtonMail has garnered a lot of users. It offers a free service as well as more comprehensive paid options. In addition to its encryption, ProtonMail offers the option to use your own domain. ProtonMail gives users control over their keys, but the keys are linked to your password. This means that if you reset your password, past emails cannot be decrypted.
- Tutanota – Tutanota, based in Germany, is an encrypted open source email service. In addition to end-to-end encryption, Tutanota markets the option of password protection encryption for emailing those without a Tutanota account.
- Mailfence – Based in Belgium, Mailfence uses OpenPGP public keys and allows users to manage stored keys. However, it is limited to email services that also use public keys.
While the above list contains some end-to-end encryption options, not all services out there do. It’s important to review the compatibility of an email service and make sure it fits with your company’s needs. Since end-to-end encryption is one of the best options for businesses implementing email security, particularly for securing an executive’s email, it’s beneficial to know services that specialize in it.
Small Businesses and Encryption
When it comes to encrypting your email, large businesses have different needs than small businesses. However, it is still important for small businesses to invest in encryption services considering attacks on small businesses continue to intensify. While many large businesses have the resources to pay for encrypted email subscriptions, not all small businesses do. There are some really good free services available that small businesses should take advantage of.
How to Approach Encryption as a Small Business
The options for encryption include TLS, enterprise email encryption, a DIY approach, or webmail service. TLS requires that the recipient and sender configure their encryption in the same manner, making it less feasible for small businesses. Enterprise email encryption, like Symantec or Microsoft Exchange, won’t work well for small businesses because the sender and receiver must coordinate certificates and private keys (it won’t work with companies using more common services like Gmail or Yahoo). These compatibility issues are major problems for small businesses that tend to use consumer email platforms. Working with other small businesses means the selected encryption service must be versatile. Finally, a DIY approach to encryption involves a good deal of technical knowledge and finances, something not all small businesses have.
That leaves using an encrypted webmail service, like the ones listed above. Some services manage your encryption keys for you, and others let you manage them yourself.
Self-Managed Keys
There are advantages and disadvantages to both options, so small business executives should take their own habits into account before selecting a service. Encrypted webmail services can also be frustrating when working with partners who do not have the same kind of email account: recipients not using the same provider will need a passphrase or key, communicated outside of email (for example, over the phone), to decrypt the message.
ProtonMail, Tutanota, and LockBin offer some version of a free service, although each varies in storage capacity and the time limit for storing old messages. Hushmail offers a service for USD 49 per year, and SecureMyEmail also offers a low-priced service.
Auto-managed Keys
In this case, the email provider controls the encryption keys. Sendinc, NeoCertified, and Encyro are just a few of the services that fall into this category. Service-managed keys can make it easier to interact with outside vendors or partners, allowing non-account holders to access an encrypted email via a link with a time limit after which email access will expire. Auto-managed key services provide options for non-account holders to reply with an encrypted email, although some still require a sign-up for an encrypted reply. The pricing varies just like the self-managed key email options.
Before choosing an email service for your small business, make sure to do some research and assess the pros and cons of the different services available.
Need Help?
Emails are important not just because they involve company information but also because they contain a diverse set of information. Whether it be work files, bank accounts, or Amazon shipping numbers, email accounts bring many parts of a person’s life into one platform. Thus, they are particularly vulnerable to phishing scams, intermediary attacks, and more. Without encryption, companies, families, and individuals can face severe repercussions. If your company needs help establishing an encrypted email system, contact RSI Security today.