Email Encryption: How and why to do it

Although most people take the safety of their emails for granted, anyone working in information security is aware that email is one of the weakest links in an organization's information chain. If a service defaults to leaving emails unprotected, transmitted as plain text, they're exposed to network eavesdroppers. Even when encryption in transit is the norm (Gmail does this, for example), business email addresses are often readily available, and once a would-be hacker has one, all they need to get in is the password. Depending on the savvy of the account holder, brute forcing one particular password may or may not be viable, but rarely is an entire business so well-protected that no one has a vulnerable password. From there, not only is the information in that person's emails compromised, but addresses which may not be publicly available can often be harvested from them, allowing the hacker to repeat the process.


Given all this, encrypting the emails themselves is a reasonable step for anyone privy to sensitive data that must not be placed at such risk. With encryption, an email can only be read on the device where it was decrypted from cipher text back to normal text, or by someone who holds the decryption key (more on that shortly). Without encryption, the only email that is one hundred percent safe from prying eyes is one that nobody cares about.

The next question is, how do we encrypt emails? Or, for certain higher-level professionals, how do we apply encrypted email to a business when we may be responsible for several dozen users who may not have particularly technical skill sets? In all cases, a certain level of education will be necessary, so individual users will need to find a method they're comfortable with and security professionals will need a method they are comfortable teaching. While advice on which encryption methods are best is beyond the scope of this piece, we can make a list of options.

1.) Client-based encryption. Apple email clients are the most used worldwide (iPhone, iPad, and Mac clients are measured separately), with Gmail at number two and Outlook at number five. Combined, these five account for over three-quarters of emails sent. Each of these clients has its own method for encryption, with options to encrypt single messages or to encrypt all messages by default. In either case, the recipient will have to obtain a decryption key, digital ID, or decryption app in order to view the message. This is the most likely option for users who are not IT professionals and whose businesses do not view widespread encryption as a priority but want to protect certain (or all) messages, or for smaller businesses that outsource their mail service and have no control over transit encryption levels.

For instructions on encrypting messages in the five major clients, follow these links: iPhone and iPad (iOS), Apple Mail, Gmail (this requires a browser add-on), and Outlook.

2.) Specialized encryption software. This is the company-wide option, and should be considered suitable for any business large enough to have its own email services. A company of this size will almost always have sensitive data transmitted through email at one time or another, no matter its protocol for transferring such information. For companies that have stricter information security requirements (e.g. health care-related industries that must follow HIPAA regulations, or certain types of financial institutions), this type of software becomes a baseline requirement.

The benefits of encryption software are twofold. First, such software is often less expensive and less burdensome to deploy across a large company. A public key infrastructure (PKI), for example, is a combined hardware and software solution that revolves around digital certificates to maintain security. (If expense and complexity are not an issue, you can find more on PKIs here.) A software-only solution is, by its nature, substantially less costly. Second, encryption software does most of its work out of sight. The main user base will see very little of it, which limits the amount of special training required to ensure everyone knows what to do with the new system.

PC Magazine created lists of encryption software that may be helpful for research. You can find the business encryption list here, and a list of personal encryption software here.

Email encryption is becoming more standard by the year. Find the method of protecting yourself that works best for you and your business interests.
