Should your business only allow encrypted email?
The business world is a dangerous place. When it comes to email, things can quickly go from bad to worse. While most companies encrypt data at rest, secure the connection to the mail server, and require a login to the end-user client, it's far less common to encrypt the message itself.
But without encryption, a hacker could gain access to an important business document or project plans, accounting information, or even login details for a server just by guessing a password. At the same time, using encryption for every message might seem excessive – and cause slowdowns and extra security steps for end-users.
So TechRadar Pro decided to find out from experts exactly when it's a good idea to use full encryption on messages, not just for the connection or the mail client. It adds an extra layer of protection, and it makes sense for certain types of businesses and communication, although the experts observe that it might not be needed for all email.
When to use encryption
There are times when the entire chain of communication should be encrypted, including the SMTP or IMAP/POP connection to the server, the client, the transmission, and the message itself. That last layer, while the most effective, also adds some confusion and consternation, because you can't just pop into Gmail and read an email from the boss.
Giovanni Vigna, PhD, is the Co-Founder and CTO of Lastline, a malware and breach detection company based in California. He says all messages should be protected at the server and client, but only sensitive messages need to be fully encrypted at all times.
“The major benefit is that if the mailbox of a user is compromised and its contents leaked, the world cannot see what the messages contain, unless they have access to the secret key of the people involved,” Vigna says. “Therefore, it is very useful to use encryption for sensitive emails, as it protects organisations and individuals against unauthorised disclosure.”
Christian Lees, CTO and CISO at the identity protection firm InfoArmor, agrees that sensitive emails should be encrypted because of the risk of compromising intellectual property and key strategic business practices, and the threat of interception on public networks. By encrypting the message itself, you ensure it stays protected over any network it crosses, not just the ones you know about.
“The goal of email encryption is to protect your messages with included content over an untrusted network,” Lees observes. “Protection should be the goal across all areas of the business from operations in communicating with partners, customers and vendors, C-level executives guiding the organisation in strategy, to Human Resources safe harbouring employees’ personally identifiable information.”
Lees argues that this approach to sensitive information means a smaller overall attack surface. Email encryption can also be linked to other security strategies, such as single sign-on, data loss prevention, spam filtering, and antivirus protection. It's an approach that covers all fronts, although he does advise using a trusted encryption platform for email.
Liz McIntyre, consumer privacy expert and spokesperson for StartMail.com, says another reason to encrypt email messages themselves and not just rely on authentication has to do with compliance regulations such as HIPAA (Health Insurance Portability and Accountability Act). This usually means healthcare organisations, hospitals, and clients.
At the same time, McIntyre says every company has private information and trade secrets worth protecting. Ironically, many companies don’t know that email can be encrypted with a few clients. For example, with StartMail, you can enable PGP encryption for messages in one click. With Gmail, you can add extensions like SafeMail to digitally ‘sign’ all messages.
Encryption for all messages?
Should you always enable email encryption for messages? That’s doubtful, says Tony Anscombe, a Senior Security Evangelist at AVG. One argument against doing so is that it adds enough complexity that employees might circumvent it anyway – and you create more of a problem.
“The use of PGP requires both the sender and receiver to have keys and to exchange them before the email is sent or received – for most users other than the technically aware this may be a process that is beyond usability,” says Anscombe. “Other solutions such as S/MIME have similar issues where the users need to have digital certificates, again adding a level of complexity that the majority of users neither fully understand nor would accept in everyday use of a communication tool.
“The upside to these mechanisms is that they are very secure, the downside is of course the complexity which means low adoption.”
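The two points made above, that the sender must already hold the recipient's key before sending and that a compromised mailbox then yields only ciphertext, as an added Go example that is not from the article or from any of the vendors quoted. It uses RSA-OAEP wrapping a per-message AES-GCM key as a simplified stand-in for PGP; the Envelope, Seal, Open and LeaksPlaintext names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is all the mail server stores for a message: the body is ciphertext
// and the per-message AES key is wrapped to the recipient's public key.
type Envelope struct{ WrappedKey, Nonce, Body []byte }

// must keeps the demo short; production code returns these errors instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func gcmFor(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// Seal encrypts for one recipient (RSA-OAEP wrapping an AES-GCM key, a stand-in
// for PGP). The sender must already hold the recipient's public key.
func Seal(pub *rsa.PublicKey, plaintext []byte) Envelope {
	key, nonce := make([]byte, 32), make([]byte, 12) // 12 bytes is GCM's standard nonce
	must(rand.Read(key))
	must(rand.Read(nonce))
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil))
	return Envelope{wrapped, nonce, gcmFor(key).Seal(nil, nonce, plaintext, nil)}
}

// Open succeeds only with the recipient's private key; anyone else gets an error.
func Open(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return gcmFor(key).Open(nil, env.Nonce, env.Body, nil)
}

// LeaksPlaintext models a dumped mailbox: is the message text visible in storage?
func LeaksPlaintext(env Envelope, plaintext []byte) bool {
	return bytes.Contains(env.Body, plaintext)
}
```

Opening the envelope with any key other than the recipient's returns an error, which is the property Vigna describes for a leaked mailbox.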
The solution, of course, is to train the employees who really need to use encryption, such as those in your legal department, HR, accounting, and business development. Those who need to encrypt messages will be more willing to learn the process and more receptive to it. Those who don't need the encryption – say, those in marketing who are communicating about an ad campaign – will buck the system and likely figure out how to use a personal email account anyway.
There’s also a bit of a loophole. If you’ve ever received a real notice from your bank that there is a message waiting for you, you know about the workaround. A bank or credit card company might use normal unencrypted email for all general communication. Then, when there is a need to use full encryption on a message, they will point you to the secure message.
“A single network approach is where you receive notification in your normal email that there is a message waiting for you in the secure portal and you will need to log in through a web page to access the email. The email never leaves the single network and therefore is always under the control of one system that can control the encryption both at rest and in transit,” says Anscombe.
In the end, that might be the best solution of all for staying secure.
Source | TechRadar