What is email encryption?
Encryption, whether applied to email data or any other data, is a process that hides and protects plain text data from unauthorized access by encoding it.
How does email encryption work?
The internet email protocol standard, Simple Mail Transfer Protocol (SMTP), consists of plain text communication between servers. This is insecure, since the contents of the email can be read by malicious actors who intercept the session. Encryption methods protect the content of the email; this is usually accomplished at the transport level or end to end.
To date, Transport Layer Security (TLS) is the most prominent protocol for securing web browsing, email, instant messaging services and voice over IP, having effectively replaced its predecessor, SSL. During the initial TLS handshake, public-key cryptography is used to authenticate the client and server. From there, symmetric-key cryptography takes over for all further communication in the client and server session.
Because the internet was not designed with security in mind, security has been appended to insecure protocols. An example of this is STARTTLS, which upgrades an insecure connection to a secure one. About 90% of Gmail’s incoming and outgoing email was encrypted using STARTTLS as of July 2018. End-to-end encryption is a much more secure method of email encryption. These emails are encrypted at the source, which makes them unreadable in transit. Ideally the email is decrypted only by the end user (you!) on your computer and remains encrypted everywhere else.
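To make the STARTTLS point concrete, here is an added example (not code from the original article) of a sending-side check that refuses to fall back to plain text when a server does not advertise STARTTLS, and that verifies the server certificate once the connection is upgraded. The helper names, the sample EHLO replies and the host mail.example.test are assumptions made for the example.

```python
"""Added example: require STARTTLS instead of trusting opportunistic upgrade.

Helper names below are hypothetical; mail.example.test is a placeholder host.
"""
import smtplib
import ssl

# Constructed sample EHLO reply bodies, in the form smtplib.SMTP.ehlo() returns
# them: one from a server advertising STARTTLS, one where it is absent.
EHLO_WITH_STARTTLS = b"mail.example.test\nSIZE 35882577\nSTARTTLS\n8BITMIME"
EHLO_WITHOUT_STARTTLS = b"mail.example.test\nSIZE 35882577\n8BITMIME"


def parse_ehlo_extensions(ehlo_message: bytes) -> set:
    """Return the SMTP extension keywords (upper-cased) from an EHLO reply body."""
    lines = ehlo_message.decode("ascii", errors="replace").splitlines()
    # The first line is the server's hostname/greeting, not an extension.
    return {line.split()[0].upper() for line in lines[1:] if line.strip()}


def starttls_required(ehlo_message: bytes) -> bool:
    """Policy decision: proceed only when STARTTLS is advertised."""
    return "STARTTLS" in parse_ehlo_extensions(ehlo_message)


def make_verifying_context() -> ssl.SSLContext:
    """TLS context that verifies the server certificate and hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_requiring_tls(host: str, port: int, sender: str, recipient: str, message: str) -> None:
    """Connect, insist on STARTTLS, verify the certificate, then send."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        code, ehlo_message = smtp.ehlo()
        if code != 250 or not starttls_required(ehlo_message):
            # Do not send in plain text just because the upgrade was not offered.
            raise RuntimeError("server did not advertise STARTTLS; refusing plaintext")
        smtp.starttls(context=make_verifying_context())
        smtp.ehlo()  # capabilities must be re-read after the upgrade
        smtp.sendmail(sender, recipient, message)
```

Calling send_requiring_tls against a real server needs network access; the parsing and policy functions can be exercised offline with the constructed replies.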
There is also person-to-person encryption, which you implement yourself. The Secure/Multipurpose Internet Mail Extensions (S/MIME) method uses email certificates based on asymmetric cryptography to protect your emails. This form of encryption is an effective defense against many phishing attacks. Pretty Good Privacy (PGP) is an encryption program that originally did not use certificates; instead it uses public keys. The more recent PGP development, called “OpenPGP”, uses trusted certificates. Both are good encryption methodologies for email confidentiality.
Why is email encryption important to your organization?
Your organization most likely uses email for communication every day. If you are storing information or using an online platform or software, then your users' credentials may be at risk. When using email to exchange information, your clients’ names and email addresses are on the front line of information at risk. Chances are you also use or store other personally identifiable information such as:
- Payment records
- Social security numbers
- Birth dates
- Employment information
- Medical information
If a hacker gains access to your email server, what information will they be able to steal? Yahoo reported a breach of 3 billion records stolen in August of 2013. Companies like Reddit, Equifax and Target have reported email breaches in the last two years. Remember: if encrypted data is stolen, it is usually not considered a breach.
What is your risk when a client's email is hacked?
Instituting the proper safeguards is your first defense! Make sure you have a properly configured firewall. Have your IT department install and update antivirus and anti-malware software on all of your devices. Choose an email provider that uses email encryption to reduce the risk you take with your data; this way your data is not compromised when a client's data is. In this case Ben Stukes, one of our Security Analysts, recommends instituting training for employees after a hacking incident. Don’t forget to review and update your policy for sharing protected information via email. Any client whose information will be transferred within an email should give their written permission, so you are protected in case of a breach.