The business world is a dangerous place. When it comes to email, things can quickly go from bad to worse. While most companies use security for data at rest, the connection into a server, and as a login to the end-user client, it's not as common to use encryption for the actual message.
But without encryption, a hacker could gain access to an important business document or project plans, accounting information, or even login details for a server just by guessing a password. At the same time, using encryption for every message might seem excessive – and cause slowdowns and extra security steps for end-users.
So techradar pro decided to find out from experts exactly when it's a good idea to use full encryption on messages, not just for the connection or the mail client. It's a way to add an extra layer of protection, and it makes sense for certain types of businesses and communication, although the experts observe that it might not be needed for all email.
When to use encryption
There are times when the entire chain of communication should be encrypted, including the SMTP or IMAP/POP into the server, the client, the transmission, and the message itself. The last part of that security measure, while the most effective, also adds some confusion and consternation, because you can't just pop into Gmail and read an email from the boss.
Giovanni Vigna, PhD, is the Co-Founder and CTO of Lastline, a malware and breach detection company based in California. He mentioned how all messages should be protected at the server and client, but only sensitive messages should be fully encrypted at all times.
"The major benefit is that if the mailbox of a user is compromised and its contents leaked, the world cannot see what the messages contain, unless they have access to the secret key of the people involved," Vigna says. "Therefore, it is very useful to use encryption for sensitive emails, as it protects organisations and individuals against unauthorised disclosure."
Christian Lees, CTO and CISO at the identity protection firm InfoArmor, agrees that sensitive emails should be encrypted because of the risk of compromising intellectual property, key strategic business practices, and the threat of interception on public networks. By using encryption for the actual message, you ensure that the message can transfer over any network, not just the ones you know about.
"The goal of email encryption is to protect your messages with included content over an untrusted network," Lees observes. "Protection should be the goal across all areas of the business from operations in communicating with partners, customers and vendors, C-level executives guiding the organisation in strategy, to Human Resources safe harbouring employees' personally identifiable information."
Lees argues that this approach to sensitive information means there is a smaller overall attack surface. Email encryption can also be linked to other security strategies, such as single sign-on for data loss prevention, all spam filtering, and antivirus protection. It's an approach that covers all fronts, although he does advise using a trusted encryption platform for email.
Liz McIntyre, consumer privacy expert and spokesperson for StartMail.com, says another reason to encrypt email messages themselves and not just rely on authentication has to do with compliance regulations such as HIPAA (Health Insurance Portability and Accountability Act). This usually means healthcare organisations, hospitals, and clients.
At the same time, McIntyre says every company has private information and trade secrets worth protecting. Ironically, many companies don't know that email can be encrypted with a few clients. For example, with StartMail, you can enable PGP encryption for messages in one click. With Gmail, you can add extensions like SafeMail to digitally 'sign' all messages.