Should your business only allow encrypted email?

Page 2 of 2:

When you shouldn't use encryption

Encryption for all messages?

Should you always enable email encryption for messages? That's doubtful, says Tony Anscombe, a Senior Security Evangelist at AVG. One argument against doing so is that it adds enough complexity that employees might circumvent it anyway – and you create more of a problem.

"The use of PGP requires both the sender and receiver to have keys and to exchange them before the email is sent or received – for most users other than the technically aware this may be a process that is beyond usability," says Anscombe. "Other solutions such as S/MIME have similar issues where the users need to have digital certificates, again adding a level of complexity that the majority of users neither fully understand nor would accept in everyday use of a communication tool.

"The upside to these mechanisms is that they are very secure, the downside is of course the complexity which means low adoption."

The solution, of course, is to train the employees who really need to use encryption, such as those in your legal department, HR, accounting, and business development. Those who need to encrypt messages will be more willing to learn the process and receptive. Those who don't need the encryption – say, those in marketing who are communicating about an ad campaign – will buck the system and likely figure out how to use a personal email account anyway.

Best solution?

There's also a bit of a loophole. If you've ever received a real notice from your bank that there is a message waiting for you, you know about the workaround. A bank or credit card company might use normal unencrypted email for all general communication. Then, when there is a need to use full encryption on a message, they will point you to the secure message.

"A single network approach is where you receive notification in your normal email that there is a message waiting for you in the secure portal and you will need to login through a web page to access the email. The email never leaves the single network and therefore is always under the control of one system that can control the encryption both at rest and in transit," says Anscombe.

In the end, that might be the best solution of all for staying secure.

The silent web: Is encryption here to stay?

Current page: When you shouldn't use encryption

Prev Page Introduction and when to use encryption

Contributor

John Brandon has covered gadgets and cars for the past 12 years having published over 12,000 articles and tested nearly 8,000 products. He's nothing if not prolific. Before starting his writing career, he led an Information Design practice at a large consumer electronics retailer in the US. His hobbies include deep sea exploration, complaining about the weather, and engineering a vast multiverse conspiracy.