Encryption for all messages?
Should you always enable email encryption for messages? That's doubtful, says Tony Anscombe, a Senior Security Evangelist at AVG. One argument against doing so is that it adds enough complexity that employees might circumvent it anyway, leaving you with more of a problem than you started with.
"The use of PGP requires both the sender and receiver to have keys and to exchange them before the email is sent or received – for most users other than the technically aware this may be a process that is beyond usability," says Anscombe. "Other solutions such as S/MIME have similar issues where the users need to have digital certificates, again adding a level of complexity that the majority of users neither fully understand nor would accept in everyday use of a communication tool.
"The upside to these mechanisms is that they are very secure, the downside is of course the complexity which means low adoption."
The solution, of course, is to train the employees who really need to use encryption, such as those in your legal department, HR, accounting, and business development. Those who need to encrypt messages will be more receptive and more willing to learn the process. Those who don't need the encryption – say, those in marketing who are communicating about an ad campaign – will buck the system and likely figure out how to use a personal email account anyway.
There's also a bit of a loophole. If you've ever received a real notice from your bank that there is a message waiting for you, you know about the workaround. A bank or credit card company might use normal unencrypted email for all general communication. Then, when there is a need to use full encryption on a message, they will point you to the secure message.
"A single network approach is where you receive notification in your normal email that there is a message waiting for you in the secure portal and you will need to login through a web page to access the email. The email never leaves the single network and therefore is always under the control of one system that can control the encryption both at rest and in transit," says Anscombe.
In the end, that might be the best solution of all for staying secure.