When you send an email, you might be more worried about spelling or punctuation than data security, but the unfortunate reality is that email is the gateway to many cybersecurity breaches. Although popular email providers try to keep one step ahead of threat actors, many clients still exhibit vulnerabilities; in fact, just this May, researchers identified major flaws in two popular email encryption protocols used in Apple Mail, iOS Mail applications and Thunderbird that could theoretically allow cybercriminals to intercept emails in transit and attach malicious HTML code. Once they’ve attached this code, hackers receive a plaintext copy of any ensuing email responses, effectively hijacking secure information sent via email.
In a nutshell, this shows that you can’t rely on your email client alone for protection. Although certain email providers offer encryption services, these may not be enough to safeguard email as it is composed, sent and then stored on servers.
This is where email encryption techniques and services come in. When emails are encrypted correctly, interceptors will see garbled text instead of your valuable information. However, because each technique has its pros and cons, you should familiarize yourself with the process before you commit to an encryption method—and keep in mind that you may even need to combine multiple encryption services to ensure the best security.
Making sense of these techniques and their limitations is not as complicated as you may think. Here’s a quick rundown of email encryption options that can help you stop worrying about security and get back to focusing on your grammar.
1. Transport layer security (TLS)
Transport layer security, more commonly known as TLS, is a popular method of securing communications as they travel between two points. You may have heard of secure sockets layer (SSL), the older protocol that TLS replaced and whose name is still used loosely for what web browsers do today. When you log in to a website (your bank account or Google Docs, for instance), a little lock appears in your address bar to let you know that any data submitted on the site is protected while it travels to the server.
Applied to email, the same protocol encrypts messages while they are in transit, both between your client and its mail server and between one mail server and the next. If anyone tries to intercept your email as it's being sent, all they'll see is a jumble of characters, because the keys needed to decode that text are held only by the two ends of the connection.
This would be sufficient if email only traveled one way, like data submitted in a web form, but the fact is that email recipients tend to reply to messages! This means that if they haven’t secured their email server with the TLS protocol, the data you originally sent could still be intercepted.
Additionally, most businesses have some sort of spam or antivirus software installed, which can undermine TLS: these services receive and inspect email on the recipient's behalf and then pass on the messages that clear inspection, but that onward delivery may or may not happen over TLS.
One of the major advantages of TLS is that it's an open standard with free, open-source implementations, meaning any IT consultant or team member can set it up at no licensing cost. However, given the limitations of TLS, you should really consider it only one part of a complete email security system. Additionally, keep in mind that if you choose to use TLS among your IT solutions, you should verify that any spam or antivirus software you employ delivers emails over TLS.
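As an added example (not code from the original article), here is one way to perform the check just described: read the Received headers of a message that has arrived and flag every server-to-server hop that was not protected by TLS. The sample message, host names and IDs are constructed; a hop marked tls=false is exactly the gap a spam filter can introduce.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Hop is one "Received:" stamp: one server-to-server handoff of the message.
type Hop struct {
	From, By string
	TLS      bool // true when this handoff ran over STARTTLS
}
var (
	hopRe = regexp.MustCompile(`(?i)^from\s+(\S+).*?\bby\s+(\S+)`)
	// RFC 3848 "with" keywords ending in S (ESMTPS, ESMTPSA) mean TLS; relays often also note the TLS version.
	tlsRe = regexp.MustCompile(`(?i)(?:\bwith\s+\S*SMTPSA?\b|\bTLSv?1[._]\d)`)
)
// Constructed sample: a spam filter accepted the message over TLS (oldest hop) but relayed it on in plaintext.
const SampleMessage = "Received: from mx.example.net (mx.example.net [192.0.2.10])\r\n" +
	"\tby mail.example.org with ESMTPS id abc123 (version=TLS1_3); Tue, 1 May 2018 10:00:02 +0000\r\n" +
	"Received: from filter.example.net ([192.0.2.20]) by mx.example.net with ESMTP id def456;\r\n" +
	"\tTue, 1 May 2018 10:00:01 +0000\r\n" +
	"Received: from [10.0.0.5] by filter.example.net with ESMTPSA id ghi789; Tue, 1 May 2018 10:00:00 +0000\r\n" +
	"From: alice@example.net\r\nTo: bob@example.org\r\nSubject: test\r\n\r\nbody\r\n"
// ReceivedHops parses a raw RFC 5322 message and returns its hops oldest first (relays prepend, so the top header is newest).
func ReceivedHops(raw string) ([]Hop, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	lines := msg.Header["Received"]
	hops := make([]Hop, 0, len(lines))
	for i := len(lines) - 1; i >= 0; i-- {
		h := Hop{TLS: tlsRe.MatchString(lines[i])}
		if m := hopRe.FindStringSubmatch(lines[i]); m != nil {
			h.From, h.By = m[1], m[2]
		}
		hops = append(hops, h)
	}
	return hops, nil
}

func main() {
	hops, _ := ReceivedHops(SampleMessage)
	for _, h := range hops { // any hop with tls=false is where the article's warning bites
		fmt.Printf("%s -> %s  tls=%v\n", h.From, h.By, h.TLS)
	}
}
```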
2. Enterprise email encryption software
The typical email exchange is more complicated than it may appear on the surface: the sender’s email client communicates with the sender’s email server, which, in turn, reaches out to the recipient’s email server. The email then goes from the recipient’s email server to the recipient’s email client. Once it is delivered, the whole process starts anew when the recipient replies.
Needless to say, there are many different points to secure in each email transaction, and enterprise email encryption software—such as Microsoft Exchange, Trend Micro, DataMotion and Symantec—uses a variety of encryption techniques to protect emails while they travel through all the points on their path. These products differ from secure webmail clients or web hosting services in that they work within your existing email service rather than providing alternative clients or web servers. The level of protection and encryption varies depending on the software, but most of these tools enforce company-wide encryption policies you make ahead of time. For instance, you might consider making a rule to encrypt all outgoing emails from your HR team if that makes sense for your business.
Despite the fact that this kind of software works within your existing email service, such tools are not necessarily the obvious IT solution choice for email encryption. Because encryption software is generally incompatible with free email services like Google Mail, it is only recommended for larger businesses that host their own email servers. That said, if you comply with initiatives like the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA), you will probably need to implement some kind of encryption software regardless of your company’s size.
3. DIY email encryption
If you want higher-level email encryption protection, you can always roll up your sleeves and do it yourself. This technique—known as public key infrastructure, or PKI—involves encrypting email messages using a public and private cryptographic key pair.
First, you’ll need to provide email senders with your public key, which they can then use to encrypt sensitive emails meant for your eyes only. When you receive a message, you decrypt it with your private key, a secret that you alone hold and never have to share.
To protect the emails you send, you’ll have to switch to an email client with an encryption option, such as Thunderbird. Before sending each email, you’ll need to manually turn on encryption and “digitally sign” the email to let recipients know it’s coming from you and not an impostor. Once you select the encryption option for your email, you’ll be prompted to unlock your private key, which produces the signature; the message itself is encrypted with the recipient’s public key, so the recipient reads it with their own private key and checks the signature against your public key.
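An added example, not part of the original article, that shows the division of labour between the two key pairs just described using bare RSA operations (real OpenPGP and S/MIME clients apply the same key roles to a per-message session key rather than to the text directly): the sender's private key signs, the recipient's public key encrypts, and the recipient's private key plus the sender's public key undo each step. The names Alice and Bob and the message text are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sealed is what travels in the email: ciphertext only the recipient can read,
// plus a signature only the sender could have produced.
type Sealed struct {
	Ciphertext, Signature []byte
}
// Seal encrypts msg to the RECIPIENT's public key and signs its digest with the
// SENDER's private key (the key the client prompts you to unlock before sending).
func Seal(senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey, msg []byte) (*Sealed, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Sealed{Ciphertext: ct, Signature: sig}, nil
}

// Open decrypts with the RECIPIENT's own private key, then checks the signature
// against the SENDER's public key; a bad signature means the mail is rejected.
func Open(recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey, s *Sealed) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, s.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("not encrypted to this private key: %w", err)
	}
	digest := sha256.Sum256(msg)
	if rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], s.Signature, nil) != nil {
		return nil, fmt.Errorf("signature does not match the sender's public key")
	}
	return msg, nil
}
func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // sender's key pair
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)   // recipient's key pair
	sealed, _ := Seal(alice, &bob.PublicKey, []byte("payroll figures attached")) // constructed message
	msg, err := Open(bob, &alice.PublicKey, sealed)
	fmt.Printf("%q %v\n", msg, err)
}
```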
As you might expect, there are some problems with this method. For one thing, you’re requiring senders to download a compatible PGP encryption tool and trusting that they’ll remember to use it—and use it correctly—every time. Furthermore, having to provide a public key before exchanging emails adds cumbersome administrative work to the process.
Lastly, if you don’t remember to digitally sign all your emails—even the unencrypted ones—you essentially place a big neon arrow over sensitive messages. If a hacker should happen to gain access to your email account or server, they’ll know right away that these messages are worthy of their attention. That’s not to say the manual route can’t be implemented effectively; it’s just not perfect.
4. Secure webmail and secure web hosting services
The last option to improve your email security is to invest in a web-based encryption application like ProtonMail, HushMail or CounterMail. Although these services function a lot like any other email client, they use OpenPGP standards, TLS connections and advanced mail storage techniques to provide extra protection. That said, these web clients’ architecture varies, as does their level of security. For instance, CounterMail only effectively encrypts emails when they’re sent to other CounterMail users, while HushMail offers minimal free storage and requires you to change your email address in order to use the service.
For small businesses looking to protect sensitive emails without investing in enterprise-level IT solutions, the services detailed above may be your best bet. An IT consultant or managed services provider can help you determine which options best fit your needs and budget, as well as ensure your existing protections are working as they should.
To get started, check out our Essential Cybersecurity Checklist for Businesses, which you can use to review your security options so you can get back to more important things—like agonizing over whether to add that comma…