Email encryption is an important way to protect sensitive data. However, many companies still do without it. They find the technology too expensive, too complicated, or even unnecessary. It's high time to get rid of these stubborn myths.
Email encryption? – I don't need it! This may be what some small or medium-sized companies think. What do I have to hide? Who argues in such a way, goes into dangerous terrain. Because in fact it is legally prescribed to encrypt e-mails with personal data - and not only since the new EU data protection basic regulation. This was already laid down in the (German) Federal Data Protection Act. With the GDPR, however, regulations have become stricter. Now there is a threat of drastic sanctions of up to 20 million euros or four percent of the worldwide annual turnover for data protection violations. In addition, companies must report incidents to the responsible supervisory authority within 72 hours. If there is an increased risk for the persons concerned, they must also be notified. Anyone who encrypts e-mails is released from this obligation to notify and is immune from sanctions. This is because Article 32 of the GDPR expressly mentions encryption as an adequate state-of-the-art measure to protect personal data.
E-mail encryption does not have to be complicated
However, email encryption still has the reputation of being complicated and cumbersome. This is particularly detrimental to companies whose employees are less technically experienced. It's true: With OpenPGP and S/MIME there are different encryption standards that are not compatible with each other. Key management also overwhelms many users. Nonetheless, there are solutions that do all this automatically in the background. Such encryption gateways master the common encryption methods and take over key management. If a user wants to encrypt a message, he only has to click on the corresponding button in his e-mail program – everything else happens automatically. This does not even require the installation of a plug-in. Because the common e-mail clients already have integrated encryption based on S/MIME.
Encrypted communication with external partners
And what if my communication partner uses a different encryption method than I do? Many companies think they need to convince their external partners of their own encryption method. But that's not necessary. If an encryption gateway can handle all the established encryption standards, each partner can use the method they want. Even those who communicate a lot with private individuals or companies who cannot or do not want to use encryption themselves do not have to do without secure e-mails. In such cases, for example, it is possible to provide messages via a web portal. There, the recipient can read the encrypted e-mail after having authenticated himself.
Transport encryption and content encryption
I already use SSL/TLS – I don't need another encryption solution. This is also a widespread mistake. TLS is a transport encryption. It establishes a secure tunnel between two computers through which the e-mail is sent. This means that the message cannot be read while in transit. At the start and end point, however, it is available in plain text. In addition, the e-mail is routed through many stations on its way through the Internet. The message is only secure if each computer involved re-establishes an encrypted connection. But the sender has no influence on this. For this reason, content encryption is important in addition to transport encryption. There are two standards for this: OpenPGP and S/MIME. They encrypt what is written in the e-mail. Only a recipient who has the appropriate key can read the content. However, metadata such as sender, recipient and date of dispatch remain in plain text. Only the combination of content encryption and transport encryption makes communication truly secure.
Do anti-virus, DLP and archive solutions work despite email encryption?
This is another question that occupies many companies and makes them sceptical about email encryption. Protection against viruses and malware is indispensable today. Solutions for data loss prevention also ensure the implementation of guidelines and thus support compliance. Both can only perform their function if they are able to examine the content of e-mails. They are blind to encrypted messages. However, there is a way to allow such security systems access to plain text. This works through a hybrid approach with an intermediate gateway. Similarly, an archive solution can be connected via a proxy. It is thus able to index the content of a message, but can then store it in encrypted form. Encrypted e-mails can then also be searched in the archive and can be found quickly if required.
Trust is good, own control is better
If you use e-mail in the cloud, you might think: My cloud provider already encrypts, that's enough. That's true, if you trust your cloud provider limitlessly. But companies should be aware that a provider who manages both email and encryption has the keys to it. This means he can read all messages. If you want to avoid this, you should either separate e-mail management and encryption or use a solution where you store the keys yourself.
Conclusion: Doing without encryption can be expensive
Most of the reasons why companies do not use encryption can be disproved with an appropriate encryption solution. An encryption gateway that relies on standards that remove complexity from the user and provide interfaces to archive, DLP and anti-virus solutions makes secure communication simple and practical. One final argument remains: such an encryption solution naturally costs money. However, it is much cheaper to invest in security than to risk a data protection incident. Because then not only drastic sanctions become a threat – the damage caused by the loss of reputation can also be immense. So the question is not: Can I afford e-mail encryption? But rather: Can I afford to do without it?
We would like to thank Marcel Mock, CTO and co-founder of totemo, for providing this article. totemo AG is a provider of solutions for e-mail encryption, secure data exchange and secure communication in companies.