What Makes Good Email Encryption So Challenging?

iQuanti: Email is everywhere, and everyone uses it. Almost every interaction on the Internet requires an email address, and yet email was never designed to be secure or private.

All efforts to increase email security and privacy are layered on top of an insecure base, which makes email security and email encryption challenging. Yet, with the rise of cybercrime, including identity theft, business email compromise, and fraud, email security is more important than ever.

How Email is Compromised

Email can be compromised in four basic places: on the sender's device, where it is written; on the networks, as it is sent; on the servers, where the email provider stores it; and on the recipient's device, where it is read.

A strong password and lock screen on devices offer physical protection from compromise, but most email programs do not encrypt the messages stored on the user's device, so email is still vulnerable to attack. Additionally, while email may be encrypted in transit, it isn't always, and it probably isn't encrypted while it is stored on an email provider's servers.
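One way to see which hops of a received message were recorded as encrypted in transit is to read its Received headers. The following is an added example, not part of the original article; the sample message, host names and function names are constructed for illustration.

```python
import re
from email import message_from_string

# "with" keywords that mean the hop ran over TLS (registered in RFC 3848 / RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}

# Constructed sample message (example domains, documentation IP ranges).
SAMPLE = """\
Received: from mx.relay.example.net (mx.relay.example.net [198.51.100.7])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
    by inbound.example.org (Postfix) with ESMTPS id 4ABCD
    for <bob@example.org>; Tue, 02 Jan 2024 10:00:03 +0000
Received: from mail.example.com (mail.example.com [192.0.2.10])
    by mx.relay.example.net with ESMTP id 3XYZ;
    Tue, 02 Jan 2024 10:00:02 +0000
Received: from laptop.example.com (laptop.example.com [192.0.2.55])
    by mail.example.com with ESMTPSA id 2QRS;
    Tue, 02 Jan 2024 10:00:01 +0000
From: alice@example.com
To: bob@example.org
Subject: constructed sample

Hello Bob.
"""

def strip_comments(value):
    """Unfold a header value and drop (possibly nested) parenthesised comments."""
    value, prev = " ".join(value.split()), None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", "", value)
    return value

def hop_report(raw_message):
    """Return one dict per hop, ordered from the sender to the recipient."""
    hops = []
    # Each server prepends its Received header, so the list is read in reverse.
    for value in reversed(message_from_string(raw_message).get_all("Received", [])):
        clean = strip_comments(value)
        by = re.search(r"\bby\s+(\S+)", clean, re.I)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", clean, re.I)
        name = proto.group(1).upper() if proto else None
        hops.append({"by": by.group(1) if by else None,
                     "protocol": name, "tls": name in TLS_PROTOCOLS})
    return hops

def cleartext_hops(raw_message):
    """Receiving hosts whose Received header records no TLS protocol keyword."""
    return [h["by"] for h in hop_report(raw_message) if not h["tls"]]
```

Received headers are written by each server along the path and earlier ones can be forged, so treat the result as an indication of transit encryption, not proof; it also says nothing about how the message is stored at rest.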

Most free email providers, and some of the paid ones, don't encrypt stored emails; if they encrypted their users' emails, the users wouldn't be able to search their emails and the providers wouldn't be able to scan emails for spam or malware, advertising purposes, or helpful shortcuts like predictive text or automatically generated calendar reminders. 

The Gold Standard: End-to-End Encryption

End-to-end encryption scrambles email messages so only a person with the correct password or credential can read the content, whether it's on the user's device, in transit, or being stored on a server. Encrypted email sounds great — so why doesn't everyone use it?

Because of the basic vulnerability of email, end-to-end encryption is complicated and requires not only fairly advanced technological skills but also buy-in from both sender and receiver. Encrypted email depends on the use of keys, which are essentially a way to lock an email that is sent and unlock it on receipt.

Both sender and receiver must agree to send encrypted email, must have their own keys, agree to exchange those keys, and have a secure method to do so. For two people, that's already complicated, but most people have hundreds of contacts, and companies may have thousands of contacts or more, all needing individual keys. Additionally, in some situations, both users may need to use the same email app to gain the benefits of encrypted email.

While encrypted email has become easier to implement with turn-key, enterprise-level solutions, the fact that it demands any level of buy-in from both parties can be challenging when exchanging emails with clients and patients and in other service-oriented exchanges.

Beyond Encrypted Email

Basic security steps such as having a strong password, not reusing the same password for different websites, and activating two-factor authentication can prevent an email account from being compromised. 

Not sending personal or sensitive information in emails, being thoughtful about forwarding emails, and limiting auto-responses to trusted contacts can limit the damage if an account is hacked. Finally, keeping devices updated and using antivirus protection and a VPN are all basic actions that dramatically improve email security and don't require a large financial investment or technological savvy.

If your organization is struggling to integrate end-to-end email encryption, looking out for turn-key solutions that bundle email encryption with other enterprise-oriented cybersecurity features can be a great place to start.

Source: iQuanti

