How to encrypt emails: What to consider


With data hacks on the rise, email encryption is a must for businesses across the globe


Methods for end-to-end email encryption have been around for many years, but they are still used only to a limited extent across businesses.

However, with cyber attacks on the rise, particularly within SMBs, companies are taking high risks if they neglect email protection. If you don't use encryption yet, you should do so as soon as possible.

These tips will help you find the right email encryption solution for your needs.

Rely on standards

There are two groups of standards for email encryption. The first is transport encryption using Transport Layer Security (TLS) or its predecessor Secure Sockets Layer (SSL), where the sending and receiving systems set up an encrypted tunnel through which the email travels.

The second is content encryption, which protects the message itself so that it is secure for both the sender and the recipient. Two protocols are used for this: S/MIME (Secure / Multipurpose Internet Mail Extensions) and OpenPGP (Pretty Good Privacy).

Another possibility for content encryption is Microsoft Rights Management Services (RMS). It is not a standard, but it is used by some companies to encrypt emails. RMS is available in two versions: as Active Directory RMS (AD RMS) for on-premises use and as Azure RMS in conjunction with the Microsoft cloud.

However, not all transmitted information is made unreadable to third parties by content encryption. The so-called metadata, such as sender, recipient and subject line, is transmitted in plain text, which can pose a security risk. The combination of transport and content encryption therefore offers the greatest possible security.

Standards guarantee you the greatest possible compatibility with the email software used by your customers and business partners. Encryption standards are also typically integrated into many email solutions.
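The distinction above (transport encryption protects the hop, content encryption protects the body, and the metadata headers stay readable either way) is easy to check on a real message. The following is an added example, not code from the article: it uses only the Python standard library to classify a raw email by its MIME structure as S/MIME enveloped, PGP/MIME, or not content-encrypted, and reports which headers a relay, gateway or archive can still read. All sample messages are constructed; the ciphertext parts are labelled placeholders, not real PGP or CMS data.

```python
"""Classify how an email body is protected and what an intermediary can still read.

Added example (not from the article). Standard library only; the sample
messages below are constructed and contain placeholder ciphertext.
"""
from email import message_from_string
from email.message import Message

# MIME signatures of the two content-encryption standards (S/MIME, OpenPGP).
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PGP_PROTOCOL = "application/pgp-encrypted"

# Header fields that both standards leave in plain text: only the body is encrypted.
EXPOSED_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID")


def content_encryption(msg: Message) -> str:
    """Return 'smime', 'openpgp' or 'none' based on the top-level MIME type."""
    ctype = msg.get_content_type()
    # S/MIME: only smime-type=enveloped-data is encrypted; signed-data is readable.
    if ctype in SMIME_TYPES and msg.get_param("smime-type") == "enveloped-data":
        return "smime"
    # PGP/MIME (RFC 3156): multipart/encrypted with the pgp-encrypted protocol.
    if ctype == "multipart/encrypted" and msg.get_param("protocol") == PGP_PROTOCOL:
        return "openpgp"
    return "none"


def gateway_view(raw: str) -> dict:
    """What a mail server, scanning gateway or archive sees without a private key."""
    msg = message_from_string(raw)
    kind = content_encryption(msg)
    return {
        "content_encryption": kind,
        "exposed_headers": {h: msg[h] for h in EXPOSED_HEADERS if msg[h] is not None},
        # Virus, spam and DLP scanning need the body; with content encryption it is opaque.
        "body_scannable": kind == "none",
    }


# --- constructed sample messages -------------------------------------------
PLAIN = """\
From: alice@example.com
To: bob@example.com
Subject: Q3 invoice
Date: Mon, 01 Jan 2024 10:00:00 +0000
Message-ID: <plain-1@example.com>
Content-Type: text/plain

Invoice attached, please pay within 30 days.
"""

PGP_MIME = """\
From: alice@example.com
To: bob@example.com
Subject: Q3 invoice
Date: Mon, 01 Jan 2024 10:00:00 +0000
Message-ID: <pgp-1@example.com>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real PGP ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

SMIME_ENVELOPED = """\
From: alice@example.com
To: bob@example.com
Subject: Q3 invoice
Message-ID: <smime-1@example.com>
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

(constructed placeholder, not real CMS data)
"""

SMIME_SIGNED_ONLY = SMIME_ENVELOPED.replace("enveloped-data", "signed-data")

if __name__ == "__main__":
    for label, raw in [("plain", PLAIN), ("pgp/mime", PGP_MIME),
                       ("s/mime enveloped", SMIME_ENVELOPED),
                       ("s/mime signed only", SMIME_SIGNED_ONLY)]:
        print(label, "->", gateway_view(raw))
```

Run on an outbound mail sample, this gives a quick inventory of how much of your traffic is actually content-encrypted versus relying on TLS alone; note that a signed-only S/MIME message is classified as not encrypted, because signing proves origin but leaves the body readable.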

Alternative methods

Although technologies such as Pretty Good Privacy (PGP) have been on the market for more than 25 years, they are still relatively underused. This is probably because certificates and keys are a prerequisite for use. This, in turn, requires an appropriate infrastructure or at least technical know-how.

So, you can't necessarily assume that all your email recipients can also communicate on the basis of PGP or S/MIME. That's why you should offer them alternatives. In principle, there are two ways to do this, pull or push:

In 'pull procedures', the recipient logs on to the sender's system and receives the messages after they have authenticated themselves. Typical examples are secure webmail portals. With the 'push method', by contrast, the email is converted, encrypted and sent to the recipient as an attachment to a carrier email. Formats such as ZIP, PDF or HTML are particularly suitable here.

Secure your internal communications

The methods previously mentioned are primarily designed for communication with external partners. However, you should also rely on maximum security in internal communication.

You should support the encryption of email messages within your company - ideally using standards that already exist in your email client. This saves you the installation and maintenance of additional plug-ins and add-ons.

Data flow and content control

End-to-end encryption of email communication poses a challenge. Security systems such as virus scanners, anti-spam software or DLP solutions (Data Leakage Protection) can no longer analyse the content of messages and thus no longer work correctly.

Therefore, you should use a solution that provides interfaces for these central data flow and content control systems or ones that can even filter out malicious code from encrypted emails.

Keep emails private as well as secure

Although detection of malware, spam and other harmful or unwanted content is important, it can interfere with your email privacy.

It is still important that only the senders and recipients are aware of the content of an email. This is where end-to-end encryption can help, because central data flow and content control are then not possible.

Think about automated emails

It's not only people that send emails; applications also use this way of communicating. Applications can hold sensitive data that is worth protecting, for example when payslips, delivery notes or invoices are sent automatically. Therefore, you should use a service for these automated emails that also supports encryption, since most applications themselves are not designed for this.
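For the transport-encryption half of this, an application that sends its own mail should at least refuse to fall back to plain text when the relay does not offer TLS. The following is an added example, not code from the article or any product it mentions: it builds a strict TLS context with certificate and hostname verification, constructs a payslip-style message with a constructed attachment, and delivers it only after STARTTLS has succeeded. The relay host name is an assumed placeholder, and the small offline stand-in for smtplib.SMTP exists only so the example runs without a network.

```python
"""Fail-closed STARTTLS delivery for application-generated mail.

Added example (not from the article). SMTP_HOST is an assumed placeholder and
the attachment is constructed sample data.
"""
import smtplib
import ssl
from email.message import EmailMessage

SMTP_HOST = "mail.example.invalid"   # assumption: placeholder relay name
SMTP_PORT = 587                      # submission port, STARTTLS upgrade


def strict_tls_context() -> ssl.SSLContext:
    """Verify the relay's certificate and hostname; require TLS 1.2 or newer."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_automated_message(sender: str, recipient: str, subject: str,
                            pdf_bytes: bytes, filename: str) -> EmailMessage:
    """Carrier message with the generated document attached."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content("Your document is attached.")
    msg.add_attachment(pdf_bytes, maintype="application", subtype="pdf",
                       filename=filename)
    return msg


def deliver(msg: EmailMessage, smtp, ctx: ssl.SSLContext) -> bool:
    """Send only over an upgraded TLS session; abort rather than downgrade.

    `smtp` is an smtplib.SMTP instance (or the offline stand-in below).
    """
    smtp.ehlo()
    if not smtp.has_extn("starttls"):      # relay did not advertise STARTTLS
        smtp.quit()
        return False
    smtp.starttls(context=ctx)             # raises if the certificate fails to verify
    smtp.ehlo()                            # re-identify on the encrypted channel
    smtp.send_message(msg)
    smtp.quit()
    return True


class OfflineRelay:
    """Minimal stand-in for smtplib.SMTP so the example runs without a network.
    Constructed for this example only; it records what would have been sent."""

    def __init__(self, offers_starttls: bool):
        self.offers_starttls = offers_starttls
        self.tls_active = False
        self.sent = []

    def ehlo(self):
        return 250, b"ok"

    def has_extn(self, name):
        return name.lower() == "starttls" and self.offers_starttls

    def starttls(self, context=None):
        self.tls_active = True

    def send_message(self, msg):
        if not self.tls_active:
            raise RuntimeError("refusing to send in plain text")
        self.sent.append(msg)

    def quit(self):
        return 221, b"bye"


SAMPLE_PDF = b"%PDF-1.4\n% constructed placeholder, not a real payslip\n"

if __name__ == "__main__":
    msg = build_automated_message("payroll@example.com", "employee@example.com",
                                  "Payslip", SAMPLE_PDF, "payslip.pdf")
    ctx = strict_tls_context()
    # Real use: deliver(msg, smtplib.SMTP(SMTP_HOST, SMTP_PORT), ctx)
    print("with STARTTLS:", deliver(msg, OfflineRelay(True), ctx))
    print("without STARTTLS:", deliver(msg, OfflineRelay(False), ctx))
```

With a real relay, replace the stand-in with smtplib.SMTP(SMTP_HOST, SMTP_PORT); a failed certificate check raises from starttls() before any message data leaves the application, which is the behaviour you want from an automated sender. This protects the hop to the relay only; the message body itself is still readable on the servers, so for sensitive documents the article's advice to route such mail through a service that adds content encryption still applies.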

Another point to consider is email archiving. If messages are stored in encrypted form, they are very difficult to find, since information can only be extracted via metadata and not via content. An encryption solution should therefore also provide interfaces for archives and journal systems.

What about attachments?

Email is often used as a medium for sending files, although it was not originally intended for this purpose. This leads to considerable problems, especially with large attachments, for example, if the recipient's system does not accept the attachment.

To get around this you should choose an encryption tool that also supports sending emails with large attachments without overloading and clogging the mail servers.

In such solutions, these attachments are not physically transported via the mail server, but via systems that are designed for this purpose.

Mobile security

Of course, secure email communication must also work with all mobile devices. The encryption solution of your choice should support the methods that are already available in the native mail clients of the device platforms or the mail clients of your Mobile Device Management (MDM) system.

Don’t commit to just one tool

To remain future-proof and flexible, you should rely on a system that can run on a wide variety of operating systems and platforms.

It should also give you the choice of operating the system internally, or in a hybrid environment. Of course, all current email clients and servers on all platforms should also be supported.

Think about usability

Every project stands and falls with user-friendliness. If you use an encryption solution that is difficult and laborious to use, users will not use it.

The solution you choose should therefore neither hinder nor restrict users in their daily work.
