Email Encryption Software
Email is an incredibly convenient way for businesses to communicate, but email was never designed to be secure. Access controls are used to restrict access to emails on workstations, but emails are sent in plaintext, which means they are vulnerable to interception and can be read, altered, or stolen unless email encryption software is used.
There are several ways that email can be intercepted. If malware is installed on a workstation, it could allow received and sent emails to be exfiltrated to the attacker’s command and control server. Threat actors can also use DNS hijacking to steal emails if they are able to compromise the DNS server an individual uses to send mail. A sniffer can be used to intercept messages in transit over wireless networks, or emails can be intercepted using ARP-poisoning and evil-twin networks. The risk of business emails being intercepted has increased with the rise in popularity of remote and hybrid working, as employees frequently connect to unsecured public Wi-Fi and home networks to send work emails.
The consequences of intercepted emails can be severe. In regulated industries such as healthcare and financial services, the exposure of sensitive, regulated data alone is enough to warrant a substantial financial penalty for non-compliance with industry data protection regulations, even if the emails are not intercepted or stolen. While the General Data Protection Regulation (GDPR) and other consumer privacy laws may not specifically state that emails should be encrypted, the failure to secure personal data sent by email does create legal risk.
If hackers are able to compromise emails, they can change the account information for payments to suppliers, resulting in wire transfers being made to accounts controlled by the hacker. If consumer data are compromised, businesses may face legal action and the costs of litigation can be considerable. The exposure and theft of sensitive data could also affect share prices, damage a company’s reputation, and result in loss of trust in the company.
How Does Email Encryption Software Work?
Different approaches can be taken for encrypting business emails. For safety, some companies will implement encryption across the board and will encrypt all emails that are sent – internally and externally. Others only encrypt emails that are sent externally, although it is common for encryption to only be used for sensitive emails.
When emails are encrypted, either on the endpoint or at the gateway, the intended recipient of the message will be responsible for decrypting that message. Email encryption used to be complicated for both the senders and receivers of emails and often disrupted workflows. Modern email encryption software makes email encryption simple for the sender, and oftentimes the recipient needs to take no actions to read their encrypted emails.
Emails can be encrypted automatically, encrypted on demand by the sender, or encrypted under a policy that enforces encryption for emails meeting certain criteria, such as emails containing a specific keyword, messages sent to certain email addresses, and emails that contain regulated data. Many email encryption software solutions are cloud-based and have a web-based interface where users can log in to retrieve encrypted emails, which makes it easy for recipients to access messages if they do not use the same encryption software.
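The policy-based approach can be pictured as a rule check that runs on each outbound message before it leaves the gateway. The sketch below is an added illustration, not code from any email encryption product: the keyword list, the recipient list, the use of payment card numbers as the "regulated data" test, and all names are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Hypothetical policy values, chosen for this example only.
SUBJECT_KEYWORDS = ("[secure]", "confidential")
ALWAYS_ENCRYPT_RECIPIENTS = {"bob@partner-bank.example"}
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

SAMPLE = (  # constructed message, not real data
    "From: alice@corp.example\n"
    "To: Bob <bob@partner-bank.example>\n"
    "Subject: Invoice 42\n"
    "\n"
    "Please charge card 4111 1111 1111 1111 for the order.\n"
)


def luhn_valid(digits):
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def encryption_reasons(raw_message):
    """Return the policy rules a message triggers; an empty list means none."""
    msg = message_from_string(raw_message)
    reasons = []
    subject = (msg.get("Subject") or "").lower()
    if any(k in subject for k in SUBJECT_KEYWORDS):
        reasons.append("keyword")
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(headers)}
    if recipients & ALWAYS_ENCRYPT_RECIPIENTS:
        reasons.append("recipient")
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""  # single-part text only
    for match in CARD_CANDIDATE.finditer(body):
        if luhn_valid(re.sub(r"\D", "", match.group())):
            reasons.append("regulated-data")
            break
    return reasons
```

A gateway applying this policy would encrypt any message for which the returned list is non-empty; the Luhn check keeps ordinary long numbers, such as order references, from forcing encryption.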
Email encryption software is generally the most cost-effective choice for encrypting emails for SMBs. Businesses choosing this option are required to purchase a software license and typically pay a per-user charge. This option is usually far easier and cheaper than setting up and maintaining public key infrastructure (PKI). Modern email encryption software looks after the exchange of encryption keys, so it is not necessary to send keys manually, which makes email encryption simple. There are often integrations that allow email encryption services to work seamlessly with the likes of Office 365 and Google G-Suite.
There is considerable variation in the email encryption software market, no standard encryption architecture, and multiple methods of securely encrypting emails. There are web-based email encryption services, hosted encrypted email, applications, and email clients. These solutions use public-key cryptography and digital certificates to encrypt emails and attachments to ensure they can only be accessed by the intended recipients. Each solution has advantages and disadvantages, and there is usually a trade-off between the level of security, ease of use, cost, and maintenance overhead.