Your business needs enforced email encryption! Here's why

| 14th Oct 2021

In any industry, trust is one of the most critical long-term success factors. That's why information security is a prerequisite to company success in the modern business environment. Business transactions typically require communicating sensitive information with customers and external partners.

Research shows that 80% of employees use email to share sensitive data internally with colleagues and externally with clients, partners and suppliers. Email encryption is the bedrock of securing sensitive business transactions by ensuring confidential information is only accessible to its intended recipient.

Every major cybersecurity incident emboldens attackers, who continually dream up newer, more sophisticated ways to compromise company information. These attacks also bring changes in legislation and tighter compliance regulations. Every company should maximize its use of email encryption in today's digital age.

Email encryption: enforced vs. unenforced

With headlines reporting data leaks and cyberattacks compromising emails, many end-users might assume their email providers use end-to-end encryption by default since it provides the most comprehensive security approach.

For most email providers, however, this isn't the case. Most emails use the Simple Mail Transfer Protocol (SMTP) to encrypt emails in transit, leveraging Transport Layer Security (TLS). Email services apply TLS based on configuration, and it generally falls into two categories: Opportunistic TLS and Forced TLS.

Unenforced email encryption (TLS)

Unenforced email encryption describes a policy where emails must be encrypted where possible, but not at the expense of delivery. Typically, this means using the most common form of TLS, called opportunistic TLS. This method uses an extension called StartTLS, which initiates a handshake that facilitates the exchange of encryption keys and establishes an encrypted tunnel for secure communications.

If the recipient's email server isn’t configured to support TLS, the sender may automatically use an unencrypted channel to complete the message's delivery. The tradeoff is that emails are delivered regardless of the recipient's email server configuration and at the expense of heightened security risk.

Enforced email encryption (TLS)

Enforced email encryption describes a policy where emails must be encrypted, even at the expense of delivery. With TLS, the basic procedure is similar to that with unenforced email encryption, but with one key difference. If the sender can't establish a secure tunnel with the recipient using the handshake process, it won't send the email.

The tradeoff here is significantly heightened security but at the expense of deliverability/reliability. Within networks of organizations that have close ties, like in the government or between institutions, this tradeoff is worth it. Administrators can ensure that all partner organizations have configured their services correctly, and so the “network” is established. However, for ad-hoc business communications, particularly with smaller organizations, enforced encryption with TLS poses a significant risk that could impact the company's ability to deliver their services and, ultimately, acquire and retain customers.

Both opportunistic and forced TLS have advantages and disadvantages because of TLS limitations. For most use-cases, opportunistic TLS provides a solid "everyday" form of encryption, allowing users to send and receive emails with the most security possible while still guaranteeing delivery.

That said, it applies a lowest common denominator form of protection. Meaning, it leaves information assurance at the mercy of the recipient's TLS configuration and leaves potentially sensitive information exposed to cyberattacks.

End-to-end message-level encryption

While some protection is better than none, it isn't easy to ensure secure communications while still guaranteeing message delivery with TLS. For organizations that want to ensure their sensitive data is always secure, and avoid the impractical tradeoff between security and delivery reliability, tools like Egress Protect provide end-to-end message-level encryption while also encrypting stored emails (data at rest).

Enforced gateway message-level encryption

Message-level email encryption can be enforced (or automated) at the gateway based on organizational policy. The gateway server can scan every outbound email (including attachments), looking for key words or phrases that the organization has included in their policy library. It can also inspect document classification, for example to ensure no documents classified as “internal only” are sent to external domains or to ensure the right level of protection is applied to a document marked “top secret” vs. one marked “confidential”. When the server detects a trigger, it can automatically apply encryption before the email is sent. Organizations can match their gateway encryption rules and policy library to uphold their wider data security program.

Enforcing message-level email encryption at the gateway means an organization isn’t reliant on a user to remember when to encrypt emails and ensures all sensitive data is encrypted before it leaves the organization.

The benefits of encrypting your company's emails

With security, companies often walk a tightrope between usability and protecting against data breaches and cyberattacks. As attacks grow in sophistication and incidents continue to erode consumer confidence in information security, companies must maintain reputations for security and regulatory compliance. Email encryption can be the cornerstone of a company's cybersecurity posture with the right solution and configuration.

Key benefits include:

  • Maintaining personal consumer data confidentiality and proprietary company information
  • Preventing account security breaches
  • Maintaining regulatory compliance in specific industries
  • Improving business efficiency by allowing business transactions to occur via email rather than exclusively in secure portals

Unencrypted email is a business risk

The true impact of an data breach is how it harms the business and its customers. Good cybersecurity eliminates or mitigates many of the worst outcomes associated with a data breach or intercepted communications.

Email encryption helps ensure messages remain confidential. It also reduces risks for identity theft and compromised accounts, and is a crucial factor in maintaining compliance in regulated industries.

FAQ

Should a company encrypt its email traffic?

Yes! Encrypting email traffic is the primary way a company can secure communications internally and with customers and external partners.

Do emails need to be encrypted?

Emails that contain sensitive data (such as personal details, protected health information, or payment information) need to be encrypted.

What should a business encrypt?

A business should encrypt all sensitive email communications with end-to-end encryption.

How do I create a secure email for my business?

Use an end-to-end encryption tool like Egress Protect to avoid tradeoffs between usability and security