Encrypt emails: Why sending is not secure

Companies need to encrypt emails. Unfortunately, many solutions are difficult to install and inconvenient to use. We show the best alternatives.

Why is normal emailing not secure?

A major advantage of the Internet is its decentralized structure, which guarantees a high level of reliability. But this structure also brings disadvantages. E-mails pass through many different servers from different companies around the globe on their way from sender to recipient. This means that electronic mail can be read and even manipulated by unauthorized persons. In addition, data breakdowns at providers and hacker attacks on e-mail servers further exacerbate the problem.

To make emailing more secure, various techniques emerged to encrypt emails. However, email is a multi-link process and each link requires its own approach to solving the problem. For example, data transmission between e-mail programs such as Outlook and the providers’ mail servers is now secured almost everywhere with TSL/SSL transport encryption. However, this prevents neither the unencrypted sending of e-mails between mail providers nor the unsecured intermediate storage of mails on the servers.

End-to-end encryption techniques such as S/MIME (Secure Multipurpose Internet Mail Extensions) and PGP (Pretty Good Privacy) can be used to encrypt the contents of e-mails. However, there are often usability issues for senders and receivers when using these techniques.

What risks do companies run without email encryption?

Emails now cover the entire range of corporate communications – from appointments and memos to contracts and invoices to internal documents and strategy papers. They contain a large amount of personal and sensitive data as well as security-relevant and business-critical information. Accordingly, data leaks and information theft pose numerous and serious risks.

The recent data protection scandals at companies such as Facebook show that customers and users are taking the issue increasingly seriously. The damage to the company’s image caused by careless handling of personal data leads to a loss of trust and ultimately to the loss of customers. In addition, trade secrets can fall into the hands of competitors due to data breaches.

In addition, companies are no longer always free to decide whether to encrypt their e-mails.
The GDPR requires far-reaching protection of personal data. In this context, the often read claim that the regulation requires an unconditional encryption of all e-mails is not entirely correct. According to Article 32 of the GDPR, whether encryption is required depends on factors such as protection needs, potential risks, and feasibility. Deciding that, however, can be legally difficult. To avoid warnings and fines, companies are therefore well advised to encrypt their e-mails in any case.

Encrypt emails: How can companies make emailing secure?

Secure email communication can be set up in several ways. When selecting a suitable solution, in addition to the protective effect on different areas, the effort required for users and administrators plays a major role. Equally critical are implementation costs, which are significant for some approaches.

Traditional client-based encryption with PGP or S/MIME uses plug-ins for applications such as Outlook. They provide end-to-end encryption, so the message is encrypted all the way, from sender to receiver. However, this approach burdens users with the complicated management of cryptographic keys, which can significantly affect usability.

The administrative burden on users can be reduced with a public key infrastructure (PKI). Here, central keyservers take over the cumbersome key exchange. This method can also be combined well with server-based encryption. However, setting up the encryption gateways and PKI is too time-consuming and expensive for many companies. In addition, the route between the sender or receiver and the server is unsecured, which is especially problematic for external providers.

Password-based encryption takes a different approach by not encrypting and sending the actual emails. Instead, they notify the recipient of an incoming message via email and redirect them to a website. The addressee provides a password once, which a server uses to convert the e-mail into an encrypted PDF file. Then the recipient can download the PDF from the website, decrypt it in the PDF program and read it. This method is suitable as an additional measure if e-mails are to be sent to external partners without their own encryption technology. However, the ease of use for the transmitter and the receiver can also be classified as quite low with this variant.

How can providers of end-to-end encryption solutions help?

All the solutions mentioned in the previous section that can be used to encrypt e-mails are either complex to set up, expensive, or have usability weaknesses. In addition, some methods do not guarantee consistent security across the board. Providers of end-to-end communication platforms offer an alternative.

At PIPEFORCE, we provide a central platform that enables the secure exchange of information at all levels. PIPEFORCE delivers an end-to-end, DSGVO-compliant solution with an easy-to-install and convenient-to-use Outlook plugin. This secures documents of any size during transfer, including storage on the servers with AES encryption. Furthermore, it is possible to use password protection for very sensitive documents or to additionally activate end-to-end encryption. This makes the exchange of documents via e-mail not only more secure, but also easier and more convenient for all parties involved.

Conclusion

Today, no company can avoid the topic of data protection. The risks posed by unsecured communication are many and can have serious consequences. Companies that encrypt their emails avoid legal difficulties, data loss and damage to their image. PIPEFORCE provides a secure, reliable and convenient solution that saves time and money not only for a company’s employees, but also for its partners and customers.

---