If sensitive data is being sent, it must be protected – no exceptions.
As organizations trend towards a zero-trust security strategy, they can't afford to leave email unaccounted for. While traditional email gateways do a decent job of blocking potential attacks, many exploits don't rely on phishing, BEC scams, or email spoofs to get sensitive information (or money) from an organization.
Some attackers use sophisticated methods to spy on your emails directly, which is why the information contained in them needs to be encrypted. This is defense in depth: not only protecting email from the outside, but also protecting its contents from the inside, using industry-standard encryption in Fortra's Clearswift next-generation email security products.
Why is it important to encrypt emails?
Attackers know the kinds of valuable information we hide in our inboxes, and email is still the most favored form of business communication, anecdotally and otherwise. That means when we have to send something sensitive (and we have to send it fast) we usually just trust our luck, maybe shoot the recipient a message to delete after reading (or create a "burn after reading" note) and send the email. Once it's out of our hands, we usually forget about it. If they ping us back that they've deleted it, that's even more peace of mind.
But that's not enough, as deleted files can linger in cyberspace and remain exposed to prying eyes. Encrypting them, on the other hand, ensures that even if a threat actor launched a sophisticated attack, the emails they'd obtain would be gibberish.
When emails remain unencrypted, disasters like the infamous 2015 Sony email hack (in which full versions of unreleased movies were exfiltrated and exposed) can happen, causing immense and often irreparable reputational damage. And then there's the issue of regulatory fines, as numerous compliance standards (HIPAA, GDPR, PCI DSS, SOX, and others) require email encryption to minimize the fallout of a breach.
Best practices for implementing encrypted emails in business
Now that you've got this great new initiative – i.e., encrypting company emails – you need to make sure everything goes according to plan, and here are some tips to make sure that happens:
- Tell your employee base that encryption is the new policy by issuing an official new email usage policy stating this. The point is for all clients to expect that any emails coming from your enterprise will be infallibly secure, and for all your employees to understand that even, or especially, internal documents are at risk and worthy of encryption. Thus, as you roll out your new policy, a Security Awareness Training (SAT) program can give it a boost and show your employees more about the dangers of compromised email accounts and why encrypting communications is beneficial to them. They don't want to be the ones who accidentally leaked sensitive company information, and they don't want cybercriminals to use their unprotected emails to gain personal information on them. Leaving emails unencrypted can unfortunately lead to both outcomes.
- Make sure every single email is encrypted – not just some. Why does 100% coverage matter? Because the point is to make the job more difficult for attackers, not lead them directly to what matters. If you only encrypt emails with sensitive information, attackers will know precisely where to look. But aren't those emails encrypted? Yes, but determined threat actors will try to break the encryption, and from time to time they succeed. You need to make it harder for them by forcing them to go through thousands of encrypted emails to find the important ones, not just a handful you've conveniently marked.
- Use industry-standard encryption protocols: Not all encryption methods are created equal, but you can find the ones best suited for your industry and needs. With Fortra's email security and anti-phishing solutions, organizations have access to a variety of policy-based encryption options, including:
  - TLS (Transport Layer Security): The "TLS handshake" uses asymmetric cryptography to authenticate the sending and receiving mail servers and negotiate a session key, so emails are protected while in transit between them.
  - PKI (Public Key Infrastructure) technologies, like S/MIME (Secure/Multi-purpose Internet Mail Extensions): This standard uses public key cryptography with certificates issued by a PKI. The sender encrypts to the recipient's public key, only the recipient's private key can decrypt, and the sender signs with their own private key, letting users both encrypt and sign their emails.
  - PGP (Pretty Good Privacy): Combines public key and symmetric key encryption. The message is encrypted with a one-time symmetric key, that key is encrypted to the recipient's public key, and digital signatures authenticate the sender, so emails can be authenticated, encrypted, and decrypted.
  - Alternatively, secure web portals and password-protected messages and files can be used.
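The list above mixes transport encryption (TLS) with content encryption (S/MIME, PGP), and the distinction matters when checking what actually protected a given message: TLS covers only each hop between mail servers, while S/MIME and PGP/MIME keep the content encrypted once it sits in a mailbox or a backup. The following Python script is an added example, not code from Fortra or Clearswift: it reads a delivered message, checks each Received header for the TLS markers that MTAs such as Postfix, Sendmail, Exim and Gmail write (assumed formats), and inspects the MIME structure for S/MIME enveloped data (RFC 8551) or PGP/MIME (RFC 3156). The three sample messages, their hosts, addresses and ciphertext bodies are constructed placeholders.

```python
import re
from email import message_from_string
from email.message import Message
from typing import Optional

# Mail servers prepend a Received header for each delivery hop. Postfix,
# Sendmail and Exim write "with ESMTPS" (ESMTPSA for an authenticated
# submission) when the hop used STARTTLS; Gmail appends "(version=TLS1_3
# cipher=...)"; others write "(using TLSv1.3 ...)". These formats are an
# assumption about those MTAs; a plain "with ESMTP" hop carried cleartext.
TLS_HOP = re.compile(r"\bwith\s+L?ESMTPSA?\b|version=TLS|using\s+TLS", re.I)


def hop_used_tls(received_header: str) -> bool:
    """True if this Received header shows the hop was made over TLS."""
    return bool(TLS_HOP.search(received_header))


def content_encryption(msg: Message) -> Optional[str]:
    """Return 'smime', 'pgp' or None according to the top-level MIME structure."""
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # Signed-only S/MIME also uses pkcs7-mime; only enveloped-data is encrypted.
        if msg.get_param("smime-type", "") == "enveloped-data":
            return "smime"
    if ctype == "multipart/encrypted" and msg.get_param("protocol") == "application/pgp-encrypted":
        return "pgp"
    return None


def audit_message(raw: str) -> dict:
    """Summarise transport and content protection for one RFC 5322 message."""
    msg = message_from_string(raw)
    # Received headers are prepended, so index 0 is the most recent hop.
    hops = [hop_used_tls(h) for h in (msg.get_all("Received") or [])]
    encryption = content_encryption(msg)
    return {
        "hops": hops,
        "all_hops_tls": bool(hops) and all(hops),
        "content_encryption": encryption,
        # Only content encryption protects the message once it is stored.
        "protected_at_rest": encryption is not None,
    }


# Constructed sample 1: submitted over TLS, but the final hop into the
# corporate MX was plain ESMTP and the body is cleartext.
PLAINTEXT_MSG = """\
Received: from mta.partner.example (mta.partner.example [192.0.2.10])
    by mx.corp.example (Postfix) with ESMTP id 4F2A1; Mon, 1 Jan 2024 09:00:00 +0000
Received: from laptop.partner.example (unknown [198.51.100.7])
    by mta.partner.example (Postfix) with ESMTPSA id 1B3C4; Mon, 1 Jan 2024 08:59:00 +0000
From: alice@partner.example
To: bob@corp.example
Subject: Q3 payroll figures
Content-Type: text/plain; charset=us-ascii

Totals attached as discussed.
"""

# Constructed sample 2: TLS hop and S/MIME enveloped data (placeholder body).
SMIME_MSG = """\
Received: from mta.partner.example (mta.partner.example [192.0.2.10])
    by mx.corp.example (Postfix) with ESMTPS id 7C9D2; Mon, 1 Jan 2024 09:05:00 +0000
From: alice@partner.example
To: bob@corp.example
Subject: Q3 payroll figures
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

MIAGCSqGSIb3DQEHA6CAMIACAQAxAAAA
"""

# Constructed sample 3: Gmail-style TLS marker and a PGP/MIME body (placeholder).
PGP_MSG = """\
Received: from mail-sor.example (mail-sor.example [203.0.113.5])
    by mx.corp.example with ESMTPS id 9E1F0 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384); Mon, 1 Jan 2024 09:10:00 +0000
From: carol@vendor.example
To: bob@corp.example
Subject: Contract draft
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="sep"

--sep
Content-Type: application/pgp-encrypted

Version: 1

--sep
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
placeholder ciphertext
-----END PGP MESSAGE-----
--sep--
"""

if __name__ == "__main__":
    for name, raw in (("plaintext", PLAINTEXT_MSG), ("smime", SMIME_MSG), ("pgp", PGP_MSG)):
        print(name, audit_message(raw))
```

Run against a mailbox export, the script turns the "encrypt every email" policy into something measurable: a message with `all_hops_tls` false had a cleartext hop somewhere, and one with `protected_at_rest` false is readable by anyone who gets hold of the mailbox or its backups, regardless of how it travelled.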
Conclusion
As threat actors continually step up their game, a single-tiered email security strategy has become less effective against advanced email-targeted attacks. Adding a layer of encryption to all internal and outbound messages will provide an additional defensive buffer and round out a complete email security strategy for modern digital enterprises. And securing email means securing business.