Email Encryption in 2023
If you’ve been in security longer than fifteen seconds, then you’ve almost certainly heard the line: “Encrypting data strengthens its security”. Or something like that anyway. There’s certainly no denying it’s true, if it’s encrypted then it’s worthless to anyone who doesn’t have the key or ability to decrypt it, so that’s a win. It’s the exact same premise upon which Ransomware is based, if the miscreant (inevitably wearing a hoody in a darkened room) encrypts your data, you can’t use it. They’ll let you have it back of course for a nominal fee though which is nice of them.
Taking onboard the theory of encryption == good, why aren’t we slapping encryption on absolutely everything imaginable?
Well to some degree we have, since the early days of networks most transmission protocols have had an S tagged on the front or end of them to encapsulate the data in transit preventing it being altered or intercepted as it moves from A to B. But that’s easy, as applications and machines do that bit, their identities are always easy to confirm, and the process is managed without input from the user.
Sadly, once again it’s when users, human beings, homo sapiens, get involved it all turns to ruin. Humans have traits that no machine (ChatGPT included!) will ever possess: freewill, cognitive thought and laziness!
Email encryption isn’t particularly new; nearly everyone delivers email over SSL/TLS these days for good reason. But the email once delivered exists as clear text data for a person or persons to read/print/eat/forward or delete. If you think about how much data we share in email and the types of data then that isn’t necessarily a good thing.
Emails deliver things like insurance documents, payslips, invoices, and hospital appointments. That’s fine if they go to the correct people and are viewed only by those intended, but, suppose they don’t. If the email containing details on the embarrassing health condition is readable by anyone who gets hold of it, you probably wouldn’t be thrilled. Or the details of your pay, your credit card statement too?
The reason we don’t encrypt email at rest is because it’s a faff. S/MIME encryption has been around for years, but it’s complicated to get setup due to its reliance on PKI and certificates to be present to both encrypt and decrypt mails. It also means users either encrypt or sign emails to everyone about everything, which is unnecessary or they opt in or out of it for certain topics or recipients. That’s faff no one has time for.
For encrypting email to work we’ve got to let technology do the leg work, let technology identify and apply the security whilst the user goes about their business in the same manner they did before. Crafting a beautifully worded email that’s sensitive in nature, then on the pressing of send, technology looking at the language, the recipient and the attachments and figuring out if additional encryption or security should be applied, whilst our user starts to write the next one.
The good news is that this isn’t unthinkable, and it’s certainly not impossible. To get peace of mind around email delivery and email security talk to HANDD.
HANDD has a team of Email Security specialists who can advise on the best technology to assist your organisation with email encryption and more. If you’d like to discuss this further, call us on +44 (0) 845 643 4063 or email us at info@handd.co.uk