How Secure is Secure Email?

Have you ever clicked ‘Send Secure’ on an email and wondered what that actually means? Email remains one of the most common ways companies communicate internally and with clients. However, it’s also one of the least secure, leaving important data and private information vulnerable to nefarious actors. SMTP (Simple Mail Transfer Protocol) is the standard protocol used to send email. Unfortunately, SMTP was developed in the 1980s purely to deliver messages; security was never part of its design, and the protections that exist today were bolted on afterwards.

What Does Email Security Really Mean?

Of course, no email platform is going to say that their product isn’t secure. However, the term “secure” is often used as a marketing buzzword rather than a confirmation that actual end-to-end encryption is in place when emails are sent.

There are a few key aspects of email security. 

  • Authentication confirms the sender’s identity.
  • Confidentiality ensures that only intended recipients can read the message.
  • Integrity prevents messages from being tampered with in transit.

Different types of email security happen at different points in the process of sending and receiving emails. 

  • At rest refers to a message being stored somewhere, such as a mail server or simply sitting in your inbox. Access to your inbox is controlled by your password (ideally with multi-factor authentication), but note that a password controls who can log in; it does not by itself encrypt the stored messages. 
  • In-transit security refers to the period after you hit the send button, when the message is being transferred from the sender’s server to the recipient’s server.
  • End-to-end encryption ensures that, from the time it leaves the sender’s device until the recipient reads it, only the sender and the recipient can read the message.  

Common Email Security Options 

S/MIME 

S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and it uses digital certificates to encrypt and digitally sign emails. These certificates rely on PKI (public key infrastructure), which is built on public key cryptography: each person has a key pair, and the recipient’s public key locks/encrypts your message while only the recipient’s private key unlocks/decrypts it. Signing works the other way around: the sender’s private key produces the signature, and anyone holding the sender’s public key (distributed in the certificate) can verify it. 

S/MIME provides true end-to-end encryption and sender verification, but it is not widely available in, or compatible with, most consumer email programs. It can also be more complicated to work with because each party needs a certificate installed on their own device, and the sender must have the recipient’s certificate before an encrypted message can be created. 

TLS 

TLS stands for Transport Layer Security, which encrypts messages as they travel between email servers. It is provided automatically by most email platforms and ensures that no one is “eavesdropping” on your messages in transit. Because TLS protects only each server-to-server hop, the mail servers themselves (and whoever administers them) can still read the message, a single hop without TLS exposes the message in the clear, and the message is not secured once it is sitting in an inbox.
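The S/MIME and TLS sections above describe protections that leave traces in a received message’s headers: each relay records whether the hop used TLS in its Received line (the ESMTPS/ESMTPSA keywords, or a version=TLS annotation some servers add), and an S/MIME message announces itself through its Content-Type. The following script is an added example, not code from the original article or from any product it mentions; it uses only Python’s standard library, and the two messages it inspects are constructed samples (the base64 S/MIME body is a placeholder, not real CMS data).

```python
import email
import re
from email import policy

# Constructed sample: two relay hops. The first (laptop -> mx.example.org) used TLS,
# the second (mx.example.org -> inbound.example.net) did not.
SAMPLE_TLS_GAP = b"""Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbound.example.net with ESMTP id abc123;
\tMon, 1 Jan 2024 10:00:02 +0000
Received: from sender-laptop (unknown [198.51.100.7])
\tby mx.example.org with ESMTPSA id xyz789
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256);
\tMon, 1 Jan 2024 10:00:00 +0000
From: alice@example.org
To: bob@example.net
Subject: Q3 numbers
Content-Type: text/plain

see attached
"""

# Constructed sample of an S/MIME enveloped (encrypted) message; the body is a placeholder blob.
SAMPLE_SMIME = b"""From: alice@example.org
To: bob@example.net
Subject: Q3 numbers
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=
"""

# "with ESMTPS"/"ESMTPSA" (RFC 3848) or a "version=TLS..." note both indicate a TLS-protected hop.
TLS_MARKERS = re.compile(r"\bwith\s+(?:ESMTPS|ESMTPSA|UTF8SMTPS|UTF8SMTPSA)\b|version=TLS", re.I)


def hop_report(raw: bytes) -> list[dict]:
    """Return one entry per Received header, oldest hop first, with a TLS flag.

    Caveat: Received lines are written by each relay and can be forged by an
    attacker-controlled server; only the lines added by servers you operate are trustworthy.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for received in msg.get_all("Received", []):
        text = " ".join(str(received).split())  # collapse folded-header whitespace
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", text, re.I)
        hops.append({
            "from": m.group(1) if m else "?",
            "by": m.group(2) if m else "?",
            "tls": bool(TLS_MARKERS.search(text)),
        })
    # Each relay prepends its header, so the list is newest-first; reverse to chronological order.
    return list(reversed(hops))


def all_hops_encrypted(raw: bytes) -> bool:
    """True only if every recorded hop advertised TLS (in-transit protection end to end)."""
    hops = hop_report(raw)
    return bool(hops) and all(h["tls"] for h in hops)


def smime_protection(raw: bytes) -> str:
    """Classify the outermost MIME structure: 'encrypted', 'signed', 'other' or 'none'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    smime_type = (msg.get_param("smime-type") or "").lower()
    protocol = (msg.get_param("protocol") or "").lower()
    if ctype == "application/pkcs7-mime":
        if smime_type == "enveloped-data":
            return "encrypted"
        if smime_type == "signed-data":
            return "signed"
        return "other"
    if ctype == "multipart/signed" and protocol == "application/pkcs7-signature":
        return "signed"  # clear-signed: readable by anyone, but tamper-evident
    return "none"


if __name__ == "__main__":
    for hop in hop_report(SAMPLE_TLS_GAP):
        print(f"{hop['from']:>16} -> {hop['by']:<22} TLS={hop['tls']}")
    print("every hop encrypted:", all_hops_encrypted(SAMPLE_TLS_GAP))
    print("S/MIME (plain sample):", smime_protection(SAMPLE_TLS_GAP))
    print("S/MIME (enveloped sample):", smime_protection(SAMPLE_SMIME))
```

Running it on the first sample shows why "my provider uses TLS" is not the whole story: the hop into the sender’s own server was encrypted, but the relay onward was not, so the message crossed the internet in the clear. The second sample is flagged as S/MIME encrypted by its structure alone; actually decrypting or verifying it would require the recipient’s private key or the sender’s certificate, which is exactly the end-to-end property the article describes.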

Third-Party Email Security Services

If you work with sensitive data or are in a highly regulated industry, it may be beneficial to use a third-party email service. These services act as a secure relay or portal for email messages and are often adopted by companies with strong privacy needs.

Barracuda

Barracuda features a Secure Message Center, where recipients must log in to access messages. The sender receives a confirmation message, and the recipient receives a link to view the message securely. This is particularly helpful for compliance-intensive industries, such as financial institutions, healthcare providers, and law firms.

Mimecast

Mimecast is a cloud-based email security platform that offers tools, including encryption, threat protection, impersonation protection, and data loss prevention. It has a user-friendly interface that allows you to specify which emails require encryption or special handling based on content, recipients, or other criteria. These flexible policy controls make it a strong option for companies in high-compliance industries. 

What Should Never Be Sent Over Regular Email?

Regardless of your email security and encryption protocols, high-risk data should always be encrypted or sent via a secure platform rather than as plain email. This includes, but is not limited to:

  • Social Security numbers
  • Bank account or credit card info
  • Medical records (protected health information under HIPAA)
  • Legal contracts and documents
  • Proprietary business information or trade secrets
  • Passwords and login credentials
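The Mimecast section above describes policies that decide, based on content, which messages require encryption, and the list above names the data types such a policy should catch. The script below is an added example of that kind of outbound content check, written here for illustration; it is not Mimecast’s or any vendor’s code. It uses only Python’s standard library, the sample message bodies are constructed, and the patterns are deliberately limited to items that have a recognisable shape (Social Security numbers, payment card numbers validated with the Luhn checksum, and credential-style "password:" fields); contracts, medical records and trade secrets need context-aware classification that pattern matching alone cannot provide.

```python
import re

# SSN: three groups, rejecting the area numbers (000, 666, 900-999) and zero groups that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes. Luhn filters the rest.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Credential-style fields such as "password: ..." or "pwd=...".
CREDENTIAL_RE = re.compile(r"\b(?:password|passwd|pwd|passcode)\s*[:=]", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out tracking and order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(body: str) -> dict:
    """Scan a message body and return redacted findings per category.

    Findings are stored masked (last four digits only) so that the DLP log itself
    does not become another copy of the sensitive value.
    """
    findings = {"ssn": [], "card": [], "credential": False}
    for m in SSN_RE.finditer(body):
        findings["ssn"].append("***-**-" + m.group()[-4:])
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings["card"].append("****" + digits[-4:])
    findings["credential"] = bool(CREDENTIAL_RE.search(body))
    return findings


def required_handling(body: str) -> str:
    """Policy decision: 'encrypt' when any high-risk item is present, otherwise 'plain'."""
    f = classify(body)
    if f["ssn"] or f["card"] or f["credential"]:
        return "encrypt"
    return "plain"


# Constructed sample bodies: 4111 1111 1111 1111 is a well-known Luhn-valid test number,
# 1234 5678 9012 3456 fails the checksum and is treated as an ordinary reference number.
SENSITIVE_BODY = (
    "Hi Bob, my SSN is 123-45-6789 and the card is 4111 1111 1111 1111. "
    "Tracking ref 1234 5678 9012 3456. password: hunter2"
)
BENIGN_BODY = "Lunch at noon? Call the front desk on 555-0100 and ask for room 4."

if __name__ == "__main__":
    for body in (SENSITIVE_BODY, BENIGN_BODY):
        print(required_handling(body), classify(body))
```

A real gateway would run this on every outbound message before relaying it, forcing the flagged ones into an encrypted channel or a portal of the kind the Barracuda section describes, and would extend the pattern set (and add document fingerprinting) to cover the categories that have no fixed format.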

The main rule of sending secure email is to match your security method to the sensitivity of the information. You know your data and understand what needs to be protected. As with all security recommendations, we recommend regularly testing, auditing, and updating your security policies. Reinforce those safety protocols with ongoing training and security awareness to enable staff to recognize phishing and social engineering.


Contact FSA Consulting to review your current email communications and develop a strong plan to keep your email and data secure.