Email encryption helps protect sensitive information from hackers or other unwanted parties by permitting only specified users to access and read your messages. Email encryption uses public key infrastructure (PKI) technology, the gold standard for digital identity authentication and encryption, to secure emails both at rest (stored) and in transit. Because all email content and attachments are sent encrypted, an attacker who intercepts the communication cannot read it. Additionally, if an attacker successfully steals a mail server password, no sensitive information is exposed, since the content and attachments stored on the server are encrypted.
How Email Encryption Works
Email encryption uses key pairs based on public key infrastructure (PKI) technology to provide a secure and scalable method of authentication and encryption. The core technology enabling PKI is public key cryptography, an encryption mechanism that relies on two related keys, a public one and a private one. These two keys are used together to encrypt and decrypt a message. The public key consists of a long string of random numbers and can be used to encrypt a message. The encrypted message can only be deciphered and read by the intended recipient using the associated private key, which also consists of a long string of random numbers. The private key is secret and must remain known only to the recipient. The key pair is mathematically related so that whatever is encrypted with one key can only be decrypted by its corresponding counterpart.
Options for Encryption
There are several options depending on the level of security you require. Fortunately, most of these email encryption software solutions work regardless of the email provider you use.
- The most secure email encryption method is Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates. S/MIME certificates use PKI to protect your emails by digitally signing them to authenticate the identity of the sender and by encrypting content and attachments in transit and when stored on an email server. S/MIME is built into most Microsoft Windows, iOS, and Android devices and most large email solutions such as Gmail, Office 365, and Apple Mail.
- If you choose PGP/MIME (Pretty Good Privacy/Multipurpose Internet Mail Extensions), you get a decentralized approach that is designed to secure plain-text content. This option offers you more control over the encryption of your emails, but you’ll need to use a third-party tool.
- Using Transport Layer Security (TLS), you encrypt the channel between mail servers, but the message itself remains unencrypted. Once the message is in the recipient’s inbox, its protection is out of your control.
- There are other email encryption services that can ensure end-to-end encryption, such as ProtonMail or Hushmail. However, in order to use these secure email services the sender and the recipient must be on the same third-party domain (for example, both addresses are @hushmail.com). This detail creates challenges for many businesses, since customers all use different email services.
How to Encrypt Email Messaging with S/MIME Certificates
Clearly, IT professionals must rethink their strategies for securing email communications and systems. To truly protect messages from today’s sophisticated attacks, enterprises need a complete security approach that enables both encryption and authentication of digital identities for all employees and devices.
Leveraging numerous sophisticated security features, S/MIME certificates give users the confidence to trust their digital correspondence and avoid many of today’s attacks on enterprise email users and infrastructure. They are an indispensable part of the enterprise’s complete email security strategy.
These certificates enhance the security profile of your email communications in three primary ways:
- Authentication of sender. Each certificate includes the sender’s authenticated email address, giving receivers a mechanism to confirm that communications are genuinely from authorized parties: the receiving client displays a check mark icon that identifies the sender as authentic and the email as unmodified.
- Encryption of content and attachments. Sending and receiving mail clients use the certificates to encrypt and decrypt content, including attachments. This prevents attackers from reading communications intercepted in transit and from reading content stored on servers.
- Assurance of integrity. If a signed email or its attachments are altered in any way, the signature fails validation and the email client warns the user.
S/MIME certificates protect employees against spear phishing attacks, even when they use smartphones and mobile devices to access email. By encrypting/decrypting messages and attachments and by validating senders’ identities, these certificates assure users that emails are authentic and unmodified.
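As an added example (not code from the original article or from Sectigo), the following Go program models the sign-then-encrypt pattern behind the three protections above: the sender signs the body with their private key, the body is encrypted to the recipient's public key, and the recipient's side refuses anything it cannot decrypt or whose signature does not verify. It is deliberately simplified: real S/MIME carries these parts in CMS/PKCS#7 structures and encrypts the body with a per-message symmetric key that is RSA-encrypted to each recipient; the type and function names here are my own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// SealedMail is a simplified stand-in for an S/MIME signed-and-encrypted message
// (hypothetical type for this example; real S/MIME uses CMS/PKCS#7 structures).
type SealedMail struct {
	Ciphertext []byte // body encrypted to the recipient's public key (RSA-OAEP)
	Signature  []byte // RSA-PSS over the plaintext body, made with the sender's private key
}

// SealMail signs body with the sender's private key and encrypts it so that only
// the holder of the private key matching recipientPub can read it.
func SealMail(body []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*SealedMail, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, body, nil)
	if err != nil {
		return nil, err // e.g. body too long for direct RSA encryption
	}
	return &SealedMail{Ciphertext: ct, Signature: sig}, nil
}

// OpenMail decrypts with the recipient's private key and checks the sender's
// signature. The two error paths mirror the warnings a mail client shows: the
// message is not readable with this key, or it was altered or not sent by the claimed sender.
func OpenMail(msg *SealedMail, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	body, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, msg.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("cannot decrypt: wrong private key or ciphertext altered")
	}
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], msg.Signature, nil); err != nil {
		return nil, errors.New("signature invalid: content altered or not signed by the claimed sender")
	}
	return body, nil
}
```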
How to Send an Encrypted Email in Gmail
There are three levels in Gmail email services: Basic, Business, and Enterprise. According to the site, all of these use TLS server-to-server encryption. Hosted S/MIME encryption is only available to Enterprise users (G Suite Enterprise and G Suite Enterprise for Education).
Within the G Suite Google Admin console, your administrator installs your certificate to Google’s server in order to enable S/MIME. Then, you’ll be able to encrypt and digitally sign emails through these steps:
- Prepare your email with recipient email address, content, and any attachments.
- Click on the lock icon in the top-right corner next to the cc and bcc options.
- Click View Details to see if the recipient has encryption; you can also change your S/MIME settings here.
- Click on Settings.
- Select Enhanced Encryption with digital signature and click OK.
- Click Send.
Google uses color codes to indicate the different levels of email encryption visually in Gmail:
- Green - S/MIME encryption is keeping information safe; it can only be decrypted with a private key.
- Gray - Transport Layer Security (TLS) is protecting your email, but it’s only safe if both the sender and the recipient have TLS.
- Red - The email is not encrypted.
How to Send an Encrypted Email in Microsoft Outlook
It’s easy to encrypt emails in Microsoft Outlook so that you can send secure messages. Upon installation of your S/MIME certificate, go through these steps to encrypt an outgoing email in Outlook:
- Prepare your email with content, and any attachments.
- In the Options tab, select More commands, which is indicated by three dots.
- Select the Message Option menu item.
- Click the Security Settings button.
- Select Encrypt message contents and attachments.
- Click OK. Then you can send your encrypted email.
To set up S/MIME for all Outlook emails, complete the following steps:
- Install your S/MIME certificate. To do this, you’ll need a certificate or digital ID from your organization’s admin team. The installation can also be completed automatically for you by using a certificate management platform, like Sectigo Certificate Manager.
- Next, open the File menu. Then select Options.
- In the Options menu, select the Trust Center menu item.
- Then click the Trust Center Settings button and select the Email Security menu item.
- Now you can set all messages to be encrypted through the S/MIME settings by selecting "Encrypt contents and attachments for outgoing emails."
It’s important to note that if the recipient doesn’t have S/MIME enabled, they may not be able to read your email. To disable encryption for a single message, simply deselect the “Encrypt this message (S/MIME)” option.
How to Encrypt Emails on Apple iOS
S/MIME is a built-in feature in iOS devices, including Apple iPhones. iOS uses the device’s global address list to identify contacts in your environment that have a valid S/MIME certificate. To activate S/MIME support in your iOS device, follow these steps:
- In Advanced Settings, switch S/MIME on.
- Choose yes for Encrypt by Default.
- Look for the lock icon near the recipient field when writing a new email. If the lock is blue, the email can be encrypted. If the lock is red, the recipient needs to turn on their S/MIME setting.
- Then tap the lock icon to encrypt the message.
Avoid Common Pitfalls
Even with encryption in place, there are numerous pitfalls that can expose a business’s emails to malicious actors. To avoid these problems, follow these email security best practices:
- When encrypting emails, encrypt all of them, not just the ones with sensitive information. If only some are encrypted, you provide hackers with a direct roadmap to your critical messages: rather than facing the massive task of sifting through hundreds or thousands of messages, most of which would prove worthless, they only have to break into the few encrypted ones to find the valuable data. The advantage of automated installation of S/MIME certificates is that employees send encrypted email by default, removing the need for them to choose which to encrypt and which to leave unencrypted on a case-by-case basis.
- To ensure proper email encryption throughout your company, ensure all employees are in alignment. Establish and communicate an email usage policy. Encryption is most effective and user adoption is highest when a consistent company standard is applied to all employees.
- Another security tip that also applies to data protection in general is to be sure that computers are always locked when unattended. This may sound like common sense, but stepping away for just a moment without locking your computer can open the door to risk. In addition to password protection, put a company policy in place for screen locking every time an employee leaves the computer.
How to Automate Deployment of S/MIME Certificates
Traditionally, S/MIME solutions have required end users to acquire a trusted certificate from a public CA and install it on their own system, all on their own initiative. But the steps required to manually issue and configure these certificates can be difficult for the average enterprise employee. Since email clients continue to function even when certificates are not in place, user compliance with company guidelines for S/MIME deployment can be lacking.
Unlike traditional S/MIME certificate deployments, Sectigo Zero-Touch S/MIME is designed to be invisible to the user. This approach enables broad employee adoption as IT professionals can seamlessly deploy and maintain email certificates for employees without requiring action from them. By automating configuration and issuance of certificates using a management console, you are reducing the risk of noncompliance while simplifying deployment across a large number of computer and mobile devices and reducing help desk calls.
Sectigo issues a single certificate for a user, which can then be deployed to multiple devices used by that employee, including their computer/laptop, tablet, or mobile device. Plus, certificates can be provisioned to mobile devices using an MDM like Microsoft Intune or Apple.
Why Email Encryption Is Important
News of cyberattacks and data breaches through email is constantly making headlines. Unfortunately, the protocols and infrastructure on which email is built have roots that go back decades, and for the most part the way we secure email identities, content, and systems has not changed. Messages and attachments can be spied upon, altered, or faked, opening the door to a variety of attacks, such as malware injection, that can result in data loss as well as loss of funds, company secrets, credit card numbers, or other confidential customer information. And with increased use of mobile devices and decreased face-to-face communication, it’s easier than ever for attackers to prey upon employee-related vulnerabilities and weak email security postures. IT teams have long turned to basic security measures to protect users and sensitive data, but these cybersecurity measures are not as effective as they once were.
The cost to business is high. The FBI reported a financial loss to businesses of $1.2 billion in 2018 due to business email compromise alone, an increase of 78% from the previous year. Additionally, high-profile email breaches can impact brand image and lead to senior executives’ job losses. In 2015, Sony’s CEO was forced to resign after hackers leaked the company’s email store, releasing full versions of unreleased movies and damaging conversations. In 2016, the Democratic National Committee left unencrypted content exposed on its server, making it easily accessible to bad actors.
Not only can insufficient security leave organizations at risk of attacks and breaches, but it can also put enterprises in jeopardy of noncompliance with regulatory mandates. To guard against business email compromise and information theft vulnerabilities, regulations such as HIPAA/HITECH, GDPR, and the U.S. federal government’s DFARS define instances and use cases that require email encryption to mitigate or minimize the consequences of a breach. Not meeting compliance requirements can result in substantial fines. For example, the EU recently charged GDPR-related fines to Google for €50 million, to Marriott for £99 million, and to British Airways for £183 million. Further, GDPR mandates that fines are not only based on the scale of an individual breach but also on the level of negligence. So applying a strong security solution to your email systems, such as S/MIME certificates, not only helps reduce the risk of a breach itself but also the amount of the fine should a breach occur.
To learn more about the importance of email encryption and for a deep dive into automating deployment of S/MIME certificates, download the Protecting Enterprise Email with S/MIME Certificates whitepaper.