
Expensive and complex: the 11 most common mistakes about email encryption

by Tejas Dhawan

Almost 28 percent of small and medium-sized companies in Germany do not yet use email encryption. This was the result of a study commissioned by the Federal Ministry for Economic Affairs and Energy. Among the reasons, the respondents stated that their communication partners could not handle encrypted messages and that employees did not have adequate technical skills. Difficulties in managing certificates are also often an obstacle.

Such concerns are justified, but can easily be removed with the right technology. Here are the eleven most common mistakes about encryption, and how they can be refuted.

Really not? Anyone who sends messages with personal data must encrypt them. This was already prescribed by the Federal Data Protection Act. With the GDPR, the regulations have become even stricter. Violations can now result in high fines. In addition, companies must report data breaches to the relevant supervisory authority within 72 hours and even notify the data subjects if there is an increased risk. However, anyone who uses email encryption is exempt from the obligation to notify the data subjects.


The question is rather: can you afford to do without encryption? A violation of the GDPR can be punished with sanctions of up to 20 million euros or four percent of global annual sales, whichever is higher. In addition, there is the damage to the company's image that follows a data protection violation. A good email encryption solution is certainly cheaper.

That’s true if you want to do everything yourself, because OpenPGP and S/MIME are different encryption standards that are not compatible with each other. You may have to install a plug-in in the email client. Key management is also complex. However, there are solutions today in which the user does not have to worry about anything. Such encryption gateways are usually easy to implement and are also available in the cloud.


Yes, but it is very time-consuming. In addition, the user must know what he is doing. If he makes mistakes, communication is no longer protected. Above a certain number of users, or with less technology-savvy users, it is therefore advisable to use a solution that automatically does as much as possible in the background.

No need. A suitable encryption gateway automatically recognizes which technology a communication partner is using. So everyone can use the standard they want. However, the prerequisite is that no proprietary technology is used. In addition, the gateway should support the common encryption methods.

In fact, email encryption is hardly common among private individuals and is usually perceived as too complicated. This is shown by a study by GMX and Web.de. Those who communicate a lot with people who do not use encryption can offer alternative solutions. One possibility is, for example, a secure web portal in which the recipient can pick up his encrypted message.

TLS is only transport encryption. The technology creates a tunnel between two computers through which the e-mail is sent. On the sending and receiving computers, however, the message is in plain text and can be read, manipulated or copied. In addition, the email is passed from computer to computer on its way through the Internet before it reaches the recipient.

The sender cannot check whether each of the computers is actually building a new, secure tunnel. In addition to transport encryption, you should therefore use content encryption with OpenPGP or S/MIME. The content of the message is encrypted, except for metadata such as sender, recipient and sending date. Together, content encryption and transport encryption ensure a high level of protection.
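
The hop-by-hop limitation described above can be observed on the receiving side. The following Python sketch is an added example, not part of the original article: it reads the Received headers of a constructed sample message, uses the RFC 3848 "with" keywords to flag hops that were not received over TLS, and checks whether the body is content-encrypted with S/MIME or OpenPGP. All host names and addresses are constructed.

```python
import re
from email import message_from_string
# Constructed sample (not from the article): three hops, the middle one without TLS.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.org with ESMTPS id c3; Mon, 01 Jan 2024 10:00:03 +0000
Received: from relay.example.com (relay.example.com [192.0.2.20])
\tby mx.example.net with ESMTP id b2; Mon, 01 Jan 2024 10:00:02 +0000
Received: from client.example.com (client.example.com [192.0.2.30])
\tby relay.example.com with ESMTPSA id a1; Mon, 01 Jan 2024 10:00:01 +0000
From: alice@example.com
To: bob@example.org
Date: Mon, 01 Jan 2024 10:00:00 +0000
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"

(constructed placeholder, no real ciphertext)
"""

# RFC 3848 "with" keywords: a trailing S (or SA) means the hop was received over TLS.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def hop_transport(msg):
    """Return [(receiving_host, keyword, used_tls)], oldest hop first."""
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text, prev = header, None
        while prev != text:  # drop (nested) comments such as "(using TLS with cipher ...)"
            prev, text = text, re.sub(r"\([^()]*\)", " ", text)
        m = re.search(r"\bby\s+(\S+).*?\bwith\s+([A-Za-z0-9]+)", " ".join(text.split()))
        host, keyword = (m.group(1), m.group(2).upper()) if m else ("?", "UNKNOWN")
        hops.append((host, keyword, keyword in TLS_KEYWORDS))
    return hops

def content_encryption(msg):
    # Detect S/MIME enveloped data or PGP/MIME from the top-level Content-Type.
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted" and msg.get_param("protocol") == "application/pgp-encrypted":
        return "OpenPGP"
    smime_type = (msg.get_param("smime-type") or "").lower()
    if ctype.endswith("pkcs7-mime") and smime_type in ("enveloped-data", "authenveloped-data"):
        return "S/MIME"
    return None

def audit(raw):
    msg = message_from_string(raw)
    return {
        "plaintext_hops": [h for h, _, tls in hop_transport(msg) if not tls],
        "content_encryption": content_encryption(msg),
        "visible_metadata": {k: msg[k] for k in ("From", "To", "Date") if msg[k]},  # never encrypted
    }
```

Received headers are written by each receiving server, so only the entries added by servers you trust are reliable evidence of how a hop was transported.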

Do you trust your cloud provider without limits? If he takes over both email management and email encryption, he also has your keys and can read the messages. You should either separate email management and email encryption, or use a solution that allows you to keep your keys yourself.

This is a problem with end-to-end encryption, because then the virus scanner and data loss prevention solution (DLP) cannot view the messages and consequently cannot examine them. However, there is also a hybrid approach: end-to-end encryption is used between the sender and the gateway. The message is made available in plain text at the gateway, checked for malware and content and then encrypted and transported back to the recipient’s mailbox.

No need. All e-mail clients available on the market today have integrated e-mail encryption based on S/MIME. It can be triggered at the push of a button. However, the user has to take care of the key management himself. This is not the case if he uses an encryption gateway to do this. Then he only needs to click the encryption button in the email program to send a secure message.


If an archive system does not see messages in plain text, it cannot index them. This makes it difficult to find emails in the archive. However, this problem can be avoided if a proxy is placed between the archiving solution and the e-mail system. Emails can then be archived in encrypted form, but are also searchable because the content is indexed.

In fact, there is no longer any reason to forgo email encryption today, because nobody wants to risk that emails in plain text can simply be read if they fall into the wrong hands. With regard to personal data, secure communication is a must anyway. Suitable encryption systems, which are based on standards, offer interfaces to archive and security solutions and are user-friendly, can remove all concerns. (hal)
