The 11 Most Common Misconceptions About Email Encryption

Too expensive and too complicated - that's what many companies think about email encryption. But is this really true? Here are the most common misconceptions.

Almost 28 percent of small and medium-sized companies in Germany do not yet use email encryption. This was the result of a study commissioned by the Federal Ministry for Economic Affairs and Energy. The reasons given by those surveyed include that their communication partners cannot handle encrypted messages and that employees are not technically well-versed. Difficulties in managing certificates are often an obstacle as well.



Such concerns are legitimate but can be easily resolved with the right technology. Here are the 11 most common misconceptions about encryption - and how to refute them.

1. I Don't Need Email Encryption

Really not? Anyone who sends messages containing personal data must encrypt them. This was already prescribed by the Federal Data Protection Act. With the GDPR, the regulations have become even stricter, and violations can now result in high fines. In addition, companies must report data protection violations to the responsible supervisory authority within 72 hours and even notify the persons concerned if there is an increased risk. Those who use email encryption, on the other hand, are exempt from the obligation to notify the data subjects.

2. I Can't Afford That

The question is rather: can you afford to do without encryption? A violation of the GDPR can result in sanctions of up to 20 million euros or four percent of global annual sales, whichever is higher. In addition, there is the damage caused by the loss of image as a result of a data protection breach. A good email encryption solution is definitely cheaper.

3. Email Encryption Is Way Too Complicated

That is true if you want to do everything yourself: OpenPGP and S/MIME are two encryption standards that are not compatible with each other, you may have to install a plug-in in the email client, and key management is complex. Today, however, there are solutions in which the user does not have to worry about any of this. Such encryption gateways are usually easy to implement and are also available in the cloud.

4. I Can Do This Alone

Yes, but that is very time-consuming. In addition, the user has to know what he is doing; if he makes mistakes, communication is no longer protected. Beyond a certain number of users, or for users who are less tech-savvy, it is therefore advisable to use a solution that does as much as possible automatically in the background.

5. I Have to Convince My Communication Partners of "my" Solution

No need. A corresponding encryption gateway automatically recognizes which technology a communication partner is using. So everyone can use the standard they want. However, the prerequisite is that no proprietary technology is used. A gateway that supports common encryption methods should also be used.

6. It Doesn't Work Because My Communication Partners Have No Idea About Technology

In fact, email encryption is rarely used by private individuals and is usually perceived as too complicated, as a study by GMX and Web.de shows. Anyone who communicates a lot with people who do not use encryption can offer alternative solutions. One possibility, for example, is a secure web portal where the recipient can pick up the encrypted message.

7. I Use SSL/TLS - That's Enough

TLS is only transport encryption: it creates an encrypted tunnel between two computers through which the e-mail is sent. The message, however, is available in plain text on the sending and receiving computers, where it can be read, manipulated or copied. In addition, on its way through the Internet the e-mail is forwarded from mail server to mail server before it reaches the recipient.

The sender cannot check whether each of these servers actually establishes a new, secure tunnel for the next hop. In addition to transport encryption, you should therefore use content encryption with OpenPGP or S/MIME. The content of the message is then encrypted, but metadata such as sender, recipient and date of dispatch remain readable. Together, content encryption and transport encryption ensure a high level of protection.
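The distinction above can be checked on a mailbox or mail-flow log: a message is content-encrypted only if its MIME structure is an S/MIME or OpenPGP envelope, and even then the headers stay readable. The following is an added example (not code from the original article), using only Python's standard `email` module on constructed sample messages with placeholder ciphertext; it also goes slightly beyond the text by recognising inline (non-MIME) PGP bodies.

```python
import email
from email import policy

# Constructed sample messages (placeholders, not real ciphertext): an S/MIME
# envelope, a PGP/MIME envelope, and a plain message that relied on TLS alone.
COMMON_HEADERS = (
    "From: alice@example.org\nTo: bob@example.com\n"
    "Subject: Invoice 4711\nDate: Mon, 01 Jan 2024 10:00:00 +0000\nMIME-Version: 1.0\n"
)
SMIME_MSG = COMMON_HEADERS + (
    'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\n'
    "Content-Transfer-Encoding: base64\n\nQ0lQSEVSVEVYVA==\n"
)
PGP_MSG = COMMON_HEADERS + (
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\n'
    "\n--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    "--b1\nContent-Type: application/octet-stream\n\n"
    "-----BEGIN PGP MESSAGE-----\n\nCIPHERTEXT\n-----END PGP MESSAGE-----\n--b1--\n"
)
PLAIN_MSG = COMMON_HEADERS + "Content-Type: text/plain\n\nDear Bob, your IBAN is ...\n"

# Metadata that stays in the clear regardless of content encryption.
METADATA_HEADERS = ("From", "To", "Subject", "Date")


def classify(raw: str) -> dict:
    """Return the content-encryption scheme used and the metadata still readable."""
    msg = email.message_from_string(raw, policy=policy.default)
    ctype = msg.get_content_type()
    scheme = "none"
    if ctype == "application/pkcs7-mime" and msg.get_param("smime-type") == "enveloped-data":
        scheme = "S/MIME"
    elif ctype == "multipart/encrypted" and msg.get_param("protocol") == "application/pgp-encrypted":
        scheme = "OpenPGP/MIME"
    elif not msg.is_multipart():
        # Inline PGP: armored block directly in a text body (not covered by the article).
        body = msg.get_payload(decode=True) or b""
        if b"-----BEGIN PGP MESSAGE-----" in body:
            scheme = "OpenPGP/inline"
    # Headers sit outside the encrypted envelope in every scheme above.
    visible = {h: str(msg.get(h, "")) for h in METADATA_HEADERS}
    return {"scheme": scheme, "visible_metadata": visible}


if __name__ == "__main__":
    for name, raw in (("smime", SMIME_MSG), ("pgp", PGP_MSG), ("plain", PLAIN_MSG)):
        print(name, classify(raw))
```

Run as a filter over outbound mail, the "none" result is what a DLP rule for messages containing personal data should flag.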

8. My Cloud Provider Is Already Encrypting

Do you have unlimited trust in your cloud provider? If it handles both email management and email encryption, it also holds your keys and can read your messages. It's a bit like giving someone a locked cashbox to keep and taping the key to the underside.

Your cloud provider is most likely not interested in decrypting and using customer information. However, if the provider is an American company, it falls under the CLOUD Act of 2018. This is a tightening of the USA PATRIOT Act of 2001: previously unclear points have been specified, and the CLOUD Act now also gives US authorities access to data stored on servers of US companies abroad, even retrospectively.

In addition, the fact that the ECJ has just declared the Privacy Shield agreement invalid is causing further concern among European companies. You should therefore either separate email management from email encryption, or use a solution that lets you keep your keys yourself.

9. My Antivirus and DLP Solution Will Then No Longer Work

This is a problem with end-to-end encryption because antivirus and data loss prevention (DLP) solutions cannot view the messages and consequently cannot examine them. However, there is also a hybrid approach: end-to-end encryption is used between the sender and the gateway. At the gateway, the message is made available in plain text, checked for malware and content, and then encrypted again and transported to the recipient's mailbox.

10. I Need to Install Plug-Ins on All Clients

No need. All e-mail clients available on the market today already integrate e-mail encryption based on S/MIME, and it can be triggered at the push of a button. However, the user then has to take care of key management himself. This is not the case with an encryption gateway, which takes over that job. Then only one click on the encryption button in the e-mail program is needed to send a secure message.

11. My Archiving Solution Will No Longer Work Properly

If an archiving system does not see messages in clear text, it cannot index them. This makes it difficult to find emails in the archive. However, this problem can be avoided by placing a proxy between the archiving solution and the e-mail system. E-mails can then be archived in encrypted form, but at the same time they are searchable because the content is indexed.

Conclusion

In fact, there is no longer any reason to do without email encryption. Nobody wants to risk plain-text emails being read if they fall into the wrong hands, and where personal data is concerned, secure communication is a must anyway. Encryption systems that are based on standards, offer interfaces to archiving and security solutions, and are user-friendly can remove all of these concerns.