7 Drawbacks of Encrypted Email
Office 365’s encryption feature can easily be hacked.– ITPro.com, 2022
Email’s convenience comes at a price
There’s no disputing the fact that email is one of the easiest and most convenient ways to transmit your business data. Everyone in your organization has an email account. No one needs extensive training on how to use it. And employees can use your company’s email system to quickly and easily send and receive important documents from anywhere.
It’s precisely this convenience that has led to the ubiquity of email — with 347 billion messages a day traversing the internet in 2023. And, unfortunately, email’s ubiquity is precisely what makes it such an attractive target for cybercriminals.
As bank robber and FBI fugitive Willie Sutton said, he robbed banks “because that’s where the money is.”
With that in mind, here are seven reasons that email — even with encryption — is not the best method for exchanging your organization’s sensitive or regulated data.
1. Encrypted email can be hacked.
Study after study shows that a committed, knowledgeable cybercriminal can find a way around or through most organizations’ email encryption programs.
The headline at the top of this post — “Office 365’s encryption feature can easily be hacked” — comes from a 2022 ITPro article summarizing one such study, conducted by research firm WithSecure.
The technical details of the vulnerability that the researchers found aren’t important here. If you’re curious (and don’t mind some depressing reading), you can find them in WithSecure’s report: Microsoft Office 365 Message Encryption — Insecure Mode of Operation.
The takeaway for our discussion is that if you’re using encrypted email to transmit sensitive client or patient information, those transmissions might not be as secure as you think. Here’s a key statement from the article:
“Microsoft says the function is useful for sending sensitive data such as medical records, but WithSecure contends the service uses an insecure method of operation for encryption, allowing threat actors to infer the structure of encrypted messages.”
And keep in mind, this study focuses on only one security weakness in one email provider’s encryption system. As we’ll discuss below, there are several other reasons that encrypting your corporate email doesn’t necessarily mean keeping it confidential and secure.
2. Your emails are only as secure as the keys encrypting their contents.
In 2020, hackers breached the US Treasury Department’s email servers and stole the messages of many of the department’s highest-ranking officials. Yes, these messages were all encrypted — likely using the most advanced encryption protocols available.
But as Reuters reported, the cybercriminals were able to decrypt and read the messages because they also stole the email accounts’ encryption keys.
You can invest the time and budget to deploy the most sophisticated email encryption on the market. But if hackers can access any of those keys because an employee failed to store them securely, you might as well be leaving hackers the plaintext versions of every message and attached file on that employee’s account.
3. Email messages should be treated as an insecure method of communication.
As a TechRadar article points out, businesses should take pains to secure emails as much as possible but still treat it as an insecure method of communication. The article explains that encrypting your email serves only one purpose: It stops unauthorized third parties (anyone without the required decryption key) from reading the contents of your messages.
But it won’t stop a determined cybercriminal from grabbing an email message in transit, at one of the many nodes the message passes through on its journey to the recipient’s inbox. Once hackers intercept an email in-flight, they can apply their skills and resources to converting it from encrypted text to plaintext.
And remember, as we saw above with the US Treasury breach, smart hackers’ preferred option is to steal an email user’s decryption key. Then, they can intercept encrypted messages sent or received by that account and read them in plaintext.
4. Even encrypted messages can be stolen.
Just because your company sends an email with encryption doesn’t mean the message will arrive at its recipient’s account in encrypted format, or that it will remain encrypted at rest on that recipient’s email server.
Even Google — which proudly highlights the security and encryption features of its Gmail service for businesses — admits that unless both parties to an email transmitted over Google’s system use the same encryption protocol, Gmail doesn’t promise encryption all the way through to the recipient’s inbox.
Here’s the relevant statement on Google’s Email Encryption FAQ’s page:
Why isn’t all email sent to or from Gmail encrypted in transit?
For decades, the default has been for email to travel across the Internet unencrypted — as if it was written on a postcard. Gmail is capable of encrypting the email it sends and receives, but only when the other email provider supports TLS encryption. In other words, encrypting 100% of all email on the Internet requires the cooperation of all online mail providers.
5. Encryption won’t keep out emails with malware.
Unless you are augmenting your email encryption with other cybersecurity measures —including anti malware apps, firewalls, and employee training — you won’t stop a malicious email containing ransomware or some other nefarious programme from landing on your company’s network. All your encryption software will do is encrypt the malware contained in the email message or attachment.
In fact, here’s an infuriating irony: Your encryption programme could prevent your malware-detection app from spotting and isolating a malicious email before it reaches your employee’s computer.
Then, theoretically, the hackers could access your employee’s entire email inbox. Among the many horrible things that could happen next, the hackers could steal your employee’s decryption key (if the file is stored or copied in an email), then decrypt and steal all messages and file attachments stored on that account.
6. Encryption won’t stop hackers’ favorite technique: phishing.
A 2023 ZDNet story points out that email phishing remains one of the most common techniques hackers use to gain illegal access to organizations’ networks — where they can then launch attacks such as ransomware.
As you know, one of the greatest threats to any company’s digital assets is employee error.
Let’s say you’re using an email encryption programme. Your employee receives a message, decrypts it, and reads the contents. If the message contains a link to a malicious site, or has malware embedded, your employee erroneously taking whatever action the message asks could trigger the malicious code.
And at that point, sophisticated hackers could gain access to your decryption keys, launch a ransomware attack locking the entire company out of your networks and email programmes — or simply steal the emails in encrypted format and save stealing the decryption keys for another day.
7. There’s no guarantee your employees will use it.
This might be the most important reason to think twice about allowing a company culture where employees regularly send and receive confidential or legally regulated data by email. And here’s a recent real-world example of the dangers.
As a 2023 TechCrunch article explained, “Sensitive US military emails spill online.”
If you had to bet, would you say that those Department of Defense email accounts are protected by advanced encryption? Yes, of course you would.
But one of the most commonly cited reasons for successful email data breaches is cybercriminals’ ability to exploit human error. And in this case, the TechCrunch article points out, the DoD personnel in charge of keeping these emails secure stored them on a government cloud server without a password.
If federal officials — even those responsible for the security of confidential US military emails — can make the mistake of failing to apply all possible security measures, what are the chances your employees won’t do the same?
Secure cloud fax: the simple solution for sensitive data exchange
The easy answer to keeping your organization sensitive transmissions secure is to use an enterprise-caliber cloud fax solution. eFax has been providing this mission-critical service for literally millions of businesses around the world — including many of the world’s largest healthcare, financial, and other regulated organizations — for 30 years.
Let us show you how quick, easy, and affordable it is to roll out the world’s most trusted secure cloud fax system.
And if you haven’t thought about faxing in a long time, that’s okay. In fact, it underscores another reason to consider it for your secure data exchange: cybercriminals don’t think about faxing either.