How many times have you heard that email is not secure? But it was always too hard to do much about it.
Well, it’s still not secure. The security exposures are on the devices that have the account that sent the email (computer, phone, maybe a second computer); the network, which usually includes a number of switches and routers owned by different companies, where the message may be intercepted; the email hosting company’s server; and the recipients’ computers, phones, etc. 1 And if you think it’s unlikely someone will get hold of your or your recipients’ devices, one of the chief tactics of malware is to search for sensitive data in emails — because emails are low-hanging fruit, i.e. not secure. 2
One of the ways to address some of these points of exposure, including the switches and routers, the hosting company’s server and most email-scanning malware, is encryption.
Encryption turns the content of an email message into random characters to be decoded by the recipient. It’s always sounded good, but most implementations have been clunky and cumbersome, and most users feel the answers are more trouble than they are worth. So, the vulnerabilities remain.
Securing information — customer data, employee data, trade secrets — is a best practice for any business. Why take a more lax security approach to email than to any other aspect of your IT strategy? And it’s often required. For instance, email security is not optional if you must meet the compliance rules of GDPR, HIPAA, HITECH, GLBA and FFIEC. 3
The Key Problem
Typical email encryption works with public keys and private keys. You have your private key. Your public key is given to whomever you choose. When someone wants to send you a secure message, they encrypt it using your public key. Your private key is used to decrypt the message. When you send an email to someone else, you use your private key to digitally sign the message, so the recipient is sure it’s from you. 4
This can be inconvenient. First, each user’s encryption keys have to be set up. Second, how do you disseminate your public key? Or get a public key from someone trying to send you a secure email? You can’t email or text these keys … securely.
Sophos Reflexion Encryption is Different
Sophos Reflexion, a Bryley partner, is a solution that makes the reality of secure email attainable for your business, your employees, your vendors and customers. Reflexion makes use of ZixDirectory, a global key repository, that allows you to communicate outbox to inbox with no sender authentication required and without the recipient needing the sender’s key. An Encrypt & Send button is added to your email panes. If the recipient is not a ZixDirectory user, he will receive an email stating you have sent a secure message. The first time, he will need to create a password, but thereafter he’ll just log in to decrypt and retrieve your email. If the recipient is a ZixDirectory user (the largest database of its kind), there is no login; he can read the email directly.
What If Someone Emails Sensitive Data Without Clicking Encrypt & Send?
Reflexion addresses that: built into Reflexion is automated message and attachment content-scanning. This means that, behind the scenes, Reflexion employs filters that will encrypt on behalf of your business’s email senders. You can choose to filter based on content, sender, email domains, email addresses and recipient.
Compliance with governmental and regulatory standards was the basis for many Reflexion filters: “managed lexicons … automatically encrypt, reroute, or block email messages containing financial (GLBA) and healthcare (HIPAA)” 5 sensitive data. Social security numbers, credit card numbers and medical terminology are part of the managed lexicons that trigger encryption. 6
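To make the idea of lexicon-triggered encryption concrete, here is an added illustration in Python; it is not Sophos Reflexion or Zix code, and the function names, the tiny medical word list and the sample messages are all hypothetical. It shows why such filters validate matches (a Luhn checksum for card numbers, never-issued ranges for social security numbers) instead of encrypting on every long run of digits.

```python
import re

# Hypothetical, constructed lexicon; a managed lexicon would be far larger.
MEDICAL_TERMS = {"diagnosis", "prescription", "patient", "medical record"}
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: discards digit runs that cannot be payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges that are never issued: area 000, 666, 9xx; group 00; serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def scan(text: str) -> set:
    """Return the lexicon categories found in one message part."""
    hits = set()
    if any(plausible_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        hits.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.add("card")
    lowered = text.lower()
    if any(re.search(r"\b" + re.escape(t) + r"\b", lowered) for t in MEDICAL_TERMS):
        hits.add("medical")
    return hits

def decide(subject: str, body: str, attachments=()) -> str:
    """Policy: encrypt when any part (subject, body, attachment text) matches."""
    hits = set()
    for part in (subject, body, *attachments):
        hits |= scan(part)
    return "encrypt" if hits else "send"

if __name__ == "__main__":
    # Constructed sample messages.
    print(decide("Invoice", "Card 4111 1111 1111 1111"))        # test card number
    print(decide("Order", "Order number 1234 5678 9012 3456"))  # fails Luhn
```

The attachment strings passed to `decide` stand for text already extracted from the files; the extraction step itself is outside this sketch.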
Now That Wasn’t So Bad
Email encryption is a piece of the security puzzle that cannot be neglected. It protects your company, your customers and vendors, and is part of regulatory compliance. The question then is how to implement this business function. Bryley uses and endorses the Sophos Reflexion approach as the most user-friendly and intelligent implementation of email encryption. If you would like to discuss securing emailed data, give Bryley a call at 978-562-6077 option 2 or email ITExperts@Bryley.com.