Decrypting Email Encryption
We’re asked a lot about email security, especially email encryption. Most of us kind of know what it is, but can’t get into details. We hear it’s used by government agencies to prevent hackers from stealing state secrets. We think it scrambles our data, so even if cybercriminals get a hold of it they’re stuck with a bunch of useless puzzle pieces that don’t fit together without a decoding key. We hope it’s used every time we send and receive email and files.
Today, we’ll do our best to make the details easier to understand. First, let’s agree on a definition.
Definition of Email Encryption
Email Encryption is the process of converting email messages and attachments into an unrecognizable form to protect the contents from being read by anyone other than the intended recipients.
Easy enough. Now onto the two main types of email encryption:
- Transit Encryption (aka Transport Layer Security or TLS)
- End-to-End Encryption
Transit encryption is everywhere. Whenever you see “HTTPS” at the beginning of a URL, you’re visiting a website that’s using transit encryption. This is hands-free and always on, requiring no action on the user’s part to activate, other than checking to ensure the URL shows “HTTPS” (encrypted) versus “HTTP” (not encrypted). Today, most sites you visit will be HTTPS. It’s pretty much ubiquitous. This is sometimes referred to as “server-to-server” encryption.
Transport Layer Security (TLS) provides a solid cybersecurity foundation, but it isn’t completely airtight. Its security blind spot lives on the receiving end of your emails, messages, and attachments. When the destination service (e.g., Gmail, Microsoft Outlook, Liscio, etc.) receives email messages and attachments over TLS, it automatically decrypts the contents, because TLS only protects the connection between servers, not the message once it has arrived. This has to happen in order for the received contents to be viewable and displayed. No decoder key is needed from the user. At first glance this may not sound like the smart thing to do, but imagine having to enter a code for every email you want to read. That’s a ton of friction just to read an email. Not practical, right? More on this later.
End-to-end encryption can be used with or without transit encryption. To really get under the hood of how end-to-end encryption works you should understand public key infrastructure and how public keys and private keys work in tandem. We’ll save you the mountain of technical jargon and boil down how it works as simply as we can:
- The sender encrypts message and attachments using encryption software.
- The sender sends encrypted message and attachments.
- The recipient receives encrypted message and attachments.
- To decrypt the data, the recipient must: (a) use the same encryption software as the sender, and (b) use the unique key (code) generated by the software to unlock the data.
- The recipient can now read the message and attachments.
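The five steps above, worked through in code. This is an added example and not part of the original article or of Liscio’s software: it uses Go’s standard library to build a small hybrid scheme (a per-message AES-256-GCM key wrapped with the recipient’s RSA-OAEP public key), and the `Envelope`, `Seal`, `Open`, `RelayCanRead` and `Demo` names, the key sizes and the sample message are all assumptions chosen for the illustration. The `RelayCanRead` check stands in for the mail server in the middle, which is where transit-only TLS leaves plaintext readable and where end-to-end encryption does not.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what actually travels through the mail system: a fresh AES key
// wrapped under the recipient's public key, plus the body encrypted with that key.
// Nothing in it is readable without the recipient's private key.
type Envelope struct {
	WrappedKey []byte // AES-256 key encrypted with RSA-OAEP under the recipient's public key
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // AES-GCM output: encrypted body plus authentication tag
}

// Seal is the sender's step: encrypt message and attachment bytes so that only
// the holder of the matching private key can open them.
func Seal(recipientPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32) // AES-256 key, used for this one message only
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open is the recipient's step: unwrap the message key with the private key,
// then decrypt and authenticate the body. A tampered envelope or the wrong key
// fails here rather than yielding garbage.
func Open(recipientPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RelayCanRead stands in for the mail server in the middle. With transit-only
// TLS that server holds the plaintext after terminating the connection; with
// end-to-end encryption it only ever handles the envelope, so this reports
// whether the plaintext is visible in what it handles.
func RelayCanRead(env *Envelope, plaintext []byte) bool {
	return bytes.Contains(env.Ciphertext, plaintext) || bytes.Contains(env.WrappedKey, plaintext)
}

// Demo walks the five steps with a constructed sample message and returns what
// the recipient ends up reading.
func Demo() (string, error) {
	recipientKey, err := rsa.GenerateKey(rand.Reader, 2048) // recipient's key pair (assumed size)
	if err != nil {
		return "", err
	}
	msg := []byte("Q3 tax return attached. Constructed sample message.")
	env, err := Seal(&recipientKey.PublicKey, msg) // step 1: sender encrypts
	if err != nil {
		return "", err
	}
	// steps 2-3: the envelope passes through the relay and is delivered unread
	if RelayCanRead(env, msg) {
		return "", fmt.Errorf("relay could read plaintext")
	}
	out, err := Open(recipientKey, env) // steps 4-5: recipient decrypts with the private key
	if err != nil {
		return "", err
	}
	return string(out), nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("recipient read:", out)
}
```

The design choice worth noticing is that the body is never encrypted directly with RSA: a random symmetric key does that work and only the key is wrapped, which is how real end-to-end mail tools (S/MIME, OpenPGP) are structured too. GCM also authenticates the ciphertext, so a message altered in transit is rejected instead of being decrypted into noise.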
We like to think of this as “person-to-person” encryption. In practice, very few professional service firms use end-to-end encryption with their clients. Here’s why:
- End-to-end encryption creates too much busywork for the client. Asking clients to encrypt files before sending, and to enter a lengthy password to open every single file received is more than most firms want to ask.
- Client communication is a two-way street. If a firm encrypts a file going to the client but the client doesn’t encrypt it before sending it back, the net security gain is minimal.
- It’s a spooky customer experience. Here’s a screenshot of how Gmail displays a received encrypted file:
From our experience, most clients don’t want to deal with the multi-step friction of end-to-end encryption. With that in mind, transit encryption (TLS) is a must. But it’s the bare minimum, so we added another substantial layer of protection.
Think of email as shark-infested waters. Phishing, ransomware, social engineering, spoofing all feed there. If you keep asking clients to communicate and share files with you in email, it’s just a matter of time before both of you get bit. Instead of building a bigger boat or sturdier shark cage, Liscio takes you completely out of shark-infested waters (email) and into a shark-free, members-only swimming pool (invite-only network)…and we hired a lifeguard (transit encryption).
For extremely sensitive content, end-to-end encryption is still the most secure way to go. And the good news is Liscio does accept encrypted content. Just encrypt the documents using the tool of your choice and attach to a message inside Liscio. This method ensures that the secure, encrypted message travels over a secure, trusted channel. Package secure, transit secure.
There are a lot of things you can do to beef up your security without spending a dime. Review our “7 simple ways to immediately boost your firm’s cybersecurity” checklist for ideas.