Businesses rarely encrypt their email messages because good encryption is too hard to use. That’s changing.
By Randy Battat, PreVeil
Most business-to-business communication involves sensitive information – stuff that the parties really don’t want others to know about. Whether it’s contracts, customer communications, supplier information, dialog with consultants and contractors, or other things, there’s a lot of sensitive information that travels via plain old email.
These emails really should be protected, i.e. encrypted. But the vast majority of B2B communication remains unencrypted, despite wide availability of very good technology and tools. Why?
The answer is that good encryption is too hard to use – there’s too much friction involved in encrypting an email versus sending a message unprotected. The bad news is that huge amounts of important business communication are at risk. The good news is that apps are starting to emerge that provide both excellent usability and strong encryption.
The risks are real
Many people think that it’s only necessary to protect information that’s obviously sensitive or private – credit card information, social security numbers, medical records, etc. But consider the opposite: try to think of email messages which, if plastered all over the Internet, would not cause concern. The conclusion is that almost every message really should be protected.
If this thought experiment isn’t convincing, consider the impact of several well-publicized attacks:
- In November 2014, Sony Pictures was attacked, resulting in leaks of emails between employees, information about executive compensation, copies of unreleased films, and personal information about Sony employees and their families. Some of the leaked emails contained Hollywood gossip that embarrassed the authors and harmed the relationship between the studio and some of its actors and agents. Ultimately, Sony co-chairperson Amy Pascal stepped down from her position to take responsibility for the leaks.
- Throughout 2014-2016, hackers believed to be associated with Russia attacked Yahoo’s systems, compromising a billion user accounts. Four Russian nationals were indicted in this attack – two hackers, and two agents employed by Russia’s Federal Security Service. The hackers’ targets included journalists, U.S. government officials, and employees of targeted companies. The attackers could read the email messages of their targets as well as gain access to credit card and other information to commit financial fraud.
- In 2016, the Democratic National Committee was attacked, leaking approximately 20,000 emails from people across the organization. The leaked emails included DNC staffers’ “off-the-record” correspondence with media personalities. As The Washington Post reported, “Many of the most damaging emails suggest the committee was actively trying to undermine Bernie Sanders’s presidential campaign.” The leak was extremely embarrassing to the DNC, and in its wake DNC Chairman Debbie Wasserman Schultz and three other senior leaders resigned.
Proper encryption would likely have prevented much of this damage.
A brief overview of encryption technology and apps
The basic technology behind encrypted email has been around for 40 years. The idea is to encrypt a message using a key that’s known only to the sender and recipients. The message can be sent over a public medium, i.e. the Internet, because it appears to be gibberish to anyone except those who possess the decryption key.
The usability issues arise not from encryption itself, but from key management. There must be secure ways of getting keys from sender to recipients. This is accomplished through something called public-key cryptography, where each user is assigned a pair of keys. The first is called a public key, and it’s given to anyone who wishes to send a message to a particular user. The second is called a private key; it’s kept only by the user, because it’s the key that decrypts messages sent by anyone using the corresponding public key.
The complexity lies in creating, distributing, and managing all these keys. It usually takes a sophisticated user or an IT administrator to do this. Managing keys for email users within an organization is complicated enough; doing so for users across organizations is even more so. As a result, encryption is used only in limited circumstances where critical information must be protected.
Encrypted email and messaging that people can actually use
New apps are emerging that combine ease-of-use with end-to-end encryption. End-to-end encryption means that only the sender and recipient can see a message. The information is never made visible to anything in-between, including network routers or message servers.
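The two ideas above, a public/private key pair per user and end-to-end protection that leaves nothing readable for the servers in between, can be shown in a few dozen lines. The following is an added example written for this article, not PreVeil’s code and not a description of its protocol; it uses the Go standard library only. It does what most encrypted-mail systems do under the hood (hybrid encryption): the message body is encrypted with a fresh random AES-GCM key, and that key is wrapped with RSA-OAEP under the recipient’s public key, so only the holder of the matching private key can unwrap it. The relay in the middle sees an opaque envelope, a wrong recipient cannot open it, and any tampering with the ciphertext is detected. Key sizes and the `Envelope` layout are choices made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is everything that travels over the untrusted network (example layout):
// the message key wrapped for the recipient, plus the AES-GCM nonce and ciphertext.
// None of these fields reveal the plaintext to a mail server or router that relays them.
type Envelope struct {
	WrappedKey []byte // message key encrypted with RSA-OAEP under the recipient's public key
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // AES-GCM output; includes the authentication tag
}

// GenerateKeyPair creates one user's key pair. The public half is handed to anyone
// who wants to write to this user; the private half never leaves the user's device.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal is the sender's side: encrypt plaintext so that only the holder of the
// private key matching pub can read it.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	// A fresh 256-bit symmetric key protects this one message.
	msgKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, msgKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(msgKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	// Wrap the message key with the recipient's public key. Only the private key
	// can reverse this step, which is what makes the scheme end-to-end.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msgKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open is the recipient's side: unwrap the message key with the private key, then
// decrypt and authenticate the body. Any wrong key or modified byte yields an error.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	msgKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap message key: %w", err)
	}
	block, err := aes.NewCipher(msgKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt or authenticate body: %w", err)
	}
	return plaintext, nil
}

func main() {
	// Constructed scenario: Alice writes to Bob through a relay that only forwards bytes.
	bob, _ := GenerateKeyPair()
	eve, _ := GenerateKeyPair() // a different user; must not be able to read Bob's mail

	env, _ := Seal(&bob.PublicKey, []byte("Q3 contract terms attached; do not forward."))
	// What the relay sees: opaque bytes, no subject, no body.
	fmt.Printf("relay sees %d ciphertext bytes, e.g. %x...\n", len(env.Ciphertext), env.Ciphertext[:8])

	body, err := Open(bob, env)
	fmt.Printf("Bob reads: %q (err=%v)\n", body, err)

	_, err = Open(eve, env)
	fmt.Printf("wrong recipient: err=%v\n", err)

	env.Ciphertext[0] ^= 0x01 // a relay flips one bit in transit
	_, err = Open(bob, env)
	fmt.Printf("tampered envelope: err=%v\n", err)
}
```

Note what the example leaves out, which is exactly the part the article says is hard: how Alice learns that a given public key really belongs to Bob, and how Bob keeps his private key safe across devices. Those distribution and custody problems, not the cipher calls above, are what key management means in practice.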
Mobile apps started the trend. Facebook’s WhatsApp is a great example of an app that’s extremely easy to use, encrypts all messages end-to-end, and manages keys automatically and transparently for the user. WhatsApp shows how key management complexities can be hidden so that encryption doesn’t interfere with users sending and receiving messages.
What about plain old email? Well, this is the problem we’re trying to solve at my company PreVeil. The app uses end-to-end encryption and is compatible with mail programs like Microsoft Outlook and Apple Mail, and can be used in PC browsers and on mobile devices. There are no passwords in the system, and keys are managed for the user. It offers the protection and usability of WhatsApp, but for email. We’re excited about making encryption usable for anyone who uses email, and expect continued innovation in this market to solve the email security problem.
With strong encryption that’s easy to use, businesses and individuals will soon be able to encrypt all of their communications. After all, the most precious resource to an organization is its information. It’s time we started protecting it a lot better.
Randy Battat is founder, president and CEO of PreVeil, the application for end-to-end encrypted email, file sharing and storage for people and organizations that want to protect their data.