Email Security

What Is Email Security? How To Protect Your Enterprise Email

Email security is the main line of defense to keep hackers from accessing sensitive content that is sent inside and outside of your organization. Email security also keeps spam from slowing down your email system and degrading the productivity of your employees.

What is email security? Email security is software, procedures, and techniques put in place to protect email accounts and communications from potential hackers and spam.

What Are Common Threats to Email Security?

Email is still one of the top forms of business communication in the world. It’s cheap, ubiquitous, and built on robust, open technology that is easy to deploy and scale. Furthermore, it is flexible—emails can be long and descriptive and contain images, attachments, and even HTML formatting.

Accordingly, the most used form of communication is also one of the biggest vehicles for security threats and attacks. A recent Kiteworks survey shows that businesses are well aware that email is their most significant risk vector: 68% stated that email communication is their #1 or #2 security risk.

Enterprise email is perhaps one of the more prominent targets for some of these threats, and for a good reason—email isn’t inherently secure. In fact, email is used for sharing most forms of personally identifiable information (PII) or protected health information (PHI).

And that’s the crux of the problem—most people, including patients in the healthcare system, use email.

But the threats are too great to ignore. Some of the more prevalent and relevant threats are as follows:

  • Accidental exposure: This is probably the most common vulnerability. Email simply isn’t protected once it reaches its destination. Once an email is in an inbox, anyone with access to that email account, or to any device connected to it, can read the information.
  • Data integrity at rest: Once an email is on a server, either the sender’s or recipient’s, it must be protected from hacking. For the most part, this data isn’t encrypted.
  • Accountability: Businesses with regulatory requirements will often have criteria to ensure that only the data owner (the consumer, patients, et al.) receives their information. Outside of accidental exposure, the business has no control over who receives information after it is sent via email.
  • Social engineering: Phishing, spam, and other scams are common with email. While this isn’t often a direct concern for businesses sending messages, it is a problem for users receiving messages who may find themselves the subject of a business email compromise attack or something similar.

What Sort of Technologies or Solutions Can Secure Email?

Generally speaking, there are three attack surfaces to consider when securing email:

  • Mail servers: Mail servers are where received messages and drafts are stored, and outgoing emails are sent from. Essentially, they control activity and contain all the emails sent and received by users on that server.
  • Email transmission: As emails are sent, they could fall victim to theft through man-in-the-middle attacks. Most email compliance standards require some form of security for emails during transit alongside server security.
  • Mail clients: Anyone who uses a client (like Outlook or Thunderbird) essentially pulls copies of emails to a local machine. Those local copies introduce additional security requirements of their own.

With that being said, there are some standard security approaches that providers may follow:

  • Transport layer security (TLS): TLS encryption, a descendant of secure sockets layer (SSL) tunneling encryption, protects information during transmission between one email server and another. Since TLS is an open protocol that encrypts data in transit between servers, most email providers use TLS to protect emails between servers.
  • End-to-end encryption: E2E is the process of encrypting an email message from the moment it is sent from the sender’s client to its final destination on a recipient’s client. Unlike TLS, end-to-end solutions also include encryption for messages at rest and allow for securing messages on a server so that only the recipient can read them. Some popular forms of end-to-end encryption include S/MIME and PGP public-key cryptography.
  • Multi-factor authentication (MFA): Most popular providers (and almost all providers following email compliance standards) include MFA to protect access to user accounts.
  • Email gateways: Gateways are an automated screening layer that inspects email to catch threats. This includes removing disallowed attachments, raising alerts for emails from external domains, and blocking emails from other domains or ranges of IP addresses.
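As an added illustration (not Kiteworks code and not part of the original article), the Python sketch below applies the three gateway actions just listed to a constructed inbound message: blocking by sender IP range, alerting on an external sender domain, and stripping disallowed attachments. The policy values, domains, addresses and sample message are hypothetical.

```python
import ipaddress
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Policy values are constructed for this example (hypothetical tenant).
INTERNAL_DOMAINS = {"example.com"}
DISALLOWED_EXTENSIONS = (".exe", ".scr", ".js")
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 test range

def sender_domain(msg):
    """Domain of the From header, lowercased; '' if the header is missing."""
    _, _, domain = msg.get("From", "").rpartition("@")
    return domain.strip(" <>").lower()

def attachment_names(msg):
    """Filenames of every attachment part still present in the message."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def strip_disallowed(msg):
    """Remove attachment parts with a disallowed extension; return names removed."""
    removed = []
    # Collect containers first so editing a payload does not disturb the walk.
    for container in [p for p in msg.walk() if p.is_multipart()]:
        kept = []
        for part in container.get_payload():
            if (part.get_filename() or "").lower().endswith(DISALLOWED_EXTENSIONS):
                removed.append(part.get_filename())
            else:
                kept.append(part)
        container.set_payload(kept)
    return removed

def screen_message(raw, peer_ip):
    """Return (verdict, findings, message) for a raw RFC 5322 message from peer_ip."""
    if any(ipaddress.ip_address(peer_ip) in net for net in BLOCKED_NETWORKS):
        return "block", ["peer_ip_blocked:" + peer_ip], None   # rejected outright
    msg = message_from_string(raw, policy=default)
    findings = []
    domain = sender_domain(msg)
    if domain and domain not in INTERNAL_DOMAINS:
        findings.append("external_sender:" + domain)           # alert, still delivered
    removed = strip_disallowed(msg)
    if removed:
        findings.append("attachment_stripped:" + ",".join(removed))
    return ("quarantine" if removed else "deliver"), findings, msg

def build_sample():
    """Constructed inbound message: one benign PDF and one disallowed .exe."""
    m = EmailMessage()
    m["From"] = "Vendor <billing@partner.example>"
    m["To"] = "finance@example.com"
    m["Subject"] = "Invoice"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(b"%PDF-1.4 ...", maintype="application", subtype="pdf", filename="invoice.pdf")
    m.add_attachment(b"MZ...", maintype="application", subtype="octet-stream", filename="invoice.exe")
    return m.as_string()
```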

Many types of email security are deployed in most providers (MFA, TLS), while some are selectively deployed in enterprise email (gateways). End-to-end encryption, however, isn’t typically included with general-purpose email because incompatibilities between internal encryption standards can be problematic and incur complexities and inefficiencies. According to Kiteworks research, 79% of respondents said that they spent 20+ hours per month dealing with encrypted files from third parties, with 41% of respondents stating they spent over 30 hours per month on that problem.

That inefficiency is a problem, and not just because it wastes time and money. Of those participants we surveyed, a full 60% reported that, when given an encrypted email that they don’t have the technology for, they simply ask the sender to resend that message or file unencrypted.

Additionally, these providers wouldn’t be able to scan or otherwise read a message with end-to-end encryption because the decryption process would only occur when the user opens the email.

What Are Some Best Practices for Securing Email?

Securing email involves coordinating your technical capabilities with the needs of your business. Not every enterprise needs a complex gateway or encryption standard to make their email secure. On the other hand, other companies may eschew email altogether in lieu of other solutions to share information without breaching privacy or confidentiality regulations.

Some best practices organizations need to follow for securing email communications include:

  • Protect employee emails with encryption and MFA: Whether organizations are working with on-premises email or a third-party provider (most likely the latter), they need to ensure they are using TLS encryption for data in transit and have encrypted servers using AES-256 to protect information at rest. Using MFA, including biometrics, prevents attackers who have stolen a user’s credentials via phishing from successfully accessing that encrypted email, since they don’t have the second authentication factor.
  • Implement a secure email gateway: A gateway can help protect emails by creating a contained, secure channel between multiple parties through which secure emails can be sent, with each email encrypted from the sender through to the recipient. This approach also minimizes social engineering attacks, specifically by limiting how people send emails over the channel.
  • Use secure portals: Secure portals, often called webmail, allow organizations to store attachments locally on encrypted servers protected with MFA rather than in the email server. Emails direct recipients to create accounts and log into the portals to securely download and decrypt the attachments in full regulatory compliance.

Email Encryption Gateway With the Kiteworks Platform

The Kiteworks platform delivers secure, compliant email that doesn’t compromise enterprise usability. It provides enterprise-grade encryption and uniform security controls via a Microsoft Outlook plugin, a web app, mobile apps, and enterprise application plugins for Google Workspace, Microsoft Office, iManage 9 and 10, and Salesforce Service Cloud. Recently, Kiteworks acquired totemo to integrate automated email encryption supporting the S/MIME, TLS, and OpenPGP encryption standards in users’ existing email clients, with end-to-end and gateway encryption options.

Further, with Kiteworks, organizations can deliver a private content network (PCN) across all their sensitive communication channels, including email. Kiteworks-enabled PCNs allow organizations to:

  • Unify secure content communication technologies like secure file sharing, SFTP, managed file transfer (MFT), and secure forms for ease of use and standardized content audit trails. This includes natively extending standard email clients to promote a seamless user experience and protecting every email containing sensitive content sent through these clients.
  • Track content, metadata, user activity, and system events to boost security operations center (SOC) effectiveness, report on third-party access, and easily meet regulatory compliance reporting requirements.
  • Control content access and functional rules matched to risk profiles and user roles. Leverage centralized administration to cover emails alongside web forms, managed file transfer (MFT), and secure file sharing for a comprehensive administration experience.
  • Secure data through encryption of content at rest and in motion, protecting against unintended exposure of sensitive information to malicious actors.

Email is a major security risk, and a lack of comprehensive end-to-end encryption is a significant contributor to that problem. Kiteworks enables organizations to mitigate this risk through the creation of PCNs that employ innovative email encryption.

Schedule a custom demo to see how Kiteworks can enable your organization to protect sensitive content sent and received over email while leveraging a platform model to extend privacy and compliance of sensitive content across numerous digital channels.
