Despite the growth in the use of instant messaging, email remains the most common form of online business communication. In 2019, there were over 3.9 billion email users worldwide, a number expected to reach 4.48 billion by 2024. Any business operating online must use email services; it is impossible to avoid them.
But email was never intended to be a secure method of communication used daily by billions of people around the world. Although there have been many attempts to improve the security of email protocols, email is one of the less private ways to communicate online.
Some email service providers attempt to strengthen some of the inherent weaknesses in email security by offering strong encryption. In this article, we take a look at why a business might consider a secure email provider.
What’s wrong with email?
Email was developed as a basic way to send messages back and forth over the internet, so little attention was paid to security, privacy, or encryption in the beginning. Everything was transferred in clear text, and the emails could be read by anyone monitoring network traffic. Although emails are a little more secure today, much of the data is still sent unencrypted.
There are many places where email conversations in a business can be compromised. For starters, the messages are stored on your devices, so anyone with physical access to your computer or smartphone can read them. A malicious application can also read emails and easily access attachments. Even if you personally ensure that your devices are stored securely and free from malware, not everyone in the business may be so diligent.
In addition, each email must be forwarded through your connection to the email provider. The reality is that even though all of your company’s email is stored on the same server, any remote access to email requires the data to be sent through a chain of routers and switches operated by many different companies. If the sender and recipient of an email are using different email servers, there are even more intermediary ISPs involved. At every link in the chain, it’s pretty easy to eavesdrop on email conversations.
Why most mail servers are not secure
Consider the overall security of your mail server, where emails are stored. Some companies run their own email servers that are completely disconnected from the Internet, but most use an email service provider like Gmail or Outlook.com because it’s simple and the costs are low.
Attackers can gain access to emails by guessing, stealing, or cracking your employees’ email passwords. Weeks, months, or years of emails can be exposed, including emails that you thought were already deleted.
Most email providers store emails on their servers in plain text. This means that if there is a security breach, hackers can easily access all of your company’s emails and attachments. Unfortunately, security breaches are all too common.
Your email is used for advertising
One of the reasons why most email providers don’t store email in an encrypted format is to reduce performance overhead and make email search faster. More importantly, it allows them to automatically analyze your emails so that they can target advertising to you.
Even businesses that don’t use your emails to create personalized ads will analyze them for other purposes. In a high-profile move, Google removed email-based ad personalization from its Gmail product in 2017, in an effort to appeal to more business customers, but it still scans emails. After all, the Google app knows when your next flight leaves, and the Google Calendar app automatically adds restaurant reservations for you!
For privacy-conscious citizens, having these email service providers pass your email data to governments without hesitation is incredibly problematic.
Secure email providers are better
Email providers that focus on security and privacy eliminate some, but not all, of the inherent problems with email.
Services like ProtonMail and Tutanota encrypt all emails on their servers, so that no one else can read them. Your data is never used for advertising purposes, and there is no tracking or logging.
Some of the best secure email providers support end-to-end encryption. This means that messages are encrypted on the sender’s device and can only be decrypted on the recipient’s device. No third party can read the content of emails while they are in transit.
Secure email providers also have more robust two-factor authentication and strong password rules to help reduce the chances of password cracking or theft.
Even with end-to-end encryption, emails are not secure
Even with end-to-end encryption, email metadata is not encrypted, so all servers relaying your emails can read certain information about the emails. Email metadata includes sender, recipient, date, and subject line. With just this information, snoopers can learn a lot about the conversation.
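The following added example (not part of the original article) uses Python's standard email parser to show what a relaying server can read from an end-to-end encrypted message without holding any key. The message, addresses and subject are constructed, and the PGP/MIME layout (RFC 3156) is an assumption about the encryption format in use.

```python
from email import message_from_string
from email.policy import default

# Constructed sample: a PGP/MIME (RFC 3156) message as a relay would see it.
# Addresses, subject and the armored body are placeholders, not real data.
RAW_MESSAGE = """\
From: alice@example.com
To: bob@example.org
Date: Mon, 04 Mar 2024 09:15:00 +0000
Subject: Q1 acquisition terms
Message-ID: <constructed-1@example.com>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(placeholder ciphertext)
-----END PGP MESSAGE-----

--b1--
"""

# The metadata fields the article lists: sender, recipient, date, subject.
METADATA_HEADERS = ("From", "To", "Date", "Subject")

def relay_view(raw):
    """Return what an intermediate server can read without any key."""
    msg = message_from_string(raw, policy=default)
    visible = {h: str(msg[h]) for h in METADATA_HEADERS if msg[h] is not None}
    encrypted = msg.get_content_type() == "multipart/encrypted"
    # Body parts stay opaque; only their MIME types and sizes are observable.
    parts = [(p.get_content_type(), len(p.get_payload())) for p in msg.iter_parts()]
    return {"visible_headers": visible, "body_encrypted": encrypted, "parts": parts}

if __name__ == "__main__":
    for key, value in relay_view(RAW_MESSAGE).items():
        print(key, "=>", value)
```

Running the same function over a sample of your own outbound mail is a quick way to check whether subject lines are leaking information that the encrypted body was meant to protect.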
Businesses that need absolute privacy should double their efforts with additional layers of security, like using a professional VPN or Tor. With that said, you can’t expect everyone who interacts with your business through email to go through so many hurdles. Instead, it’s best to treat any email you send and receive as low security, and you should research better options than email for internal communication.
Email is an old, insecure protocol. When you use a basic email service provider, your company’s emails are vulnerable to attack. Secure email providers improve the privacy and security of your emails, but they can’t completely overcome the inherent flaws of email.
Businesses should strive to make email as secure as possible, while treating it as an insecure method of communication. For internal communication that needs to be secure, it is better to avoid emails altogether and use a more modern solution, such as Signal or Wire.