Despite the eroding myth of regular email as a secure communication tool for messages and files, most emails are sent unencrypted, and business emails with valuable content are certainly no exception to that. So why has email encryption still not gone mainstream? A closer look reveals that for most users the majority of encryption solutions are simply not an option because there is too much (technical) effort involved. The prime example: S/MIME and PGP.
For email encryption, S/MIME and PGP are typically the first things that come to mind. While they are not the only solutions, they are the best known. However, if S/MIME and PGP are used for encryption, numerous steps have to be taken before emails can be securely exchanged. Both sender and recipient have to go through every single step: software has to be downloaded and installed, key pairs (a public and a private key) first have to be created, and then protected (private key) or exchanged and installed into the respective email client (public key). In short, before any encrypted email can be sent or received, a lot of effort and considerable technical expertise are required. Regular users are completely left behind as this process is far too complex. This complexity prevents the successful implementation of encryption because it is diametrically opposed to user acceptance. Users realise the importance of encryption for the security of their data, yet they do not apply it nearly enough to protect their transfers.
Also, while S/MIME and PGP ensure encryption for messages, they do not solve the problem of file attachments (especially of a larger size); file size limits imposed by email clients or email servers on the senders’ or recipients’ side still apply. Most time-sensitive and valuable information is contained in files that are attached to emails, for instance spreadsheets, business reports, invoices, personnel files, photos, videos, contracts, etc. The fact that this valuable data cannot be sent securely is highly problematic – and typically requires enterprises to employ yet another solution.
For the encryption of email, S/MIME and PGP use static key pairs: once the pair is hacked, all correspondence is compromised. As ‘Efail’ showed last year, third parties were able to take advantage of vulnerabilities in S/MIME and PGP and gain access to encrypted messages. Potentially sensitive content could be viewed, modified, or even deleted – without the senders’ or recipients’ knowledge.
In times when data becomes ever more valuable and sought after by many different actors, ranging from governments and intelligence agencies to cybercriminals, the protection of valuable information is more important than ever before. Inaction is not an option. Encryption remains an important tool for security and the need for it is very clear, today more than ever. However, for the mainstream, encryption only works if it is extremely easy to use. It is imperative that a practical and workable solution is applied, not one that regular people simply cannot manage and that lets users who are “not in the club” fall by the wayside.
At Cryptshare we have recognised this problem. Usability has always been a key aspect, so effort for users is kept to an absolute minimum. Messages and file attachments of any size can be securely exchanged via email, encrypted, and with no prerequisites on the recipients’ side as far as IT infrastructure or technical expertise is concerned. Any exchange with Cryptshare is bi-directional and ad hoc, meaning no certificates have to be exchanged or user accounts created. Contrary to S/MIME and PGP, Cryptshare offers a full audit trail of all uploads and downloads, so senders can track when transfers have been received and by whom.
The newly released Cryptshare QUICK Technology takes this one step further and combines security for data in transit with convenience for users. Once activated with just a few clicks, it makes protecting regular exchanges between communication partners effortless. All transfers are secured with unique and system-generated keys, not just one set as is the case with S/MIME and PGP. Since these keys are automatically generated by the system and metadata such as subject lines can be sent encrypted as well, the risk of social engineering is reduced dramatically.
As can be seen, while S/MIME and PGP may be the first things that come to mind when thinking about email encryption, they are certainly neither the most user-friendly nor the most secure solution. For users who want to use encryption to protect their data in transit, they present too many obstacles for a successful implementation. For secure business communication, a reliable solution is needed that is transparent, removes barriers, and can be used by anyone straight away. Only then can encryption truly go mainstream.