Email encryption implementation can be confusing. We have answers.
By Andreas Brix, GlobalSign and Felix Schuster, Net at Work
Every day we hear about a new ransomware attack. Ransomware attacks now occur about 2,000 times each day, almost every 11 seconds around the world.
In Germany, where Net at Work is based, the wind energy industry has borne the brunt of some of the worst attacks, especially in the last year. Even before that, ransomware attacks on German organizations were already a serious problem, and the majority of attacks are attributed to hacker groups with strong government connections. Last year itDaily.net reported that Germany ranks fifth among countries impacted by ransomware.
The most common way a ransomware attack begins is through phishing: someone clicks on a malicious link in an email, and that click leads to the intrusion of the company's network. That is why companies must find a better way of securing their email to prevent phishing attacks, which usually lead to data breaches costing businesses tens of millions of dollars in damages.
With all this in mind, companies are increasingly turning to automated email encryption solutions as a way to harden their cybersecurity posture. But with numerous options available, what are the most important considerations? It can be confusing, especially when it comes to encryption. GlobalSign and Net at Work are here to help! These are our top seven factors.
1. Look for an Automated Solution
As a first step, look for an automated solution. With so many parts of IT for a company to manage, automation is a savior. Not only does it save time and money, but automation also eliminates human error while increasing agility. Automation also instills confidence in the solution your company uses, making it one less thing to worry about. No single employee has to handle that one specific task; the automated solution does it for you. This is why using a solution to automate your email security makes sense. Don't rely on individual clients, client devices, mobile phones and desktops to install and manage certificates. Rather, look for centralized solutions you can manage automatically, such as those from Net at Work and GlobalSign.
2. Seek out Trusted Solutions
The second step is to be sure to find a trusted solution. A new player might be appealing, but solutions from long-time vendors with a trusted, reliable and very well established product are where you should begin. Some companies also consider, and do, purchase free solutions. However, free doesn't always mean good (or even "free"), nor does it mean you are getting a quality product or service. You must closely investigate critical factors such as a company's track record and reputation within the IT community.
3. Use Open Standards
Third, focus on solutions that support open standards such as Secure/Multipurpose Internet Mail Extensions (S/MIME), a widely accepted protocol for sending digitally signed and encrypted messages. Encrypted emails are much safer since they can only be decrypted by the recipient's email gateway or email client. While the digital certificates used for transport encryption (TLS) ensure that emails are well protected in transit to a server, emails at rest, or in transit elsewhere, remain exposed. Knowing that cyber criminals will do whatever it takes to grab data, a stronger form of protection is necessary to protect email. That protection is S/MIME.
S/MIME is based on asymmetric cryptography, which uses a pair of mathematically related keys: a public key and a private key. It is computationally infeasible to derive the private key from the public key. Emails are encrypted with the recipient's public key, and such an email can only be decrypted with the corresponding private key, which should be in the sole possession of the recipient. Unless the private key is compromised, you can be confident that only your intended recipient will be able to access the sensitive data in your emails.
4. Avoid Lock Ins
Step four, closely related to open standards, is to avoid "lock-in" traps. There are many email security vendors offering solutions in the market, but not all offer a product that is built on S/MIME. While other products may have merit, solutions that use their own proprietary methods to encrypt on a transport layer cannot exchange information between systems. As a result, they are not open to a third-party system. Open standards are essential because if every company created its own encryption standard, interoperability would be severely limited. Recipients would obviously also need to use each vendor's platform and its decryption method. As a result, companies would have to rely on multiple portals and systems, and the email invitations to those portals could end up becoming yet another spoofing vector. These are more reasons why open standards exist.
5. Publish public keys
Step five is to publish and distribute your public keys, so communication partners don't need to go through a manual handshake or search for your key elsewhere before they can write to you. To send an encrypted message, you first need a signed email from your partner: the signature carries their certificate, and once you receive it, your desktop or gateway has stored their public key. Then the sender can reply with an encrypted message along with their own public key. That handshake is necessary. We must also consider the importance of the Lightweight Directory Access Protocol (LDAP) here. Without a directory such as LDAP, the initial email from a certificate owner cannot be encrypted, because no public key has been exchanged yet. Having the public key enables encrypted communication to take place. The private key always stays with the certificate owner, making them the only party capable of decrypting the message.
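To make the handshake in step five and the public/private key split in step three concrete, here is an added example that is not part of this article or of any GlobalSign or Net at Work product: it walks through the exchange with the openssl command line. The addresses, file paths and the self-signed recipient certificate are assumptions constructed for the demo.

```shell
# Added example (not from the article): the S/MIME handshake from step five,
# done by hand with the openssl CLI. Addresses, paths and the self-signed
# recipient certificate are constructed for this demo.
set -eu

smime_handshake_demo() {
  WORK="${TMPDIR:-/tmp}/smime_demo.$$"
  mkdir -p "$WORK"
  # Bob's key pair. The private key never leaves him; the certificate carrying
  # the public key is what others need in order to encrypt to him. A real
  # deployment uses a CA-issued S/MIME certificate, not a self-signed one.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=bob@example.test" \
    -keyout "$WORK/bob.key" -out "$WORK/bob.crt" >/dev/null 2>&1

  # Bob sends Alice a signed mail. Signing embeds his certificate, so after
  # this first message Alice's client or gateway holds his public key.
  printf 'Subject: hello\n\nSigned so you get my certificate.\n' > "$WORK/bob_plain.eml"
  openssl smime -sign -in "$WORK/bob_plain.eml" -signer "$WORK/bob.crt" \
    -inkey "$WORK/bob.key" -out "$WORK/bob_signed.eml"

  # Alice's side extracts the signer certificate from the signature.
  # -noverify skips chain validation only because the cert is self-signed;
  # a gateway must validate the chain against trusted CAs before storing it.
  openssl smime -verify -in "$WORK/bob_signed.eml" -noverify \
    -signer "$WORK/bob_from_sig.crt" -out /dev/null 2>/dev/null

  # Alice encrypts to Bob using nothing but the certificate she just received.
  printf 'Subject: contract\n\nConfidential draft attached.\n' > "$WORK/alice_plain.eml"
  openssl smime -encrypt -aes256 -in "$WORK/alice_plain.eml" \
    -out "$WORK/alice_encrypted.eml" "$WORK/bob_from_sig.crt"

  # The ciphertext reveals nothing of the text; only Bob's private key opens it.
  if grep -q "Confidential" "$WORK/alice_encrypted.eml"; then
    echo "plaintext leaked"; rm -rf "$WORK"; return 1
  fi
  openssl smime -decrypt -in "$WORK/alice_encrypted.eml" \
    -recip "$WORK/bob.crt" -inkey "$WORK/bob.key" -out "$WORK/alice_decrypted.eml"
  # openssl canonicalizes line endings to CRLF inside the envelope; strip CR
  # before comparing with the original.
  if [ "$(cat "$WORK/alice_plain.eml")" = "$(tr -d '\r' < "$WORK/alice_decrypted.eml")" ]; then
    echo "decrypted matches original"
  else
    echo "mismatch"; rm -rf "$WORK"; return 1
  fi
  rm -rf "$WORK"
}

smime_handshake_demo
```

Step five's point is visible in the middle: Alice never asks Bob for his key, she gets it from his signature (or, in a deployment, from an LDAP directory), and the first message in the other direction could not have been encrypted.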
6. Educate users
Step six is not about technology. It's more about communication, and in this case, reminding employees and business partners that a solution for encrypting email is available. With centralized and automated encryption/decryption there is no need for costly and time-consuming training. The system performs all of the necessary actions. Instead, the focus can be on standard information and on increasing awareness, e.g. to look for the encryption/signing status and check the reports the gateway adds to emails. This education can be part of an organization's change management process and ongoing security awareness campaigns.
7. Support for requirements and regulations in your industry
The final and seventh step is to look for innovation and speed. This is an important consideration for secure email, especially when it comes to your gateway provider. Be sure to seek out one that supports the latest S/MIME standards, because you want authenticated encryption as specified in the S/MIME 4 standard. In addition, it's important that your gateway provider meets industry regulations shortly after they are published or become effective. In Germany, for example, there are requirements from the country's Federal Office for Information Security (BSI) for federal projects. More broadly, there are many other industry-specific requirements, and it's necessary to be aware of them. For example, beyond the federal projects, in Germany there are requirements for the automotive industry (TISAX), the energy sector (EDI), GDPR and many more. Understanding all of your market requirements will be critical to a successful email encryption effort.
GlobalSign and Net at Work have partnered for nearly a decade to help promote email security. GlobalSign’s Enterprise solutions and Net at Work's NoSpamProxy provide you with the assurance you need to help your company in the long run. If you want to establish integrity, uphold privacy, preserve sensitive data and mitigate phishing and other email attacks, consider implementing S/MIME with GlobalSign and Net at Work. Together, we can deliver the trust and assurance your company is seeking.
This piece was written by Andreas Brix, GlobalSign in collaboration with Felix Schuster, Net at Work.
Felix coordinates the Product Marketing Management for NoSpamProxy at Net at Work. While taking care of the internationalization process and strategy of the product, he leads marketing campaigns and organizes the distribution channels.