Who has patented the encryption? Who now controls the encryption?

Security

Almost 28 percent of small and medium-sized companies in Germany do not yet use email encryption. This was the result of a study commissioned by the Federal Ministry for Economic Affairs and Energy in February 2018. The reasons given by the respondents include that their communication partners cannot handle encrypted messages and that employees are not technically well-versed. Difficulties in managing certificates are also often an obstacle.

Such concerns are legitimate, but can easily be resolved with the right technology. Here are the 11 most common misconceptions about encryption - and how to refute them.

1. I don't need email encryption

Really not? Anyone who sends messages with personal data must encrypt them. This was already prescribed by the Federal Data Protection Act. With the GDPR, the regulations have become even stricter. Violations can now result in high fines. In addition, companies must report data protection violations to the responsible supervisory authority within 72 hours and even notify the persons concerned if there is an increased risk. Those who use email encryption, on the other hand, are exempt from the obligation to notify the data subjects.

2. I can't afford that

The question is rather: can you afford to do without encryption? A violation of the GDPR can result in sanctions of up to 20 million euros or four percent of global annual sales, whichever is higher. In addition, there is the damage caused by the loss of image as a result of a data protection breach. A good email encryption solution is certainly cheaper.

Reading tip:FAQ Encryption - What you should know about PGP, SSL, RSA and co

3. Email encryption is way too complicated

That's right if you want to do everything yourself. Because with OpenPGP and S / MIME there are different encryption standards that are not compatible with each other. You may have to install a plug-in in the email client. In addition, key management is complex. Today, however, there are solutions in which the user does not have to worry about anything. Such encryption gateways are usually easy to implement and are also available in the cloud.

4. I can do this on my own

Yes, but that is very time-consuming. In addition, the user has to know what he is doing. If he makes mistakes, communication is no longer protected. It is therefore advisable to use a solution that does as much as possible automatically in the background for a certain number of users or for less tech-savvy users.

5. I have to convince my communication partners of "my" solution

No need. A corresponding encryption gateway automatically recognizes which technology a communication partner is using. So everyone can use the standard they want. However, the prerequisite is that no proprietary technology is used. In addition, a gateway should be used that supports the common encryption methods.

6. That doesn't work because my communication partners have no idea about technology

In fact, email encryption is rarely used by private individuals and is usually perceived as too complicated. This is shown by a study by Reddoxx. Anyone who communicates a lot with people who do not use encryption can, however, offer alternative solutions. One possibility is, for example, a secure web portal where the recipient can pick up his encrypted message.

7. I use SSL / TSL - that's enough

TLS is just a transport encryption. The technology creates a tunnel between two computers through which the e-mail is sent. On the sending and receiving computers, however, the message is in plain text and can be read, manipulated or copied. In addition, the e-mail is forwarded from computer to computer on its way through the Internet before it reaches the recipient.

The sender cannot check whether each of the computers is actually establishing a new, secure tunnel. In addition to transport encryption, you should therefore use content encryption with OpenPGP or S / MIME. The content of the message is encrypted - except for metadata such as sender, recipient and date of dispatch. Together, content encryption and transport encryption ensure a high level of protection.

8. My cloud provider is already encrypting

Do you have unlimited trust in your cloud provider? If he handles both email management and email encryption, he'll also have your keys and read your messages. It's a bit like giving someone a locked cash box to keep and taping the key under it.

  1. 1. Keep your emails concise and concise.
    Everything that is more than two pages belongs in an attached file.
  2. 2. Check your spelling and grammar.
    Most e-mail systems have this functionality. As this is known, corresponding negligence is resented. Suggesting mistakes: The author either didn't take the time for me or he is a sloppy man.
  3. 3. Reply to emails quickly.
    Responsiveness is one of the key advantages of electronic mail. In particular, expected messages should be replied to quickly. Unless you're extremely busy, check your inbox several times a day. However, it is not necessary to activate the automatic notification (Auto Notify) for every incoming e-mail - that distracts too much from the work.
  4. 4. Use the "Reply to all" function sparingly.
    It is possible to send the message to a group of which perhaps only one percent of the participants are interested. The effect is comparable to a trip on public transport in which one is forced to listen to a stranger's cell phone call. If you answer all of them without necessity, you also generate a lot of electronic garbage. Especially when attachments are sent, unnecessary sending to large mailing lists leads to resource problems.
  5. 5. Make your e-mail easy to read.
    Experton recommends composing the email in a style that is similar to a written document (e.g. a business letter). A greeting and signature (automatic signature) are a matter of course. In addition, short sentences and - for longer texts - paragraphs are recommended.
  6. 6. Adhere to the legal provisions for e-mail traffic.
    In Germany, a new case law has been in effect since the beginning of 2007, according to which mandatory information about the company (legal form, registered office, register court, management) is required in the appendix. In addition, it can sometimes be useful to attach copyright, reproduction or other legal notices. In addition, companies should formulate rules for e-mail traffic (e-mail policy), which must be circulated regularly so that new employees are also kept up to date.
  7. 7. Never reply to spam.
    Actually a truism, and yet a mistake that is made again and again. Many spammers equip their message with an opt-out function, in that the mail can be unsubscribed in the subject field ostensibly with "unsubscribe". For some spam programs that automatically send electronic garbage, such an answer means: the addressee is there, he can receive more spam.
  8. 8. Use blind copies to inform third parties.
    This leaves the distribution group in the dark about who has received the message.
  9. 9. Write the subject meaningfully.
    This is the only way that the message stands out from the plethora of spam messages that fill most mailboxes today.
  10. 10. Keep it simple.
    Today there are many ways to spruce up emails (emoticons, pictures, etc.). Senders should handle this carefully, as not every mail program can handle it and it also wastes resources. In addition, emoticons are sometimes infected with spyware. Therefore: Do not download anything from unknown sources!
  11. 11. Use the features of modern e-mail programs.
    Callback: An email that was sent incorrectly or without an attachment is called back. Use sparingly, rather double-check messages carefully before they are sent. E-mails are often opened quickly and cannot be called back.

    Automatic answer: The out-of-office function is really useful and should be used! However, you should quickly deactivate it when you are back in the office.

    Resending: Sometimes emails never reach the addressee, for example because the mail server fails. With the resend function, they can easily be sent a second time. Before sending, add a comment such as "second attempt" in the subject line.

    Confirmation of delivery: Nice to have, but not absolutely necessary. Also doesn't work with every email system.

    Read receipt: Also nice to have.
  12. 12. Use e-mails to confirm conversations and discussions afterwards.
    Electronic mail offers the opportunity to quickly record the results of conversations from conferences or telephone calls. In this way, the results can be saved for all those involved, and everyone is on the same page with regard to planned measures. What was set down in writing is taken more seriously by those involved.
  13. 13. Don't rely on email for urgent information.
    Better to use the phone for this. There is no guarantee that an email will be read. Often the message is overlooked, reading is postponed or the message is deleted as supposed spam.
  14. 14. Do not use email for inappropriate communication.
    Using email to spread spam is not only a nuisance, but it can also be illegal. And: In most cases, the sender can be identified quickly.

Your cloud provider is most likely not interested in decrypting and using customer information. However, if the provider is an American company, it falls under the CLOUD Act of 2018. This is a tightening of the USA PATRIOT Act of 2001. Previously unclear facts have been specified and the CLOUD Act now gives US authorities access on data stored on servers of US companies abroad, even retrospectively.

Reading tip:US CLOUD-Act versus EU GDPR - In the cloud, freedom is not unlimited

In addition, the fact that the ECJ has just declared the Privacy Shield Agreement invalid is causing additional concerns among European companies. So either you should separate email management and email encryption. Or you can use a solution that enables you to save your keys with you.

Reading tip:ECJ destroys EU-US Privacy Shield

9. My anti-virus and DLP solution will then no longer work

This is a problem with end-to-end encryption, because then virus scanners and data loss prevention solutions (DLP) cannot view the messages and consequently cannot examine them. However, there is also a hybrid approach: end-to-end encryption is used between the sender and the gateway. At the gateway, the message is made available in plain text, checked for malware and content and then encrypted again and transported to the recipient's mailbox.

10. I need to install plug-ins on all clients

No need. All e-mail clients available on the market today have already integrated e-mail encryption based on S / MIME. It can be triggered at the push of a button. However, the user has to take care of the key management himself. Not so if he uses an encryption gateway that does this job. Then only one click on the encryption button in the e-mail program is necessary to send a secure message.

11. My archiving solution will then no longer work properly

If an archiving system does not see messages in clear text, it cannot index them. This makes it difficult to find emails in the archive. However, this problem can be avoided if a proxy is placed between the archiving solution and the e-mail system. E-mails can then be archived in encrypted form, but at the same time they are searchable because the content is indexed.

Conclusion

In fact, today there is no longer any reason to rely on email encryption