At least once, you’ve probably hit the send button on an email and then been struck with panic because you sent it to the wrong person. We’ve all been there, but what happens when that email contains sensitive personal information and someone maliciously attempts to view it? At work, that information is generally kept under lock and key in the HR office, so shouldn’t that hold true when you send it across the inter-webs? The answer should always be a loud “YES.”
Email encryption, as the name suggests, gives users the ability to protect and conceal email data from prying eyes. If you work for a mortgage/title company, you are probably already familiar with the need for email encryption, as you must meet federal and state regulatory compliance laws regarding the protection of sensitive, non-public information in emails. These regulations include HIPAA (Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act), SOX (Sarbanes-Oxley Act), and PCI-DSS (Payment Card Industry Data Security Standard).
My top 3 email encryption go-tos
Email encryption solutions come in many shapes and sizes, so I have put together a list of the providers I have dealt with and would recommend:
- Office 365 Email Encryption: Your business probably already uses one or more of the services under Microsoft’s Office 365 umbrella, but you may not know that Office 365 offers email encryption as an additional feature with the Enterprise E3 license subscription, which includes Exchange, SharePoint, OneDrive, the Office 2016 suite and more. If you don’t need everything the E3 plan provides or you already have an Office 365 license that meets your requirements, you can just add the $2-per-user-per-month Azure Rights Management license. Note: Setting this up will require knowledge of the Office 365 Admin and Exchange Centers, PowerShell, Data Loss Prevention Policies, and other elements NOT covered in this blog.
- Sendinc: I like to recommend this encryption provider specifically for its Outlook add-in, which is ideal for a company that may only have a handful of users who need to send sensitive information over email. With just a click of a button, the add-in provides military-grade encryption, and the setup is also pretty easy and straightforward.
- ZixCorp (ZixMail & ZixGateway): ZixCorp is a big player with large businesses, providing encryption services for more than 13,000 organizations across the U.S. It has a desktop application similar to Sendinc’s, but the main prize is the ZixGateway service. Without getting too deep into the technical jargon, the ZixGateway can be on-premises or hosted. Plus, with the correct configuration and policies in place, users won’t have to decide whether each email they send needs to be encrypted; ZixGateway does it for them automatically.
Note: This setup will require working with ZixCorp’s technicians, who will walk you through using the services.
Simplifying the process
Truth be told, the process of sending and accessing an encrypted email can be annoying. The recipient will not actually receive the email itself, but rather an unencrypted message with steps explaining how to access the encrypted content. The good news is that there is a way for recipients to view encrypted emails without constantly hitting the barrier of the company’s encryption provider. The best workaround is to set up a “centralized location,” which is typically a web portal. Although these web portals require registration in order to authorize the recipient, they ultimately give access without limiting the protection of sensitive, non-public data.
To help make the process less confusing, encryption providers such as ZixCorp and Office 365 allow you to brand the content with which senders and recipients interact, and also give a visual indication if a message has been encrypted. If both the sender and the recipient use the same provider, there will be no middleman and the provider will do all the encryption and decryption work.
The bottom line
If any users at your company have to send sensitive data via email communication, don’t risk it, encrypt it! That said, it’s important to take the time to pick the right provider and service that fits your organization. If you are interested in a particular solution, give the provider a call or let your current managed services provider know so they can proceed on your behalf. Given the potential for human error and malicious cyberattacks, always strive to be proactive, not reactive!