Is Email Secure Enough to Send Your Sensitive Documents?
Can you believe that email is 50 years old? And it's still one of the most common ways that we communicate online.
In fact, over 300 billion emails were sent and received in 2020 and the average office worker in the United States receives 121 emails per day, according to these statistics.
But how secure is email? We're going to find that out in this article.
How Do Mail Servers Work?
When you think about email communication, you probably think about the sender and the recipient.
However, while email is made to look like it's a direct communication channel between two people online, the fact is that there is a lot more going on there.
So what happens when you compose an email and hit send?
Email works pretty much like regular mail.
Say you want to send an email to someone. Once you hit "send", the email will first go to an outgoing mail server, or SMTP (Simple Mail Transfer Protocol)
The purpose of the SMTP is to act like a post office and transport emails. However, it can't do that if it doesn't know where to send the email and it can't read the domain name.
Instead, it needs an IP address of the domain, which it gets from the DNS (Domain Name Server).
A DNS server acts pretty much like a phone book of the Internet, where it's able to translate the domain name or email address such as www.example.com or [email protected] into an IP address like 12.345.67.89.
Once the DNS can translate the email address into an IP address and it sends it to the SMTP, the latter now knows enough to send the email message to the recipient's MTA server.
Now the MTA, or Message Transfer Agent server needs to decide whether the recipient's email client is using IMAP (Internet Message Access Protocol) or POP (Post Office Protocol) before the message appears in the recipient's inbox, ready to be opened.
Of course, all of this happens in a moment and when we're sending emails, we don't have to think about the email servers, protocols, DNS or IP addresses. We just hit "send" and voila!
Are Email Services Safe?
Emails travel through the Internet just like any other data, using the TCP/IP protocol (Transmission Control Protocol/Internet Protocol).
Here's how this goes:
- You compose and send an email
- The TCP protocol then breaks your email into packets, with each packet containing the sender's information and the email recipient's
- The IP protocol takes over and sends the packets to their intended destination over the network
- As all packets arrive at the intended destination, the TCP protocol takes over again and assembles them back into the format they were sent in the first place for the recipient to read the email
But can you see the problem?
Look at how many systems and protocols are involved in this, from email clients to email servers. All of them can see and record your email data.
Sure, this isn't a problem if the contents of the email are not very important, but what if we're dealing with sensitive data?
Things That Should Never be in Your Emails
There are several things that you should NEVER send in an email, at least not without proper encryption and other protective measures.
- Log in information, passwords, PINs...
- Credit and debit card information
- Social security number
- Checking account number
- ID, passport and driver's license numbers
- Protected health information
- Attorney-client documents
If you absolutely must send any of these sensitive data it's better to do so in person.
However, this won't always be possible.
For example, let's say an employee in your company has lost the login information for the chat you're using internally and needs the password.
If they are working remotely or from home, you can't deliver it to them in person. Maybe you won't even be able to phone it to them.
You could send it using Google Drive, Dropbox, or a similar service, but these aren't 100% secure either. These services are not end-to-end encrypted for one, which means they have access to your sensitive data and can relay it to the government, advertisers, or another third-party.
How to Exchange Sensitive Emails?
So how to exchange sensitive data via email?
We're going to show you a couple of things that you can do to ensure that your email is secure along with the data within it.
Encrypt the File
If you are using Office 365 or a similar system, you can encrypt your Word, Excel, or PowerPoint files.
To do this:
- Open the file you want to encrypt
- Go to the File menu
- Open the Info tab
- Select Protect Document
- Click Encrypt with Password
- Enter the password
- Click OK
- Re-enter the password and click OK to confirm
- Microsoft Word will now indicate that your file is protected and you will have to enter the password every time you need to open the document
If you have a PDF Adobe Acrobat file, you can do the following to encrypt it:
- Open the PDF file you wish to encrypt
- Go to Tools > Protect > Encrypt > Encrypt with Password
- Click Yes
- Check the Require a Password to Open the Document box
- Enter your password in the Document Open Password (a bar next to it will indicate how strong your password is)
- Select your Acrobat version from the dropdown menu next to Compatibility. This should be equal or lower than what the recipient has. For example, Acrobat X and later versions are using AES 256, while older Acrobat 7.0 and 6.0 use AES 128 and RC4 128-bit encryption
- Select the radio button for Encrypt All Document Contents
- Click OK to confirm
Encrypt the File With WinZip or a Similar Program
Another option is to encrypt the file using WinZip or a similar program like WinRar, 7-Zip, or Unarchiver for Mac
- Download WinZip if you don't already have it
- Put the sensitive information you want to send into a Word document instead of sending it directly via email and save it
- If you right-click on the document, you should see WinZip in the dropdown menu
- Hover over the arrow to expand and click Encrypt
- This will open a new window. Enter a password (must be 8 characters long at minimum) and click OK
- The document is now encrypted
Now, whether you are sending a zipped file or not, if you need to send sensitive data to someone that requires a password to open, always send the document itself and the password separate from each other.
Use the Right Email End-to-End Encryption Type
Popular and free email providers such as Gmail do use encryption, but only in transit. The transport layer encryption, or TLS. This, however, will only provide data security while the email is traveling from the sender to the recipient.
TLS does not protect data from hackers when it's on the email server, or "at rest" and this is actually more important for email security.
Instead, to make sure that your data security is up to par, you need an email provider with end-to-end encryption.
There are two main types of end-to-end encryption - S/MIME and PGP.
What is the Difference Between S/MIME and PGP Encryption?
Both S/MIME and PGP are end-to-end encryption standards that rely on a pair of different keys to encrypt (public key) and decrypt (private key) email data.
There are, however, some key differences between these two types of encryption and knowing them should better inform your decision to choose an email service.
- In PGP, users exchange keys between themselves, while in S/MIME, a certificate authority like GlobalSign or Comodo is needed to exchange them
- S/MIME is better for industrial use and enterprise email, while PGP is more suited for private and office email
- PGP can only process plain text and S/MIME works with multimedia files as well as email
- S/MIME contains only 1024 public keys, PGP 4096
- Pretty Good Privacy can be used in VPN, while S/MIME is not used in VPN
- Secure Multipurpose Internet Mail Extension is more expensive
- PGP relies on Diffie-Hellman digital signature, S/MIME on the Elgamal digital signature
Is email secure enough to send sensitive data with?
If we're talking about a regular email service like Gmail or Yahoo Mail, then the answer is no.
However, even then, you can still make your data safe from attackers, at least to a degree, by encrypting files or using WinZip.
To make your email inbox truly secure, though, you should switch to a secure email service that offers end-to-end encryption for your email account.
One such email provider that includes a host of security features to protect your data from attackers is CTemplar. We've built CTemplar to get privacy back to you. Sign up today to secure your email data.