What Is Email Encryption? Definition, Best Practices And Need-To-Know Statistics

Email encryption is the encrypting, or disguising, of email content to protect it from being intercepted. It is a key piece of outbound email security.

Encryption is often coupled with identity authentication in secure email solutions to make sure email contents can't be read by anyone other than the intended recipient.

What is email encryption?

Email encryption is a security technique that involves encoding the content of an email message to prevent unauthorised access or interception during transmission.

Encryption essentially scrambles the message so that it is unreadable without the appropriate decryption key.

When an email message is encrypted, its content is transformed into a cipher text that cannot be understood by anyone who intercepts it without the decryption key.

The recipient of the email can use a private key to decrypt the message and read its original content. This could be a permanent key they hold or one that they access by proving their identity through a process called recipient authentication.

There are various encryption algorithms and technologies of differing strengths that can be used to secure email communications depending on their level of sensitivity.

Email encryption is an important security measure for anyone who needs to transmit sensitive or confidential information over email. It can help to prevent data breaches, identity theft, and other types of cyber attacks.

Who needs to encrypt emails?

As businesses go through digital transformation, sensitive data is no longer kept in on-premise servers within an office building.

Information is transmitted between individuals no longer sat within the same four walls. Threat actors look to exploit these periods of disruption, when a password, account number, or sensitive document is sent by open-risk email giving them an entry point from which to carry out their attack.

What's wrong with email?

Email has been around as long as the internet has, and it was never designed to be highly secure. When you send an email, just like with any other data on the internet, it travels through multiple nodes in a network.

At any one of these points, a bad actor could be present. It could be at your mail server, your recipient's, or somewhere in the middle. If your email contents are not encrypted, they can be accessed, even manipulated, on their journey.

What data needs encrypting?

Whether by accident or negligence, sending the wrong data over open-risk email can be damaging. Regulators have the power to levy hefty fines against companies breaching data protection guidelines, not to mention the reputational damage.

If an email contains personally identifiable information, documents, or data that could harm your company if intercepted or manipulated in transit, then it should be encrypted. It's not just public-facing comms - internal emails are also a risk, with GDPR guiding how we store and process customer information. Even emailing a customer's address to a colleague could put your business at risk.

Encryption best practices

An estimated 333.2 billion emails are sent every day. There are certain types of information that employees know should not be sent "in the clear" but whether by ignorance, accident, or negligence, cybersecurity best practices can fall by the wayside. How can you make sure the right emails are always encrypted with the appropriate security? Here are some email encryption best practices.

Matching setup to needs

Depending on the volume of sensitive emails, there are different ways to initiate encryption.

You can encrypt individual emails using a button in your email client. This is a flexible option for one-to-one confidential email situations but is reliant on the sender.

Rule-based encryption recognises particular triggers for when there are types of information that should be encrypted company-wide. This takes the security responsibility out of the hands of the individual.

There are also situations where a business may need to encrypt documents in bulk, for example bank statements, using automation.

Outlook, Gmail, iOS, M365

The most common email clients including Outlook, Gmail, and iOS provide a level of basic encryption on delivery.

They all offer optional S/MIME encryption as standard, and a Microsoft 365 E3 licence gives users additional functionality in the form of Microsoft 365 Message Encryption.

The key difference between the S/MIME encryption standard and the encryption available with 365 Message Encryption is compatibility. Whereas the encryption offered as standard by providers requires the recipient's email client to be S/MIME compatible, 365 Message Encryption keeps emails secure when delivered to recipients using any email provider.

The encryption provided by email clients can protect most emails on delivery, but they may not be protected when your recipient hits "reply".

What email clients don't cover

It's important to ensure the level of encryption that you use suits your business' and your customers' needs. One key element in this is the volume at which you will need to exchange sensitive documents.

Are you sending documents to be filled in and returned? The optional encryption offered by most email clients (S/MIME) protects documents in transit on delivery. They will only be encrypted on the way from you to your recipient. On the way back, they'll be open to interception.

Equally, if someone can gain access to your recipients' inbox, they will be able to download and access any sensitive attachments.

Adding authentication to the mix

A layer of encryption is important, but it doesn't protect against the #1 cause of data leaks - human error. If you send a sensitive email to the wrong person, encryption won't protect you.

Secure email solutions combine identity authentication with email encryption, so even if you send an email to the wrong address, that person can't gain access. Authentication methods can include device checks, challenge questions, or third-party certificates.

If sending sensitive data to the wrong person is a concern, choosing an email encryption solution with authentication capabilities is the answer.

Are misfired emails a concern to your business? Choose a secure email solution with authentication to protect against human error.

Key statistics

The latest email encryption statistics, from the most reliable sources.

Misfires

Emails sent to the wrong person were the #1 cause of reported data breaches in the UK in Q3 21/22, according to the Information Commissioner's Office (ICO).

Interception

A 2017 study conducted by researchers from the University of Michigan and California found that between 4% and 10% of internet traffic is intercepted.

Volume

In 2021, an estimated 316 billion emails were sent and received each day according to research provided by Statista.

Conversations

The average office worker sends 40 emails a day and receives 121 emails a day according to research vetted by The Guardian.

Error

A survey conducted by Egress indicates that 52% of people have unintentionally sent an email containing sensitive information.

Reputation

CSO Online reports that 46% of businesses who suffer from a data breach see negative repercussions affecting reputation and brand value.

Essential reads

• Does Microsoft Outlook Use Email Encryption? (FAQ Answered)
• Complete Guide To Enterprise Outbound Email Security
• Secure Email User Report 2021: How Are Customers Using Mailock?