Email encryption has become a bigger and bigger topic among law firms in recent years. It has become a buzzword that “all the cool kids are doing,” but what does it mean?
Encryption works by creating a “handshake” between the sender and the recipient. The email is essentially jumbled like a puzzle in transit, and can only be pieced together once it arrives at the intended recipient. A standard email is sent over an unencrypted port and in plain text. It typically bounces between multiple servers (think of it as having a layover while flying across the country) on the Internet before it arrives at the destination. Millions of emails are being sent and received at any given moment.
The dangerous part is that someone with some knowledge can obtain access to one of these intermediary servers and, if they can, access the email. As if the email were addressed to them, the hacker can now see the contents and attachments. Users should encrypt confidential emails from start to finish. Remember, unless your IT department has specifically set up email encryption, it’s best to assume you are sending unencrypted, insecure email messages.
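As an added illustration (not code from the original article), this Python example reads the `Received` headers of a delivered message and reports which server-to-server hops did not record TLS. The sample message and its hostnames are constructed; `Received` headers are written by each server along the way and can be forged by earlier hops, so treat the result as evidence rather than proof.

```python
import re
from email import message_from_string

# "with" keywords that mean the hop used TLS (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

HOP_RE = re.compile(
    r"(?:from\s+(?P<src>\S+))?.*?\bby\s+(?P<dst>\S+)"
    r".*?\bwith\s+(?P<proto>[A-Za-z0-9]+)",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample: three hops, the middle one relayed without TLS.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [203.0.113.7])
\tby mx.partner.example with ESMTPS id abc123;
\tMon, 1 Jan 2024 10:00:03 +0000
Received: from mail.firm.example (mail.firm.example [198.51.100.5])
\tby relay.example.net with ESMTP id def456;
\tMon, 1 Jan 2024 10:00:02 +0000
Received: from workstation.firm.example ([192.0.2.10])
\tby mail.firm.example with ESMTPSA id ghi789;
\tMon, 1 Jan 2024 10:00:01 +0000
From: attorney@firm.example
To: client@partner.example
Subject: Constructed sample

body
"""

def audit_hops(raw_message):
    """Return hops in delivery order as (from, by, protocol, used_tls)."""
    hops = []
    # Each server prepends its header, so reverse for sender -> recipient order.
    for header in reversed(message_from_string(raw_message).get_all("Received", [])):
        m = HOP_RE.search(header)
        # Exchange records TLS in a comment, e.g. "(version=TLS1_2, cipher=...)".
        tls_comment = "version=tls" in header.lower()
        if not m:
            hops.append((None, None, None, tls_comment))
            continue
        proto = m.group("proto").upper()
        hops.append((m.group("src"), m.group("dst"), proto,
                     proto in TLS_PROTOCOLS or tls_comment))
    return hops

def cleartext_hops(raw_message):
    """Hops with no recorded TLS: the legs where the message could be read."""
    return [hop for hop in audit_hops(raw_message) if not hop[3]]
```

Calling `cleartext_hops(SAMPLE)` returns the single relay leg that was handed over with plain `ESMTP`.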
How Can You Encrypt Your Email?
TLS Connector: The first method is free (assuming you have an Exchange server, Office 365, or comparable system). A TLS connector can be set up from your server to ONE recipient (i.e., a trusted partner). The firm and the partner can now exchange encrypted emails. This involves configuration on your end as well as the partner's, with both IT groups working together. A TLS Connector is extremely secure but only helps with the email to and from the single partner.
Personal Certificate: The second method is to purchase a certificate for a user’s individual workstation. This user’s workstation can now send encrypted emails. A personal certificate is also very secure, but rather impractical as it would involve purchasing a certificate for each employee of a firm and maintaining them per workstation.
Third Party Service: The final option is to employ a third-party service, usually bundled in with an anti-spam solution. For example, Barracuda provides an on-premise appliance for anti-spam called the Email Security Gateway. This appliance can perform the outgoing email service for a firm once configured. At the user’s discretion, they can send an outgoing email as encrypted (via a keyword in the subject/body, or an Outlook add-in). The recipient then receives a notification email with a link. This link takes them to the spam filter and requires sign-in to prove their identity. Now, the recipient can download the email securely and reply as needed. Barracuda also makes a cloud-hosted product called Essentials that includes the same email encryption feature.