Closing the e-mail security loophole
Find out how you can create a sound basis for secure and trusted e-mail communications in just five steps.
Five basics for secure e-mail communications
The risks that non-encrypted e-mail communications pose are quite clear: financial losses, legal disputes and, not least, damage to image and credibility. Despite all of this, e-mail continues to be one of the biggest weak points in IT infrastructures and an opening for data theft and industrial espionage, even though the methods are mature, the standards are clearly defined and independent bodies exist to provide external support. Anja Pötzsch from Bundesdruckerei GmbH describes how the most important foundation stones for secure and trusted e-mail communications can be laid in five steps.
Step 1: Develop awareness for the problem at the company
"I have nothing to hide" is one of the main reasons people give for paying little attention to e-mail encryption. The fact of the matter, however, is that 96 percent of all German companies use e-mail for business purposes, and confidential and sensitive business information such as invoices, patents and contracts is increasingly sent this way. That's why it is not just the major players but also medium-sized companies that are most affected by cybercrime. A survey conducted by the consultants PricewaterhouseCoopers (PwC) found that in 2015 every tenth medium-sized company fell prey to at least one Internet attack.
Another misconception is to mistake general Internet protection for e-mail security. Firewalls, virus scanners and spam protection do not cover the most important protection goals of e-mail communications: preventing unauthorised reading of e-mails, false sender data and the manipulation of e-mail contents. Meeting those goals requires dedicated measures to encrypt e-mails.
Step 2: Analyse requirements and develop a concept
The requirements analysis identifies the processes that are essential for e-mail encryption. This also means identifying the decisive five to ten percent of data that form what is known as the company's 'crown jewels'. Encryption methods of the highest security level must be selected for this data.
Based on specific application cases, targets are set, suitable encryption methods are defined and then the software and required services can be selected. When implementing this step, it can be useful to call on the services of an external consultant.
Step 3: Find the suitable encryption solution
In the world of business, the S/MIME format has become the firmly established standard for e-mail encryption. It is based on asymmetric encryption, in which each participant holds two keys: a public key that others use to encrypt messages to them and a private key that only they hold for decryption. Client-based encryption makes sense for contents and documents that require a very high level of security, because the e-mail stays encrypted during the entire transmission: the encryption tasks are carried out on the sender's and the recipient's own computers.
Documents that require a lower level of protection can be encrypted and decrypted centrally on what is known as a secure e-mail gateway. All encryption tasks then run automatically in the background on one server, which means that between the user's client and the gateway inside the company network the message is not yet protected by S/MIME; this is why the gateway approach is reserved for data with lower protection needs.
Step 4: Integrate certificates into the processes
With certificate-based encryption, a key pair is coupled with a digital certificate containing the holder's identity information (for example, name and e-mail address). This means that the e-mail sender named in a signature can be identified beyond doubt. The electronic signature based on a digital certificate is also what protects an e-mail against later, unnoticed changes: any modification made after signing invalidates the signature. All of this works without the communication partners having to exchange passwords or other secrets.
The technical infrastructure used to issue, distribute and verify digital certificates is referred to as a public key infrastructure (PKI). Setting up and maintaining a PKI is a complex matter that is time-consuming and ties up considerable resources. That's why it makes sense to use an external certification service provider, also known as a trust service provider. Bundesdruckerei's Managed PKI solution, for instance, provides efficient certificate management that includes the issuance, management and verification of digital certificates.
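The following is an added example, not code from the article or from Bundesdruckerei, illustrating steps 3 and 4 with OpenSSL's `smime` command: a certificate binds a constructed identity (name and e-mail address) to a key pair, the sender signs an invoice on their own machine, and the recipient verifies it, including a copy whose amount was altered after signing. A self-signed certificate stands in for one issued by a trust service provider; in practice the recipient trusts the provider's CA certificate rather than the signer's own.

```shell
#!/bin/sh
# Added example: S/MIME sign/verify round trip with OpenSSL (needs 1.1.1 or later).
set -eu

# Key pair plus certificate binding the holder's identity to the public key.
# "Alice Example" / alice@example.com is a constructed identity.
make_identity() {                       # $1 = working directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/alice.key" -out "$1/alice.crt" \
    -subj "/CN=Alice Example/emailAddress=alice@example.com" 2>/dev/null
}

# The identity the recipient should compare with the From: header after verifying.
signer_email() {                        # $1 = working directory
  openssl x509 -in "$1/alice.crt" -noout -email
}

# Client-side signing: the private key never leaves the sender's machine and no
# shared secret is exchanged. Output is a clear-signed multipart/signed message.
sign_message() {                        # $1 = dir, $2 = plaintext, $3 = output
  openssl smime -sign -in "$2" -signer "$1/alice.crt" -inkey "$1/alice.key" \
    -out "$3"
}

# Recipient side: checks the signature and that the signer chains to a trusted
# certificate. Prints "valid" or "INVALID"; any later change to the body is caught.
verify_message() {                      # $1 = dir, $2 = signed message
  if openssl smime -verify -in "$2" -CAfile "$1/alice.crt" >/dev/null 2>&1; then
    echo valid
  else
    echo INVALID
  fi
}

# Demonstration: sign an invoice, then alter the amount "in transit".
WORK=$(mktemp -d)
make_identity "$WORK"
printf 'Invoice 42\nAmount: 1000 EUR\n' > "$WORK/msg.txt"
sign_message "$WORK" "$WORK/msg.txt" "$WORK/signed.eml"
sed 's/Amount: 1000 EUR/Amount: 9000 EUR/' "$WORK/signed.eml" > "$WORK/tampered.eml"
echo "signer:   $(signer_email "$WORK")"
echo "original: $(verify_message "$WORK" "$WORK/signed.eml")"    # valid
echo "tampered: $(verify_message "$WORK" "$WORK/tampered.eml")"  # INVALID
rm -rf "$WORK"
```

Note that a valid signature only proves the message is unchanged and was signed by the holder of the certified key; the mail client must still compare the certificate's e-mail address with the visible sender before trusting the message.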
Step 5: Use a trust anchor
Trust service providers serve as the trust anchor in the digital world by reliably confirming the identity of individuals who do not know each other and by securely managing the related data. At the same time, they provide the means and infrastructure needed to encrypt e-mails and sign documents.
D-TRUST – Bundesdruckerei's trust service provider
As a full-service provider, Bundesdruckerei can assist in all matters related to e-mail encryption, from advice to software, right through to comprehensive services.