Striking a balance between cost and benefit for e-mail encryption (Part 1)

"We don’t encrypt our e-mail correspondence, as there is simply no solution that is acceptable for both the sender and recipient. Rather than spending money on a solution that is not used, we prefer to use the funds elsewhere…"

Have you heard this kind of reasoning before? This and similar statements are unfortunately far too common.

As is generally the case when it comes to the topic of IT security, the perception of e-mail encryption is usually the same; the higher the security level, the worse the user experience becomes. However, this viewpoint actually means that the discussion should be intensified, rather than avoided!

The following questions need to be clarified: Having identified the need for e-mail encryption, was a product evaluation started directly? And prior to this, was the need for increased IT security clarified and examined in detail?

Carrying out a simple product evaluation (as for standard software) for the procurement of an e-mail encryption solution (e.g. a suite for text and table processing) does not usually lead to a successful solution, because the acquired products are either too restrictive or broad in scope and often approach the problem from the wrong angle.

Instead, it is more sensible to clarify the requirements in detail beforehand. Several questions need to be answered in order to find the right solution for the respective user or company.

• Do we want to protect our e-mail correspondence or are we obliged to do so by law?
  • Why do we want to protect our e-mail correspondence?
  • How do we benefit from the encryption of our e-mail correspondence and how much is this worth to us?
  • Which requirements or which level of encryption are stipulated by law?
• Should/must all co-workers have the ability to encrypt the e-mail correspondence?
  • Or is there a small group of users that could perhaps be trained and made aware of a more complex solution?
• Does the encrypted communication take place in one direction only (from us to the customer/partner)?
  • Or should the communication partner, irrespective of its technical infrastructure, be able to reply in encrypted form without encountering any difficulties?

Possible answers will be discussed in more detail in the article «Auto TLS: Striking a balance between cost and benefit for e-mail encryption — Part 2».