Are Your Electronic Communications Secure? Encryption Is a Simple Solution

Email messages are incredibly vulnerable to threat actors, who can intercept messages in transit and easily gain access to inboxes. Sending sensitive or private data via regular email systems greatly increases the risk of a data compromise or breach. To avoid this, encrypting messages and attachments is key. This may involve using an outside service.

Simply put, encryption is a process of turning readable content (plaintext) into encoded content (ciphertext) that only users with the cipherkey can decode.

Encryption can be used in a variety of places to ensure that only verified, authorized users can access data, particularly sensitive data.

Employing encryption for emails allows an organization to take advantage of this convenient and efficient communication method for sending and receiving sensitive and private data, just like they do for general information.

E-communications Vulnerable to Threat Actors

Even if an organization’s messaging systems are secure, it cannot control the security on the recipient’s end. Encryption can protect messages in transit and in both the sender’s and receiver’s accounts.

When threat actors intercept an encrypted message, they see scrambled, unreadable text. The authorized recipient of an encrypted message, however, has a unique private key that unlocks the message, decoding the ciphertext back into plaintext.

Messaging encryption can block a significant avenue of attack for threat actors and protect the privacy of those who have entrusted the organization with their sensitive information.

In addition, encryption can help prevent threat actors from learning information related to the organization and its employees, including login credentials, that can be exploited to gain access to the entity’s network, systems and files.

When to Use Encrypted Email

Encrypted messaging should be used whenever an organization sends or receives sensitive or private data.

Some examples of when to use encrypted messaging include:

  • Data classified as private or nonpublic under the Minnesota Government Data Practices Act
  • Confidential health records covered by the Health Insurance Portability and Accountability Act
  • Any payment card industry or other banking information that could be used to make fraudulent purchases or for identity theft
  • Personally identifiable information such as names, Social Security numbers, and date and place of birth
  • Other information deemed sensitive by the organization, such as login credentials

Options for Email Encryption

The process to use encrypted email varies depending on the service provider. Keep in mind that the easier encryption is to use, the more likely it is that employees will use it.

Some common examples are:

  • Adding an “encrypt and send” button
  • Requiring users to add a keyword to a subject line (such as “encrypt”) to encrypt an email
  • Automatically screening emails for certain combinations of words, numbers or pictures that indicate sensitive information and encrypting the data automatically

The above are just samples of options.
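
The keyword and automatic-screening options listed above can be pictured as a rule check that runs before a message leaves the organization. The sketch below is an added illustration, not any email provider's product code; the trigger word, the patterns and the sample messages are assumptions constructed for the example.

```python
import re

# Assumed trigger word, taken from the article's "encrypt" subject-line example.
SUBJECT_KEYWORD = re.compile(r"\bencrypt\b", re.IGNORECASE)
# US Social Security number written as 3-2-4 digits with dashes or spaces.
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ](?!00)\d{2}[- ](?!0000)\d{4}\b")
# Candidate payment card number: 13-19 digits, optionally split by spaces or dashes.
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def encryption_reasons(subject: str, body: str) -> list[str]:
    """Return the reasons an outbound message must be encrypted (empty = none)."""
    reasons = []
    if SUBJECT_KEYWORD.search(subject):
        reasons.append("subject keyword")
    text = f"{subject}\n{body}"
    if SSN.search(text):
        reasons.append("social security number")
    for match in CARD.finditer(text):
        if luhn_valid(re.sub(r"\D", "", match.group())):
            reasons.append("payment card number")
            break
    return reasons


# Constructed sample messages (placeholder values, not real data).
SAMPLES = [
    ("Encrypt: payroll change", "See attached form."),
    ("New hire paperwork", "SSN 123-45-6789, born in Duluth."),
    ("Invoice payment", "Card 4111 1111 1111 1111 exp 09/30."),
    ("Meeting moved", "Call 6515550100 or reference order 1234567890123."),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(subject, "->", encryption_reasons(subject, body) or "send normally")
```

The Luhn check is what keeps phone numbers and order numbers from forcing encryption on every message that contains a long run of digits.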

Regardless of the options chosen, retrieving encrypted messages almost always requires the recipient to log on to a website to access the message.

More Best Practices

  • An organization should carefully consider encryption options for its systems and applications, including email and text messaging (see “Encrypt Data at Rest, Too”), to ensure encryption provides the level of security that the organization needs and wants
  • Employers should develop policies for sending and receiving sensitive and private data through electronic communications
  • Staff should be trained on the encryption policies and about when and how to send and receive encrypted messages

Encrypt Data at Rest, Too

Beyond sending and receiving private or sensitive data via encrypted electronic messages, an organization should consider encrypting its data at rest. This encrypts data when it is saved on a hard drive, flash drive, database, server, cloud storage, backups, etc.

By encrypting at-rest data, the organization makes it gibberish to unauthorized users (e.g., threat actors) if the storage device is lost, stolen or compromised.

Remember Security for Texting, Too

Text messaging is vulnerable to threat actors in the same way as email. The same precautions that a member uses for securing transmission and storage of sensitive data in email should be applied to texts:

  • Providing end-to-end encryption of text messages
  • Establishing a text messaging policy that restricts texting to approved apps, and includes when and how sensitive data can be sent via text
  • Educating their employees about the policy and enforcing it consistently

Choose Apps Wisely

Although some text messaging apps have end-to-end encryption, including Google Messages, iMessage, Signal and WhatsApp, others do not, such as mobile carrier text plans.

And the apps with encryption are not all the same. Some encrypt the message so even the messaging app provider cannot access message content while others do not have this security feature.

Lesson Learned from Signal-gate

A significant leak of military intelligence data about plans for a U.S. strike on Yemen occurred in 2025 when a journalist was inadvertently added to a group chat of top U.S. national security officials within the Signal app.

Signal is operated by a nonprofit and provides end-to-end encryption for users’ messages.

At the time of the leak, it was considered one of the safest messaging systems for the public but was not recommended (or approved in some circumstances) for government officials’ communication of sensitive information.

Despite the app being “secure,” what is important to take away from this situation is that human error created the leak (including an unauthorized person in the chat). No amount of encryption could have prevented this data breach.

When sending sensitive data via text, employees should always double check that the recipients are in fact the intended and authorized ones before hitting “send.”
