What To Look For In A Secure Email Service Provider (And Three to Consider)
With cybersecurity increasingly in the news these days, you may be taking a hard look at your existing security measures and IT systems. Perhaps your business, like many others, continues to operate a remote or hybrid staffing model, with employees more dependent on remote communication systems like email than ever before. Cyberattackers continue to exploit weaknesses in these systems, invading networks, seizing and encrypting data, and extracting ransoms from unprepared companies.
Evaluating Email Service Security
Perhaps you’ve been wondering about whether your email service provider (ESP) is the safest option or if there is a safer one out there that can provide the same or better enterprise-wide email services. First, it’s important to understand what factors comprise a secure email system to understand how best to evaluate your current and prospective ESPs.
You’ll want to find an ESP that practices end-to-end encryption. End-to-end encryption ensures that email messages are encrypted during transmission and only decrypted on the receiving device. This practice ensures that if messages are intercepted, they won’t be readable. It also prevents the ESP itself from being able to read your messages.
Major ESPs like Google, Hotmail, or Yahoo, while quite secure, do not practice end-to-end encryption by default. They do offer options and add-ons that enable it; however, your email recipients will also need to have these options installed to read your messages.
PGP stands for Pretty Good Privacy and refers to an encryption method that uses public and private key pairs to send email securely over insecure networks. The process is a little complex, but in practice, when using an email service that supports PGP, the sender encrypts their message with the recipient’s public key, and the recipient decrypts it with their own private key.
When communicating with users outside of a service that natively supports PGP, you’ll need to send them your public key first. Again, the major ESPs do not support PGP by default. But you can enable options and add-ons that allow you to decrypt PGP-encrypted emails you receive, as long as you have the sender’s public key.
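As an added illustration of the key direction described above (not code from the original article or from any provider it names), here is a Go sketch of the PGP-style hybrid scheme: the sender seals a fresh per-message AES key to the recipient’s public key, and only the matching private key can open it. The function names and the RSA-OAEP/AES-GCM choice are assumptions; real PGP uses the OpenPGP packet format, but the key roles are the same.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope: a per-message AES key sealed to the recipient's RSA public key, plus the AES-GCM body.
type Envelope struct{ SealedKey, Nonce, Ciphertext []byte }
// NewKey makes a 2048-bit RSA key pair (a hypothetical stand-in for a PGP key pair).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func gcmFor(key []byte) (cipher.AEAD, error) { // AES-256-GCM for a 32-byte session key
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal encrypts msg so that only the holder of recipientPub's private half can read it.
func Seal(recipientPub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key and 96-bit GCM nonce for this message only
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{sealed, nonce, gcm.Seal(nil, nonce, msg, nil)}, nil
}

// Open recovers msg; any private key other than the recipient's fails at the OAEP step.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.SealedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // also fails if the body was tampered with
}
```

Sealing with the sender’s own public key instead would leave the recipient unable to open the envelope, which is why public keys must be exchanged before the first encrypted message.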
Ideally, your next ESP is located in a country with strong data privacy laws. Despite its pioneering technological history, the U.S., for example, does not have a central national data privacy law, relying instead on a patchwork of state and industry regulations, many of which vary greatly from each other. The U.S. also has laws that permit it to collect certain data from its citizens under certain circumstances.
By contrast, European Union countries are bound by the General Data Protection Regulation (GDPR), an overarching set of data privacy laws that strictly regulate and limit how companies share individual or corporate data. Other countries have similar laws, such as Brazil’s Lei Geral de Proteção de Dados (LGPD), Japan’s Act on the Protection of Personal Information, and South Korea’s Personal Information Protection Act.
Employees don’t always choose the most secure passwords. And passwords can be guessed, obtained through a data breach, or otherwise compromised. It’s best to use a provider that offers two-factor authentication. Such a system requires email users to enter their username and password and then a code sent to their cell phone. Attackers usually only have access to an employee’s username and password, not their physical cell phone, which makes this option more secure.
You may also want to consider an open source option. When you use one of the major ESPs, you rely on them and their staff to be competent, vigilant, and good-faith actors when it comes to network security. However, because open source software is transparent, you can see the mechanics of the system. When bugs are identified, dedicated volunteers and paid staffers make them public and get to work fixing them, which may not occur as quickly with an established ESP if management prioritizes other tasks.
Breach history and security track record
The unfortunate truth is that whatever security measures a company has on paper, it still must execute them consistently day in and day out. And even if its staff never miss a critical update or fall for a phishing attempt, there’s always a new, more sophisticated attack in the offing. Given the time and money you’ll spend transitioning to a new ESP, you should evaluate each potential provider’s track record regarding data breaches and attempted breaches.
If you’re thinking about making a switch, consider one of these three secure options.
Start your search with ProtonMail. While it may not be a household name, it is one of the world’s largest secure email service providers. The Swiss-based firm offers end-to-end encryption, OpenPGP, and other encryption protocols. It also offers users the option to enable a self-destruct feature on their emails and employs a policy prohibiting the retention of permanent IP logs.
Tutanota offers encryption services similar to ProtonMail’s for its email, calendar, and address book functions. Tutanota users can take advantage of cross-platform apps for easy access. As the firm is based in Germany, its services are compliant with GDPR. And Tutanota is sharply focused on client data security, with email components like attachment names and subject lines encrypted as well. One feature allows clients to reset their passwords securely in such a manner that not even Tutanota has access to the new one.
A Belgium-based company, Mailfence also utilizes end-to-end encryption, OpenPGP, and other encryption protocols along with features like calendars and document sharing. Clients seeking privacy and data security benefit from Belgium’s strict data privacy laws and from Mailfence’s broader range of cloud collaboration tools. This browser-based platform allows clients to avoid downloading any software. And Mailfence, like other secure ESPs, is committed to data privacy, so much so that it donates 15 percent of its profits to organizations advancing data security measures and laws.
Moving from an established ESP to a relatively lesser-known but more secure one takes time and resources. And thoroughly evaluating the merits of each option can be complex. Before you take a step further, reach out to us at On-Site Computers Inc. We have the years of experience and expertise necessary to guide you through a successful enterprise-wide ESP transition. And we can help you identify and remediate other vulnerabilities in your existing systems as well. Contact us and let’s explore your email and cybersecurity needs today.
Mike Bowe | Published on June 03, 2021