Email is still by far the most important form of communication for organizations. An average employee spends about 25% of their time sending or receiving emails, managing around 130 emails per day, and those numbers are pre-COVID-19, so they are probably higher now; the enforced shift to remote working causing an even greater reliance on digital data exchange.
The use of email is, however, under scrutiny in many organizations. This is partly due to data leak reports showing that most reported leaks (by far) originate from the use of email. This is of course logical, as it is the most used form of communication. The problem, however, lies within the protocols email is usually associated with - of which SMTP is best known. Such protocols lack a lot of features that are essential from a security and privacy perspective.
SMTP, for example, uses opportunistic encryption; is without fall-back mechanisms in case of recipients lacking encryption; still has a low adoption of DANE (TLS alone is not enough to have transport security!); lacks zero-knowledge encryption of data stored at rest; does not provide strong authentication of recipients; is without retraction possibilities and also lacks insight into message read status, etc. Not to mention the absence of functionality to prevent human error, which, in ninety percent plus of cases, is the actual cause of a data leak.
So it is safe to say that the email protocol is not secure enough. It is, however, what almost everyone in the world has, uses, knows and is familiarized with. Changing peoples’ way of working within organizations is one of the most challenging, time consuming, cumbersome and frustrating tasks. Let alone if, in order to change your own way of working, you also have to change the way of working for everyone you communicate with… ouch.
That is why the adoption of ‘alternatives’ like Slack and Microsoft Teams amongst bigger companies is still low and most of the time only used for internal communication.
With the above in mind, trying to change the tools people work with should be considered a last resort option, when there are no alternatives. So is it possible to improve email security? The answer can be both ‘yes’ and ‘no’. It all depends on what your goal and/or approach is. The answer is ‘no’ if you think of email in terms of the protocols. Because SMTP is just what it is; old, limited, not built for security and hard to improve because of the need for backward compatibility. But the answer is ‘yes’ if you think of email as a ‘use case’. Let me explain what I mean by that.
If people in general talk about email, they do not refer to the technology or protocols. They refer to the tools they currently use, like Outlook; the information they share, such as free text and ‘attachments’; the people they share it with, including colleagues and people outside of the organization (who have an email address) and the functions they currently use, like ‘Cc’ or ‘Bcc’, forward and reply. They don’t care about the technology. What they do care about is not having to change their habits, i.e. being able to continue with their familiar way of working (to get the job done as quickly and easily as possible).
I believe that in this ‘use case’ approach lies the solution to securing email. Secure email solutions should act like, feel like, have the same functions as and ideally fully integrate with the tools people currently use for email. This means integrating with Outlook and Gmail because users know them. It means supporting ‘Cc’ and even ‘Bcc’ (whoever thought of the name ‘blind carbon copy’?!) and being able to communicate with everyone in the world who has an email address.
This should also be in a way that uses modern technologies, which can help people make better decisions before, during and after sending, and in such a way that SMTP is only used when it adds value. Not as the starting point of the solution.
I refer to this approach as ‘backwards compatible, forward looking’. You have to adapt technology to fit the needs of people today, even if aspects such as ‘Bcc’ feel like something from the past. You should use technology that is also ready for the future; ready to take users step by step, feature by feature, to the next, new era of digital communication. Only in this way can we solve the security challenges of today, while also being ready to tackle the cost-efficiency challenges of tomorrow.