Secure e-mail isn’t really e-mail. Is it really secure?

Most e-mails are not encrypted.  What this means is that if someone intercepted your email message, they would be able to read it.  This is, of course, a big concern to those sharing sensitive information.

One solution is to avoid e-mailing any sensitive information. Many online apps (such as Box and Cisco’s Sharefile) offer secure alternatives to email. While these work well, many of our clients find that when they’re in a rush, they end up e-mailing sensitive information regardless.

Another option, one that has been in use for many years, is known as secure or encrypted e-mail.  Secure e-mail applications work directly with your e-mail system. For instance, Microsoft Office 365’s Message Encryption (“OME”), which is included in some Office 365 subscriptions, works seamlessly with Microsoft Exchange and Outlook.

Microsoft Office 365 Message Encryption (Source - Microsoft (c))

Microsoft Office 365 Message Encryption (Source – Microsoft (c)

When a user puts a code word into the subject line (e.g. ‘PRIVATE’) and presses send, Microsoft’s OME converts the e-mail message into a web page.  Instead of the message, the link to the web page is then sent to the recipient.  The recipient can then open the message in a browser, but first must confirm her identity through a one-time code, which is autotically sent to her e-mail address.

Since the message is encrypted end-to-end, Microsoft’s OME is a substantial improvement over standard email.  However, as you might expect, secure e-mail has some vulnerabilities.  For example, if someone can access the recipient’s mailbox, he can decrypt any secure message using the code that is sent subsequently.  In addition, a sophisticated hacker can “listen in” over a network, wait for an encrypted e-mail, and then wait for the code.  The code, however, does expires after 15 minutes, severely limiting an attacker’s time window.

Even though it’s not a perfect solution, secure email’s ease of use, in-transit and at-rest encryption, and expiring codes, make it a useful tool for those sending sensitive information over email.