How to Secure Email Communications with End-to-End Encryption in Gmail

Email fraud is a growing problem. And it’s costly: Phishing schemes were the most frequently reported crime in the FBI’s latest Internet Crime Report, with losses from business e-mail compromise (BEC) costing $2.9 billion in 2023.
Email encryption can help safeguard sensitive corporate communications. That’s why most enterprise-level email platforms offer encryption of data at rest and in transit. Gmail, for example, encrypts email in transit and at rest using TLS (Transport Layer Security). However, it doesn’t offer end-to-end encryption (E2EE) by default.
That’s because E2EE isn’t necessary for all communications — and it hinders the ability of Gmail’s spam filters to protect users against phishing attempts and malicious emails (which requires scanning email).
E2EE is designed for highly sensitive communications and, back in the day, was only affordable to large enterprises with large IT budgets. But Google is changing that, making encryption available to organizations of all sizes by simplifying E2EE while addressing data sovereignty, privacy and security requirements.
However, it’s not the only option. If you’re looking to offer end-to-end encryption, what are your choices?
Encryption options for Gmail
With E2EE, the message is encrypted on the user’s local device before it’s sent to Google (or whichever messaging system is being used). It’s never converted into cleartext until it’s decrypted by the recipient.
While this significantly boosts security, E2EE adds complexity into the process, since it typically requires an encryption key. For highly sensitive data, this could be invaluable, but for everyday workers it can present challenges, from managing keys to system interoperability.
However, Google’s new E2EE feature for business users solves many of these issues.
Client-side encryption: Google is offering a new capability in Google Workspace, called client-side encryption (CSE), which allows organizations to protect sensitive emails and documents outside of Google infrastructure. CSE encrypts an email on the sender’s device, and Gmail sends the recipient an invitation to view and reply to the email in a temporary account on a restricted version of Gmail.
Data is encrypted on the sender’s device before being transmitted to Google’s cloud-based storage, so the plaintext of the email never actually leaves the sender’s device — which means Google and other third parties can’t decipher it.
This is particularly beneficial for organizations that store sensitive or regulated data, such as intellectual property, healthcare records, or financial data, or those that must meet data sovereignty requirements. IT admins can make E2EE messages a default setting in Gmail for teams who regularly deal with highly sensitive data via CSE Default Mode.
S/MIME (Secure/Multipurpose Internet Mail Extensions): IT admins also have the ability to enable S/MIME in Gmail, which encrypts and adds a digital signature to email messages. IT admins can control S/MIME settings for individual users or business units through the Google Admin console. While TLS is the only option for encrypting free Gmail accounts, S/MIME is an option for enterprise accounts.
Other useful security features for securing email communications
When it comes to Gmail and other Google Workspace tools, it’s important that security settings are configured properly, including user access controls and permissions, password protections, and multi-factor authentication.
Beyond E2EE, Google has other capabilities available in Gmail to boost security and compliance. These include:
Gmail confidential mode: This doesn’t actually provide end-to-end encryption, but it does add an extra layer of protection for email communications. IT admins can set controls such as preventing recipients from forwarding, copying, or printing certain messages, or setting an expiration date for emails. In some cases, they may even want to require a passcode to access the contents of highly sensitive emails.
Classification labels: These can help business users understand message sensitivity — so they can handle those messages accordingly.
Data Loss Prevention (DLP): IT admins can apply DLP rules that automatically apply classification labels to messages and take certain actions, such as quarantining or blocking delivery of emails with certain keywords or patterns that indicate they may contain sensitive data.
Email security solutions for Google Workspace
Not every IT team has high-level expertise in Gmail. Start by asking your team a few key questions:
- Do we fully understand how Google’s spam filtering and email security settings work?
- Are we leveraging all available features in Google Workspace to secure our email environment?
- Is our domain properly protected against spoofing with a strong DMARC policy?
If any of those answers give you pause—don’t worry. A third-party service can help you enhance data protection.
For example, Pythian’s Email Security Deep Dive service is a fixed-fee service that ensures you’re taking advantage of Google Workspace’s robust security features.
We’ll help to authenticate sources and protect against spoofing of your domain, while providing training to your team to maintain your security going forward. Our expertise applies to any email platform your organization is running, including Microsoft 365 and Gmail.
Want to learn more about how to secure your email communications or set up end-to-end encryption for certain users or groups in Gmail? Download our data sheet or contact us to learn more.
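The third checklist question above asks whether a domain has a strong DMARC policy. The script below, an added example that is not Pythian’s or Google’s code, parses a DMARC TXT record and grades it, flagging the common weak settings (p=none, partial pct, sp=none, no reporting address). The sample records and domain names are constructed for illustration; in practice you would look up the `_dmarc.<domain>` TXT record with your DNS tooling.

```python
"""Parse a DMARC TXT record and grade how well it protects a domain against
spoofing. Added example, not the code of any vendor named on the page."""


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag -> value dict.
    Raises ValueError if the text is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record (needs v=DMARC1 and p=)")
    return tags


def assess_dmarc(record: str) -> tuple:
    """Return (level, findings). level is 'strong' only when failing mail is
    rejected or quarantined at 100%, subdomains are covered, and aggregate
    reports (rua=) are requested so admins can see spoofing attempts."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return "none", [str(exc)]
    findings = []
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100")) if tags.get("pct", "100").isdigit() else 0
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy value {policy!r}")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is policed")
    if tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains spoofable")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to detect abuse")
    return ("strong" if not findings else "weak"), findings


# Constructed sample records (hypothetical domains, not real DNS data).
SAMPLES = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial.example": "v=DMARC1; p=quarantine; pct=20; sp=none",
}
```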