Users who don't understand how to encrypt their emails won't do it

Focus on usability to avoid buyer’s remorse, Echoworx advises


Sponsored

In its raw form, email isn't the most secure channel for carrying national secrets. It was originally designed for plain text, and plenty of modern mainstream email systems still don't support end-to-end encryption out of the box. So if you're someone like Edward Snowden, you'll want to make darn sure that your correspondent knows how to use encryption.

Snowden famously contacted journalist Glenn Greenwald asking for his PGP key, but Greenwald didn't have one. “I had no idea how to install it or how to use it," Greenwald says. Snowden didn't have time to get him up to speed, so he moved on to documentary filmmaker Laura Poitras instead. It highlights a problem that people often forget when dealing with encrypted communication: Technology isn't the only thing that matters.

"This is a very consumer facing product," says Jacob Ginsberg, senior director of market intelligence at Toronto-based email security company Echoworx. "It's something that your users, including sometimes your customers or business partners, must understand how to interact with."

Thinking outside the checkbox

Ginsberg sees many companies floundering after spending money on email encryption systems. In his experience, their problems stem from some common misconceptions. The first is that simply having encryption of some kind makes them safe. These companies tend to concentrate on technology, ticking product features off a list. That approach to evaluating email encryption systems has been out of date for years, he warns.

"We'll do that all day long with anyone," he says, "but if you're a healthcare organisation mailing an encrypted email to a patient who has trouble opening it, you might as well not have invested in that solution."

Users who don't understand how to encrypt their emails won't do it. This leads to several problems. Secure information might not be sent, spawning a thousand Greenwald incidents where communications are delayed or don't happen at all.

Worse still are those situations where information is sent insecurely. Many users won't think twice about sending customer data or sensitive personal or company information in plain text.

Those who do want to do the right thing but can't make their email work might resort to third-party file transfer systems in a well-meaning bid to do things properly. This form of shadow IT takes communications outside the company's control entirely. That isn't always safe - just ask WeTransfer's users.

There's another danger for companies whose users do try to grapple with the internal email encryption system: rising support costs. If the interface for your email encryption system is geared for the IT department rather than the user, you can expect a torrent of support tickets.

Moving from risk avoidance to added value

The second big slip-up Ginsberg sees companies making is viewing email encryption purely as a compliance solution. The Ponemon Institute found that this was a major driver for 49 per cent of companies using encryption. It's certainly an important consideration, says Ginsberg, but it shouldn't be the first.

"If you're trying to build a cost benefit analysis around encryption and you're only looking at it to fulfil compliance requirements, then really the only benefit is the lack of a fine," he says. "It's really hard to build a business case around that."

Rather than looking for business benefits, compliance-focused buyers end up opting for the lowest bidder, he warns. The result is a solution that doesn't fit and isn't used.

Building better business cases

By all means pay attention to technology and legal requirements, but don't sacrifice the potential business value of an email encryption system. This shift in mindset from pure risk avoidance to business benefit has been a long time coming.

One such business case revolves around cost savings. Forrester has found that when done well, email encryption can shave a significant amount from the bottom line. Interviewing companies who took a user-focused approach to email, it found that they enjoyed savings of $2.7m over three years on implementation costs of $1.1m. That's a net present value of $1.6m, or an ROI of 155 per cent. All it took was for them to think of the system's possibilities, rather than their own compliance liabilities.

These cost savings tied into other potential business cases for encrypted email. One of these is an improvement in user experience. Enabling employees, customers, and business partners to exchange documents with you securely has knock-on benefits for your customer satisfaction and image.

"Any way you're communicating with your customers should be a part of your marketing strategy, and that includes emailing with them," points out Ginsberg.

It also saves money through more efficient workflows. The Forrester report noted a $1 saving for each document sent digitally, leading to a three-year cost saving of $1.5m. It also saw a $318,900 saving in contact centre productivity over three years.

Having the confidence to send documents digitally can slash the use of paper by up to 10%, according to the Forrester data. This carries a corporate social responsibility benefit for companies trying to green their operations. Or to put it another way: save a tree - encrypt an email.

Another use case is better, faster, and ultimately cheaper user support. According to Forrester, user-focused email encryption cuts the number of encryption-related call centre tickets by 80 per cent, as employees stop sending first-tier 'what does this button do?' support tickets.

Reframing your communication strategy

Looking at possible business cases is fine in theory, but in practice many IT directors and CIOs are programmed to enumerate technology features and judge products purely on price. How can they shift the conversation to make email encryption more relevant for users?

The first step is not to think about this as an email encryption problem or a data protection issue, says Ginsberg. Instead, think about your broader communication strategy. Explore who's sending and receiving what kinds of information, and how it ties into your company workflows.

"You can split that up into two different analyses," says Ginsberg. "One focuses on the sending experience. What will its employees have to do differently? The other focuses on the recipient's experience. How do they pick up the emails?"

When considering each, look at the user's demographic profiles and capabilities, he says. If you're dealing with tech-savvy freelance software developers who communicate with your company regularly, then something like PGP or S/MIME might work. For the senior citizen trying to upload their identity documents to interact with your investment advisory firm, not so much. In that case, something like a secure online portal for exchanging documents might be more appropriate.

Ideally, your software should be able to support a variety of sender and recipient types. Echoworx's OneWorld encryption platform integrates into Microsoft 365 and supports several options for recipients: TLS, encrypted PDFs or other attachments (along with instructions for retrieving a password), certificate encryption, and a company web portal accessible via OAuth.

The system enables senders to automatically encrypt email without any extra interaction, or they can specify an encryption channel based on the recipient if they want.
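The sender-side decision described in the last few paragraphs, as an added illustration that is not Echoworx's code and not from the original article: a small policy engine that classifies a message, then picks the strongest channel the recipient can actually use (certificate/S/MIME, PGP, portal, or an encrypted PDF that any mailbox can receive), honouring a sender's requested channel only when the recipient is capable of it. The recipient capability record and the cached "domain enforces TLS" flag (think of an MTA-STS lookup) are assumptions, and the classifier is a deliberately small stand-in for a real DLP engine. The one rule worth copying is that it fails closed: content classified as sensitive is never released over plain SMTP, because hop-by-hop TLS protects nothing once the message is at rest in the recipient's mailbox, which is exactly the plaintext failure mode the article warns about.

```python
"""Recipient-aware encryption channel selection (illustrative, not a vendor's implementation)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Channel(Enum):
    SMIME = "smime"                  # recipient has an X.509 certificate on file
    PGP = "pgp"                      # recipient has an OpenPGP key on file
    PORTAL = "portal"                # message held in a web portal; recipient logs in
    ENCRYPTED_PDF = "encrypted-pdf"  # password-protected PDF; password sent out of band
    TLS_ONLY = "tls-only"            # ordinary SMTP; hop-by-hop TLS at best, nothing at rest


@dataclass(frozen=True)
class Recipient:
    """Capability record for one recipient (constructed; a directory would supply this)."""
    address: str
    has_smime_cert: bool = False
    has_pgp_key: bool = False
    has_portal_account: bool = False
    domain_enforces_tls: bool = False  # assumed: cached result of an MTA-STS policy lookup


class PolicyError(Exception):
    """No channel satisfies the policy for this message and recipient."""


# A run of 13-19 digits, optionally separated by single spaces or hyphens.
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell a payment-card number from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_sensitive(body: str, headers: Optional[dict] = None) -> bool:
    """Minimal classifier: a sender-applied marking, or a Luhn-valid card-like number."""
    headers = headers or {}
    if headers.get("X-Sensitivity", "").lower() in {"confidential", "restricted"}:
        return True
    for m in _DIGIT_RUN.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


def choose_channel(rcpt: Recipient, sensitive: bool,
                   requested: Optional[Channel] = None) -> Channel:
    """Pick the delivery channel for one recipient.

    Automatic mode (requested is None): non-sensitive mail goes out normally; sensitive
    mail takes the strongest channel the recipient can use, falling back to an encrypted
    PDF rather than plaintext. A sender's explicit request is honoured only if the
    recipient is capable of it and it does not leak sensitive content over plain SMTP.
    """
    capable = {Channel.TLS_ONLY, Channel.ENCRYPTED_PDF}  # any mailbox can receive these
    if rcpt.has_smime_cert:
        capable.add(Channel.SMIME)
    if rcpt.has_pgp_key:
        capable.add(Channel.PGP)
    if rcpt.has_portal_account:
        capable.add(Channel.PORTAL)

    if requested is not None:
        if requested not in capable:
            raise PolicyError(f"{rcpt.address} cannot receive via {requested.value}")
        if sensitive and requested is Channel.TLS_ONLY and not rcpt.domain_enforces_tls:
            raise PolicyError(f"sensitive content may not go to {rcpt.address} over plain SMTP")
        return requested

    if not sensitive:
        return Channel.TLS_ONLY
    for ch in (Channel.SMIME, Channel.PGP, Channel.PORTAL):  # strongest first
        if ch in capable:
            return ch
    return Channel.ENCRYPTED_PDF  # fail closed: never plaintext for sensitive mail


def route_message(rcpt: Recipient, body: str, headers: Optional[dict] = None,
                  requested: Optional[Channel] = None) -> Channel:
    """Classify the message, then select its channel for this recipient."""
    return choose_channel(rcpt, is_sensitive(body, headers), requested)


if __name__ == "__main__":
    # Constructed sample traffic: a developer with a PGP key, a patient with nothing on file.
    dev = Recipient("dev@example.com", has_pgp_key=True)
    patient = Recipient("patient@example.net")
    print(route_message(dev, "Card 4111 1111 1111 1111 on file").value)        # pgp
    print(route_message(patient, "Card 4111 1111 1111 1111 on file").value)    # encrypted-pdf
    print(route_message(patient, "Your appointment is on Tuesday").value)      # tls-only
```

The ordering of the automatic fallback encodes the article's demographic point without asking the sender to think about it: a recipient who has registered a certificate or PGP key gets message-level crypto they already know how to use, everyone else lands on a portal or a password-protected attachment. Wire the same function into the outbound MTA's policy hook and the sender never sees a choice unless they ask for one.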

Auditing your users and your communications and choosing an appropriate form of secure business communication is just the first step. The next part involves rethinking your communication strategy and looking at what can now be sent via these channels that wasn't possible before.

"When you gain the confidence that your online conversations are secure, then that opens up new types of conversation with your business partners and your customers," says Ginsberg. "So, you can overhaul and change a bunch of standing policies and ways that you work with people."

At this point, think about ways to integrate email into your existing workflows, or create new ones. Many companies treat email as a separate bolt-on to their other business processes. That means manually switching systems, transferring files, and then figuring out how to send them securely. Building event-based triggers into your existing systems that kick off automated emails could streamline your operations.

Integrating secure communications into your company could lead to profound changes. Automated email could remove some of the heavy lifting from call centres, leaving agents to focus on higher-quality conversations with customers.

Even if email technology had originally shipped with encryption, it's unlikely that it would have satisfied everybody. Once the technology hit the mainstream, the kinds of user accessing it and the delivery channels they used to send and receive email exploded. Old technologies must adapt, serving new users who will never knowingly touch a PGP key or understand what encryption is. They deserve safe, secure email communications along with everyone else.

Sponsored by Echoworx



Biting the hand that feeds IT © 1998–2020