Most small businesses lack the IT staff to implement encryption processes for outgoing and incoming emails. But after the revelation early this month of the Heartbleed bug, many and perhaps all businesses can make a case for encrypting email.
Heartbleed leverages a vulnerability on the Heartbeat extension of a commonly used cryptography library OpenSSL, which allows hackers to read private information such as passwords.
"OpenSSL has an encryption library that allows Web servers to create secure transactions in a browser or in email," said J.D. Sherry, vice president of technology and solutions for antivirus software company Trend Micro. "Heartbleed exposes a pervasive vulnerability that impacts not only Web sites but [also] email." [Is Email Encryption Right for Your Business?]
Encryption encodes messages to decrease the likelihood that hackers can read those messages. But Sherry pointed out that even email services from widely used platforms like Microsoft Exchange may offer only limited encryption capabilities from sender to sender. Gmail and Yahoo encrypt their messages, but these emails may pass through parts of networks which are vulnerable to Heartbleed, said Chester Wisniewski, senior security advisor at cloud security solutions provider Sophos.
Small businesses must reach out to their email and providers and ask what impact Heartbleed has on them, and what remedies or patches they offer.
"Encryption can be the sort of thing you don't think you need until something happens," said Neal Smith, CEO of email cloud service provider Privato.
Healthcare, finance and government businesses have the most-pressing email encryption needs due to federal regulations that protect consumers' financial information and health-related privacy. Companies that interact frequently with health care, finance and government institutions, or work with intellectual property or legal services, have the highest need for email encryption.
If you're concerned about potentially hacked emails or future data breaches, there are many easy-to-use, low-cost cloud and software solutions for companies with limited resources. There are also hardware and a hardware-software hybrid options for small and medium-size businesses that have critical encryption requirements.
[For a side-by-side comparison of the best email encryption software visit our sister site Top Ten Reviews.]
The most secure, but most expensive email encryption options are based in hardware, said Sebastian Munoz, CEO of encryption solutions provider REALSEC. Small businesses may purchase hardware or combinations of hardware and software to adhere to "best practices," or find providers whose own services are based in hardware. Email encryption hardware ranges from $25,000 and $100,000, with the average cost running between $30,000 and $40,000. Munoz also pointed out that these products take several days to implement.
Cloud services in the range of $100 per year often require no expertise or time on the part of the small business to implement.
"Ease of use is far and away the number one tenet of email encryption," said Bob Janacek, CTO of email encryption service DataMotion. "The encryption needs to work where you work, [on mobile devices, desktops and laptops]. The more encryption is able to be integrated into your normal workflows, such as a ‘send secure’ button inside your email client, then more end users will take advantage of it."
Other ease-of-use issues include coordination of passwords among multiple senders and recognition of keywords to ensure some content is always encrypted, said Peter Firstbrook, VP at IT research and advisory firm Gartner.
Small businesses should also consider bundling email encryption with other security services, like data-loss prevention, anti-spam and antivirus protection, said Mark Schweighardt, senior director of product management at Voltage. Many cloud-based email encryption providers can add additional security services at modest fees.
For more information about the Heartbleed bug and how it may have affected you, visit our sister site, Tom's Guide.
Originally published on Business News Daily.