Email encryption is essential because surreptitious reading of email is easy. That is why regulatory agencies demand the encryption of email that contains sensitive information.
I’m sure you’ve heard of all the regulations governing the secure transmission of sensitive information; terms like - HIPAA, HITECH, PCI and GLBA. The important question is why are more and more regulatory agencies requiring email encryption?
It’s a simple and sometimes overlooked fact that email is not secure; anybody can read it. This idea has been discussed since the beginning of the Internet. In the past, email has been compared to sending a post card. Unlike sending a sealed letter, anybody can read the content of a post card.
For the average person, it’s difficult to conceive of people reading email that is not theirs. After all, who has the time to do that? I argue there is a problem with the analogy of a post card. It doesn’t do justice to the intense risk posed by email. We imagine picking up a post card, reading it, finding nothing interesting and then putting it down. Email is very different. Email is relied on as a critical communication platform for businesses and often contains valuable information, such as sensitive customer data or company intellectual property. Email is also different, because it can be automatically and invisibly searched for relevant information without the knowledge of the sender or receiver.
In April 2010, a Chinese Telecom was successful in routing 15 percent of the Internet so that traffic flowed through its data centers in China. That traffic could easily have been copied and methodically searched. If there was encrypted email in that message flow, the Chinese company would not have been able to read it.
Regulators insist on encryption of email, because the Internet is not secure. Hackers are taking advantage of that to access sensitive information that can be used to make money or give foreign countries a strategic advantage.
There is certainly a market for credit card numbers and social security numbers, resulting in very strong motivation to hack. If email contains sensitive information, it could be easily detected, stolen and sold by people who have an unscrupulous profit motive.
For more information on how the China Telecom attack worked, I recommend this site: http://bgpmon.net/blog
So whether you’re a veteran or not, by now I’m sure the need for encrypted email is obvious. Encrypted email is the only reasonable means of ensuring compliance with regulations while maintaining the confidentiality and privacy of sensitive information.