Email as a security risk | SwissSign
A data security specialist by Swiss Post

Email as a security risk

Email is one of the main methods of digital communication. Every day, more than 300 billion messages are sent and received around the world. Naturally, such numbers make this arena an attractive proposition for attackers. Additionally, emails are relatively easy to intercept and read, especially if they are not encrypted. This lack of protection is often only noticed after the fact, when it’s too late. We therefore recommend tackling the topic of email encryption early on, even if this means having to fork out a little bit of money: in this case, it pays off to invest in security rather than run the risk of incurring damage.

Known cyberattacks via email include phishing or malware mails, such as trojans, ransomware or spyware. But digital messages are more than just a gateway for malware. The actual contents can also be exploited by attackers. And this is where encryption comes into play.

What risks are associated with unencrypted emails?

You can draw a comparison between emails and postcards. Neither reaches its intended recipient through a direct channel. Emails, for example, have to pass through various servers and networks, and it is impossible to determine or control which ones will be used, just as it is impossible to know how often they will be read along the way and by whom. That is why attacks often go undetected initially. Unlike postcards, however, emails can be searched by key terms, and the ones considered most suitable can be selected for attacks.

Postcards with confidential information can be sent in an envelope. As a result, unauthorised parties can no longer view the contents, or at the very least, access becomes much more difficult. An email certificate works in a similar way, but each email must be encrypted separately. More is needed here than the SSL certificate used to encrypt e.g. websites: SSL can be viewed as encrypting the transport route only. To ensure that the message contents themselves are also protected, an S/MIME certificate is required.

Confidentiality cannot be ensured if an email certificate has not been installed. Contents can not only be read by unauthorised parties, but can also be manipulated. Depending on the type of content or data captured, companies in particular run the risk of having their image damaged or even being put out of business. This is especially true if the content in question is considered confidential information, e.g. personal data, contracts or similar. Such events may even constitute a breach of a company’s obligation of secrecy. According to the Swiss Federal Act on Data Protection (FADP) and the European General Data Protection Regulation (GDPR), appropriate technical and organisational measures must be taken to protect data against unauthorised manipulation. In this instance, encryption is considered an adequate measure according to the state of the art (Art. 32 GDPR).

Good to know: Combining encryption and signatures enables you to achieve maximum security and trust. Continue reading this article to learn more.

S/MIME certificates for secure communication via email

Benefits of S/MIME certificates

An S/MIME certificate guarantees both the authenticity of the sender and the integrity of the message. It makes communication secure and confidential.

All benefits at a glance

  • Protects against phishing
  • Provides secure, encrypted transmission of emails
  • Ensures that message content has not been modified (integrity)
  • Unique, verified sender (authenticity)

SwissSign: Email ID Silver

Order your S/MIME certificate with validation level DV from our webshop today. Certificates are validated and issued automatically within minutes.

How S/MIME works

Unlike SSL certificates, S/MIME certificates are not automatically published. This means that senders and recipients first have to exchange their public keys before encrypted communication is possible. This process involves the following steps:

  1. The sender encrypts the message with the recipient’s public key and signs it with their private key.

  2. The recipient decrypts the message with their private key, the counterpart of the public key they sent to the sender. To verify the integrity of the message, they check its signature against the sender’s public key.

Good to know: The email sender’s signature is created based on the message content. This makes it possible to detect whether the message has been altered afterwards.

Side note: How encryption works

Symmetric encryption

The sender and recipient use the same key. They exchange it securely on just the one occasion and then keep it confidential.

Advantage: Large data volumes can be encrypted and decrypted quickly.

Disadvantage: Not suitable for large, open user groups due to problematic key distribution.

Asymmetric encryption

Each participant has a private and a public key. The private key is kept confidential, while the public key is provided to anyone who wants to send them an encrypted message.

Advantage: No private (confidential) keys need to be shared and the digital signature is supported.

Disadvantage: Requires more effort and private keys cannot be restored if lost.

Hybrid encryption

Hybrid encryption combines the speed of symmetric encryption with the security of asymmetric encryption.

Here, senders and recipients exchange their keys using asymmetric encryption methods. Symmetric encryption is then used in communications.
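The following is an added example, not SwissSign code and not the real S/MIME (CMS) wire format, written to make the three steps under "How S/MIME works" and the hybrid scheme just described concrete. It uses only the Go standard library; the `Envelope` type and the `Seal`/`Open` functions are assumptions chosen for illustration. The sender signs the message with its private key, encrypts message and signature under a fresh symmetric AES-GCM key, and wraps that key with the recipient's public key (RSA-OAEP). The recipient unwraps the key with its private key, decrypts, and verifies the signature with the sender's public key, so both a modified ciphertext and a message signed by someone other than the claimed sender are rejected.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is a constructed, illustrative container for one signed and
// hybrid-encrypted message (assumption: not CMS/S-MIME format).
type Envelope struct {
	WrappedKey []byte // AES key encrypted with the recipient's RSA public key (asymmetric layer)
	Nonce      []byte // AES-GCM nonce, used once with this key
	Ciphertext []byte // AES-GCM encryption of signature || plaintext (symmetric layer)
}

// Seal implements the sender's side: sign with own private key, encrypt
// with a fresh symmetric key, wrap that key for the recipient.
func Seal(plaintext []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	// Step 1a: signature over a hash of the content, so later changes are detectable.
	digest := sha256.Sum256(plaintext)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	// Fresh 256-bit symmetric key: fast for large bodies (symmetric advantage).
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Signature travels inside the encrypted layer; its length is the sender's modulus size.
	inner := append(append([]byte{}, sig...), plaintext...)
	ciphertext := gcm.Seal(nil, nonce, inner, nil)
	// Step 1b: only the short symmetric key goes through the slow asymmetric operation.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open implements the recipient's side: unwrap the symmetric key with own
// private key, decrypt, then verify the signature with the sender's public key.
func Open(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	// Step 2a: recover the symmetric key with the private counterpart of the published key.
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed: not addressed to this recipient")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	inner, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: ciphertext was altered in transit")
	}
	sigLen := senderPub.Size()
	if len(inner) < sigLen {
		return nil, errors.New("malformed message: signature missing")
	}
	sig, plaintext := inner[:sigLen], inner[sigLen:]
	// Step 2b: integrity and authenticity check against the claimed sender's public key.
	digest := sha256.Sum256(plaintext)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature invalid: content altered or sender not authentic")
	}
	return plaintext, nil
}

func main() {
	// Constructed key pairs standing in for two users' S/MIME certificates.
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, _ := Seal([]byte("Contract draft v3 attached."), alice, &bob.PublicKey)
	msg, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("recipient read: %q, err=%v\n", msg, err)
	env.Ciphertext[0] ^= 0xff // an intermediary flips one byte
	_, err = Open(env, bob, &alice.PublicKey)
	fmt.Println("after tampering:", err)
}
```

The recipient needs the sender's public key before it can verify, and the sender needs the recipient's public key before it can encrypt, which is exactly why the keys have to be exchanged first as the steps above describe. Note that the signature sits inside the encrypted layer, so only the addressee can even see who signed the message.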

S/MIME vs. OpenPGP

S/MIME and OpenPGP (the standard that GnuPG implements) are the two encryption standards for email. They are not compatible with each other. There is no difference between the two in terms of security, so which method is deemed more suitable depends on practicability, among other things. However, there is no consensus on this matter.

The alternative: email gateways

If you do not want to install an S/MIME certificate yourself, you can instead use an email gateway. This ensures efficient, centralised signing and encryption of all emails intended for external recipients within an organisation. The signature is provided automatically. If a public key is present, automated encryption can also be configured.

Your benefits

  • Gateways can handle pretty much all of the established encryption methods.
  • They are compatible with other email gateways, i.e. senders and recipients do not need to use the same one.
  • They look after key management (public and private keys).
  • And in some cases, they can be used without the need to install a plug-in.

SwissSign: partners for email gateways

With SwissSign, you benefit from an attractive partner network. The partners support you in integrating certificates into your existing environment or have already integrated SwissSign certificates into their own solutions.