Email security is often overlooked, yet it is one of the most critical security elements to employ. Securing email communications involves more than just encrypting data transmissions and is only partially within your control. No matter how hard you try, your ability to fully secure an email account is limited.
You’d think that using email from big tech providers like Gmail, Yahoo, and Microsoft would provide you with the highest possible levels of security. Unfortunately, that’s not true, and the damage can extend far beyond stolen emails.
Not only do these email providers get hacked frequently, but some incidents give hackers remote control over their victims’ machines. One such incident occurred in early 2023 when hackers used a Zero Day exploit to attack on-premises Microsoft Exchange Server installations. After gaining access to email accounts, hackers installed malware to gain remote control of the entire environment.
If you think your big tech email account is secure, think again. While you can employ several solutions to secure your account as much as possible, here’s why it won’t be enough.
Encryption isn’t enough
When you use a free email service provided by a tech company, your emails bounce across several servers and end up resting on your provider’s email server. When you encrypt your email communications, hackers won’t be able to read any emails they intercept or steal from the servers. However, you have no control over the email server that holds all of your emails.
Chances are, your emails are not encrypted end-to-end. For example, Gmail encrypts email in transit, but once your email arrives at its destination, it won’t stay encrypted unless the recipient supports encryption. This breaks the chain of end-to-end encryption.
You can use add-on services to ensure end-to-end encryption, but those services often fall short and require your recipients to either share your email provider or download software.
The other problem with encryption is that your email provider might not store decryption keys securely. If anyone gets the decryption key, your emails can be stolen and read.
A data breach might expose your login credentials
Almost all big tech companies have fallen victim to at least one data breach. For example, in 2014, at least 500 million Yahoo accounts were exposed in a major breach. In 2014, 5 million Google account credentials were leaked and posted to a hacker forum. These are just a couple of examples. The list of incidents is a mile long.
Insider threats can bypass most encryption efforts
While some hackers aren’t skilled enough to hack a decryption key from a tech corporation, that only applies to external threats. An insider threat – someone who works for the company and has access to decryption keys – will know exactly how to steal a secured decryption key.
The only secure email account is one whose provider doesn’t have the ability to access its own decryption keys outside of their intended use.
Encrypted emails can be deciphered by your email provider
Hackers might not be your only concern. For example, if you’re a whistleblower, encrypted email won’t make a difference if your email provider can decrypt and read your emails.
If your email provider is willing to read and report the contents of your emails, you can’t afford to use their email services.
While no email account is perfectly secure, some providers come close.
Start using a secure, encrypted email account
You know your email account is highly secure when you can’t recover a lost password. That means your email provider can’t access your account, either. Only you and your recipient will receive your communications.
If you lose your password for your Yahoo, Gmail, or Microsoft email accounts, there’s a process for recovery. That means hackers can also potentially reset or recover your password if they can gain access to that system.
Encrypted email providers like ProtonMail and Tutanota don’t provide password recovery options. If you forget your password, you’re locked out forever. These providers also don’t have access to their own decryption keys, which eliminates the possibility of insider threats.
While ProtonMail has slightly better security, they’re both equally good options. However, there’s one thing you should know before using encrypted email: encrypted content isn’t searchable on the email server. That means you need to file your emails meticulously because you won’t be able to pull them up in a search using keywords.
ProtonMail doesn’t encrypt subject lines, so at least those are searchable. However, Tutanota encrypts the body text and subject lines.
Free services always come with a price
Some free email providers offer features that are unrivaled by other providers. However, consider switching to a more secure email platform. You’ll pay a fee, but it’s a small price to pay for true security and peace of mind.