Email encryption in companies: Turning awareness into a real safety culture

Many organisations assume that their emails are transmitted securely. But between sending and receiving a message, there are several points at which content can be intercepted, read or manipulated. Email encryption provides protection at precisely these points – provided it is used correctly and utilised by employees. This article shows what companies and authorities can actually do.

Unencrypted emails: postcards that anyone can read

An unencrypted email is like a postcard: the content is exposed and whoever gets hold of it on the way to the recipient can read it. In times of digital communication, this sounds abstract – but it describes pretty accurately what happens technically when organisations communicate without adequate protection.

Emails pass through several servers and network nodes on their way to the recipient. At each of these points, messages can be intercepted, copied or manipulated. External attackers are not always involved: misconfigurations, compromised servers or insecure Wi-Fi connections also open doors that are better left closed. It is worth taking a closer look at how attackers actually go about this and which risks lurk in everyday work.

Typical risks in everyday email

Before looking at solutions, it is worth taking a look at the real attack vectors that are repeatedly exploited in day-to-day business:

  • Man-in-the-middle attacks: An attacker positions themselves between the sender and recipient and reads the communication or modifies it.
  • Interception on mail servers: Compromised or poorly secured mail servers, whether operated by a provider or by a third party, can expose messages in plain text.
  • Phishing and spoofing: Without a signature, the sender of an email can be easily falsified. Employees can thus be tricked into handing over sensitive data.
  • Insecure network connections: Anyone working from home or on the move on insecure Wi-Fi networks runs the risk of emails being read – especially if end-to-end encryption is not active.
  • Misdirected or stored messages: Unencrypted mail is also available in plain text on the servers of your own email provider.

These risks cannot be eliminated by caution alone. They require technical protective measures – and this is exactly where email encryption comes in. However, not all encryption is the same: the scope of protection and intended use differ considerably depending on which level is being protected.

Two levels of protection in email encryption: transport encryption and end-to-end encryption

When people talk about "email encryption", they often mean different things. Two basic concepts can be clearly distinguished from each other – and the difference is crucial in practice:

Transport encryption (TLS)

Most modern mail servers today use TLS (Transport Layer Security) to encrypt the connection between the servers. This protects emails in transit, comparable to a secure tunnel between two postal stations. TLS is now standard and should be a prerequisite for all email communication.

The problem is that the message is available in plain text on the servers themselves. TLS protects the line, not the content. In addition, TLS is only effective if both mail servers involved support it and have configured it correctly – which is not always guaranteed. Anyone who has access to one of these servers can still read the messages.
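How far TLS actually reached can be read off the message itself: every server that handled it adds a "Received:" header, and many record whether that particular session used TLS. The following Go program is an added example (not code from this article or from mailbox.org) that parses those headers and flags the hops on which the message travelled in plain text. The three-hop message it analyses is constructed for the example: a public relay in Postfix style, an internal Exchange-style server, and a client-to-server hop without TLS. Host names, addresses and IDs are made up, and the two logging formats it recognises are assumptions based on how Postfix and Exchange commonly phrase their Received lines.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Hop is one server-to-server leg of a message's journey, reconstructed from a
// "Received:" header. TLS is hop-by-hop: only legs whose receiving server logged
// an encrypted SMTP session were protected in transit.
type Hop struct {
	From, By  string
	Protocol  string // ESMTP (plain), ESMTPS (TLS), ESMTPSA (TLS + auth), ...
	TLS       string // version and cipher, when the server logged them
	Encrypted bool
}

var (
	reFrom = regexp.MustCompile(`(?i)\bfrom\s+(\S+)`)
	reBy   = regexp.MustCompile(`(?i)\bby\s+(\S+)`)
	reWith = regexp.MustCompile(`(?i)\bwith\s+((?:UTF8)?E?SMTPS?A?)\b`)
	// Postfix style (assumed): "(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))"
	rePostfixTLS = regexp.MustCompile(`(?i)using\s+(TLSv[\d.]+)\s+with\s+cipher\s+([A-Z0-9_-]+)`)
	// Exchange style (assumed): "(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)"
	reExchangeTLS = regexp.MustCompile(`(?i)version=([^\s,)]+),?\s+cipher=([^\s,)]+)`)
)

// first returns the first capture group of re in s, or "" if there is no match.
func first(re *regexp.Regexp, s string) string {
	if m := re.FindStringSubmatch(s); m != nil {
		return m[1]
	}
	return ""
}

// AnalyzeHops parses a raw message and classifies every Received hop, most
// recent (closest to the recipient) first, in the order the headers are stacked.
func AnalyzeHops(raw string) ([]Hop, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	var hops []Hop
	for _, rcv := range msg.Header["Received"] {
		h := Hop{From: first(reFrom, rcv), By: first(reBy, rcv), Protocol: strings.ToUpper(first(reWith, rcv))}
		for _, re := range []*regexp.Regexp{rePostfixTLS, reExchangeTLS} {
			if m := re.FindStringSubmatch(rcv); m != nil {
				h.TLS = m[1] + " " + m[2]
				break
			}
		}
		// An "S" in the protocol name or a logged cipher means the session used TLS.
		h.Encrypted = strings.Contains(h.Protocol, "SMTPS") || h.TLS != ""
		hops = append(hops, h)
	}
	return hops, nil
}

// UnprotectedHops returns the legs on which the message travelled in plain text.
func UnprotectedHops(hops []Hop) []Hop {
	var out []Hop
	for _, h := range hops {
		if !h.Encrypted {
			out = append(out, h)
		}
	}
	return out
}

// sampleMessage is constructed for this example: three hops, of which the first
// (mail client to the internal Exchange server) used plain ESMTP without TLS.
const sampleMessage = "Received: from mx.example.com (mx.example.com [192.0.2.10])\r\n" +
	"\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\r\n" +
	"\tby mail.recipient.example (Postfix) with ESMTPS id 4ABCDEF\r\n" +
	"\tfor <bob@recipient.example>; Mon, 1 Jan 2024 10:00:03 +0000\r\n" +
	"Received: from INTERNAL-EX01.corp.example (10.0.0.5) by mx.example.com (192.0.2.10)\r\n" +
	"\twith Microsoft SMTP Server (version=TLS1_2,\r\n" +
	"\tcipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1234.5;\r\n" +
	"\tMon, 1 Jan 2024 10:00:02 +0000\r\n" +
	"Received: from [10.0.0.77] (10.0.0.77) by INTERNAL-EX01.corp.example\r\n" +
	"\twith ESMTP id abc123; Mon, 1 Jan 2024 10:00:01 +0000\r\n" +
	"From: alice@example.com\r\nTo: bob@recipient.example\r\nSubject: Quarterly figures\r\n" +
	"\r\nBody omitted.\r\n"

func main() {
	hops, err := AnalyzeHops(sampleMessage)
	if err != nil {
		panic(err)
	}
	for i, h := range hops {
		fmt.Printf("hop %d: %s -> %s [%s] encrypted=%t %s\n", len(hops)-i, h.From, h.By, h.Protocol, h.Encrypted, h.TLS)
	}
	fmt.Printf("%d of %d hops unprotected\n", len(UnprotectedHops(hops)), len(hops))
}
```

Run against your own archived mail, the report shows the situation the paragraph above describes: the public hop between the two providers may be fine while an internal hop, or one inside a partner's infrastructure, is still plain text. A hop that logs nothing about TLS should be treated as unencrypted, because the header only proves what the receiving server chose to record.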

End-to-end encryption (E2EE)

With end-to-end encryption, the message is encrypted on the sender's device and only decrypted again on the recipient's device. No server in between – not even that of the email provider – can read the content. This is true confidentiality, and there is no way around it for really sensitive content.

Two standards have been established for end-to-end encryption of emails:

  • S/MIME (Secure/Multipurpose Internet Mail Extensions): A certificate-based standard that builds on a PKI (Public Key Infrastructure). Certificates are issued by certification authorities and can be easily integrated into existing company infrastructures and common email clients. S/MIME is particularly widespread in corporate and government environments.
  • PGP (Pretty Good Privacy): An open standard in which each communication partner has a key pair: a public key for encryption and a private key for decryption. The sender and recipient must exchange their public keys. PGP is particularly widespread in tech-savvy environments and is natively supported by mailbox.

In addition to encryption, both standards also enable emails to be digitally signed – another important security feature that confirms the identity of the sender and makes tampering recognisable.
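To make the difference between "the line is protected" and "the content is protected" concrete, here is an added example in Go (not code from this article, from mailbox.org, or from any S/MIME or PGP implementation) that models what both standards do underneath: the sender signs with her private key, a fresh symmetric key encrypts the content, and only that key is encrypted to the recipient's public key. The participant names (Alice, Bob, Mallory), the sample text and the envelope layout are assumptions made for the demo; a real S/MIME or PGP message is a standardised format carrying certificates or key IDs, not this struct.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is everything a mail server on the path gets to see. Without the
// recipient's private key neither the content key nor the text is recoverable.
type Envelope struct {
	WrappedKey []byte // AES content key, RSA-OAEP encrypted to the recipient's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM over (sender's signature || plaintext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs the plaintext with the sender's private key, then encrypts signature
// and plaintext for the recipient (sign-then-encrypt, the usual S/MIME layering).
func Seal(plaintext []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (Envelope, error) {
	digest := sha256.Sum256(plaintext)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Envelope{}, err
	}
	// A fresh symmetric content key per message; RSA is only used to wrap it.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	payload := append(sig, plaintext...)
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil)}, nil
}

// Open decrypts with the recipient's private key and checks the signature against
// the public key of the claimed sender; tampering or a wrong sender is rejected.
func Open(env Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("not encrypted for this recipient")
	}
	gcm, err := newGCM(key)
	if err != nil || len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("malformed envelope")
	}
	payload, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext was modified in transit")
	}
	if len(payload) < sender.Size() {
		return nil, errors.New("malformed payload")
	}
	sig, plaintext := payload[:sender.Size()], payload[sender.Size():]
	digest := sha256.Sum256(plaintext)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature does not match the claimed sender")
	}
	return plaintext, nil
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	mallory, _ := rsa.GenerateKey(rand.Reader, 2048) // a third party who also has Bob's public key
	msg := []byte("Personnel data: salary review, strictly confidential") // constructed sample
	env, _ := Seal(msg, alice, &bob.PublicKey)
	fmt.Println("relay can read the text:", bytes.Contains(env.Ciphertext, msg))
	got, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("bob reads %q, err=%v\n", got, err)
	forged, _ := Seal(msg, mallory, &bob.PublicKey)
	_, err = Open(forged, bob, &alice.PublicKey)
	fmt.Println("encrypted to bob but signed by someone else:", err)
}
```

The relay between the two mailboxes only ever sees the envelope. Opening it with the wrong private key fails at the key-unwrapping step, a changed byte fails the authenticated-encryption check, and a message that Mallory encrypts to Bob under her own signature is rejected when Bob verifies it against Alice's public key. That last check is what the digital signature adds over encryption alone: confidentiality says nobody else could read it, the signature says who wrote it.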

TLS vs. End-to-End Encryption:

TLS protects emails while they are in transit between two servers. On the server itself, they are stored in plain text.

End-to-end encryption using PGP or S/MIME fully protects the content: only the sender and recipient can read the message.

Why technical solutions alone are not enough

Even the best encryption standard is of little use if it is not used in practice. Many organisations have the technical possibilities, but employees do not use them in their day-to-day work. The reasons for this are usually the same: encryption is considered complicated, time-consuming or "not relevant to me".

Awareness of secure email communication can be built up in a targeted manner – and it pays off.

Creating awareness: how to make email encryption a lived practice

Step 1: Honestly assess the status quo

Before planning measures, it is worth taking an internal look: How are emails currently sent? Which systems are in use? Are there already guidelines in place and are they being adhered to? A brief internal survey or a security audit can provide clarity.

Step 2: Formulate clear guidelines

Organisations need binding guidelines on what type of information must be protected and how. A simple classification into "internal/non-sensitive", "confidential" (e.g. personnel data, contracts) and "strictly confidential" helps to decide whether transport encryption is sufficient or whether end-to-end encryption is recommended or even mandatory.

Step 3: Carry out targeted training on email encryption

One-off mandatory training sessions quickly fizzle out. Measures such as the following are more effective, as they have been proven to increase participation:

  • Short, regular learning units (5-10 minutes) on specific scenarios
  • Practical examples from your own industry, e.g. a simulated phishing attempt or a "what if" scenario
  • Playful elements such as quizzes

Step 4: Provide the right tools at a low threshold

Willingness increases significantly when encryption simply works. This means:

  • Organising key management centrally, not leaving it to each individual
  • Ensuring integration into existing email clients
  • Providing instructions that are really understandable for the workforce

Step 5: Involve managers as role models

Security culture comes from the top. If the management or head of the authority communicates in encrypted form – and makes this visible – the inhibition threshold in the team drops significantly. Managers should therefore be involved and trained at a particularly early stage.

Step 6: Test and improve regularly

Creating awareness is not a one-off task. Regular tests – such as simulated phishing emails or reviews of encryption practices – show where gaps exist and help to tighten up measures in a targeted manner.

GDPR and Email:

The GDPR requires organizations to implement “appropriate technical measures” to protect personal data (Art. 32). In the case of sensitive content such as health or financial data, the lack of encryption can be considered a breach of duty. If a data breach occurs, companies and government agencies must notify the relevant supervisory authority within 72 hours. If there is a high risk to the individuals concerned, they must also be notified directly.

Conclusion: email encryption is not an IT issue – it is an organisational issue

Email encryption is a basic requirement for trustworthy digital communication: in companies, public authorities and wherever sensitive information is exchanged on a daily basis.

Transport encryption via TLS is standard today and should be taken for granted. For truly confidential content, however, there is no way around end-to-end encryption with S/MIME or PGP. Which standard is more suitable depends on the infrastructure, the requirements and the communication partners; both can be reliably implemented in modern mail environments. Our blog posts explain how to use S/MIME and PGP with mailbox.

The real challenge lies not in the technology, but in the culture: email encryption must become a matter of course. This can be achieved through clear guidelines, practical training and tools that make it easier to use rather than more difficult. In this way, secure communication becomes the norm, not the exception.