If you turn on any national news channel throughout your day, it’s practically guaranteed that they’re going to cover a breaking story about an organization suffering a cybersecurity breach.

That might seem like a bold statement but, as it stands today, bad actors hack around 30,000 websites every day. That’s almost triple the amount of breached sites over the course of a year than the average annual salary of a professional baseball player.

In other words, it’s no wonder that we hear about global companies and government agencies getting hacked all over the media. With breaching trends like the statistic above, there’s so much content to cover that even the biggest networks can’t keep up.

Ultimately, the malicious groups or individuals who wreak havoc across the net aren’t just trying to slow down businesses because they have nothing better to do. The majority attack organizations’ network infrastructures for financial gain.

Over half of all cyber attacks were financially motivated in 2018. Yet, how can hackers make any money from getting into an organization’s system? You most likely know the answer to that question, bad actors target sensitive information.

Whether it’s protected health information (PHI) or financial information, a hacker group can scam their way into a fortune if they get their hands on any little morsel of data from either of those categories.

As a result, organizations of all sizes have no choice but to pour money into ways to protect their most valuable asset’s (customers) data. If they don’t they risk hemorrhaging revenue due to a loss in trust and fines from the government.

That scenario likely describes a similar situation you’re facing right now.

Yet, if you Googled anything about how to protect the sensitive information your organization works with, it wouldn’t take long before you come across encryption as a recommendation.

I went ahead and did that Google search for you. The answer to the third related question, “What is primary method of protecting sensitive data?” at the top of the search results recommended encryption. 

It’s recommended so often because it slows down hackers tremendously. For example, it would take 10.79 quintillion years at 1 trillion attempts per second to break modern-day encryption methods.

It's great that it works so well, but how do you use it to your advantage? More importantly, is there a way to encrypt the emails you send out?

After all, if you’re an organization that handles PHI daily, you don’t want to have an unintentional HIPAA violation on your hands because you attached sensitive data to an unencrypted email.

But, is activating encryption as easy as typing the word “secure” in the subject line of your email? It could.

• Emailing is a Risk

• “Secure” is Sometimes Used as a Trigger

• How Do I Know if My Email is Secure

• Conclusion

The reality is that emailing keeps your IT department heads up at night. 95% of IT managers agree that their client and organizational data is at risk on email.

If it’s such a massive risk, why not find an alternative?

The obvious answer is that email isn’t a replaceable communication method. Imagine if you stopped all electronic communication at your organization and went back to paper memos and mail. Although a tried and true method, your business wouldn’t be able to function properly without instant messaging between your team and your clients.

So, how can you mitigate the risks associated with email?

Most individual email accounts don’t natively use encryption. Yet, the majority of popular email providers offer a paid service that encrypts your team's electronic messages.

The price table above is for Gmail Enterprise. The top-selling point across all tiers is that it provides “Custom and secure business email”.

Although generic-sounding, further research confirms that Gmail Enterprise provides the ability to encrypt all the emails from your organization via S/MIME encryption.

But Google isn’t the only organization to offer encrypted emailing capabilities.

Microsoft 365 also offers message encryption via OME, S/MIME and IRM.

Most IT departments realize that your email providers can encrypt all of your messages, which eases their anxiety enough to get some sleep.

Certain encryption methods are more secure than others.

Transport Layer Security (TLS) is the standard, yet it only secures the message, not any additional data that’s included or attached in an email. 

End-to-end is a step above TLS message encryption as it encrypts both the message and the data by requiring the recipient to decode attached data using a private key.

Of course, every organization that handles sensitive information wants to use end-to-end encryption. If you have an option to choose the best, you’re going to do it. But end-to-end encryption usually comes at a higher price point than the standard, or TLS. 

As a result, the organizations that purchase end-to-end encryption services from a cybersecurity vendor are usually charged by volume.

To ensure that it’s not overcharged for using end-to-end for every message, most organizations work with their vendors to implement a keyword that triggers a higher level of encryption for a message.

Usually, that trigger is providing the word “secure” in the subject line.

The screenshot above comes from a document found on Google from The University of Massachusetts Lowell (UML). The document explains how users can send encrypted emails. In their case, they have to provide “[secure]” in the subject line, without any differences.

As another example, the image above comes from Stanford University’s IT department. They use a similar approach to UML in that they have a subject line trigger in place. Yet, Stanford’s trigger isn’t case-sensitive and doesn’t require brackets. Furthermore, the university provides more details about what type of data requires the encryption trigger.

The point I tried making in the section above was that typing the word “secure” in an email might encrypt your message. However, it depends on whether or not your organization has a vendor that provides encryption and if that’s the subject line trigger.

If you don’t have an encryption vendor, typing “secure” won’t provide any additional protection to what you’re sending. If you do, typing “secure” might not be the right word to signify the need for added security.

In any case, before you send anything that has the potential to cause a cybersecurity breach, talk to your IT department first.

The last thing you want to do is send sensitive data over an unsecured medium. That leads to disciplinary action from your manager and potentially massive fines from the government.

In the meantime, a best practice is to assume that your email communications aren’t secure. That way you and your team understand the line between what they can and cannot send among each other and outside of your organization.

I imagine when you asked the question, “Does typing ‘secure’ in the subject line encrypt email?” you didn’t realize how long of an answer you’d receive.

Yet, the fact of the matter is that it’s not a black and white question. The true answer is that it might encrypt your email if your IT department has encryption and a trigger in place. But electronic mail providers won’t natively encrypt your messages unless you have their paid service.

If you don’t have the encryption process in place that protects your messages with a subject line keyword trigger, adding the word “secure” to your subject line won’t bring you much benefit.

It might make you and your recipient feel like the conversation is private. But a hacker could easily barge their way in and steal any data that you’re sending to each other.