Email is one of the most common channels used by hackers to gain access to accounts and vital information.
While Gmail is extremely secure, Google offers additional security over and above the usual protections for Google Workspace Enterprise Gmail users with client-side encryption (CSE). Recently, Google has made this available for all senders whether or not the receiver has CSE enabled.
Smaller businesses already enjoy multiple security layers with Gmail, and businesses of any size can get extra protection with the Google Advanced Protection Program.
New Rollout: End-To-End Encrypted Emails Can Be Sent to Anyone
Google Workspace Enterprise users can now send end-to-end encrypted emails to anyone, even recipients who do not have client-side encryption enabled. It was announced earlier this year, and it is now available for use.
You may want to use this feature for sending:
- Important contracts and legal documents
- Anything containing potentially sensitive information
You won’t want to use it for all emails, because it adds an extra step for the recipient: they have to sign in to a guest account to access the email. They won’t have to do this if they have client-side encryption enabled, but most recipients won’t have it.
The feature does need to be enabled by an administrator by following these steps. It will be on by default for end users once an administrator turns it on. In order to access it, you must have Google Enterprise Plus with the Assured Controls add-on.
Google Advanced Protection Program
The Google Advanced Protection Program was introduced for accounts that require extra high levels of security, and requires use of a passkey to sign in to your Google Account.
While it is meant to secure your overall account rather than to serve as a security measure specific to email, it does prevent unauthorized users from accessing your email. Someone cannot access your account just by knowing your email and password; they’ll need the physical device in the account holder’s possession too.
Google recommends it for the following personnel:
- Business executives
- Any employees/volunteers in an active conflict zone
- Anyone working on a political campaign
- Journalists
There is zero downside to enrolling everyone in your business in the program, beyond your staff having to take an extra step to authenticate their account every day and the minor cost of having to purchase a physical passkey for each account holder. Passkeys are generally $20-50, and there is no cost on Google’s end to enroll an account. This small cost mitigates a massive risk, and it is a one-time line item with the exception of lost passkey replacements.
Full instructions for enrollment are available here for both individuals and Google Workspace administrators.
What Email Security is Available for Smaller Businesses?
If you don’t have a Google Workspace Enterprise plan, you don’t have to worry about your email being insecure - far from it. Client-side encryption is an extra layer on top of multiple measures that Google constantly uses to ensure the security of emails in transit and in storage.
Most small businesses don’t require client-side encryption or the additional measures that come with the Google Advanced Protection Program. Only companies that have to adhere to specific regulations or standards need CSE, while companies in sectors targeted by malicious actors (such as financial services) may require the protections offered by the Google Advanced Protection Program.
If you have a paid Workspace plan, Gmail will always use Transport Layer Security (TLS) where available to send secure emails. TLS is a protocol that prevents unauthorized access to emails in transit, and most email hosts use it.
The only way that your email won’t be sent using TLS is if your receiver’s email host does not use TLS. There are no extra measures you need to take; Gmail always works this way.
You can find out more about how Gmail protects your emails here. You can check how secure your emails are on your Google account here.
What Do I Need to Do for My Business?
This all depends on your unique risk profile, but these are our general recommendations.
Large or Sensitive-Sector (e.g. Financial or Healthcare) Business
Upgrade to Google Enterprise Plus with the Assured Controls add-on. This will give you access to the new client-side email encryption features as well as the entire feature set of Assured Controls that will bring you into compliance with multiple regulatory requirements, including FINRA. Enroll all regular staff in the Google Advanced Protection Program.
Small to Medium Business
Choose the Google Workspace plan that best suits your business and enroll business-critical employees and high-risk employees (those in active conflict zones, those engaged in political campaigns, etc.) in the Google Advanced Protection Program. If you don’t want to enroll in Advanced Protection, make sure multi-factor authentication is forced in your Google Admin console and change passwords once every 3-4 months.
Of course, there are nuances involved, such as having a smaller business in the financial services sector. Get in touch with us and we’ll make sure you get a customized Google Workspace experience that makes your company more productive and secure. As a trusted Google Premier Partner since Google started selling Google Workspace, UpCurve Cloud has upgraded countless businesses, nonprofits, and government organizations to Google’s superior ecosystem.