Gmail Is Not a Secure Way to Send Sensitive Comms: A Friendly Reminder

[Becky Bracken, Senior Editor, Dark Reading](/author/becky-bracken)
April 4, 2025 | 5 Min Read

A couple of developments this week might have left lingering questions about the information security of Gmail, Google’s ubiquitous email platform.
Here’s what cybersecurity experts say is the appropriate way for enterprises to secure their Gmail communications and what should be left off the platform altogether.

On April 1, The Washington Post reported that US National Security advisers were [using Gmail for official communications](https://www.washingtonpost.com/national-security/2025/04/01/waltz-national-security-council-signal-gmail/), including ‘highly technical conversations with colleagues at other government agencies involving sensitive military positions and powerful weapons systems relating to an ongoing conflict.’ The National Security Council pushed back, stressing Gmail was never used to send any classified materials. However, the news drew scrutiny in light of the recent revelations of the team’s [Signal leak of classified military information](https://www.politico.com/news/2025/04/02/waltzs-team-set-up-at-least-20-signal-group-chats-for-crises-across-the-world-00266845).

The same day, Google announced its email service would implement a new Google Workspace feature and provide [end-to-end encryption in Gmail](https://www.darkreading.com/data-privacy/google-end-to-end-encryption-gmail).

While enterprises aren’t likely dealing with attack plans, their business communications can contain all sorts of existential proprietary data the C-suite guards as closely as US national secrets. Gmail’s new end-to-end encryption is an excellent step forward in securing enterprise communications, according to [John Spencer-Taylor](https://www.darkreading.com/author/john-spencer-taylor), co-founder and CEO of BrainGu.

‘Google Workspace has always encrypted email and data in transit and at rest. But, this new rollout is different in that it allows users to extend encryption beyond Google’s ecosystem,’ Spencer-Taylor says.
‘At higher-paid tiers, it even lets organizations bring their own encryption keys, keeping data inaccessible to Google itself.’ Critically, it adds security without making things more complicated, he points out.

‘For organizations concerned about data sovereignty and privacy, especially outside the Google ecosystem, this gives them tighter control and an extra layer of assurance,’ Spencer-Taylor says.

However, enterprises should recognize Gmail’s new E2EE isn’t set up by default.

‘Google’s rollout of end-to-end encryption for Gmail is a step in the right direction, but it’s important to understand the nuance: it’s not automatically applied to all communications and requires manual activation in some cases,’ Ensar Seker, chief information security officer (CISO) of SOCRadar, says.

How Secure is Gmail?
--------------------

Security teams should also consider that when all of Gmail’s encryption controls are in place inside the enterprise, Google is still a third party and a potential point of information security failure, says professor Raj Rajarajan, director of the Institute for Cyber Security at City St George’s, University of London.

‘If the user knows how to apply the correct settings in Gmail, it can be made secure,’ Rajarajan says. ‘Nevertheless, Google still has access to your emails and content.’

Any time a third party has access to your data, there is a potential for compromise, Lawrence Pingree, vice president of Dispersive, explains.

‘There are quite a few capabilities in security you need to consider, for instance if you do not control data, do you retain an encryption key,’ Pingree says. ‘If not, and the third party does, then, of course, they could access your data, and that’s ignoring that encryption can be brute forced or potentially cracked (when quantum computing arrives).
Really, no matter how you slice it, if you use a software as a service, and that service has your data, it’s an added risk.’

Securing enterprise email, regardless of the platform, requires additional layers of protection, Seker says. ‘Enterprises should layer their email security with dedicated encryption gateways, data loss prevention (DLP) tools, and identity verification mechanisms,’ Seker adds. ‘It’s also critical to ensure mobile access and third-party integrations don’t weaken those controls.’

Robust user awareness against phishing threats and business email compromise scams is another important factor in securing email communications.

‘For email gateway systems, implementing data loss prevention policies and configuration rules and filters will work to filter, detect, and block sensitive data leakage or allow phishing and malware from reaching mailboxes,’ James McQuiggan, a security awareness advocate at KnowBe4, explains. ‘It’s important to teach users about phishing and business email compromise scams, as well as how to recognize these types of emails.’

Lorrie Cranor, director and Bosch Distinguished Professor in Security and Privacy Technologies at Carnegie Mellon’s CyLab, explains that regardless of encryption protections, user devices and accounts need to be secured.

‘While Gmail uses encryption in transit, if supported by the recipient’s server, it is not currently end-to-end encrypted, which means that there is the potential of exposing that sensitive data on both Google’s servers and the recipient’s servers,’ Cranor explains. ‘In addition, Gmail messages may be stored indefinitely on Google’s servers.
Furthermore, depending on how well the user secures the devices they use to send and receive email and whether they use strong passwords and multifactor authentication, there may be a risk of someone accessing sent or received email on their device or by accessing their account.’

Regardless of the cybersecurity tools, controls, and practices in place, email is not a bulletproof method for communicating, and enterprises should be selective about what they allow to traverse Gmail, as well as other platforms. Cranor adds that businesses need to make decisions about what is sent over email based on their own tolerance for risk. Seker agrees, and stresses that sensitive data isn’t just proprietary business information — it’s regulated data as well.

‘Google’s rollout of end-to-end encryption for Gmail is a step in the right direction, but it’s important to understand the nuance: it’s not automatically applied to all communications and requires manual activation in some cases,’ Seker says. ‘For enterprise environments, especially those subject to compliance standards like HIPAA, GDPR, or CMMC, relying solely on Gmail, even with E2EE, isn’t enough.’

About the Author
----------------

[Becky Bracken, Senior Editor, Dark Reading](/author/becky-bracken)

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.
