Saturday, April 5, 2025

Gmail’s Encryption Update Sparks Fresh Debate Over Enterprise Email Security

Two things happened on April 1 that got cybersecurity professionals buzzing. First, a report revealed that U.S. national security advisers were using Gmail for sensitive military-related discussions. Then, Google announced a major Gmail security upgrade—end-to-end encryption for its Workspace users. Coincidence? Maybe. But either way, it’s got enterprises asking a key question: Is Gmail actually secure enough for serious business?

While Google insists no classified data was sent through its systems, the optics weren’t great—especially after previous leaks involving encrypted messaging apps like Signal. And now, despite Google’s move to beef up Gmail’s defenses, experts say encryption is only part of the puzzle.

Gmail’s New Feature: Good News, But With Strings Attached

Google’s rollout of end-to-end encryption (E2EE) for Gmail has been welcomed across the board. But it’s not automatic—and definitely not one-size-fits-all.

According to John Spencer-Taylor, co-founder and CEO of BrainGu, the ability to use your own encryption keys is a “game-changer” for organizations concerned with data control. He says it lets you keep data out of Google’s reach entirely.

But there’s a catch.

You have to enable it yourself. It won’t just turn on by magic.

Ensar Seker, CISO at SOCRadar, puts it bluntly: “It’s not applied to all communications and requires manual activation.” Not exactly plug and play.

For most companies, especially ones without dedicated IT teams, that’s a red flag. One forgotten checkbox could mean the difference between secured data and a disaster waiting to happen.

So yes, E2EE is powerful. But only if you use it properly.


Email Still Isn’t a Safe Haven for Sensitive Data

Even with all the bells and whistles, email has limits. Big ones.

Professor Raj Rajarajan from City St George’s, University of London, reminds us: Gmail can be made secure, but Google still has access to your stuff. That third-party factor? It never really goes away.

Lawrence Pingree from Dispersive breaks it down further.

“If you don’t control the encryption key, you don’t control the data,” he says. And with advancements like quantum computing on the horizon, even strong encryption could be cracked sooner than we think.

That’s not paranoia—it’s basic risk management.

Emails may seem harmless, but buried in threads and attachments could be contracts, intellectual property, or regulatory info worth millions.

How Enterprises Should Actually Secure Their Email

So what’s the smart move? It’s not just E2EE. Think layers—like a cybersecurity onion.

Seker emphasizes the need for stacked protections:

  • Use encryption gateways to keep data safe before it even hits Gmail

  • Set up DLP tools to prevent accidental leaks

  • Implement ID verification like multifactor authentication

  • Harden mobile and third-party app access

It’s a lot, but it works.

No single tool can cover all the angles, especially with so many users working remotely.

McQuiggan from KnowBe4 adds that educating employees is just as crucial. Teach them how to spot phishing and business email compromise (BEC) attempts before they do damage.

Here’s where it gets useful:

| Email Security Layer | Purpose | Who Should Use It |
|---|---|---|
| End-to-End Encryption | Scrambles content between users | Enterprises with proprietary data |
| DLP Tools | Stops data from leaking | Regulated industries |
| Multifactor Authentication | Prevents unauthorized logins | Everyone |
| Secure Email Gateways | Blocks phishing & malware | Mid to large-sized companies |

Because yes, one wrong click still ruins everything.

Not All Data Belongs in an Inbox

Lorrie Cranor from Carnegie Mellon makes a simple but critical point: even with encryption, messages stored on Gmail’s servers can live there forever.

Think about that.

One breach, years later, could expose a decade of old emails.

Cranor also notes that encryption in transit depends on the recipient’s server—if they’re not using a secure system, your efforts may be worthless.
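Whether each server on the path actually used TLS can be checked after delivery from the message's Received headers. The following is an added example, not part of the original article: it flags hops whose RFC 3848 transmission type records no TLS, using a constructed message with made-up host names.

```python
import re
from email import message_from_string

# RFC 3848 transmission types: a trailing "S" (optionally "SA") marks a TLS hop.
TLS_TYPE = re.compile(r"^(UTF8)?(E?SMTP|LMTP)SA?$", re.I)
HOP = re.compile(r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)"
                 r".*?\bwith\s+(?P<proto>[A-Za-z0-9]+)", re.I | re.S)

# Constructed sample message (newest Received header first); hosts are illustrative.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby store.recipient.example with ESMTPS id c3 (version=TLS1_3);
\tSat, 5 Apr 2025 10:00:03 +0000
Received: from smtp.sender.example (smtp.sender.example [203.0.113.9])
\tby mx.recipient.example with ESMTP id b2;
\tSat, 5 Apr 2025 10:00:02 +0000
Received: from laptop.sender.example (unknown [192.0.2.44])
\tby smtp.sender.example with ESMTPSA id a1;
\tSat, 5 Apr 2025 10:00:01 +0000
From: alice@sender.example
To: cfo@recipient.example
Subject: Q2 contract draft

See attached.
"""

def hops(raw):
    """Return (src, dst, proto, used_tls) for each hop, oldest first."""
    # Each server writes its own Received line; lines added before the first
    # server you trust are self-reported by the sender side and can be forged.
    msg = message_from_string(raw)
    out = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            proto = m["proto"].upper()
            out.append((m["src"], m["dst"], proto, bool(TLS_TYPE.match(proto))))
    return out

def plaintext_hops(raw):
    """Hops whose transmission type does not indicate TLS."""
    return [h[:3] for h in hops(raw) if not h[3]]

if __name__ == "__main__":
    for src, dst, proto in plaintext_hops(SAMPLE):
        print(f"no TLS recorded: {src} -> {dst} ({proto})")
```

In the sample, the sender's submission and the recipient's internal hop are encrypted, but the handoff between the two organizations is not, which is the case the paragraph above describes.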

There’s also the device factor. Weak passwords, unsecured phones, and stolen laptops can undermine even the best backend protection.

So really, email might be secure today… but what about tomorrow?

What Enterprises Should Keep Off Gmail Altogether

You can encrypt everything, but that doesn’t mean you should email everything.

Seker circles back to the key issue: compliance.

If your company falls under HIPAA, GDPR, or CMMC regulations, Gmail—even with E2EE—might not cut it.

His advice? Rethink what information actually needs to be emailed in the first place.

Less is more.

Think of Gmail as the hallway conversation, not the confidential boardroom.

Some content simply shouldn’t leave a secure file-sharing platform or a private server:

  • Patient health records

  • Legal disputes

  • Intellectual property details

  • Internal investigations

  • Password resets and credentials

Because once it’s in an email? You can’t take it back.

Davis Emily
Emily is a versatile and passionate content writer with a talent for storytelling and audience engagement. With a degree in English and expertise in SEO, she has crafted compelling content for various industries, including business, technology, healthcare, and lifestyle, always capturing her unique voice.
