
Gmail Security Under Fire After Sensitive Use Claims


Concerns about Gmail’s security resurfaced this week following two major developments that put the email platform under fresh scrutiny. The spotlight was triggered by a report from The Washington Post revealing that members of the US National Security Council had used Gmail for sensitive discussions involving military operations. Although officials clarified that no classified information was shared via Gmail, the timing, on the heels of a Signal messaging leak, sparked renewed debate about the platform’s security posture, especially in high-stakes environments.

That same day, Google unveiled a significant update to its email service, announcing new end-to-end encryption capabilities for Gmail through Google Workspace. While this update marks a meaningful step forward in protecting enterprise communications, experts say companies still need to be cautious about what they send through Gmail—and ensure they activate the proper safeguards.

For businesses, sensitive information might not be state secrets, but intellectual property, strategy documents, and customer data carry just as much weight. That’s why Gmail’s enhanced encryption is being welcomed by many in the cybersecurity world. According to John Spencer-Taylor, co-founder and CEO of BrainGu, this feature finally allows emails to be encrypted beyond Google’s ecosystem. In some advanced subscription tiers, organizations can even use their own encryption keys, which adds a layer of control by keeping data hidden from Google itself.

He emphasizes that this additional protection doesn’t complicate usability. In fact, it improves security while maintaining simplicity—something critical for businesses that want to tighten data privacy without burdening users.

Yet, there’s an important caveat: Gmail’s new end-to-end encryption doesn’t turn on by default. Ensar Seker, CISO of SOCRadar, notes that while the feature is a positive development, it requires manual activation in many cases. So unless organizations take deliberate action, they won’t be getting the full benefit of the new encryption measures.

Even with all controls in place, security experts warn that Gmail still poses certain risks. Raj Rajarajan, director at the Institute for Cyber Security at City St George’s, University of London, points out that users must apply the right settings for Gmail to be considered secure. But even then, he cautions that because Google is a third-party provider, it maintains some level of access to the content. That inherently introduces an element of risk.

Lawrence Pingree, vice president at Dispersive, adds that the real question is who holds the encryption keys. If it’s not the enterprise, then the third party could potentially access that data. And while encryption provides strong protection, it isn’t invulnerable—especially as future technologies like quantum computing could eventually crack it.

That’s why Seker believes a layered approach is essential. Using Gmail or any cloud-based platform for sensitive business communication should come with dedicated encryption gateways, data loss prevention systems, and strict identity verification. It’s also important to make sure mobile apps and third-party tools don’t create security gaps.

James McQuiggan from KnowBe4 reinforces the human factor in all of this. Phishing attacks and business email compromise scams remain major threats, and technical defenses won’t help much if employees aren’t trained to spot suspicious messages. Email gateway systems must be paired with strong filters and DLP rules to stop threats before they hit the inbox, but users themselves are the last line of defense.

Another crucial piece is device-level protection. As Lorrie Cranor of Carnegie Mellon University explains, Gmail’s encryption only covers data in transit—meaning messages could still be exposed on servers or through poor endpoint security. If users don’t secure their devices, use strong passwords, and enable multifactor authentication, their emails are vulnerable no matter how encrypted the transmission is.

Ultimately, no matter how many cybersecurity tools a company uses, email is never fully airtight. Enterprises must be selective about what they allow to move through Gmail or any other email platform. As Cranor puts it, every organization has to weigh its own risk tolerance and make decisions accordingly.

Seker echoes this point, noting that sensitive data isn’t just about trade secrets—it often involves regulated content like health information or financial records. In sectors bound by compliance rules such as HIPAA, GDPR, or CMMC, relying on Gmail alone—even with E2EE—may simply not be enough.
