Best practice for emailing encrypted data

Don’t use ZipCrypto, it’s much weaker than AES-256 and doesn’t allow you to encrypt the filenames (it only prompts for the password when you attempt to open the file).

If best practice in this case means ‘most secure’ I agree about the passwords being the weak point and public key encryption being the way to go. You wouldn’t want to pass government secrets with a 7z file.

But for ‘normal’ companies a 7z file is easier and isn’t a bad way to go. As the sender you choose the password. Make it long (16+ characters) and avoid dictionary words and you should be fine.
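As an added illustration of the two posts above (this is example code written for this page, not something either poster supplied): a script that generates a long random passphrase and packs files into a 7z archive with AES-256 and encrypted headers, then checks that the file names really are hidden. It assumes a 7-Zip command-line binary named 7zz, 7z or 7za on PATH and skips the archive steps if none is installed; the sample payroll file is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: long random passphrase plus a 7z
# archive with AES-256 and encrypted headers (the alternative to ZipCrypto).
# Assumes a 7-Zip CLI named 7zz, 7z or 7za on PATH; reports "skipping" if not.
set -eu

# Print N (default 24) random characters from a 62-symbol alphabet: 24 such
# characters carry about 143 bits of entropy and cannot be a dictionary word.
gen_passphrase() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-24}"
    echo
}

# Print the name of an installed 7-Zip binary. 7zr is left out because the
# reduced build lacks the AES codec.
find_7z() {
    for c in 7zz 7z 7za; do
        if command -v "$c" >/dev/null 2>&1; then
            echo "$c"
            return 0
        fi
    done
    return 1
}

# Create archive.7z from the given files. -t7z selects the 7z container, whose
# only cipher is AES-256; -mhe=on also encrypts the headers, so the file names
# are hidden too, which a ZipCrypto archive cannot do.
# Usage: make_encrypted_7z archive.7z passphrase file...
make_encrypted_7z() {
    archive=$1; pass=$2; shift 2
    bin=$(find_7z) || { echo "no 7z binary found, skipping"; return 0; }
    # Caveat: a -p argument is visible in the process list on a shared host;
    # use a bare -p there so 7z prompts for the passphrase instead.
    "$bin" a -t7z -mhe=on -p"$pass" "$archive" "$@" >/dev/null
    echo "created"
}

# Check that the headers are encrypted: listing with a wrong password must
# fail (7z exits 2), and a test with the right one must succeed.
check_headers_encrypted() {
    archive=$1; pass=$2
    bin=$(find_7z) || return 0
    if "$bin" l -pWRONG "$archive" >/dev/null 2>&1; then
        echo "file names are NOT encrypted"
        return 1
    fi
    "$bin" t -p"$pass" "$archive" >/dev/null 2>&1
}

# Whole flow on a constructed file in a temporary directory.
demo_7z() {
    tmp=$(mktemp -d)
    echo "constructed sample: employee,salary" >"$tmp/payroll.csv"
    pass=$(gen_passphrase 24)
    echo "passphrase to send out of band (phone, not the same email): $pass"
    make_encrypted_7z "$tmp/payroll.7z" "$pass" "$tmp/payroll.csv"
    check_headers_encrypted "$tmp/payroll.7z" "$pass"
}

case "${1:-}" in demo) demo_7z ;; esac
```

Run it as `sh example.sh demo`. The listing check is the part worth keeping: an archive that lists its contents without a password has only encrypted the file bodies, which is exactly the ZipCrypto weakness the first post describes.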

Actually, we use something similar. It’s from a company called Proofpoint.

There are ways to do it.
On OneDrive, for example, you can share a folder with access restricted to a specific recipient; the folder doesn’t need to contain any files when initially shared (or a dummy text file can be put there during setup). A telephone conversation, or some other independent channel, can ascertain that the intended recipient has access, then the file can be uploaded into the folder, and deleted as soon as the recipient has downloaded it.
That’s not exactly a massively secure method (and there are file sharing solutions that probably offer more security), but it does reduce opportunity for interception, and doesn’t prevent other security methods (such as encryption) from also being used.

GPG definitely supports encrypting a message or file only once so that it can be decrypted by multiple recipients. You just need to have all of the recipients’ public keys, that is, you encrypt using the public keys provided by A, B, C, and D when sending the email, but if E later needs a copy that will be a separate message to E.
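The exchange described in the post above, as an added example that is not part of the original post: one file encrypted once for several recipients, a packet listing that shows one wrapped session key per recipient, and a separate ciphertext for a recipient who turns up later. It assumes gpg (GnuPG 2.1 or newer) on PATH, runs in a throwaway GNUPGHOME with freshly generated keys, and the addresses and the report file are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: multi-recipient GnuPG encryption.
# Assumes gpg (GnuPG 2.1+) on PATH; keys and addresses are throwaway demo data.
set -eu

# gpg in non-interactive mode. The demo keys have an empty passphrase, which
# loopback pinentry supplies without prompting.
gpgb() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Generate a throwaway keypair for each user ID given (default algorithm,
# default usage, never expires).
make_keys() {
    for uid in "$@"; do
        gpgb --quick-gen-key "$uid" default default never >/dev/null 2>&1
    done
}

# Encrypt IN to OUT for every recipient listed. gpg picks one random session
# key, encrypts the file with it once, and wraps that session key separately
# to each recipient's public key. --trust-model always skips the "key is not
# certified" check, which is only acceptable for demo keys.
# Usage: encrypt_to out.gpg in.txt addr1 [addr2 ...]
encrypt_to() {
    out=$1; in=$2; shift 2
    args=""
    for r in "$@"; do args="$args -r $r"; done
    # shellcheck disable=SC2086  # word-splitting of $args is intended
    gpgb --trust-model always $args -o "$out" -e "$in" 2>/dev/null
}

# Count the public-key-encrypted session-key packets in a ciphertext: one per
# recipient, each tagged with the key ID it was wrapped for.
count_recipients() {
    gpgb --list-packets "$1" 2>/dev/null | grep -c '^:pubkey enc packet'
}

# Decrypt with whichever matching secret key is in the keyring.
decrypt_to() { gpgb -o "$1" -d "$2" 2>/dev/null; }

# Run the whole exchange; prints "<recipients in first file> <in second file>".
demo_gpg() {
    tmp=$(mktemp -d)
    GNUPGHOME="$tmp/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    make_keys alice@example.com bob@example.com erin@example.com
    printf 'constructed sample: Q3 figures\n' >"$tmp/report.txt"

    # One message for A and B...
    encrypt_to "$tmp/report.gpg" "$tmp/report.txt" alice@example.com bob@example.com
    n=$(count_recipients "$tmp/report.gpg")
    # ...and, when E needs a copy later, a separate message for E.
    encrypt_to "$tmp/report-erin.gpg" "$tmp/report.txt" erin@example.com
    m=$(count_recipients "$tmp/report-erin.gpg")

    # Any one of the listed recipients can recover the original.
    decrypt_to "$tmp/out.txt" "$tmp/report.gpg"
    cmp -s "$tmp/report.txt" "$tmp/out.txt"
    gpgconf --kill gpg-agent 2>/dev/null || true
    echo "$n $m"
}

case "${1:-}" in demo) demo_gpg ;; esac
```

Run it as `sh example.sh demo`; it prints `2 1`. Two caveats a practitioner will want: `--list-packets` shows the key ID of every recipient, so the recipient list itself is visible to anyone holding the file (use `-R`/`--hidden-recipient` in place of `-r` if that matters), and the late recipient gets a fresh ciphertext with its own session key, not the original file with E's key added.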

You are unlikely to change the security culture there, especially with something as hard to use as GPG or public keys.

Maybe pitch Proton Mail or Signal as easier to use alternatives. But frankly you’re probably not going to win. Security and convenience are tradeoffs, and they’ve opted for the latter.

Have a plan in place for if and when stuff gets leaked, and practice the recovery. You won’t be able to secure a culture like that without drastic changes, which they are pretty much guaranteed to not want.

Maybe you can blow the whistle somewhere if you want (media? Some higher up regulatory agency?) but in this political climate, I doubt anyone would care.

[quote=“Reply, post:25, topic:918035, full:true”]Security and convenience are tradeoffs, and they’ve opted for the latter.
[/quote]

I suspect the situation is something like, “the rules say, ‘use encryption when sending sensitive data’, so we’re going to do the minimum required to obey the rule”, rather than having a real security policy.

I would describe it more as, “The rules say ‘use encryption’ so I’ll do that. But I really don’t understand any of this security stuff.”