Secure Email Best Practices

Email has become a powerful tool for both personal and professional communication. But with its rise in popularity, the risks associated with email have also grown.

Emails can be intercepted by unauthorised parties and used to spread malware and other malicious software. It's essential to take steps to secure your email communications.

In this article, we'll explore the best practices for email security, including how to create strong passwords, use encryption effectively, and identify and avoid phishing scams.

Why Does Email Need To Be Secure?

Email is a common communication tool used by both businesses and individuals, with an estimated 361.6 billion emails sent and received worldwide daily.

However, email was not designed with security as a primary concern, making it vulnerable to various security threats.

This is particularly problematic when email is used to share sensitive information, such as financial or personal details.

The wide range of people using email for both personal and business purposes makes it an attractive target for cybercriminals.

They exploit vulnerabilities to gain unauthorised access to sensitive data, putting both individuals and organisations at risk of data breaches, financial losses, and reputational damage.

Beyond security threats, human error also poses a significant risk. Accidentally sending a message or attachment containing sensitive information to the wrong recipient is a common mistake.

Our 2023 report reveals that more than half of UK adults have sent personal data over email, and one-quarter have accidentally shared personal data with the wrong recipient via email.

Actions You Should Be Taking

There are several practices you can adopt to keep your email secure. Completing one task is not enough; aim to implement most of these actions to minimise risk.

Use A Strong Password

The National Cyber Security Centre (NCSC) advises against changing your password too frequently unless you suspect a compromise. Instead, they recommend using a strong and unique password for each account.

A popular method to create a strong password, suggested by the NCSC, involves combining three random words to make a password that is ‘long enough and strong enough’.

Alternatively, you can use a random password generator to create a password made up of a random string of numbers, letters, and symbols, and store it securely in a password manager.

Turn On Two-Factor Authentication (2FA)

With 2FA enabled, you'll need to enter a code from your phone in addition to your password when you log in to your email account. This code is sent via SMS or generated by an authentication app.

2FA significantly enhances security by making it much harder for unauthorised users to access your account, even if they have your password. They would also need access to your phone to receive the code.

To enable 2FA, follow the instructions provided by your email provider.

Undergo Awareness Training

Employees often represent the weakest link in an organisation's defences, as they may not be aware of the latest threats or how to protect themselves.

For regular email users, especially in a professional context, it's vital to undergo training on the key threats, such as phishing.

Phishing involves a malicious individual impersonating a legitimate business to deceive the recipient into sharing personal data or clicking on a fraudulent link. Studies indicate that an estimated 41% of cyber-attacks utilise phishing.

Awareness training can help employees identify and avoid phishing emails and understand the procedures to follow if they encounter a potentially malicious link or attachment.

Keep Software Updated

Your devices, such as computers and phones, have various software installed, some specifically for security. Regular updates are necessary as they include security patches for system flaws.

Hackers continually look for new ways to exploit software vulnerabilities, so keeping your software updated helps protect your device from digital threats.

Typically, your device will notify you when an update is available, but you can also set your device to update automatically.

Avoid Public WiFi

Using public WiFi increases the risk of your emails being intercepted, as the network is open to everyone. There’s also the danger of connecting to fake hotspots set up by hackers to steal data.

If you must use public WiFi:

• Access only websites that use HTTPS, which encrypts data between your device and the website.
• Avoid sharing sensitive information, like passwords or credit card numbers.
• Use a VPN to protect your information by encrypting data and redirecting your internet connection through a private server.

Tools You Should Be Using

While the actions above will enhance email security, several tools are designed to protect emails and are recommended for daily use, especially by businesses.

These tools are often part of secure email solutions used by professionals across various industries.

End-To-End Encryption

End-to-end encryption disguises data so that only the intended recipient can decrypt and read it.

The encryption and decryption occur at the endpoints of communication, preventing anyone in between, including your internet service provider, from intercepting the data.

This level of encryption is highly secure and is ideal for sending sensitive information, such as financial data or medical records.

Compared to other types, such as Transport Layer Security (TLS), which decrypts messages when they reach the recipient's server, end-to-end encryption ensures security throughout the email’s journey until it reaches the intended recipient.

For those considering end-to-end encryption, email clients like Outlook and Gmail offer basic encryption. However, this only protects the emails you send. If the recipient responds without encryption, the entire email thread becomes vulnerable.

This is why businesses should consider solutions that enable secure two-way communication, protecting the entire email thread even when the recipient replies.

Recipient Authentication

While account authentication is standard for email clients, recipient authentication is a specific feature of secure email solutions. It allows the sender to verify the recipient's identity before they can access the email using multi-factor authentication (MFA).

MFA requires at least two verification factors: something you know (like a password), something you have (such as a phone), or something you are (like a fingerprint).

Common MFA methods include:

• SMS verification, where the recipient must enter a code sent to their device.
• Q&A verification, where the recipient answers a question only they would know the answer to.

Using recipient authentication helps minimise cyber risk. It prevents emails sent to the wrong recipient from being accessed, as they won't pass the authentication stage.

Email Revoke

Email revoke allows you to retrieve an email after it's sent, blocking the recipient from accessing it.

This is useful if you send an email to the correct recipient but attach the wrong document. By recalling the email, you prevent sensitive information from leading to a data breach.

Many email clients, such as Outlook and Gmail, offer email revocation, but with limitations.

These include only being able to recall the email if the recipient hasn't opened it yet and if the recipient uses the same email provider.

Secure email solutions offer full email revocation, allowing you to block access to a message even after it's opened.

What Else To Consider When Choosing A Secure Email Solution

While encryption, authentication, and revoke are core elements of email security, other features and benefits should be considered when choosing a secure email solution for your business:

• Is the solution scalable for your business needs? For large organisations with significant email traffic, a secure email gateway with automation capabilities might be ideal for continuous, seamless service.
• Is it user-friendly for both you and your customers? Top email solutions prioritise both security and usability to ensure adoption by staff and customers.
• Is it tailored for your industry? Selecting email software that offers specific integrations and is used by peers strengthens connections and streamlines communication. For instance, our secure email solution, Mailock, is the industry standard for the financial sector and uniquely integrates with Unipass.
• Does it assist with compliance? Regulated industries must meet compliance requirements. For example, the FCA mandates that all communications and proof-of-delivery be recorded for investment documentation. A secure email solution with auditing capabilities is crucial to meet these requirements and avoid fines.

References:

Daily Number of Emails Worldwide, Statista, 2023

Problems with Forcing Regular Password Expiry, National Cyber Security Centre (NCSC), 2016

Three Random Words, National Cyber Security Centre (NCSC), 2021

IBM Threat Intelligence Report, IBM, 2024

Reviewed By:

Sam Kendall, 14.06.24

Sabrina McClune, 14.06.24