
Secure Email Best Practices

Email is a powerful tool that we use for everything from personal to professional communication. But as email has become more popular, so too have the risks associated with it.

Emails can be intercepted and read by unauthorised parties, and they are also one of the main ways malware is delivered. That's why it's important to take steps to secure your email communications.

In this article, we'll discuss some of the best practices for email security, including how to create strong passwords, how to use encryption, and how to identify and avoid phishing scams.

Why Does Email Need To Be Secure?

Email is a ubiquitous communication tool used by businesses and individuals alike, with an estimated 347 billion emails sent and received every day worldwide.

However, email was not designed with security as its primary consideration, which has left it vulnerable to a wide range of security threats. This is especially true when email is used to share confidential information, such as financial details or personal information.

The variety of people who use email for both personal and business purposes makes it an attractive target for cybercriminals, who seek to exploit vulnerabilities and gain unauthorised access to sensitive data. This puts both individuals and organisations at risk of data breaches, financial losses, and reputational damage.

In addition to these security threats, email is also at risk from human error. For example, accidentally sending a message or attachment containing sensitive information to the wrong recipient is a common occurrence.

Our 2023 report shows that more than half of UK adults have sent personal data over email, and one quarter have accidentally shared personal data via email with the wrong recipient.

Actions You Should Be Taking

There are a number of behaviours and actions you can adopt to ensure your email remains secure. Remember, completing one of these tasks is not enough to comprehensively protect your email – you should aim to complete the majority to ensure risk is minimised.

Use A Strong Password

The National Cyber Security Centre (NCSC) recommends against changing your password on a schedule unless you suspect it has been compromised, but it does strongly recommend a strong password that is unique to each account. Reusing your email password elsewhere means a breach of any other site hands an attacker the keys to your inbox, and your inbox is where password resets for everything else arrive.

One common method of creating a strong password, put forward by the NCSC, is to combine three random words to create a password that is ‘long enough and strong enough’. Another is to use a random password generator, which produces a random string of letters, numbers and symbols, and to store the result in a password manager so you can retrieve it when needed.

Turn On Two-Factor Authentication (2FA)

With 2FA enabled, you will be prompted for a second proof of identity in addition to your password when you sign in to your email account. This is usually a code sent to your phone via SMS or generated by an authentication app, or, where your provider supports it, a tap on a hardware security key or passkey.

2FA makes it much more difficult for unauthorised users to access your email account, even if they have your password, because they would also need the device that produces the code. The methods are not equally strong. SMS codes are the weakest: they can be captured through SIM-swap fraud, and any code you type into a convincing phishing page can be relayed to the real login within the few seconds it remains valid. Authenticator-app codes resist SIM swapping but not that relay; security keys and passkeys resist both, because they only answer the genuine site.

To turn on 2FA for your email account, follow the instructions provided by your email provider, and choose the strongest method it offers.
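To make the authenticator-app option concrete, here is an added example (not code from the article or from any provider) of the arithmetic an app performs after you scan the enrolment QR code: HOTP from RFC 4226 and TOTP from RFC 6238, plus the server-side check. The secret is the RFC test-vector key; the base32 string is what an "otpauth://" QR code carries and is assumed here only so the example runs offline.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Added example, not from the article. RFC 4226 / RFC 6238 test-vector secret, as it
# would appear base32-encoded in an otpauth:// enrolment URI (b"12345678901234567890").
RFC_SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password for one counter value (RFC 4226, SHA-1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP over the number of `step`-second windows since the Unix epoch."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, submitted: str, last_counter: int = -1,
                at: Optional[float] = None, step: int = 30, digits: int = 6,
                window: int = 1) -> Optional[int]:
    """Server-side check. Returns the counter that matched, or None.

    Accepts the current window and `window` steps either side to tolerate clock drift,
    compares in constant time, and refuses any counter at or below `last_counter` so a
    code that has already been used (or captured by a phishing page) cannot be replayed
    once the genuine user has logged in with it.
    """
    if at is None:
        at = time.time()
    current = int(at // step)
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits).encode(), submitted.encode()):
            return counter
    return None


if __name__ == "__main__":
    print("code right now:", totp(RFC_SECRET))
    print("RFC 6238 vector at t=59:", totp(RFC_SECRET, at=59, digits=8))   # 94287082
```

Note what the check does not do: a code relayed within its 30-second window by a phishing proxy is still valid, which is why the text above prefers security keys or passkeys where they are offered.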

Undergo Awareness Training

Employees are often the weakest link in an organisation's defences, as they may not be aware of the latest threats or how to protect themselves from them. For those engaging with email regularly, especially for professional use, it is important to carry out awareness training around key threats you may encounter over email, such as phishing.

Phishing is the process in which a malicious individual creates and sends an email impersonating someone else, usually a legitimate organisation such as Royal Mail or the NHS. The aim is to convince the recipient to share personal data directly, or to click a fraudulent link that leads to a fake login page or a malicious download. Recent studies estimate that around 41% of cyber-attacks involve phishing.

Awareness training can help employees spot and avoid threats such as phishing emails, and help them to understand the process they should undergo if they come across a link or attachment that could be malicious.

Keep Software Updated

Each electronic device you use (such as a computer or phone) will have a variety of software installed, some of it specifically for the security of your device. This software needs regular updates, because updates include security patches for flaws that have been found in the system.

Attackers are constantly looking for new ways to exploit vulnerabilities in software, and once a patch is published they study it to find the flaw it fixes, so keeping your software up to date closes the gap before it is used against you. You won’t need any specialist skills to do this: your device will usually give you a nudge when an update is available. If you’re worried about missing the notification, set your device to update automatically.

Avoid Public WiFi

When you use public Wi-Fi, there is an increased likelihood of your emails being intercepted by threat actors, because anyone can join the same network and whoever operates the hotspot can see any traffic that is not encrypted. What looks like public Wi-Fi may also be a fake hotspot, set up by attackers to look like the venue's network but used solely to capture the data of whoever connects to it.

If you have to use public WiFi:

  • Try to only access websites that use HTTPS, a secure protocol that encrypts data between your device and the website, and do not click through certificate warnings: on a hostile network they are the sign that someone is sitting in the middle.
  • Don’t share any sensitive information, such as passwords or credit card numbers.
  • Use a VPN, which routes your internet connection through the VPN provider's server and encrypts everything between your device and that server. The hotspot operator then sees only encrypted traffic. A VPN does not protect the traffic beyond the VPN server, and it will not make a fake login page safe to type your password into.

Tools You Should Be Using

While carrying out the above actions will help keep your account secure, there are several key tools that are specifically designed to protect your emails and are recommended for everyday use – especially by businesses. These tools are often bundled into secure email solutions and utilised by professionals across a variety of industries.

End-To-End Encryption

End-to-end email encryption encrypts a message on the sender's device in such a way that only the intended recipient holds the key needed to decrypt it, so only the original sender and recipient can read it. Because encryption and decryption happen only at the two endpoints of the communication, nobody in between can read the content: not your internet service provider, not the mail servers the message passes through, and not the email providers operating them.

There are a number of benefits to using end-to-end encryption. Because there is no point on the route at which the message is readable, it provides the strongest protection available for your email communications, making it the best choice for sending sensitive information, such as financial data or medical records.

Compared with encryption in transit (usually Transport Layer Security, TLS, which protects the connection between your device and your mail server and between one mail server and the next), it keeps the message encrypted across the entirety of its journey and decrypts it only on the intended recipient's device. TLS protects each hop separately: every mail server that handles the message decrypts it on arrival and re-encrypts it for the next hop, so the message sits in plaintext on each of those servers, where a compromised, misconfigured or subpoenaed server can read it. TLS between mail servers is also usually opportunistic, so if the next server does not offer it the message may be sent in the clear.

When considering how to use end-to-end encryption for your own comms, mainstream clients such as Outlook and Gmail offer optional message encryption (for example S/MIME, where both parties have certificates) that can protect the individual messages you send. The problem arises when you are sending emails that require a reply, possibly from customers and most likely containing sensitive information.

The optional encryption offered by email clients protects only the messages and documents that you send. If your recipient replies without encryption enabled on their side, the reply, which usually quotes the whole thread, travels unprotected, so everything in the conversation is open to interception.

This is why organisations should consider investing in a solution that enables two-way secure communication between two parties, creating an encrypted thread that stays protected even when the recipient hits reply.
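The difference between hop-by-hop and end-to-end protection is easier to see in code than in prose. The following is an added model (not code from the article or from any email product) of the two delivery paths described above. It uses only the Python standard library, so the cipher is an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag; that construction stands in for TLS on the links and for S/MIME, OpenPGP or a secure-email service on the message itself, and is illustrative rather than something to deploy. The sample message and keys are constructed.

```python
import hashlib
import hmac
import os

# Added example, not from the article: a model of TLS-only versus end-to-end delivery.
# The cipher is a stdlib stand-in (HMAC-SHA256 keystream + HMAC tag), not a real AEAD.

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, i = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt. Raises ValueError on any change or wrong key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def relay(payload: bytes, link_keys: list) -> tuple:
    """Carry `payload` over hop-by-hop encrypted links: sender -> server(s) -> recipient.

    Each link has its own key, so every intermediate server must decrypt what came in
    before it can re-encrypt for the next link. Returns what the recipient receives and
    a list of what each server held in the clear while it had the message.
    """
    seen_by_servers = []
    wire = seal(link_keys[0], payload)
    for next_key, prev_key in zip(link_keys[1:], link_keys):
        at_server = unseal(prev_key, wire)
        seen_by_servers.append(at_server)
        wire = seal(next_key, at_server)
    return unseal(link_keys[-1], wire), seen_by_servers


def deliver_transport_only(message: bytes, link_keys: list) -> tuple:
    """TLS-style: the message itself is the payload, so every server sees the text."""
    return relay(message, link_keys)


def deliver_end_to_end(message: bytes, link_keys: list, e2e_key: bytes) -> tuple:
    """E2EE-style: servers relay an inner ciphertext that only the recipient's key opens."""
    inner, seen = relay(seal(e2e_key, message), link_keys)
    return unseal(e2e_key, inner), seen


def tamper_detected(key: bytes, blob: bytes) -> bool:
    """Flip one ciphertext byte, as a hostile server might, and check the recipient notices."""
    i = NONCE_LEN                                   # first ciphertext byte
    altered = blob[:i] + bytes([blob[i] ^ 0x01]) + blob[i + 1:]
    try:
        unseal(key, altered)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    msg = b"Sort code 12-34-56, account 12345678"       # constructed sample
    links = [os.urandom(32) for _ in range(3)]          # sender->MX1, MX1->MX2, MX2->recipient
    _, seen = deliver_transport_only(msg, links)
    print("transport only, servers read it:", [s == msg for s in seen])   # [True, True]
    _, seen = deliver_end_to_end(msg, links, os.urandom(32))
    print("end to end, servers read it:    ", [s == msg for s in seen])   # [False, False]
```

Both paths deliver the same message to the recipient; the only thing that changes is what the two servers in the middle are able to read, and, in the end-to-end case, that a server which alters the inner ciphertext is caught when the recipient checks the tag.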

Recipient Authentication

While account authentication is a standard for email clients, recipient authentication is a specific feature available through secure email solutions. It enables the sender to verify the identity of the recipient before they can gain access to an email by using aspects of multi-factor authentication (MFA).

MFA requires an individual to fulfil a minimum of two verification factors before they can access their message. These are drawn from something you know (such as a password or an agreed answer), something you have (such as a phone or other device), and something you are (such as a fingerprint or facial recognition).

When using MFA for email, the most common authentication methods include:

  • SMS verification, where the recipient must enter a unique code sent to their phone in order to access the email, fulfilling the ‘something you have’ factor. As with account 2FA, SMS is the weakest option, since a SIM swap redirects the code to the attacker.
  • Q&A verification, otherwise known as ‘question and answer’ verification, where the recipient must answer a question set by the sender to which only they would know the answer, fulfilling the ‘something you know’ factor. This only works if the answer cannot be found on social media or in the email itself, and if the number of guesses is limited, because such answers are short.

Utilising recipient authentication is an important step in minimising cyber risk. It limits the damage from human error in email use, such as sending an email to the wrong recipient: the unintended recipient cannot pass the authentication step, so they never see the message.

Email Revoke

Email revoke is the process of withdrawing an email after it has been sent, blocking the recipient from accessing it. This is useful for instances of human error where you have sent an email to the correct recipient but attached the wrong document. By revoking the email, you prevent the recipient from retaining information that, if it were sensitive in nature, would amount to a data breach for your organisation.

Some form of recall exists in mainstream clients, including Outlook and Gmail, but the built-in versions work only under narrow conditions. Outlook's recall works only when sender and recipient are in the same Exchange organisation, and classically only if the recipient has not yet opened the message. Gmail's ‘Undo Send’ is not a recall at all: it holds the message for a few seconds (up to 30) before sending, and once it has gone it cannot be retrieved. Neither can do anything about a copy that has already reached a server outside your control.

Secure email solutions can offer full revocation because the message is held on the provider's servers and the recipient is given access to it rather than a copy. Access can therefore be withdrawn even after the message has been opened.
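The Q&A recipient authentication and the revoke feature described above both depend on the message being held server-side behind an access check rather than posted to the recipient's mailbox. As an added example, not code from the article or from Mailock or any other product, here is a minimal server-side gate of that kind: the sender's answer is stored as a salted PBKDF2 hash rather than in the clear, guesses are capped because such answers are low-entropy, access expires, and the sender can revoke after the fact. The limits, names and sample messages are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Added example, not from the article. MAX_ATTEMPTS and TTL_SECONDS are assumed values;
# a product would make them policy settings.
MAX_ATTEMPTS = 3
TTL_SECONDS = 7 * 24 * 3600
PBKDF2_ROUNDS = 100_000


def _normalise(answer: str) -> bytes:
    # Letter case and surrounding whitespace are not part of the secret ("Fido" == " fido ").
    return " ".join(answer.split()).casefold().encode("utf-8")


def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalise(answer), salt, PBKDF2_ROUNDS)


class ProtectedMessage:
    """A message the recipient may read only after answering the sender's question.

    The body never leaves the server as a copy; every read goes through open(), which is
    what makes revoke() effective even after the message has been read once.
    """

    def __init__(self, body: str, question: str, answer: str, now: Optional[float] = None):
        self.body = body
        self.question = question
        self.salt = os.urandom(16)
        self.answer_hash = _digest(answer, self.salt)   # the plaintext answer is not kept
        self.created = time.time() if now is None else now
        self.attempts = 0
        self.revoked = False

    def open(self, answer: str, now: Optional[float] = None) -> Optional[str]:
        """Return the body on a correct answer, otherwise None. Every wrong guess counts."""
        now = time.time() if now is None else now
        if self.revoked or now - self.created > TTL_SECONDS:
            return None
        if self.attempts >= MAX_ATTEMPTS:
            return None                                # locked: even the right answer fails
        if hmac.compare_digest(_digest(answer, self.salt), self.answer_hash):
            return self.body
        self.attempts += 1
        return None

    def revoke(self) -> None:
        """Sender withdraws access; subsequent open() calls fail regardless of the answer."""
        self.revoked = True


if __name__ == "__main__":
    m = ProtectedMessage("Your statement is attached.", "Your policy number?", "AB 1234")
    print(m.open("wrong"))          # None
    print(m.open("  ab 1234 "))     # Your statement is attached.
    m.revoke()
    print(m.open("ab 1234"))        # None
```

The lockout is deliberate: a policy number or pet's name has far less entropy than a password, so without a cap on attempts the ‘something you know’ factor is only a delay.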

What Else To Consider When Choosing A Secure Email Solution

While encryption, authentication and revoke are three core elements to email security, there are a variety of other features and benefits that a secure email solution can offer businesses. When considering which provider or software to implement, think about the following points:

  • Is the solution scalable for your business needs? For large organisations dealing with large numbers of email comms, choosing a product that can keep up with your output will be key to providing continuous and frictionless service. In this case, a secure email gateway with automation capabilities might be the best option.
  • Is it easy to use for both you and your customers? The best email solutions on the market don’t just prioritise security, they focus on usability too. Otherwise, your staff and your customers won’t use it.
  • Is it designed for your industry? Picking an email software that offers specific integrations and is already used by your peers strengthens your network of connections and streamlines the process of communicating with other providers and organisations. For example, our secure email solution, Mailock, is the industry standard for the financial industry and offers a unique integration with Unipass.
  • Does it help you with compliance? Regulated industries have obligations they must fulfil to remain compliant. For instance, the FCA requires that communications relating to investment business, along with proof of delivery, are recorded and retained. Choosing a secure email solution that offers auditing capabilities will be essential for meeting these requirements and avoiding costly fines.


Originally posted on 28 April 2023
Last updated on December 21, 2023

Posted by: Sabrina McClune

Sabrina McClune is an expert researcher with an MA in Digital Marketing. She was a finalist in the Women In Tech Awards 2022. Sabrina has worked extensively with B2B technology companies conducting and compiling thorough academically driven research to produce online and offline media. She loves to read fantasy novels and collect special edition books.
