
Secure Email Best Practices

Written by Sabrina McClune | 28 04 23

Email has become a powerful tool for both personal and professional communication.

But with its rise in popularity, the risks associated with email have also grown.

Emails can be read or intercepted by unauthorised parties, and email is a common delivery channel for malware and phishing lures. It's essential to take steps to secure your email communications.

We'll explore the best practices for email security - from creating strong passwords and using encryption effectively, to spotting phishing scams before it’s too late.

Why Does Email Need to Be Secure?

Email is a common communication tool used by both businesses and individuals, with an estimated 361.6 billion emails sent and received worldwide daily.

However, the protocols underneath email were designed without built-in encryption or sender authentication. Both have been bolted on since, and the gaps that remain are what attackers exploit.

This becomes a major concern when email is used to share sensitive information such as financial or personal data.

Because it's so widely used, email is an attractive target for cybercriminals. They exploit vulnerabilities to access data - exposing individuals and businesses to the risk of breach, financial loss, and reputational damage.

Beyond malicious attacks, simple human error also poses a serious risk. Accidentally sending a message or file to the wrong person is a common occurrence.

Our 2023 report shows that more than half of UK adults have sent personal data by email, and a quarter have done so to the wrong recipient.

Actions You Should Be Taking

There are several steps you can take to improve email security. Completing just one is not enough - try to adopt as many of these as possible to stay protected.

Use a Strong Password

The National Cyber Security Centre (NCSC) advises against forcing regular password changes: change a password when compromise is suspected, not on a schedule. Instead, use a strong, unique password for every account, so that one leaked password can't be replayed against the others.

One method recommended by the NCSC is to combine three random words into a passphrase that is ‘long enough and strong enough’.

Alternatively, you can use a password generator and store the result in a secure password manager.
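The two approaches above, a random-word passphrase and a generated password, differ mainly in how much entropy each pick contributes. The Python below is an added example, not code from the original article or from the NCSC: it uses the OS random source (`secrets`) rather than the predictable `random` module, and computes the entropy of each scheme from the size of the pool it draws from. The word list is a constructed stand-in; a real generator draws from a large published list (a diceware-style list has 7,776 words), and the entropy helper takes the list size as a parameter so the figures hold for any list.

```python
import math
import secrets

# Constructed miniature wordlist so the example runs offline (not a real
# published list). entropy_bits() is parameterised on list size, so the
# 7,776-word figures below are independent of this sample.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nickel",
    "orbit", "pepper", "quartz", "ripple", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
]

PASSWORD_ALPHABET = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@"
)


def passphrase(words, count=3, separator="-"):
    """Join `count` words chosen uniformly at random.

    secrets.choice reads the OS CSPRNG. random.choice (Mersenne Twister) can be
    reconstructed from a few hundred outputs and must never pick secrets.
    """
    if count < 1:
        raise ValueError("count must be at least 1")
    return separator.join(secrets.choice(words) for _ in range(count))


def generated_password(length=20, alphabet=PASSWORD_ALPHABET):
    """The password-manager alternative: independent random characters."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices_per_position, positions):
    """Entropy of `positions` independent uniform picks from
    `choices_per_position` options. Only valid for machine-generated picks;
    a passphrase the user invents has far less entropy than this formula gives.
    """
    return positions * math.log2(choices_per_position)


def compare_strengths():
    """Why 'long enough' matters: 3 vs 4 words from a 7,776-word list, beside
    a 20-character random password from PASSWORD_ALPHABET."""
    return {
        "3 words / 7776-word list": round(entropy_bits(7776, 3), 1),
        "4 words / 7776-word list": round(entropy_bits(7776, 4), 1),
        "20 chars / %d symbols" % len(PASSWORD_ALPHABET): round(
            entropy_bits(len(PASSWORD_ALPHABET), 20), 1
        ),
    }


if __name__ == "__main__":
    print(passphrase(SAMPLE_WORDS))
    print(generated_password())
    print(compare_strengths())
```

Three words from a 7,776-word list give about 39 bits, which is why the NCSC's wording is "long enough": a fourth word adds another 13 bits, and a 20-character generated password stored in a manager is well over 100 bits. Memorability is the trade-off, which is what the passphrase buys you.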

Turn On Two-Factor Authentication (2FA)

Two-factor authentication adds a second check at login: as well as your password, you prove possession of something you hold, typically a one-time code from an authenticator app, a code sent by SMS, or a hardware security key.

Even if an attacker has your password, they can't sign in without that second factor. The factors are not equal, though: SMS codes can be diverted by SIM-swap attacks, and both SMS and app codes can be phished in real time by a fake login page that relays them. Prefer an authenticator app over SMS, and a hardware key over both, wherever your provider supports it.

To turn on 2FA, check your email provider’s help pages for setup instructions.

Undergo Awareness Training

Employees are often the weakest link in security. Training helps ensure people know what to look out for - and what to do if something goes wrong.

Phishing is a common threat, where an attacker impersonates a trusted organisation or person to trick recipients into clicking links, opening attachments or sharing sensitive data. IBM’s research suggests 41% of cyber attacks begin this way.

Awareness training helps staff identify suspicious emails and respond appropriately.
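Two of the checks training usually teaches can also be done mechanically: does the Reply-To address belong to a different domain than the From address, and does a link's visible text show one domain while its target goes to another? The Python below is an added example, not code from the article or any product, that runs both checks over a constructed sample message (the addresses and domains are invented). Its domain handling is deliberately crude, last two labels only; a production filter would use the Public Suffix List.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real email). The visible link text and the From
# display name impersonate example-bank.com; Reply-To and the real link
# target go elsewhere. All domains are invented.
SAMPLE_MESSAGE = """\
From: "Example Bank" <alerts@example-bank.com>
Reply-To: support@mail-verify-account.net
To: customer@example.org
Subject: Action required: confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please sign in at
<a href="http://example-bank.com.login-secure.net/auth">https://example-bank.com/login</a>
within 24 hours or your account will be suspended.</p>
<p>Questions? Visit <a href="https://example-bank.com/help">our help centre</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(value):
    """Host of a URL or bare domain, reduced to its last two labels.
    Crude on purpose: 'example.co.uk' would collapse to 'co.uk'."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_url(text):
    """Link text that itself reads as a URL or domain, e.g. 'https://x.com/y'."""
    return "." in text and " " not in text and len(text) > 3


def phishing_indicators(raw_message):
    """Return (indicator, detail) tuples for two cheap deterministic checks:
    Reply-To on a different domain than From, and link text whose domain
    differs from the href it actually points at."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    reply_domain = msg["Reply-To"].addresses[0].domain.lower() if msg["Reply-To"] else ""
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch",
                         f"From {from_domain}, Reply-To {reply_domain}"))

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if href and looks_like_url(text) and \
                    registered_domain(text) != registered_domain(href):
                findings.append(("link-mismatch",
                                 f"shows {text!r} but goes to {href!r}"))
    return findings


if __name__ == "__main__":
    for kind, detail in phishing_indicators(SAMPLE_MESSAGE):
        print(f"{kind}: {detail}")
```

The second link ("our help centre") is not flagged because descriptive link text is normal; the signal is a link that displays a URL and lies about it. Neither check proves a message is malicious, and a clean result proves nothing, which is why they complement training rather than replace it.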

Keep Software Updated

Security flaws are regularly found in software. Updates often include patches that protect your system against new threats.

Enable automatic updates where possible and regularly check for available updates on all your devices.

Avoid Public WiFi

Public networks are often unencrypted, so anyone in range can capture unencrypted traffic, and an attacker can set up a rogue access point that mimics a trusted network name to sit between you and the internet.

If you must use public WiFi:

  • Use only websites with HTTPS, and don't click through certificate warnings.
  • Never send sensitive information over open networks.
  • Use a VPN to encrypt your connection.

Tools You Should Be Using

Security best practices are crucial - but tools can take your protection to the next level. Here are three every business should consider.

End-to-End Encryption

End-to-end encryption ensures only the intended recipient can read your message - no one else can access it, not even your service provider.

Compare this with Transport Layer Security (TLS), which protects a message only while it travels between two mail servers. Each server on the path decrypts the message, handles it in plaintext, and re-encrypts it for the next hop only if that hop supports TLS. Server-to-server TLS is also usually opportunistic: if a hop doesn't offer it, the message goes in the clear unless a policy such as MTA-STS enforces encryption.

End-to-end encryption keeps the content unreadable at every intermediate server, all the way to the recipient. But beware: with a basic email client, encryption covers only the message you send. If the recipient replies in plaintext and quotes your original, the thread is exposed.

Solutions like Mailock enable two-way secure email, ensuring encryption both ways.
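You can see the hop-by-hop nature of TLS in a delivered message's Received: headers, which each server prepends as the message passes through. The Python below is an added example (not code from the article or from Mailock) that walks those headers over a constructed trace and reports which hops negotiated TLS; the hosts, IPs and ids are invented, and the middle hop is deliberately plain ESMTP. It relies on the RFC 3848 "with" keywords (ESMTPS, ESMTPSA and similar, where the S means STARTTLS was used) and on the version=TLS... clause many servers add. One caveat the code cannot remove: only the Received: lines added by servers you operate are trustworthy; everything below them in the trace was written by the sender's side and can be forged.

```python
import email
import re

# Constructed Received: trace (not a real message). Servers prepend their
# Received: header, so the first one listed is the final hop and the last one
# is the first. The relay -> mx1 hop used plain ESMTP, i.e. no TLS.
SAMPLE_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.10])
    by inbound.example.org with ESMTPS id abc123
    (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
    Fri, 28 Apr 2023 09:15:02 +0000
Received: from relay.partner.example (relay.partner.example [198.51.100.7])
    by mx1.example.net with ESMTP id def456;
    Fri, 28 Apr 2023 09:15:01 +0000
Received: from laptop.lan (unknown [192.0.2.5])
    by relay.partner.example with ESMTPSA id ghi789
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
    Fri, 28 Apr 2023 09:15:00 +0000
From: alice@partner.example
To: bob@example.org
Subject: Q2 figures

Body omitted.
"""

_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
_BY = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
_WITH = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)
_TLS = re.compile(r"version=([A-Za-z0-9_.]+)")


def parse_received(value):
    """Pull from/by/with and the TLS version out of one Received: header.
    Continuation lines are unfolded first, so the regexes see one line."""
    v = " ".join(value.split())
    with_match = _WITH.search(v)
    with_kw = with_match.group(1).upper() if with_match else ""
    tls_match = _TLS.search(v)
    tls_version = tls_match.group(1) if tls_match else None
    from_match = _FROM.search(v)
    by_match = _BY.search(v)
    return {
        "from": from_match.group(1) if from_match else None,
        "by": by_match.group(1) if by_match else None,
        "with": with_kw,
        # RFC 3848: a trailing S (ESMTPS, ESMTPSA, UTF8SMTPS...) marks a
        # STARTTLS hop; ESMTPA alone means authenticated, not encrypted.
        "tls": with_kw.endswith(("S", "SA")) or tls_version is not None,
        "tls_version": tls_version,
    }


def hops(raw_message):
    """Hops in delivery order (oldest first). Headers above the ones your own
    servers added are the only ones you can trust; the rest are sender-supplied."""
    msg = email.message_from_string(raw_message)
    return [parse_received(h) for h in reversed(msg.get_all("Received") or [])]


def unencrypted_hops(raw_message):
    return [h for h in hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for h in hops(SAMPLE_MESSAGE):
        status = h["tls_version"] or "NO TLS"
        print(f'{h["from"]} -> {h["by"]} ({h["with"]}): {status}')
```

On this trace the first and last hops are encrypted but the middle one is not, and even on the encrypted hops the message sat in plaintext on each server. That is the gap end-to-end encryption closes: with it, the same trace would show the same hops, but no server on the path would hold readable content.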

Recipient Authentication

Recipient authentication requires your recipient to verify who they are before they can open your message. This can include:

  • SMS verification
  • Custom security questions

It’s especially useful when dealing with sensitive data. Even if you send it to the wrong email address, access can be blocked at the verification stage.

Email Revoke

Made a mistake? Revoke it. Email revocation lets you stop someone accessing a message after it’s sent.

Outlook and Gmail offer basic recall features, but only under narrow conditions: Outlook’s recall works only for recipients in the same Exchange organisation, and only if they haven’t yet opened the message, while Gmail’s ‘Undo Send’ simply holds the message for a few seconds before it leaves. A secure email platform that serves the content through its own service, rather than delivering it as an ordinary email, can block access even after the message has been opened, though it cannot undo anything the recipient has already read or copied.

What Else to Consider When Choosing a Secure Email Solution

  • Is it scalable? Large organisations may need a secure email gateway.
  • Is it user-friendly? Adoption depends on ease of use for staff and customers.
  • Does it fit your sector? Mailock is widely adopted in finance and integrates with Unipass.
  • Does it help with compliance? Regulated industries must retain communication records - look for solutions with auditing features.


References

Daily Number of Emails Worldwide, Statista, 2023

Problems with Forcing Regular Password Expiry, National Cyber Security Centre (NCSC), 2016

Three Random Words, National Cyber Security Centre (NCSC), 2021

IBM Threat Intelligence Report, IBM, 2024

Reviewed by

Sam Kendall, 14.06.24

Sabrina McClune, 17.06.25