Email is not secure. It has never been secure, and little has changed since its invention by Ray Tomlinson back in 1971.
Fast forward to 2022 and most business leaders and end users are aware of the risks of email phishing. Most also know that it is a primary way for hackers to gain access to sensitive company data, however, what is often overlooked is the sheer lack of security that exists in email messaging.
It is important that we understand the risks of email communication and that we all know how to safely share sensitive information on the internet.
Encryption is the process by which information is encoded so that only an authorized recipient can decode and consume the information.
Why email is not secure
Email is not a secure method of communication because it is not encrypted. Additionally, multiple copies of content are created and stored in various places. So, as it turns out in some sectors, sending sensitive data via email is prohibited.
The primary issue is email is not encrypted by default. When your email message passes over the internet, it is possible to intercept the content of the message, which is not the case for most other forms of communication any longer, including most web browsing. You have probably seen the little padlock icon in the corner of your web browser. This means all the communication between your web browser and the server is encrypted and cannot be read by anyone else.
Secondly, email communication creates copies of the content. The intent of an email is to send someone a copy of some information, but an additional copy is automatically created and is placed in your sent items folder. It also creates a copy of the message on any mobile device that synchronizes to your mailbox, or the recipient mailbox, which creates more opportunities for sensitive information to be accidentally leaked.
Lastly, there are compliance requirements, like PCI, that define how sensitive information can be shared and email is frequently prohibited. This is especially true in the public sector where government regulation or funding requirements will often specify rules about what can be sent via email.
Consequently, even though email is a convenient and common way to share information, it is not ideal for sensitive information.
So, what do we do instead?
It is always best to store sensitive information securely and then provide the intended recipient with access. One way to do this is by storing sensitive information in a document within your Microsoft 365 environment, specifically in SharePoint or OneDrive. You can then use the built-in sharing features to allow third parties to view or download the data securely. While your email content will not be encrypted, the sensitive information within the documents you are sharing will be. These features are freely available to any user who has a license that entitles them to OneDrive storage- even Microsoft 365 Business Basic.
Alternatively, you can make this even easier and more secure if your business has a subscription that includes Azure AD P1 (Business Premium or the EMS E3 addon) by configuring Outlook Message Encryption. Once encryption is enabled, a button will be available at the top of every email that turns it into an encrypted message. The recipient of the message receives a link, and their identity is verified with a single-use code or through integrations with their Microsoft, Gmail, or Yahoo Mail accounts before granting access to the message content.
Using this method, both the email content and any attachments are encrypted. You can also configure features that will prevent forwarding of the message or enforcing automatic encryption of messages that meet Data Loss Prevention rules.
Both options are great ways to ensure that sensitive information is shared securely and do not involve much in the way of difficult configuration or expensive licensing. The features are both simple to use and integrate easily into most users’ workflow.