Secure Email Communication and Use
Email is one of the most popular methods of communicating today and is used for communicating with business colleagues, friends and family. However, being an Internet based technology, email brings with it a number of security threats such as malware and phishing.
This information security awareness article looks at some common email security characteristics, then outlines some best practices that you can follow for using email in a secure manner.
Common Email Security Characteristics
Email is Not Secure
- Never assume that email is a secure method of communication, as in most cases it is not. Email messages are sent over the Internet and travel through many different routing servers to reach their destinations and associated recipients.
- Unless you actively encrypt an email message, it can be read by anyone who intercepts it and even encryption does not guarantee 100% security.
Email Can be Legally Binding
- Email may appear to be a casual form of communication, but you should be aware that emails can be just as legally binding as a written letter and can be used as legal evidence.
- Always think carefully about what you are sending via email and read through the message before you press that send button.
There is No Delete Once Sent
- Once an email is sent, you cannot get it back. Even if you use the ‘recall’ function provided by some email programs, you should never assume it has not been read. In addition, email travels through many servers to reach its destination and always leaves a trail.
- Always double check your recipients and re-read content before hitting send. Also, avoid sending work related email in anger or when under the influence of alcohol.
Beware of Fraudulent Senders
- It is very easy to send an email that appears to have come from a legitimate sender, and this is a commonly used method for spreading malware or conducting phishing.
- Do not open attachments or click links within emails that seem suspicious, even if they appear to come from someone you know or trust. If in doubt, phone the sender to confirm they actually sent the email. Digital Signatures can be used to help recipients verify that your emails actually came from you.
Using Email Securely
Know What is Acceptable
- Your company may have an ‘Acceptable Use Policy’ in place for email communication that you must know and comply with.
- This policy is designed to protect both you and your company. It usually includes rules around using work email for personal use, the type of information allowed to be sent via email, and your company’s ability to monitor email communications.
Encrypt Sensitive Emails
- An email sent without encryption is like sending a postcard – it can be read by anyone along the way to its destination. An email sent with encryption is like sending a letter inside a sealed envelope – it can only be opened and read by the recipient.
- Always ensure encryption is used when sending sensitive emails. PGP and S/MIME are commonly used methods for email encryption. If you are unable to encrypt the actual email, put the sensitive content in a file, then encrypt the file and send as an email attachment.
Check Recipients Carefully
- It is very easy to send email to people in error, especially when using functions like ‘Reply to All’. Email messages should only be sent to those that need to see them.
- Always be mindful of the message content and sensitivity and double check email recipients before pressing send.
Keep All Software Updated
- Malware or hackers can take advantage of vulnerabilities discovered in software in order to obtain unauthorized access to your computer or sensitive information.
- Ensure all software on your computer, including your email client, is kept updated with the latest security updates and patches.
Use Security Software
- Email is a common method of spreading malware and conducting phishing attacks. Security software must be used to help detect and protect against these types of threats.
- Ensure your computer has up to date malware prevention software, a securely configured firewall and that Spam and Phishing filters are activated.
Don’t Click on the Links
- Malicious emails will often contain Internet links (URLs) that direct you to websites containing malware. Simply clicking on the link and visiting the website could infect your computer and compromise your information.
- Always be wary of links within emails and never click links in emails from unknown or untrusted senders.
Don’t Open the Attachments
- Malicious emails often contain attachments that contain malware. Malware can hide in all types of files including PDF and ZIP files.
- Never open email attachments from unknown or untrusted senders and be wary when opening any attachments. Always ensure attachments are scanned for malware before opening them.
Report Suspicious Emails
- Malicious emails are becoming more targeted at individual recipients and are increasingly harder to spot. Any email requesting sensitive information, or asking you to click on a link or open an attachment, should be treated with suspicion.
- Report any suspected Phishing or other malicious emails received at work to your company immediately. Reporting allows your company to identify whether it has become a possible target of attack, warn other workers and block any future emails.
Use Secure (https) Webmail Providers
- If using a webmail provider, ensure that, at a minimum, your login (i.e. your username and password) is secured, by checking for “https://” (s = secure) in the URL.
- Ideally, your whole online session (i.e. all communications between your PC and your online account) should be secured. Gmail is one such provider that allows you to do this, but you have to activate this in the Gmail settings.
Disable Automatic Content Downloads
- Automatically downloading images or other dynamic content in emails might make them look nice, but can also download malicious software and inform senders that your account is active.
- As a minimum, turn off automatic image downloads in your emails until you are sure the email is trusted. Setting your email client to display messages in plain text only adds a further level of security, as all dynamic content is then blocked from download.
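To show what automatic content download actually exposes, here is an added example (not part of the original article) that parses a constructed sample message, lists the remote resources its HTML part would fetch on display, including a tracking image that would reveal the account is active, and extracts the text/plain part, which loads nothing from the network. The sender, recipient and URLs are made up for the example.

```python
"""Inspect a constructed email for content that would be auto-downloaded."""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message (not a real email): a plain-text part plus an
# HTML part that references a remote 1x1 image, the kind of content an email
# client fetches automatically when image downloads are enabled.
SAMPLE_EML = b"""\
From: sender@example.invalid
To: you@example.invalid
Subject: Monthly newsletter
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Read our newsletter at https://example.invalid/news
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Read our <a href="https://example.invalid/news">newsletter</a></p>
<img src="https://tracker.example.invalid/open?id=12345" width="1" height="1">
</body></html>
--b1--
"""

# HTML attributes whose values a client loads while rendering the message.
REMOTE_REF = re.compile(r'\b(?:src|background)\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)


def remote_resources(raw):
    """Return every remote URL the HTML part would fetch when displayed."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    html = msg.get_body(preferencelist=("html",))
    if html is None:
        return []
    return REMOTE_REF.findall(html.get_content())


def plain_text_view(raw):
    """Return only the text/plain part, which triggers no network requests."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    text = msg.get_body(preferencelist=("plain",))
    return text.get_content().strip() if text else ""


if __name__ == "__main__":
    for url in remote_resources(SAMPLE_EML):
        print("would be fetched on open:", url)
    print("plain-text view:", plain_text_view(SAMPLE_EML))
```

Links the reader must click (the `href` above) are deliberately not reported; only resources the client would load on its own are listed.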
Turn Off the Preview Pane
- Many email programs have a ‘Preview Pane’ function that displays a preview of an email when it is clicked on. Viewing the preview is no different from actually opening the mail, and malware can be automatically downloaded as soon as this occurs.
- A lot of email can be identified as spam, phishing or malicious and deleted without needing to be opened. Turning off the preview pane function will prevent these emails from opening on your computer.
Use Unique and Strong Passwords
- A password helps to prevent an attacker from accessing your email account and the information within it, but using the same password for every Internet account gives an attacker access to everything if it gets compromised.
- Use a password that is over 8 characters and contains uppercase, lowercase, numbers and special characters. Ensure it is changed regularly and not shared with any other account.
Don’t Forget to Log Out
- A common error when accessing webmail from a shared computer (e.g. in a hotel lobby or Internet cafe) is to forget to log out of your email account. This may allow someone using the computer after you to gain access to your account.
- Always log out of your webmail using the log out link provided and close all Internet browser windows.
Delete or Archive Old Emails
- If you have had the same email account for a long time, it is likely that your account holds a lot of sensitive information about you, your activities and your company. This presents an increased risk should your email account ever be compromised. The less sensitive information you hold in your email account the better.
- Don’t keep emails for years. Delete or securely archive any emails that are no longer required.