What is email security?
The term ‘email security’ covers various ways of using email safely to ensure that the confidentiality, integrity and availability of information is not compromised.
This includes following email security best practices when sending information by email, storing it in email accounts and protecting against inbound email security threats such as phishing attacks.
How secure is email?
Email was not originally designed with security in mind. Although security measures have improved since email was first used, it is still often unencrypted, so attackers who can access poorly secured networks and email servers can read everything.
Moreover, once an email has been sent, the sender has no control over who it is forwarded to.
If you do need to send sensitive information via email, it is best to use an email provider that provides end-to-end encryption, or specialist secure file-sharing software.
Why is email security important?
There are two main reasons to enforce the secure use of email communications.
First, many data breaches are caused by emails mistakenly being sent to the wrong recipient, for instance through misusing the Cc (carbon copy) and Bcc (blind carbon copy) fields.
If personal information is compromised, organisations are at risk of regulatory action under the DPA (Data Protection Act) 2018 and UK GDPR (General Data Protection Regulation), and EU GDPR.
Second, most cyber attacks start with phishing emails. By clicking on a link or opening a malicious attachment, victims can endanger their organisation’s security and compromise sensitive data.
As well as implementing technical security measures, it is essential to ensure that all staff are aware of the threat and know what to do to ensure they use email safely.
This reduces the risks associated with email communications and the impact of email threats.
How email security works
Email security works by reducing the risk of legitimate emails reaching the wrong recipient, and of malicious emails reaching recipients – and ensuring that if users do encounter malicious emails, they know how to recognise them and what to do.
Security practices differ depending on whether emails are being sent or received.
Human error is one of the main outbound email security risks, so it is essential to train staff to ensure they are sending emails to the right recipients and using Cc and Bcc properly, and check any files they might attach so that they do not accidentally share sensitive information.
Training should be backed up by policies requiring strong passwords and multifactor authentication to restrict access to accounts, and technical controls such as encryption to ensure that, if emails are intercepted, their confidentiality is not compromised. Types of email encryption include TLS (transport layer security), S/MIME and PGP (pretty good privacy).
Malicious external traffic is arguably easier to control: inbound emails can be filtered by antivirus software and secure email gateways to reduce the chance of malicious messages, such as spam and phishing attempts, reaching users’ inboxes.
However, no technical solution is 100% effective so, again, it is critical to train staff to recognise phishing attempts and understand what to do if they receive a suspicious email.
What are the different types of email security?
Email security measures can be split into two groups: technical and organisational.
Technical measures include encryption and filtering.
Organisational measures include policies to enforce email security practices and staff awareness training to ensure employees are a strong last line of defence against malicious content.
Email security best practices
Email security best practices include:
- Automated email encryption that can analyse outbound email traffic and encrypt it if it is sensitive. This way, attackers will not be able to read emails if they do manage to intercept them.
- Threat intelligence to understand the latest threats and how they might affect your organisation.
- A secure email gateway to prevent spam and malicious email messages, such as those from spear phishing and business email compromise (BEC) attackers, from getting through.
- Security awareness training to help staff understand the threats they face, and know how to recognise phishing emails and what to do when they suspect an email is malicious.
- Password security and MFA (multifactor authentication) policies to ensure individual email accounts are secure and prevent attackers from hacking them.