Email. It’s become so common in our personal and professional lives that we often take for granted just how much it’s transformed society. But just as much as we overlook its rewards, we also overlook its risks. Individuals and professionals transmit sensitive information by email every single day.
By some estimates, as much as half of the emails people send are insecure. Unsecured email poses a significant threat to the individuals who send and receive it, exposing them to someone snooping on their conversation, accessing their financial information, falling victim to malware, and more.
If you’re a business owner, consider the damage unsecured email may cause. A phishing email or downloaded malware could be the foothold a cybercriminal needs to hold your business for ransom, steal confidential information, and more.
Further, if your business, like many others, now relies more on hybrid or fully remote work, or has adopted BYOD (bring your own device) policies, you’re more exposed than before.
Fortunately, Microsoft Outlook provides robust tools to strengthen your email security. But before you start exploring and training your employees to use them, it’s critical to ensure you have the appropriate email policies. Ensure your employees know when they must send secure emails and that they will be held accountable for not doing so.
Microsoft 365 has two built-in tools for email encryption. Encrypting an email translates it into indecipherable text that only the appropriate recipient can decipher (or decrypt), read, and access.
Outlook 365 offers users both Microsoft 365 Message Encryption and S/MIME encryption. The former is fairly simple to use. When you want to encrypt an email using Microsoft 365 Message Encryption, you’ll choose Properties from the File tab in Outlook. From there, select Security Settings, and check Encrypt message contents and attachments. After you do so, send your message. You can also choose the Options tab, then Encrypt, then select the Encrypt-only option before sending.
You can also choose to encrypt all your messages by default. You’ll need to choose Options from File, then Trust Center, then Trust Center Settings. In the resulting dialog box, you’ll find Encrypted email under the Email security tab. Check Encrypt contents and attachments for outgoing messages here, then close.
Microsoft 365 also uses Azure Information Protection (AIP) to help you protect emails in other ways. Using webmail, you can choose Encrypt under the Options tab in Outlook and choose the permissions to apply to your email. You’ll see several besides Encrypt-only, including Do Not Forward, Confidential All Employees, and Highly Confidential All Employees. You can also find these options in the Outlook application by selecting Protect in a new email you’ve started. You’ll see that Do Not Forward is chosen by default, though you can choose another option by selecting Change Permissions.
Choosing Do Not Forward will not only encrypt your email but will also prevent its recipients from forwarding or printing it. When you select Confidential All Employees, your email will be encrypted, protected from printing or forwarding, and protected from viewing by recipients outside your organization. And when you choose Highly Confidential All Employees, your message will enjoy the protections of a Confidential All Employees email and will further not allow recipients to reply to it.
When a recipient receives your email, they’ll be asked to verify their identity by signing back into their email account or using a one-time passcode pushed to them. Once they’ve been authenticated, the recipient will see the email but will have restrictions on what they can do with it or, in some cases, what they can see.
When you train your employees to use these options, you’re ensuring they can safeguard the sensitive business information they email. These options can greatly mitigate the risk of third-party snooping and accidental distribution of confidential data outside the organization as well as to those inside it who don’t need to see it.
Microsoft 365 also supports S/MIME encryption. However, to use this encryption type, your recipient must also use an email application that supports S/MIME. You’ll also need to enable it before you can use it.
To do so, you’ll select Options from File, then select Trust Center, then Trust Center Settings. From here, choose Email Security, then Settings, which is found under Encrypted email. Under Certificates and Algorithms, select Choose to pick your S/MIME certificate. Click OK to enable it.
Once enabled, you’ll encrypt your email with S/MIME by opening a message, selecting Options, then Encrypt, and finally, Encrypt with S/MIME. You should note this option works with individual emails, but for mass emails, you’ll want to use Microsoft 365 Message Encryption or a trusted third-party encryption provider.
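As an added example (not code from the original article), here is a small Python check that classifies a saved message by how it was protected: S/MIME enveloped data (encrypted), S/MIME signed only, rights-managed (the Do Not Forward and Confidential options above), or plaintext, and flags messages whose subject is marked confidential but that left the mailbox unprotected. The sample messages are constructed; the wrapper shape for rights-managed mail (a message.rpmsg attachment) is an assumption about Outlook's output.

```python
from email import message_from_string

# Constructed sample messages (not real mail); encoded bodies are placeholders.
SMIME_ENCRYPTED = """\
From: alice@example.com
Subject: Q3 payroll file
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"

MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=
"""
# Assumed wrapper of an Outlook rights-managed message: a message.rpmsg attachment.
RIGHTS_MANAGED = """\
From: alice@example.com
Subject: Confidential board notes
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/x-microsoft-rpmsg-message; name="message.rpmsg"

AAAAAA==
--b1--
"""
PLAINTEXT = """\
From: alice@example.com
Subject: Confidential: customer bank details
Content-Type: text/plain

Account 12345678, sort code 00-00-00
"""

def classify_protection(raw):
    # Returns 'smime-encrypted', 'smime-signed', 'smime-other', 'rights-managed' or 'plaintext'
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    smime_type = (msg.get_param("smime-type") or "").lower()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # RFC 8551: enveloped-data is encrypted; signed-data is only signed
        if smime_type == "enveloped-data":
            return "smime-encrypted"
        return "smime-signed" if smime_type == "signed-data" else "smime-other"
    if ctype == "multipart/signed":
        return "smime-signed"  # clear-signed: content is readable in transit
    for part in msg.walk():
        if (part.get_content_type() == "application/x-microsoft-rpmsg-message"
                or (part.get_filename() or "").lower() == "message.rpmsg"):
            return "rights-managed"
    return "plaintext"

def unprotected_sensitive(raw, markers=("confidential",)):
    # True when the subject carries a sensitivity marker but the message is unprotected
    subject = (message_from_string(raw).get("Subject") or "").lower()
    return classify_protection(raw) == "plaintext" and any(m in subject for m in markers)
```

Run the check over exported .eml files from a sent-items review to find sensitive mail that bypassed the policy.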
You can use other encryption plugins, like PGP (Pretty Good Privacy), but you’ll want your IT staff to vet them thoroughly before using them. You should also note that the levels of support for these plugins vary and that they’re typically ideal for individual, rather than mass, emails.
You also may wish to consider a third-party secure email application. There are also plenty of these on the market, with freemium pricing models allowing you to test them before you commit. With these services, make sure you fully understand their capabilities and limitations. Some providers use encryption standards that only a small percentage of other email applications also use. If you’re not careful, you could use a service that sends emails that you can’t open with Outlook.
Overall, Microsoft 365 Message Encryption and S/MIME encryption provide great protection for businesses. You’ll significantly mitigate your email-related security risk when you require that your employees send secure emails to share sensitive information. Ensure you implement secure email policies in tandem with other best practices, such as strong firewalls, rigorous access controls, zero-trust architecture, and employee cyber awareness training.