Email Security

Recently, I have been asked a lot of questions about email and email security. The simple answer to the question, “Should you be sending sensitive documents to other people via email” is no, email is not secure. It’s true that email is not secure; however, there are steps one can take to make it more secure. Before we go any further, I want to say that I believe that in most cases using a secure document sharing platform is a much better solution for securing attachments and data that may need to be shared with clients. If you must send data via email then read the rest of the article to find out what needs to happen before your email can be secured.

Securing an email requires that it be encrypted before it is sent then decrypted on the machine it will be opened on. To do this, you need a certificate with which to sign and encrypt email messages. Companies like Thawte and Comodo have SSL certificate products both free and for a small fee that will allow users to encrypt email from their email client, Outlook for example. Purchasing a certificate is different for each vendor, but in general you create an account when you purchase the certificate, log in, and download the certificate file. Once you have the certificate file, find it on your computer and double click it. A certificate import wizard will launch. Follow the instructions. Depending on the certificate, there may be specific steps you need to follow that will be provided to you by the vendor you purchased your certificate from. When finished importing the certificate into Windows, you will be able to import the certificate into Outlook. Open Outlook and click File, then Options, and Trust Center. Click the Trust Center Settings button then click E-mail Security. Select Add Digital Signature to Outgoing Messages. This will add the public portion of your signature to every email you send out so the recipient can add it to their contact info. The recipient need this signature to decrypt encrypted messages you send to them in the future. Next select Send clear text signed messages when sending signed messages This allows the recipients to read signed messages so they can import your certificate. DO NOT select Encrypt contents and attachments for outgoing messages. This will encrypt everything you send out which may cause issues for your recipients for whom you may not have a certificate for. Next click Settings and click choose next to Signing Certificate. Select your certificate from the list and click OK. Select the hash algorithm which will be SHA1. Now click Choose next to Encryption Certificate and select your certificate from the list and click OK. Choose the Encryption Algorithm, 3DES or AES 256-BIT. You should now be able to send signed email messages and receive encrypted messages from people with your public certificate. For you to send an encrypted message, your recipient will have to set up a certificate for themself and send you a message signed with their public certificate. You can save their contact info by right clicking their email address. This will save their certificate as well so that you can send them encrypted messages in the future.

As you can see, securing email is no trivial task to set up and it requires setup by both parties in order to encrypt messages both ways. Once it is set up however, all you need to do is tell Outlook to encrypt the message you are sending and Outlook takes care of the rest. I would also recommend that any attachments with sensitive information be password protected and encrypted before they are attached to an email and sent to add another layer of protection if possible. I still stand by the recommendation that a secure document sharing site is a better solution to sharing sensitive data with parties outside your business and recommend that no email be sent containing any personal or sensitive information written its text.