Stay safe on email

Copying an inappropriate or deeply personal email to a senior colleague or group of unfamiliar co-workers can be embarrassing enough. But if you send unencrypted confidential documents to the wrong people you could cause a serious security breach. 

At a glance

 Password-protect and encrypt confidential documents before sending

 Send the password to the recipient by means other than email

 Always double-check exactly who you're emailing

 Use 'BCC’ when sending emails to large groups or mailing lists

 Protect your email account from malware and phishing

 
AT OXFORD

Sharing documents via email

Most people use email for sharing documents with colleagues inside and outside of the University. Email is not the most secure form of communication, the main risks to data come from people getting access to your account, or from sending data to the wrong people. While the University email will be safe to use in most cases, there are several steps you can take to enhance security: 

  • Double check the email address before sending;  
  • Use ‘Bcc’ when sending bulk emails or use a properly configured mailing list;  
  • Seek help from your IT team if you’re in doubt about security settings. 

If you’re sending confidential data, you need to take extra precautions, such as using password protection. Be sure to share passwords by an alternative method to email, e.g. phone or SMS. Alternatively find another way to share the information. 

Sending confidential documents securely by email

 

Good

  • Use password protection to encrypt confidential documents before sending

Better

  • Use an alternative solution such as SharePoint
  • Set appropriate access controls so that only the recipient has access

Best

  • Encrypt the entire email content using MFA protected accounts (which  everyone in the University should have) . Microsoft 365 Message Encryption is probably the best option for most users (provided they're on an E3 licence).  

Alternate solutions to sharing via email

Features to consider/Solution SharePoint Nexus365 OneDrive for Business
Alerts sent on access to documents Yes Yes
Authentication required to access Yes (SSO) Yes (SSO)
Documents accessible to external users No Yes
Documents encrypted in transit Yes Yes
Expiry for document sharing No Yes
Geographical location of data UK Datacentres UK Datacentres
Granular access controls Yes Yes
Secure data centre Certified to industry good practice

Certified to industry good practice
Storage Capacity 1TB per site 1GB per user
Two-factor authentication available Yes No
Version history Yes Yes

 

Key Considerations:

Multi-Factor Authentication (MFA): Both SharePoint Online and OneDrive for Business are integrated with MFA, providing an additional layer of security to protect your account and documents. 

Granular access: You can control who has access to specific files or folders, set expiration dates for sharing links, and monitor activity on shared files through alerts. 

External sharing: Both platforms allow external sharing with appropriate permissions, making it easier to collaborate with partners outside the University while maintaining security. 

Recommendations: 

For internal sharing, use SharePoint Online to centralize document management with robust collaboration features. 

For external sharing, ensure external users have authenticated access, and consider setting expiration dates for access links. 

Always ensure that MFA is enabled on your University account to safeguard against unauthorized access. 

THE BASICS

Never email important files unprotected 

If you send confidential documents by email without encrypting them first, they could be:

  • Read by someone who accesses your email account (for example, through phishing)
  • Sent accidentally to the wrong people
  • Forwarded to anyone without your knowledge
  • Intercepted en route to the recipient by threat actors (individuals or groups that perform malicious acts against a person or organisation)

Why is automatic email forwarding to external email addresses a problem?

From 1 August 2023, the indiscriminate  forwarding or routing of email from a University email address to an external, non-University of Oxford, account will no longer be allowed, except in exceptional circumstances.  You will still be able to forward individual emails to external email accounts.  You may also create one or more rules in Outlook on the Web to forward a subset of emails, for example based on sender, to an external email address. Forwarding of emails to external accounts should be in line with the University’s Data Protection Policy.

  1. It’s a significant security risk: when you set all your email to forward to an external email address, you are circumventing the protections put in place to prevent our accounts being compromised, such as strong password rules and MFA (multi-factor authentication). This potentially enables unauthorised access to confidential University data because it could be much easier for hackers to break into your private email account than your Oxford University account. 
  2. It’s a major personal data handling risk: if all your emails are being forwarded out of the University, you might unintentionally be forwarding emails that contain internal or confidential data - for example, a commercial contract with a research sponsor or personally sensitive correspondence from a colleague or student . Oxford University has a legal obligation, as the data controller, to manage how our personal data is shared and it can’t do that if it’s being sent to external email providers. 
  3. There’s a reputational risk that all our email will be marked as spam: when you forward all your email to an external email provider, junk mail and spam may also be forwarded. This can result in external email providers’ spam filters thinking that legitimate email from Oxford University is also spam. This could be cause problems when, for example, you are communicating with applicants or external participants in research projects. 
  4. It can result in an accidental breach of contract: There are recent examples of research sponsors and collaborators taking a dim view of receiving a response from a non -University of Oxford email account. All institutions are improving their security and have expectations that we will do the same. Data sharing agreements may include expectations around the handling of data. A reply from a non-University account could amount to a breach of contract. 
     

How to send secure documents by email

If you are sending sensitive documents, it's essential that you encrypt them first. Here's how:

Choose the right tool. The most recent versions of Microsoft Office, Adobe Acrobat and Nuance Power PDF have built-in encryption and password-protection. For Office documents, use the newer "docx" and "xlsx" formats. 

If you want to encrypt and password-protect multiple files and folders, use free tools such as 7-Zip and Keka.

Whichever tool you use, the important thing is that it uses the industry standard AES 256.

Your encrypted file is only as safe as your password, so make sure it's a strong one

Sharing encryption passwords safely

As well as encrypting your document behind a password, it's important to share the password safely. Sharing the password by phone, text message or in person are all more secure than email, provided you take reasonable steps to make sure you call the correct number or know who you should be speaking to. If you are sharing documents with someone on a regular basis, you could set up a shared password in advance and update it on, say, a monthly basis.

Keeping emails out of the wrong hands

Firing an email off to the wrong person or people is all too easily done. You need to know who you are sending it to. 

  • Check the 'to' field carefully. Organisational address books may contain several people with the same or similar names.
  • Don't send to group emails and mailing lists without regularly reviewing who is on them.
  • Make sure only authorised people have permission to post, if you are the administrator of a mailing list.
  • Email the message to yourself and BCC your recipients. This means they will not be able to reply all (potentially publicising your mistake), and you don’t expose other people's email addresses.

Other email risks to avoid

If your account gets hacked, it won't be just one wayward email you have to worry about. Anyone with access to your account can see all the emails you've sent and stored, and send them to anyone they want. See our pages on malware,  phishing and protecting your online accounts for more information on how you may be the target of online fraud and what to do about it.