Stay safe on email
Stay safe on email
Copying an inappropriate or deeply personal email to a senior member of staff or a group of unfamiliar colleagues by mistake can be embarrassing enough. But if you send unencrypted confidential documents to the wrong people, resulting in a serious security breach, you could quickly land yourself and your employer in very hot water indeed. Make sure you’re not the one who messes up by following our easy guide to staying safe on email.
At a glance
- Password-protect and encrypt confidential documents before sending.
- Send the password to the recipient by other means than email.
- Always double-check exactly who you are sending sensitive information to.
- Use 'bcc' when sending emails to large groups or mailing lists.
- Protect your email account from malware and phishing.
Anyone sending confidential documents by email without encrypting them first is asking for trouble, because documents can be:
- Read if someone gets access to your email account (for example, through phishing).
- Sent accidentally to the wrong people.
- Forwarded to anyone without your knowledge.
- Intercepted en route to the recipient by criminal hackers.
Email is still the go-to method of online communication for millions of people, because it's easy to use and incredibly useful. On the downside, however, it's not particularly secure. If you are sending sensitive documents, it's essential that you encrypt them first. Here's how:
- Choose the right tool to encrypt your documents. The most recent versions of Microsoft Office, Adobe Acrobat and Nuance Power PDF (in fact, going back as far as Office 2007 and Acrobat Pro 7.0) have built-in encryption and password-protection of documents which is secure enough for general use. However, please note that for Office documents you must use the newer "docx" and "xlsx" formats - the old "doc" and "xls" files formats are not secure, even when password encrypted.
- If you want to encrypt multiple files, free tools such as 7-Zip and Keka can be used to compress and password-protect files and folders ready to send by email.
- Whichever tool you use, the important thing is that it uses the industry standard AES 256.
- Your encrypted file is only as safe as your password, so make sure it's a strong one. Password advice here
For a full demonstration of how to encrypt files using common software, watch our on-line training videos.
As well as encrypting your document behind a password, it's important that you share the password in a safe way with the intended recipient(s). This means sharing it using a method other than email (if your email has been compromised, sending the password to unlock a password-protected file in the same or a separate email isn't going to help).
Sharing the password by phone, text message or in person are all more secure than email provided you take reasonable steps to make sure you call the correct number or know who you should be speaking to.
If you are sharing documents with someone on a regular basis, you could also set up shared passwords in advance. If you set up a single shared password to be used multiple times this should be changed frequently (on, say, a monthly basis).
Firing an email off to the wrong person or people is all too easily done. At risk of stating the blindingly obvious, you need to know who you are sending it to. Here's how:
- Check the 'to' field carefully. Organisational address books may contain several people with the same or similar names. You need to review names individually in case the auto-complete feature has inserted the wrong contact.
- Don't send to group emails and mailing lists without regularly reviewing who is on them.
- If you are the administrator of a mailing list, make sure only authorised people have permission to post to your list.
- If you are sending to a lot of people at once, email the message to yourself and 'bcc' (blind carbon copy) all your recipients. This is good practice on two fronts: the recipients will not be able to reply to all the other recipients (potentially publicising and exacerbating your mistake), and you don’t expose other people's email addresses.
If your account gets hacked, it won't be just one wayward email you have to worry about. Anyone with access to your account can see all the emails you've sent and stored and send them to anyone they want. See our pages on malware and phishing to find out more about how you may be the target of online fraud and what to do about it. And here's a link to more general information about protecting your online accounts.
And one final word of warning: never write down anything in an email you wouldn't be happy to have made public, because much of what you write at work is disclosable by law. Be mindful that people can make a ‘'subject access request' to see emails that make personal reference to them. And since the University is defined as a public body, Freedom of Information requests can also be made to access emails and other communications.
There's not much you can do to retract an email once it's sent, but if you've disclosed information you wish you hadn't, there are things you may be able to do to prevent your error from escalating. Depending on the circumstances, one or more of the following may help:
- Apologise/own up to your manager and the intended recipients of the email. They may be able to help limit the damage.
- Warn the unintended recipients of the email as soon as possible and ask them politely not to read or pass on the information, and delete it straight away.
- Contact the University's Data Protection team as soon as possible if you have unintentionally shared the personal data of others.
- Contact your local IT support staff to see if there is anything they can do to help.
- Get in touch with your local press office if you think the breach might be serious enough to generate negative publicity.