Email addresses are regularly compromised. According to Help Net Security, 83% of businesses suffered an email data breach in 2021. Surfshark reports 5.5 million email addresses are leaked per day.
Email is the most widely used team communication platform. However, it is not a secure platform for storing or sending sensitive info. Most of us use our business email to send everything – from routine messages to important documents. We even send passwords and personal info.
Think of how much data is in your email right now. How many months or years of emails are sitting in your old Yahoo Mail account? Is there anything in your email you wouldn’t want a hacker to find? Nobody wants someone else snooping on their messages. What should you never send over business email, and what are the best email alternatives if email isn’t a safe option?
Email accounts are lucrative for hackers because of the wealth of information that’s inside. Our emails are a treasure chest filled with contact details, attachments, messages and more.
Depending on your settings, your emails may never get deleted. That Netflix password you sent to your brother-in-law five years ago is still sitting comfortably in your Sent folder. If a hacker got access today, there’s nothing stopping them from seeing every email you’ve sent and received.
The following kinds of sensitive information should never be sent in an email: passwords, payment card data, personally identifiable information, and documents such as contracts, job applications and sensitive invoices.
Password sharing with coworkers is a common practice. In general, you shouldn’t share passwords. However, there are some instances where a single account needs to be used by multiple people.
For example, if multiple people manage your company’s social media, sharing the password with the team makes sense. The same is true if multiple people need access to project management software, bank accounts, or any other shared account.
Don’t send the password over email. Instead, use a password manager. Enterprise password managers like LastPass, Keeper and Dashlane all have advanced features like secure sharing options. This lets teams collaborate more securely.
Some can even send one-time, self-destructing messages, so a credential shared for a single use is not left sitting in an inbox.
The business versions of these tools also give administrators visibility into which passwords are shared and with whom, and can block sharing outside the company. That keeps shared passwords in the hands of the right people and makes a password manager a far better email alternative than a message in a Sent folder.
Sending and receiving credit card details over email can violate the Payment Card Industry Data Security Standard (PCI DSS). PCI compliance is required for businesses that accept card payments.
PCI DSS requires that a card number (PAN) be protected with strong cryptography whenever it is sent through end-user messaging such as email, and the card verification code (CVV) must not be stored after authorization at all, so it should never be emailed. By default, most email is not end-to-end encrypted: the TLS that mail servers use between themselves is opportunistic, and it protects nothing once the message is sitting in a mailbox. Anyone who intercepts the message or reads the mailbox sees the card data in plain text, with no encryption to break.
Despite the risks, some customers and small businesses send and accept credit cards over email. Hackers who breach email accounts could gain access to the credit card info sent and received from that address.
A better alternative is to request and submit payments through a secure website or payment platform. These use URLs that begin with https://, which means the connection is encrypted; it does not by itself mean the site is trustworthy, so check the domain as well.
Content filtering on the mail gateway or firewall should also be in place. It scans incoming and outgoing messages for patterns that look like card numbers and other sensitive data, and blocks those messages from being sent or received.
As a result, card numbers cannot enter or leave your network via email while the filter is active. Content filtering is a common feature of email security gateways and Next-Generation Firewalls.
Personally Identifiable Information (PII) should not be sent over email. Whether it is your own PII or your customers', sending information such as Social Security Numbers, dates of birth, home addresses and government ID numbers over email is risky.
Hackers can use some of this information, like Social Security Numbers, directly to commit identity theft. They can combine other information, like birthdays and mailing addresses, to identify and target individuals. Protecting customers' personally identifiable information is also part of keeping their trust.
A hacker can access attachments sent and received over email too. As a result, documents with sensitive information should not be sent over email either.
Sending an attachment creates a copy of the document for your recipient. Even if your own email is secure, your document can still be exposed if an attacker compromises your recipient's email account.
The recipient can also share their copy with anyone, so that the attachment you meant for one person could be distributed to anyone else. These attachments should not be sent over email.
Sensitive contracts, trade secrets, and confidential projects often live inside critical documents. Consider this example: You and your legal team spend days drafting a confidential contract for your client’s review. After all the effort making sure the proprietary information in the contract isn’t leaked, you send it for a signature over email.
Suddenly, your classified info is one breached email account away from being leaked to the world. You’re placing your faith in another organization to never get breached.
Some tools, like Data Loss Prevention (DLP) policies, are designed to stop this from happening. But DLP tools work only as well as they are configured. Most DLP technology depends on pattern rules, document fingerprints or classification labels that someone has to define and maintain, and some add machine learning to spot sensitive content leaving your environment. None of these are foolproof: a card number written with unusual separators, or a contract nobody labelled, can slip through.
Some 42% of IT professionals believe their DLP tools will fail to catch half of all data loss incidents. It’s better to catch the problem upstream and share confidential documents using more secure methods.
All job applications ask for sensitive information. Most require sensitive info like Social Security Numbers and addresses.
Many applications need to be reviewed by multiple people. It is common practice to email the application to the entire hiring committee. Applicants trust you to keep their information secure. But just one compromised inbox gives a hacker all the applicants’ personal details.
Job applications should be shared more securely. Applicant tracking systems are a good solution. They keep all applicant data in one place without the need to share over email.
For some businesses, the information on invoices isn’t sensitive. In those cases, it’s not particularly risky to send over email. Other invoices do have sensitive information, like medical bills or confidential pricing. These should not be sent as standard email attachments.
Purpose-built invoicing software offers security tools like encryption and invoice password protection that are more secure than standard email.
You can’t stop sharing documents altogether. Collaboration is the engine that drives every business. But if you shouldn’t be sharing sensitive documents as email attachments, how should you share them?
Shared storage means documents are saved where multiple people can access them. Shared storage drives are mapped to authorized users’ PCs, so they can access them through their file system.
Cloud applications like Sharepoint, OneDrive, and Google Drive also allow for shared storage. Users can access these anywhere on any device using only an internet connection. Some of these platforms also let you create groups of people who can access specific information.
In both cases, authorized users can access documents without needing to send attachments over email.
The above cloud applications let you create links to documents that expire. Using this method, you can send the link over email but set a time limit for how long it stays active. Prefer links that also require the recipient to sign in: an "anyone with the link" link is a bearer credential, and whoever holds it can open the document until it expires.
If a hacker breached the email account after the expiration date, the link would no longer work and the document would be inaccessible. Expiry is enforced by the service when the link is opened, so it does not recall a copy that was already downloaded.
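To show why an expired link is worthless to an attacker, here is an added example of how an expiring share link is generally built and checked: the server signs the document ID and an expiry time with a secret key, and refuses the link if either the signature or the time check fails. This is illustrative code written for this page, not the mechanism used by SharePoint, OneDrive or Google Drive, whose tokens are their own. The signing key, the host files.example.com, the document ID and the timestamps are all constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Server-side signing key; in practice this lives in a secrets store (constructed for this example).
SECRET_KEY = b"share-link-signing-key-for-this-example-only"
BASE_URL = "https://files.example.com/d/"   # hypothetical file-sharing host


def _signature(doc_id: str, exp: int, key: bytes) -> str:
    """HMAC-SHA256 over the document ID and expiry so neither can be changed by the link holder."""
    message = f"{doc_id}|{exp}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def make_share_link(doc_id: str, ttl_seconds: int, now: int, key: bytes = SECRET_KEY) -> str:
    """Create a link to doc_id that stops working ttl_seconds after `now` (a Unix timestamp)."""
    exp = now + ttl_seconds
    query = urlencode({"exp": exp, "sig": _signature(doc_id, exp, key)})
    return f"{BASE_URL}{doc_id}?{query}"


def verify_share_link(url: str, now: int, key: bytes = SECRET_KEY) -> tuple:
    """Return (True, doc_id) if the link is genuine and unexpired, else (False, reason)."""
    parsed = urlparse(url)
    doc_id = parsed.path.rsplit("/", 1)[-1]
    params = parse_qs(parsed.query)
    try:
        exp = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    # Check the signature first: a tampered expiry shows up as a bad signature, not as "valid".
    if not hmac.compare_digest(sig, _signature(doc_id, exp, key)):
        return False, "bad signature"
    if now >= exp:
        return False, "expired"
    return True, doc_id


# Constructed timeline: link issued at T0 with a one-hour lifetime.
T0 = 1_700_000_000
LINK = make_share_link("contract-draft-v3", 3600, T0)

if __name__ == "__main__":
    print(LINK)
    print("10 s later:", verify_share_link(LINK, T0 + 10))
    print("after expiry:", verify_share_link(LINK, T0 + 3601))
    tampered = LINK.replace(f"exp={T0 + 3600}", f"exp={T0 + 10 * 365 * 86400}")
    print("tampered expiry:", verify_share_link(tampered, T0 + 10))
```

Because the expiry is inside the signed data, an attacker who finds the link in an old inbox cannot simply edit the timestamp to bring it back to life; the only way to extend it is to have the server issue a new link.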
It’s unrealistic to abandon email. Despite the security risk, it’s a widely used, effective, and convenient communication platform. If we can’t abandon email, how can we make it more secure?
Enabling multi-factor authentication (MFA) for your business email is critical for protecting company inboxes. With MFA, users prove their identity with a username and password plus a second factor such as a code from an authenticator app, a hardware security key, or, as a weaker fallback, a text message code. Prefer the app or a security key over SMS: text codes can be intercepted or phished, and phishing-resistant methods such as FIDO2 security keys are the strongest option.
The second factor is typically required only on the first login from a device, so checking email does not become cumbersome once the device is known. MFA is one of the most effective single controls against an unauthorized user signing in with a stolen password, though a real-time phishing site that relays the code can still defeat one-time codes, which is why a second factor bound to the legitimate site is better still.
How to enable Multi-Factor Authentication for Microsoft 365 (Outlook)
How to enable Multi-Factor Authentication for Google Workspace (Gmail)
A hacker doesn't need access to an email account to read emails. Messages can also be intercepted in transit, and the TLS that most mail servers use between themselves is opportunistic, so it is not guaranteed on every hop. End-to-end encryption prevents this by encoding the message so that only the intended recipient can decipher it.
When a sender encrypts a message, an algorithm converts the contents into unintelligible text. Only the recipient, who holds the matching key, can decode it, and anyone who intercepts the message in transit or reads it out of a compromised mailbox sees only the unintelligible text.
Encryption is not necessary for day-to-day emails. For sensitive emails it does provide an extra layer of protection. However, you should try the other email alternatives in this post first, because an encrypted message still leaves a decrypted copy in the recipient's mailbox once they open it.
Outlook supports sending encrypted messages through Microsoft 365 message encryption and S/MIME. Gmail supports S/MIME for Google Workspace accounts and offers a separate "confidential mode" that sets an expiry and disables forwarding and downloading; confidential mode is an access restriction, not end-to-end encryption, so don't rely on it as such.
Migrating away from email is just one step on your cybersecurity journey. Our guide on How to Improve Cybersecurity is full of tips to improve your company’s cybersecurity posture. Not sure where to start? A LeeShanok Network Security Assessment will provide a snapshot of where you are and a roadmap to where you should be.