Woman using Outlook to send confidential data
Article
6 min

Should You Use Outlook to Send Confidential Data?

Email is a quick and simple way to exchange documents containing confidential information. But should you send confidential data using a standard email client like Outlook? Is Outlook Secure Enough?

The short answer is no.

You should never send sensitive information in an unprotected email using Outlook.

Email was not designed with security in mind.

Messages are left open to risk at several points in their journey.

You should assume that anyone can intercept or manipulate emails sent unprotected.

If you don’t secure your email, you should act as though anyone could intercept or manipulate it on its journey.

When sending confidential data over Outlook, there are a number of steps you can take to heighten the security of that data.

Depending on the level of security you need, there are various options.

As a writer and researcher in cybersecurity, I've spent countless hours studying email security and its vulnerabilities.

Let me share what you need to consider when sending confidential email data using Microsoft Outlook.

"Encryption is essential in protecting sensitive data, but it's just one piece of the puzzle. A layered approach to security ensures better protection against modern cyber threats."

Mike Wakefield, CTO, Beyond Encryption

1. Use Encryption

The most important step you can take to protect confidential data is to use email encryption.

Encryption scrambles the data so that it cannot be read by anyone who does not have the key.

However, it's important to note that not all encryption types offer the same level of security.

Encrypting an Email in Outlook

TLS (Transport Layer Security) encryption is used for all Outlook emails, but is not considered secure enough for sensitive information.

Outlook encrypt button

You can use additional encryption types to send a secure email in Outlook. These are designed for the exchange of confidential data:

  • S/MIME Encryption. Available to all Outlook users, you can set up an S/MIME certificate to encrypt an email in Outlook.
  • Microsoft Purview Message Encryption (MPME). Available only to certain Microsoft 365 subscribers, MPME is more user-friendly for recipients and uses an advanced encryption standard.

Learn more about how to encrypt an email in Outlook.

Is Outlook's Encryption Secure?

The Microsoft team itself has made it clear that its email encryption methods are preventative only, not to be used as security barriers.

Businesses sending highly sensitive or personal customer data are required by the ICO (Information Commissioner's Office) to secure it.

A secure email solution can provide advanced encryption, recipient authentication, and audit capabilities for full protection.

Many of these solutions offer Outlook encryption add-ins that bring their security features to the navigation bar in your inbox.

"A strong password is your first line of defence. Using a password manager ensures your credentials stay unique and secure."

Adam Byford, CCO, Beyond Encryption

2. Use Strong Passwords

When setting up your email account (or your encryption), it is important to use strong passwords.

Strong passwords are at least 12 characters long and include a mix of upper and lowercase letters, numbers, and symbols.

Create strong unique passwords

In addition to creating robust passwords, it's crucial to avoid reusing passwords across different accounts.

Using unique passwords can significantly reduce the risk of security breaches, especially in the event one of your accounts is compromised.

If you are sending confidential business data, it is vital these practices are in place for individual and administrator accounts.

Tip. Use a password manager to store your passwords. This will help you to create strong, unique passwords without having to remember them. Many password managers are available for free.

3. Check Recipient Emails

Only send confidential data to people you trust. Before sending the message, take a moment to check the recipient's email address.

You can do this by hovering over the email address to see if it is a valid address in the correct structure with the correct spelling.

Hover over an email address to check it

Regardless of how careful you are, you could still email the wrong person. In fact, it's the number one cause of data breaches.

That's why businesses use email recipient authentication to make sure highly confidential emails can only be accessed by the right people.

4. Recall Misfired Emails

If you send information to the wrong person, you need a way to retract it.

Outlook offers some recall features that allow you to retrieve messages sent in error. However, there are a few limitations:

  • The recipient must use Outlook.
  • The email must be unopened.
  • A recipient's spam filters can interrupt the process.

Recalling An Email In Outlook Email Client-1

Obviously, if you're sending highly sensitive information, you cannot rely on these native email recall features.

To make sure you can always retract sensitive emails, you will need a more advanced solution such as our own Outlook add-in.

5. Enable Account 2FA

Enabling two-factor authentication for your Outlook account means you can only sign in with your password after verifying access to a secondary device, such as your smartphone.

This security measure significantly reduces the chance of an inbox takeover (it protects against 99.9% of automated attacks, approximately 72% in the U.K.).

Using two-factor authentication blocks 99.9 of automated login attacks

It is a simple but effective measure you can take to make sure you are the only person with access to confidential data in your account.

Again, if you're handling sensitive data, two-factor authentication should be enabled for all accounts, especially administrators.

Importance of Data Classification

Before diving into email security, it's important to consider data classification. This process involves identifying different levels of sensitivity for the information you handle. Imagine customer credit card details compared to a company newsletter. Classifying your data helps determine the most appropriate security measures for each type. Highly sensitive data might require additional security beyond encryption, such as access restrictions or digital rights management (DRM) tools.

Data classification helps prioritise your security efforts. By classifying your data, you can make sure that the most valuable information receives the strongest protection. Let's say you're sending a document containing trade secrets. Encryption is crucial, but you might also consider restricting access within your organisation to those who genuinely need it. Data classification helps you identify these additional steps and makes sure a well-rounded security approach is in place.

6. Know the Risks

No matter how careful you are, there will be risks that data could be leaked or intercepted, and there are always new risks arising.

If you regularly send confidential data using Outlook, it is important to be aware of the risks so you can be vigilant.

For businesses, it is particularly important that employees are regularly trained to keep them up-to-date with new threats.

Additional risks to be aware of include:

Phishing Scams

Phishing scams are emails that are designed to trick you into giving away your personal information.

Do not click on links or open attachments from emails that you do not trust or from people you do not trust.

Malware

Malware is software that can be used to steal your data, monitor your activity, or damage your computer.

Be careful about the sites you visit and the files you download from incoming emails.

Inbox Attacks

Inbox takeover attacks happen when hackers unlawfully breach your email account, gaining access to your private communications.

You should always protect sensitive emails with authentication, creating an additional barrier in case an inbox is compromised.

Sending Confidential Data?

Use encryption, strong passwords, and if you're a business sending highly confidential data, use a secure email service.

You'll never protect against every eventuality, but you can make it very difficult for anyone to compromise your data.

By following the tips in this post, you vastly enhance the security of your confidential data when using Outlook.

Just email it (securely)! CTA

 

References

Microsoft 365 Secure Email vs Mailock: A Comparison, Beyond Encryption, 2024

Microsoft 365 Secure Email vs Mailock: A Comparison, The Register, 2022

Security Requirements, Information Commissioner's Office, 2024

How to Encrypt an Email in Outlook, Beyond Encryption, 2024

Data Security: An Analysis of the Latest ICO Findings, Beyond Encryption, 2023

How to Recall an Email in Outlook, Beyond Encryption, 2024

One Simple Action You Can Take to Prevent 99.9 Percent of Account Attacks, Microsoft, 2019

Reviewed by

Sabrina McClune, 20.12.24

Sam Kendall, 20.12.24

 

Originally posted on 06 10 21
Last updated on December 20, 2024

Posted by: Sabrina McClune

Sabrina McClune is a Women in Tech Excellence 2022 finalist who writes extensively on cybersecurity, digital transformation, data protection, and digital identity. With a postgraduate degree in Digital Marketing (Distinction) and a First-Class Honours degree in English, she combines a strong academic foundation with professional expertise. At Beyond Encryption, Sabrina develops research-led content that supports financial and technology sectors navigating the complexities of the digital age.

Return to listing