Mailing it safe: how to send secure emails in Outlook

Some 400 million users open Outlook to check their inbox every day. The email service is used by over a million businesses worldwide, with over 731,000 companies in the US alone. No wonder: many of them see it as a one-stop-shop for managing communication at work, whether it’s setting up meetings, finding more information about a contact, dialing into conference calls, or jumping onto online meetings.

But when it comes to enterprise email platforms, convenience is only half the story – if that. How to send secure emails in Outlook to protect the privacy of work-related messages is a question that weighs heavily on the minds of users and IT managers everywhere. In this mini-guide to Outlook message encryption, we’ll show you how to encrypt emails in Outlook, both the clunky and the easy ways.

Cybersecurity vs. Outlook: why use encrypted emails?

In a recent survey of 400 businesses, one in four said they’d suffered an email-related security breach. Human error causes a staggering 88% of data breach incidents, according to a 2019 joint study carried out by Stanford University Professor Jeff Hancock and security firm Tessian. In addition, nearly 50% of the employees surveyed stated that they were “very” or “pretty” sure they’d made an error at work that could have led to security issues at their company.

Just one such click can have dire consequences for employers, from loss of trust and revenue to civil suits and regulatory fines. In 2016, for example, an employee at global aerospace leader FACC received an email from company CEO Walter Stephan asking them to transfer money to an account for an acquisition project. Of course, no such project existed, nor did the message come from Stephan. With the employee being none the wiser, the “fake president incident” cost Stephan his job and FACC a hefty €50 million, plus an operating loss of €23.4 million for the 2015/16 financial year, Reuters reports.

Add misdirected emails to the mix, and CIOs have an even bigger headache on their hands. Tessian has found that an average of 800 company emails are sent to the wrong person in organizations with 1,000 employees during a single year. The 2018 data spillage that emanated from the US Marine Corps Forces Reserve is a prime example of the damage these rouge emails can cause. According to the Marine Corps Times, the personal information, including bank account numbers of more than 20,000 marines, sailors, and civilians, were leaked when an unencrypted email was sent to the wrong email distribution list by the Defense Travel System.

“Even if you never email sensitive information – social security numbers, banking info, business secrets, and so on – you should consider using encryption,” PC World’s Eric Geier advises. In the simplest terms, encrypting an email means disguising its content so no unwanted party can read it. In Outlook, encryption is done by converting messages from readable plain text into scrambled cipher text that only the recipient can decipher for reading. Email encryption is asynchronous, using the private and public key pairs of RSA encryption. Learn more about how those work in our previous blog.

Encrypting emails with S/MIME in Outlook – The clunky way

Outlook supports two encryption options. The first one is called S/MIME encryption, where S/MIME stands for Secure/Multipurpose Internet Mail Extensions. It’s a widely accepted protocol for sending digitally signed and encrypted messages, which requires both the sender and recipient to have a mail application that supports the S/MIME standard.

Digital signatures verify that a message was sent by the person or organization who claims to have sent the message. They prevent senders from disavowing message ownership and provide assurance that the original message was not altered in transit. Encryption ensures that the information exchanged cannot be read or understood in transit or in storage.

Remember that these capabilities only offer proper protection for messages at rest and in transit when used together. Messages with only a digital signature are sent in clear text, and anyone can read them. The same way as message encryption keeps content hidden from prying eyes but doesn’t authenticate the sender in any way.

Want to try it out? You can get started by setting up a certificate for each user in your organization. Don’t worry; it’s not easy. Then you have to add the S/MIME certificate to the keychain on each user’s computer and configure it in Outlook. Here’s how:

• Under the File menu, select Options > Trust Center > Trust Center Settings.
• On the left, choose Email Security, then under Encrypted email, select Settings.
• Under Certificates and Algorithms, click Choose, select S/MIME certificate, and hit OK.
• Finish composing your email and click Send.

How Outlook email encryption works – Microsoft 365 Message Encryption

The second method for sending secure emails in Outlook is using Microsoft 365 Message Encryption, an online service built on Microsoft Azure Rights Management (Azure RMS) and available to Office 365 Enterprise E3 license holders. Including encryption, identity, and authorization policies all at once, it allows users to encrypt messages by using rights management templates, the Do Not Forward option, and the encrypt-only option. Admins can also define mail flow rules to secure messages, including rules requiring the encryption of all messages sent to a certain recipient or those containing specific words in the subject.

When someone sends an email message that matches an encryption mail flow rule, the message is encrypted before it’s sent. Microsoft 365 end-users with Outlook clients can open and read encrypted messages directly from their Outlook desktop, Outlook Mac, Outlook mobile on iOS and Android apps, or Outlook on the web. Recipients who receive encrypted or rights-protected mail sent to their non-business accounts, for example, Gmail, can do so through a dedicated portal called Office 365 Message Encryption(OME), following authentication using a Microsoft account, Gmail, or Yahoo credentials.

Encrypting a single message? Here’s what you should do.

• In the message, click File > Properties.
• Go to Security Settings and select the Encrypt message contents and attachments check box.
• Finish writing your message, and then hit Send.

Alternatively, you can encrypt all outgoing messages by default by following the steps below.

• On the File tab, select Options >Trust Center > Trust Center Settings.
• On the Email Security tab, under Encrypted email, choose the Encrypt contents and attachments for outgoing messages check box.
• Click Settings to change additional settings, such as choosing a specific certificate to use.

Outlook email security: how safe is safe enough?

International industry standards, such as TISAX in the automotive industry, are increasingly pushing email encryption into the mainstream. In the long run, every company will have to take steps to secure their email communications. The uncomfortable truth is that email was not designed to be secure. As a result, outlook email security is difficult to roll out and use or limited to users with pricy enterprise-tier Microsoft accounts.

Even if your teams get past the difficulty of setting everything up correctly, using encrypted emails is not the seamless experience it should be. With all the settings available, senders can get things wrong and send messages with the wrong security measures. In addition, recipients still need to jump through several hoops to access an encrypted message. For example, their organization may block third-party links. Unfortunately, that’s if they even see the message because encrypted messages often get sent straight to the spam folder. Sadly, even with everything set up correctly, organizations still lose control of their emails once sent. For example, they cannot revoke them if a recipient was included incorrectly.

At Tresorit, we help everyone take back control of their digital valuables. That’s why we’ve created our email encryption solution, which allows you to encrypt your message, subject line, and attachments with a single click. Access controls will even allow you to revoke access to an email once it’s left your organization, and most importantly, a single Outlook plug-in is all you need. No new workflows, no clunky setup, and recipients will access messages easily regardless of the email provider they use.

Learn more about Tresorit email encryption, available for the Microsoft Outlook client, and begin securing your digital communication.