Email Encryption: What, Why and How?

Have you ever sent someone a password in an email? Chances are your answer is yes. We all know that sending an email is inherently insecure, but we do it anyway in the interest of expediency and ease. When an email traverses the internet, it is often not encrypted end to end, and any server it passes through may be able to read its contents. If any one of those middlemen has malware on it, then that malware could be analyzing emails for credentials and sending what it finds to bad actors. Once they have your password, only Multi-Factor Authentication and other advanced authentication security systems can save you.

Better to avoid this, right? But then how do you get passwords, credit card numbers, other sensitive, confidential, or otherwise private information from one person to the next? Messaging apps utilizing end-to-end encryption would be one secure method. However, you and the other person must be using the same app and you would also need to know how to find each other on it, which is time-consuming, cumbersome, and not particularly practical.

Another less secure, but generally acceptable, method is to send one part of the credentials, such as the username, by one channel and the password by another. You could email the username and then send the password in a text message. The problem here is that potentially none of the data is encrypted; however, separating the channels makes matching the two pieces up more difficult. The hope is that a hacker would intercept only one transmission and not both, so your credentials would still be partially protected. This method is not preferable, but it is better than emailing alone.

Providing credentials verbally over the phone poses its own problems. You can mishear someone and enter a typo, even if the person spells it out. Also, in providing confidential information verbally there is the risk that someone might overhear you, or, if the person you are calling has you on speaker, then someone else there might be able to overhear you. This method is only reasonably secure when both ends of the line are in private and secure locations.

Considering all this, it’s no wonder so many people just give up and send credentials over email! But fear not, there is hope in the form of email encryption. We here at Vermont Panurgy have tested and utilized a few different email encryption systems, and one of our favorites has turned out to be Microsoft Purview Message Encryption. We already use Exchange Online and Outlook for our email system, and since all Microsoft 365 licensing that includes Exchange Online also includes basic email encryption functionality, this option was already included for us; we just needed to enable it.

Enabling message encryption through Microsoft Purview is quite straightforward, and the default template allows for several different encryption options. You can set an email to be encrypted-only, disable forwarding, or mark it confidential so it can only be opened by internal recipients. Once an email has been marked as encrypted, that encryption becomes baked in and all replies, forwards, etc., will stay encrypted as well.

One of the most useful benefits of this particular encryption tool is its integration into Outlook. Any recipient of an encrypted email who is using Outlook, whether via the browser, the mobile app or the desktop app, and whose organization has encryption enabled, can receive and open the email right there in Outlook without having to enter any additional authentication. A little lock icon next to the email in the message list, as well as a note at the top of the opened email, indicates the encryption level, but other than that, it reads just like any other email. It even works with external contacts, provided the recipients have also enabled encryption in their Exchange Online system.

For recipients who are not using Outlook with Exchange Online, Microsoft’s encryption system forms what is called a “wrapper” email, which is an email that contains a link to open the encrypted message in a browser. To open it, the recipient either logs in with their Microsoft 365 account or requests a one-time passcode, which is sent to them in a separate message and which they can then use to access the encrypted email. This is very similar in function to most other email encryption products out there.

Once email encryption is activated in your organization, the template can be customized to include your business logo, introductory text, disclaimer text, even the background color of the wrapper email messages and portal. You can also create rules to automatically encrypt messages that meet certain criteria, such as sender or recipient email address, words in the subject line, etc. You can even create a rule to automatically encrypt emails where either the email or its attachment contains certain data types, such as credit card numbers, passport numbers or social security numbers. Impressive!
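The enablement, wrapper branding and automatic-encryption rules described above can also be done from Exchange Online PowerShell rather than the admin portal. The script below is an added example written for this article; it is not code from Vermont Panurgy or from Microsoft's documentation. It uses the ExchangeOnlineManagement module's cmdlets (Connect-ExchangeOnline, Get-/Set-IRMConfiguration, Test-IRMConfiguration, Set-OMEConfiguration, New-TransportRule). The admin and sender addresses, the logo path, the rule names, the branding text and the background color are placeholders to replace with your own values.

```powershell
# Added example, not from the original article. Placeholders: admin@example.com,
# sender@example.com, C:\branding\logo.png, rule names, branding text, color.

# Connect to Exchange Online PowerShell (interactive sign-in).
Connect-ExchangeOnline -UserPrincipalName admin@example.com

# 1. Make sure the tenant can use Azure Rights Management, which backs
#    Purview Message Encryption; turn it on if it is not already.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
}

# Confirm that a real mailbox can apply protection end to end.
Test-IRMConfiguration -Sender sender@example.com

# 2. Brand the "wrapper" email and the reading portal that non-Outlook
#    recipients see: logo, introductory text, disclaimer, background color,
#    and keep the one-time passcode sign-in option available to them.
$logo = [System.IO.File]::ReadAllBytes("C:\branding\logo.png")   # placeholder path
Set-OMEConfiguration -Identity "OME Configuration" `
    -Image $logo `
    -IntroductionText "has sent you a protected message." `
    -DisclaimerText "This message is intended only for the named recipient." `
    -BackgroundColor "#0A3D62" `
    -OTPEnabled $true

# 3. Automatically encrypt mail leaving the organization when the body or an
#    attachment contains built-in sensitive information types.
New-TransportRule -Name "Encrypt outbound mail with financial or ID numbers" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(
        @{ Name = "Credit Card Number";                 MinCount = "1" },
        @{ Name = "U.S. Social Security Number (SSN)";  MinCount = "1" },
        @{ Name = "U.S. / U.K. Passport Number";        MinCount = "1" }
    ) `
    -ApplyRightsProtectionTemplate "Encrypt"

# 4. Let senders opt in by tagging the subject line; "Do Not Forward" is the
#    other built-in template if forwarding should also be blocked.
New-TransportRule -Name "Encrypt on [secure] subject tag" `
    -SubjectContainsWords "[secure]" `
    -ApplyRightsProtectionTemplate "Encrypt"

# Review which mail flow rules currently apply a protection template.
Get-TransportRule |
    Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Name, Priority, State
```

Run Test-IRMConfiguration before creating the rules: if it reports a failure, the rules will be created but messages matching them will be deferred rather than delivered, which is the kind of silent outage that is easy to miss until users complain. Keep the sensitive-information rule scoped to external recipients unless you also want internal mail encrypted, and review Get-TransportRule output after any change so that rule priority does not let a broader rule pre-empt the encryption rule.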

With such power and protection through such a seemingly simple little “Encrypt” button in Outlook, any organization that has its email system in Exchange Online should have this functionality enabled and customized to meet their needs. If your organization would like some help with this, contact Vermont Panurgy today!