Topic:

HR Headaches: How Can I Send Sensitive Emails to Employees Securely?

January 7, 2022
HR Headaches: How Can I Send Sensitive Emails to Employees Securely?

Year-end results, performance reviews, and benefit packages updates all contain highly sensitive information — from company data to an individual's address. While transparency is critical to healthy workplace culture, communicating sensitive data should be confidential and safe. But how can you keep employee and business information from prying eyes? The fact is, hackers send 92% of malware programs through email. And the volume of fraudulent emails delivered to businesses increases 8% every year. Many of these scams look real to employees. Today, a malicious actor can pretend to be someone from your business to elicit information from employees, or even gain access to their email account. This is called a phishing attack, and they are extremely sophisticated. Sometimes, only small details, such as a typo in the footer or incorrect email provider, reveal that the email is fake. There are even specific scams targeting HR departments and payroll. A secure email strategy is essential for any business. Not only are data breaches incredibly expensive, but they can have long-lasting negative impacts on your business, such as a loss of customers and lack of employee trust. The good news is that there are a few different methods to improve your email security and safeguard sensitive information. One way is to use encrypted email.

Hackers send 92% of malware programs through email. And the volume of fraudulent emails delivered to businesses increases 8% every year.

What is encryption?

Encryption is a method of replacing data with scrambled letters, numbers, and symbols to prevent just anyone from viewing the email or document. Only authorized parties can see the information. To open the information, the authorized users have a cryptographic key. Sometimes the same key is used to encrypt and decode the data, and this is called a symmetric key. When two different keys are used, this is called public-key encryption. Email encryption is becoming increasingly important and considered in work environments. Because so much information is passed through written dialog, private information such as company financials, product strategies, or growth tactics could be leaked by employees. And these data leaks are not always malicious. In fact, 23% of leaks are based on human error, rather than intentional sabotage. Regular email isn't enough anymore to send a secure message. To keep your Q4 and year-end data secure, it's smart to consider sending sensitive info via encrypted email. dThe good news is that encryption isn't a headache. Most email providers offer some form of email encryption. At the same time, there are specific encrypted email service providers who offer high levels of security, although they may cost more than the popular email services. Most likely, your organization isn't going to invest in a high-grade security email provider unless the data is highly sensitive and related to trade secrets. And even then, such accounts would only be used for certain employees. Most likely, your workers are using a standard email account with a popular email provider. We will cover how to encrypt your email in 3 of the biggest email providers here: Outlook, Gmail, Apple Mail.

Encryption with Microsoft Outlook

Outlook offers easy email encryption when email senders are ready to send their content. They literally have a button called "Encrypt" which ensures that all contents of the email are converted from readable plain text into scrambled ciphertext. You can find these features under "Email Security" in the Trust Center Settings. Only the intended recipient of the email may read its contents. You can also set additional permissions, such as the inability to forward the email or if it's highly confidential. Here is their step-by-step guide to setting up encryption and using it on a Microsoft Outlook email.

Encryption with Gmail

Gmail offers a confidential service on its emails that allows senders to specify if and when emails expire. Recipients will not be able to copy, print, forward, or download messages and the email will disappear upon its expiration date. You can also password protect these messages via a second-authentication SMS code. Here is Google's step-by-step guide for sending confidential emails.

Encryption with Apple Mail

Apple Mail has two services: signed mail and encrypted mail, both of which provide security measures to protect sensitive information. To send an encrypted email, both sender and receiver must have a personal certificate in their keychains. When an email is delivered, it will be designated as encrypted with an icon, but unless both parties have the correct "keys" Apple Mail will fail to decrypt the contents. Emails sent this way are read-only. Here is Apple's guide to encrypted emails.

More email security tips

Educating employees and providing them with the right tools for email security can help reduce the likelihood of accidental leaks.

While an encrypted message is a great way to protect company information, it's not the only way to keep sensitive data secure. There are a few other steps a business can take to boost its email security, such as:

  • Offer training about common phishing or cyber attacks
  • Require strong passwords for all employee accounts
  • Mandate password changes on a regular basis
  • Use malware scanners and anti-virus software
  • Provide a VPN for employees to use when accessing their email from a personal device

Employees should never share passwords or open links for emails that look suspicious. Educating employees and providing them with the right tools for email security can help reduce the likelihood of accidental leaks.

Multi-factor authentication

Another method to secure emails is to make multi-factor authentication mandatory. This feature may ask employees to provide not only a password, but also a one-time password (OTP) sent to their mobile phone, an answer to a security question, or even biometric data. In 2019, 40% of Microsoft Office 365 users faced credential theft despite using the basic security measures for email communication. Adding an additional method for logging into your email service provider is a great way to prevent attacks from getting access to an email account, even if they have a user's password or username.

Expiring emails

Some messaging or email services, such as Gmail, Telegram, and Confide offer expiring emails. In other words, after a certain date has passed or the intended recipient reads the secure message, that email is no longer available to anyone. While it may seem extreme, this method is a great way to reduce risks, since email storage isn't a problem, and the sensitive data is erased. Finally, there are also additional secure email solutions outside of the regular brands, such as ProtonMail, Preveil, or Zoho Mail. And there are email providers like Virtru that add another layer of encryption to Gmail accounts. Of course, these platforms come at a cost and generally offer few features outside of email service security and some file storage. For HR teams planning to send regular information to employees that contain sensitive data, such as benefits packages, W-2s, and performance reviews, you may choose to ditch email altogether. No one would blame you! HR platforms should also come with their own security features to safeguard company and employee data.

This communication is for informational purposes only; it is not legal, tax or accounting advice; and is not an offer to sell, buy or procure insurance.

This post may contain hyperlinks to websites operated by parties other than TriNet. Such hyperlinks are provided for reference only. TriNet does not control such web sites and is not responsible for their content. Inclusion of such hyperlinks on TriNet.com does not necessarily imply any endorsement of the material on such websites or association with their operators.

esac.png
ESAC Accreditation
We comply with all ESAC standards and maintain ESAC accreditation since 1995.
logo_irs.png
Certified PEO
A TriNet subsidiary is classified as a Certified Professional Employer Organization by the IRS.