Never email important files unprotected
If you send confidential documents by email without encrypting them first, they could be:
- Read by someone who accesses your email account (for example, through phishing)
- Sent accidentally to the wrong people
- Forwarded to anyone without your knowledge
- Intercepted en route to the recipient by threat actors (individuals or groups that perform malicious acts against a person or organisation)
Why is automatic email forwarding to external email addresses a problem?
From 1 August 2023, the indiscriminate forwarding or routing of email from a University email address to an external, non-University of Oxford, account will no longer be allowed, except in exceptional circumstances. You will still be able to forward individual emails to external email accounts. You may also create one or more rules in Outlook on the Web to forward a subset of emails, for example based on sender, to an external email address. Forwarding of emails to external accounts should be in line with the University’s Data Protection Policy.
- It’s a significant security risk: when you set all your email to forward to an external email address, you are circumventing the protections put in place to prevent our accounts being compromised, such as strong password rules and MFA (multi-factor authentication). This potentially enables unauthorised access to confidential University data because it could be much easier for hackers to break into your private email account than your Oxford University account.
- It’s a major personal data handling risk: if all your emails are being forwarded out of the University, you might unintentionally be forwarding emails that contain internal or confidential data - for example, a commercial contract with a research sponsor or personally sensitive correspondence from a colleague or student . Oxford University has a legal obligation, as the data controller, to manage how our personal data is shared and it can’t do that if it’s being sent to external email providers.
- There’s a reputational risk that all our email will be marked as spam: when you forward all your email to an external email provider, junk mail and spam may also be forwarded. This can result in external email providers’ spam filters thinking that legitimate email from Oxford University is also spam. This could be cause problems when, for example, you are communicating with applicants or external participants in research projects.
- It can result in an accidental breach of contract: There are recent examples of research sponsors and collaborators taking a dim view of receiving a response from a non -University of Oxford email account. All institutions are improving their security and have expectations that we will do the same. Data sharing agreements may include expectations around the handling of data. A reply from a non-University account could amount to a breach of contract.
How to send secure documents by email
If you are sending sensitive documents, it's essential that you encrypt them first. Here's how:
Choose the right tool. The most recent versions of Microsoft Office, Adobe Acrobat and Nuance Power PDF have built-in encryption and password-protection. For Office documents, use the newer "docx" and "xlsx" formats.
If you want to encrypt and password-protect multiple files and folders, use free tools such as 7-Zip and Keka.
Whichever tool you use, the important thing is that it uses the industry standard AES 256.
Your encrypted file is only as safe as your password, so make sure it's a strong one.
Sharing encryption passwords safely
As well as encrypting your document behind a password, it's important to share the password safely. Sharing the password by phone, text message or in person are all more secure than email, provided you take reasonable steps to make sure you call the correct number or know who you should be speaking to. If you are sharing documents with someone on a regular basis, you could set up a shared password in advance and update it on, say, a monthly basis.
Keeping emails out of the wrong hands
Firing an email off to the wrong person or people is all too easily done. You need to know who you are sending it to.
- Check the 'to' field carefully. Organisational address books may contain several people with the same or similar names.
- Don't send to group emails and mailing lists without regularly reviewing who is on them.
- Make sure only authorised people have permission to post, if you are the administrator of a mailing list.
- Email the message to yourself and BCC your recipients. This means they will not be able to reply all (potentially publicising your mistake), and you don’t expose other people's email addresses.
Other email risks to avoid
If your account gets hacked, it won't be just one wayward email you have to worry about. Anyone with access to your account can see all the emails you've sent and stored, and send them to anyone they want. See our pages on malware, phishing and protecting your online accounts for more information on how you may be the target of online fraud and what to do about it.