Cyber security threats are becoming increasingly complex, with cyber breaches on UK businesses rising from 2.39 million in 2022 to 8.58 million in 2024. This means that businesses, now more than ever, need to ensure that they are abiding by data protection regulations and have encrypted communication in place for sensitive data, to protect themselves from these complex cyber threats.
Microsoft 365 includes robust communication encryption features that support secure email and message exchanges. However, understanding how encryption operates, and how it differs between internal and external communication, remains vital for business owners, managers, IT administrators and compliance officers alike to ensure that they can keep their business secure.
The notion that cyber attacks are the only threat to business data is misleading. It is important to remember that your employees are likely to be the weakest link in your cyber security strategy.
According to the UK Information Commissioner’s Office (ICO), misaddressed emails were the most common cause of reported data breaches in 2023. More than 1,700 incidents were reported where sensitive information was sent to the wrong email recipient, accounting for roughly 16% of all personal data breaches.
A notable example occurred in 2021 when the Ministry of Defence accidentally copied over 250 Afghan nationals into a single email, revealing their identities and affiliations during the NATO withdrawal. In 2023, the ICO fined the MoD £350,000, calling it an “egregious breach” that could have endangered lives.
Similarly, charities like HIV Scotland have mistakenly used the “CC” (Carbon Copy) field instead of “BCC” (Blind Carbon Copy), exposing the personal details of individuals with HIV to others on the same mailing list. This simple act of human error and not having the right processes and training in place cost the charity £10,000 in fines.
Incidents such as these demonstrate that even well-intentioned communication can lead to data breaches when basic security controls are missing. For businesses, these breaches highlight the essential need for tools that don’t just protect data from hackers but also from human error. Thankfully, Microsoft 365’s encryption framework offers solutions for both.
Microsoft 365 applies encryption at multiple layers, both within its infrastructure and as a controllable feature for administrators and users.
Firstly, all emails are encrypted in transit using Transport Layer Security (TLS) and at rest using technologies such as BitLocker. However, these default protections are not visible to the end user and don’t address scenarios where the message content itself needs to be restricted or controlled beyond securing the connection it travels over.
To support this, Microsoft 365 includes Microsoft Purview Message Encryption (previously OME), a more advanced service built on Azure Rights Management, which allows users to apply encryption to individual messages and attachments directly within Outlook, using labels like “Encrypt-only” or “Do Not Forward”. These options not only individually encrypt the contents of the email but can also limit actions that the recipient can take, such as forwarding, copying, or printing.
Messages sent within your business are typically handled seamlessly. Users inside the same Microsoft 365 tenancy/environment receive protected emails with no additional authentication steps, and the encryption is enforced behind the scenes. This makes internal communication both secure and unobtrusive.
However, when sending encrypted emails to external contacts, such as suppliers, clients, or partners, Microsoft 365 adapts its handling accordingly. Recipients using external and independent email providers receive a wrapper email with a secure link directing them to an encrypted message portal, which requires authentication or a one-time passcode. This ensures that even non-Microsoft users can receive and reply to encrypted messages without exposing the data, while an audit trail is kept for those messages.
While email encryption is designed to restrict unauthorised access, business IT administrators must still be able to retrieve and review messages under legitimate circumstances, in line with each business’s IT, Cyber and Data Security Policies. Microsoft Purview’s compliance tools, which include eDiscovery and Content Search, enable IT administrators to do this. With appropriate permissions, administrators can search for and export messages stored in user mailboxes within their business, ensuring that compliance teams can fulfil legal, HR, or investigatory requirements without undermining security.
It is important to consider that this functionality depends heavily on the encryption policies being centrally managed through Azure Rights Management. If encryption is user-managed, admin access may be restricted unless the user’s private keys are made available. Therefore, Microsoft recommends using the Purview Message Encryption framework for broader business needs, where security and accessibility must coexist.
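The search-and-export workflow described above, as an added example that is not part of the original post or of Microsoft’s documentation. It uses Security & Compliance PowerShell; the signed-in account is assumed to hold an eDiscovery Manager role (including the “RMS Decrypt” role so that Purview-encrypted messages are exported in readable form), and the case name, mailbox address, keyword and date range are placeholders.

```powershell
# Added example: scoped Content Search of one mailbox, followed by an export.
# Assumptions: eDiscovery Manager permissions (with "RMS Decrypt" for
# protected mail); all names, addresses and query terms below are placeholders.
Connect-IPPSSession -UserPrincipalName "admin@contoso.example"

$searchName = "HR-Case-0001"               # placeholder case reference
$mailbox    = "jane.doe@contoso.example"   # placeholder mailbox to search

# Keep the search as narrow as the request allows: one mailbox, a subject
# keyword and a date range, expressed in KQL.
New-ComplianceSearch -Name $searchName `
    -ExchangeLocation $mailbox `
    -ContentMatchQuery 'subject:"payroll" AND sent>=2024-01-01 AND sent<=2024-06-30'

Start-ComplianceSearch -Identity $searchName

# Poll until the search finishes, then review the hit count before exporting,
# so that an over-broad query is caught before any data leaves the mailbox.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne "Completed")
"Items found in ${mailbox}: $($search.Items)"

# Export the results as an FxStream (PST-style) package for the compliance team.
New-ComplianceSearchAction -SearchName $searchName -Export -Format FxStream

# Export actions are named "<SearchName>_Export"; check progress here.
Get-ComplianceSearchAction -Identity "$($searchName)_Export"
```

Reviewing the item count before running the export is deliberate: the search itself is cheap and leaves an audit record, whereas the export is the step that actually moves potentially sensitive content out of the mailbox, so it should only follow a query that is known to be scoped correctly.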
However, many businesses will require more control over sensitive outbound emails and their contents. Microsoft Purview Advanced Message Encryption offers further capabilities to support this. Administrators can create branded secure emails that reflect the organisation’s identity, lending authenticity when communicating with people who may be unfamiliar with these encrypted communications, and configure rules to automatically encrypt messages based on the type of content, such as keywords or data types (such as account details, personal information, contact information and more).
Additionally, messages sent to external users through the Microsoft secure portal can be configured to expire after a set period, or even be revoked entirely after sending. These powerful tools give businesses the edge when managing sensitive data and reducing data breach risk, particularly when sensitive content is shared outside your business.
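The automatic encryption rules, expiry and revocation described in the two paragraphs above, as an added example that is not part of the original post or of Microsoft’s documentation. It uses Exchange Online PowerShell with the built-in “Encrypt” and “Do Not Forward” rights-management templates; the rule names, the 7-day expiry, the keywords and the message ID are placeholders chosen for illustration.

```powershell
# Added example: mail flow rules that encrypt outbound mail by content,
# an Advanced Message Encryption configuration that expires portal messages,
# and revocation of a message already sent. Names and values are placeholders.
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.example"

# Confirm which rights-management templates the tenant exposes
# (the built-in ones are "Encrypt" and "Do Not Forward").
Get-RMSTemplate | Select-Object Name

# Advanced Message Encryption: a custom OME configuration whose external
# (portal) messages expire 7 days after delivery. 7 is a placeholder value.
New-OMEConfiguration -Identity "Expire7Days" -ExternalMailExpiryInDays 7

# Rule 1: messages leaving the organisation that contain a credit card number
# (a built-in sensitive information type) are encrypted with "Encrypt" and
# use the expiring configuration. Start in Audit mode to measure false positives.
New-TransportRule -Name "Auto-encrypt outbound payment data" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{Name="Credit Card Number"; MinCount="1"}) `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -ApplyRightsProtectionCustomizationTemplate "Expire7Days" `
    -Mode Audit `
    -Priority 0

# Rule 2: keyword-based, with the stricter "Do Not Forward" template so the
# recipient cannot forward, copy or print the content. Keywords are placeholders.
New-TransportRule -Name "Do Not Forward HR mail" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "employee record","disciplinary" `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -Mode Enforce

# Move rule 1 to enforcement once the audit reports show acceptable matching.
Set-TransportRule -Identity "Auto-encrypt outbound payment data" -Mode Enforce

# Revoke a portal message that has already been sent. The Message ID can be
# taken from message trace; the value here is a placeholder.
Set-OMEMessageRevocation -MessageId "<message-id-placeholder>" -Revoke $true
Get-OMEMessageStatus -MessageId "<message-id-placeholder>"
```

Running the data-type rule in Audit mode first matters in practice: a rule that encrypts too eagerly pushes routine correspondence through the external portal, which trains recipients to treat the wrapper email as noise, while a rule that matches too little leaves the data it was meant to cover unprotected.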
As examples such as the Ministry of Defence and the HIV Scotland blunders show, email is not just a communication tool; it is both a data protection concern and, in the case of phishing, an attack vector.
In 2020, Interserve suffered a data breach when an untrained employee opened a phishing email, which led to malware spreading through their systems to compromise the data of more than 113,000 employees. The ICO fined the company £4.4 million for its failure to implement basic email security and training.
Businesses that do not control and monitor how data is used and the security of their data, and how it is communicated, leave themselves vulnerable to both internal mistakes and external threats.
Thankfully, through Microsoft 365, we can give businesses a proactive way to protect their communications, and the data within them, at multiple levels: securing internal conversations, encrypting attachments and limiting external recipients' access, all whilst ensuring that communications can be securely monitored and audited, with the ability to intervene and investigate where needed.
Email is the most common form of business outbound and inbound communication, but it is also one of the most common sources of data breaches. In the UK, misaddressed emails, insecure data sharing, and phishing are responsible for a growing number of incidents each year. Throughout 2024, 85% of UK businesses and charities experienced phishing attacks.
However, many businesses are still unaware that Microsoft 365’s encryption tools, combined with its compliance and security features, offer businesses the means to protect themselves not just from external threats, but from the everyday human errors that can cost them reputational damage and regulatory fines.
For businesses that handle and communicate highly sensitive information of end users and other businesses, safeguarding their information and respecting the privacy of their stakeholders through encrypted communication is not just optional, it’s essential. With the right tools, training, and policies in place, TwentyFour can ensure that your business communications remain secure and your data safe.
If you would like to find out more about email encryption and our other email security solutions, such as Active Email Threat Protection which uses AI and Machine Learning to protect your business and its employees from phishing, malicious links, files and much more, fill out the form below to reach out to us today.
Or, book an appointment with one of our consultants.