Q: Why are we making changes to our email security?
A: In February 2024 we’re upgrading our ISO27001 certification to the latest 2022 standards, which some of our stakeholders require before we can deliver services on their behalf.
The key changes in the standards require us to strengthen our email controls to include email classification, data leak prevention and email encryption controls.
This means we need to make changes to how emails and documents being sent by email are 'classified'. The classification will determine whether an email can be sent externally or not.
Q: What will these changes mean for me when I’m sending an email?
A: There are two things you need to consider and action from Monday 18th December 2023:
(1) All GC information must now have a classification. There is a 'sensitivity icon' on the toolbar in Outlook, Word, Excel, and PowerPoint, which contains a drop-down list of the classifications to be used from now on.
When you draft a new email, it'll automatically be classed as ‘Internal personal and confidential’. You can change this default classification as and when required to one of the other three options: External confidential, Public or Internal. You can read more about what each classification means in the main news article.
The main thing to remember is that, if you're sending to an external email address, your email must either be classified as 'Public' or 'External Confidential' so that you avoid a bounce back.
Documents in Word, Excel and PowerPoint do not have a default setting, so you'll need to select the appropriate classification for the document upon saving before attaching or linking it to your email.
(2) To prevent data loss and data breaches, you must make sure your email doesn’t include any personal, sensitive information – that’s things like debit card numbers and UK driver's licence numbers – see the main news article for the full list of sensitive number types.
This type of information can now only be sent via email if it is ‘encrypted’, whether it is being sent internally or externally. You need to use ‘Outlook Email Encryption’, a security feature that turns readable plain text data into a scrambled, unreadable format.
Q: When do these changes come into effect?
A: Monday 18th December 2023.
Q: If I encrypt an email – what does this mean for the recipient at the other end?
A: When recipients open your email message, those using Microsoft Outlook or outlook.com (previously known as Hotmail) can simply open the email without any further actions. The email will display a small padlock and message to say the message is encrypted.
For those not using Outlook, they’ll receive a message stating they’ve been sent a protected message when they click on the email. They need to click ‘Read the message’ and will then be presented with two methods to read the encrypted email: ‘Sign in with Google’ / ‘Sign in with a Yahoo ID’ (depending on which email programme they’re using), or click on ‘Sign in with one time passcode’ which is used for less well-known email services that cannot be used to authenticate your identity to Microsoft 365.
Q: What happens if I forget to add the correct email classification, or send an email that’s not encrypted?
A: If you forget to add the correct classification, or send an unencrypted email that contains personal sensitive information, you’ll instantly receive a ‘bounce back’ message from the system identifying the issue.
The subject line of the bounce back message will let you know why your email was blocked: either the classification was incorrect, or personal or sensitive information was found in your content and no encryption had been added.
If you receive a bounce back, you'll need to resend the message with the correct classification or correct encryption status.
Q: How do I resend my email correctly if I do receive a ‘bounce back’ message?
A: You just need to click on the warning bounce back message and double click the email message attachment contained within. This’ll re-open the email you were originally sending, and you can select ‘forward’ and add in the names again, or reply to all (which will keep intact all the recipients).
Before you resend, you must remember to correct the issue identified, i.e. by adding the correct classification or by adding the email encryption option.
Q: Where do I go if I have any questions about these changes?
A: If you have any questions which are not covered above, please contact the IT service helpdesk on the self-service portal or at ITservices@growthco.uk. The team can help with any specific issues or queries you have.