Using Consumer-Grade Email Services

First published 2013; updated 2017, January 2018

Introduction

  1. Using consumer-grade email services to conduct business is often attractive because of the low cost (if any) and the minimal effort required to set up new email accounts. However, given the uncertainty about the security provided by consumer-grade email services, particular care should be taken when choosing to use such services, especially for sensitive business transactions. This includes considering the provider’s ability to delete or recover communications if required, and the legislation that service providers may be subject to in the countries they operate from.

Recommendations

  1. If using consumer-grade email services, the following measures are recommended to lower the risk of using such services:
    1. use separate email accounts for work and personal purposes
    2. use a strong password that is unique for each email account
    3. use multi-factor authentication when supported by the service provider
    4. do not share passwords for email accounts
    5. do not store passwords for email accounts in emails or in documents
    6. do not elect to remember passwords for email accounts when offered by web browsers
    7. avoid configuring mobile or desktop applications to automatically sign in to email accounts
    8. if asked to set up security questions to recover email accounts, do not provide answers that could easily be obtained from public sources of information
    9. do not access email accounts from untrusted devices in internet cafes or hotels
    10. always remember to sign out of email accounts after use
    11. use lock screens and a password on devices that have access to email accounts
    12. where possible, access email accounts using devices that are using the latest versions of software and have had all recent patches applied
    13. remember to close old email accounts when they are no longer required.
  2. Organisations looking for more robust enterprise-grade email services should consider using services listed on the Australian Signals Directorate’s Certified Cloud Services List (CCSL).

Further information

  1. The Australian Government Information Security Manual (ISM) assists in the protection of official government information that is processed, stored or communicated by Australian Government systems.
  2. ASD’s Strategies to Mitigate Cyber Security Incidents complements the advice in the ISM.
  3. ASD’s Detecting Socially-Engineered Emails provides additional guidance on how to identify socially-engineered emails.

Contact

Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.