Using Consumer-Grade Email Services

Download ASD Protect: Using Consumer-Grade Email Services (PDF), January 2018
First published 2013; updated January 2018

Introduction

  1. Using consumer-grade email services to conduct business is often attractive due to the low costs (if any) and the minimal effort required to set up new email accounts. However, given the uncertainty around the security provided by consumer-grade email services, particular care should be taken when choosing to use such services, especially when using them for sensitive business transactions. This includes considering the provider’s ability to delete or recover communications if required, and the legislation that service providers may be subject to in the countries from which they operate.

Recommendations

  1. If using consumer-grade email services, the following measures are recommended to lower the risk of using such services:
    1. use separate email accounts for work and personal purposes
    2. use a strong password that is unique for each email account
    3. use multi-factor authentication when supported by the service provider
    4. do not share passwords for email accounts
    5. do not store passwords for email accounts in emails or in documents
    6. do not elect to remember passwords for email accounts when offered by web browsers
    7. avoid configuring mobile or desktop applications to automatically sign in to email accounts
    8. if asked to set up security questions to recover email accounts, do not provide answers that could easily be obtained from public sources of information
    9. do not access email accounts from untrusted devices in internet cafes or hotels
    10. always remember to sign out of email accounts after use
    11. use lock screens and a password on devices that have access to email accounts
    12. where possible, access email accounts using devices that are using the latest versions of software and have had all recent patches applied
    13. remember to close old email accounts when they are no longer required.
  2. Organisations looking for more robust enterprise-grade email services should consider using services listed on the Australian Signals Directorate’s Certified Cloud Services List (CCSL).

Further information

  1. The Australian Government Information Security Manual (ISM) assists in the protection of information that is processed, stored or communicated by organisations' systems.
  2. The Strategies to Mitigate Cyber Security Incidents complement the advice in the ISM.
  3. Detecting Socially-Engineered Messages provides additional guidance on how to identify socially-engineered messages.

Contact details

  1. Organisations or individuals with questions regarding this advice can contact the ACSC by emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).