Best practices for email security at your organisation

Email is the most widely used messaging method in organisations. It is also one of the most effective entry points for cybercriminals, with spoofing and phishing attacks against corporate mailboxes now routine.

In an organisation it can take only one employee who is insufficiently vigilant about email security to compromise countless others, or the whole enterprise.

Your employees are therefore the biggest vulnerability you have, so an email security plan starts with them. It is only a matter of time before your organisation is targeted by an email attack, but the impact does not have to be devastating if you have best practices in place and know exactly what to do.

Read on for our list of best practices to keep your email safe.

Additional reporting by Charlotte Trueman and Hannah Williams


Flag emails from outside the company as external

One way to help keep your email domain secure is to add an 'external message' warning that alerts the recipient whenever a message arrives from an outside domain.

Because messages from external domains can be spoofed, being able to spot at a glance that a message did not originate inside the organisation reduces the risk of it compromising you. The tag does not make a message safe; it tells the reader to apply more scrutiny, especially when the display name shows a familiar colleague or a company address but the underlying sender address does not.

The warning can be set up in your email platform's settings or mail-flow rules, and you can edit how it appears, for example as a subject prefix or a banner at the top of the message body.
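What such a gateway rule does, as an added example written for this article rather than code from any mail product: it reads the address part of the From header (not the display name, which is where spoofers put a colleague's name), tags the subject once, and records the sender's domain in a marker header. The internal domain list, header name and sample messages are all constructed for the example.

```python
"""Tag inbound mail from outside the organisation (added example, not from the article).

Assumes the check runs at the mail gateway after a message is received.
INTERNAL_DOMAINS, the X- header name and the sample messages are made up.
"""
import email
import email.policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"corp.example", "mail.corp.example"}  # assumption for the example
TAG = "[EXTERNAL]"
HEADER = "X-External-Sender"


def sender_domain(msg: EmailMessage) -> str:
    """Domain of the address in From:, lower-cased; '' if it cannot be parsed."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def is_external(msg: EmailMessage) -> bool:
    """True when the From: *address* is not in one of our domains.

    The display name is ignored on purpose: a message from
    '"ceo@corp.example" <payments@evil.example>' still carries evil.example
    in the address part, which is what parseaddr returns.
    """
    return sender_domain(msg) not in INTERNAL_DOMAINS


def tag_external(raw: bytes) -> EmailMessage:
    """Prepend TAG to the Subject and add a marker header for external mail.

    Idempotent: a message that already carries the tag is not tagged again,
    so mail that passes the gateway twice does not accumulate prefixes.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    if not is_external(msg):
        return msg
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(TAG):
        del msg["Subject"]                      # no error if the header is absent
        msg["Subject"] = f"{TAG} {subject}".strip()
    if HEADER not in msg:
        msg[HEADER] = sender_domain(msg)
    return msg


# Constructed sample messages.
INTERNAL_MSG = (b"From: Alice <alice@corp.example>\r\nTo: bob@corp.example\r\n"
                b"Subject: Lunch\r\n\r\nSandwiches?\r\n")
SPOOFED_MSG = (b"From: \"ceo@corp.example\" <payments@evil.example>\r\n"
               b"To: bob@corp.example\r\nSubject: Urgent wire transfer\r\n\r\nPay now.\r\n")

if __name__ == "__main__":
    for raw in (INTERNAL_MSG, SPOOFED_MSG):
        m = tag_external(raw)
        print(m["Subject"], "|", m.get(HEADER, "-"))
```

A real deployment would also treat mail whose From address is internal but which arrives from outside without passing SPF/DKIM/DMARC as external, since that is exactly what a spoofed message looks like.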

Implement DMARC: Domain-based Message Authentication, Reporting and Conformance

DMARC reduces the risk of recipients opening fake emails sent in your name. It builds on SPF and DKIM: you publish a policy record in DNS, and receiving mail servers check whether a message's From domain is authenticated by, and aligned with, a passing SPF or DKIM result. If it is not, they apply the policy you asked for (none, quarantine or reject).

DMARC also increases visibility: receivers send you aggregate reports on all mail that claims to come from your domain, including mail from unauthorised senders. Start with p=none to learn who is sending as you, fix the legitimate sources, then move to quarantine and finally reject.
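The alignment decision a receiver makes, as an added example (not code from the article or from any DMARC implementation). It parses a DMARC record and applies the relaxed/strict alignment rules of RFC 7489 to the SPF and DKIM results for one message. Two simplifications are assumptions: the organisational domain is taken as the last two labels (real receivers use the Public Suffix List), and the DNS lookup is replaced by a constructed record.

```python
"""DMARC alignment and disposition for one message (added example, not from the article)."""
from dataclasses import dataclass


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict, filling RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "p": "none", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels (assumption;
    a real receiver consults the Public Suffix List so that corp.co.uk works)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment compares organisational domains;
    strict ('s') requires an exact match with the From domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


@dataclass
class AuthResults:
    header_from: str            # domain of the RFC5322.From address
    spf_domain: str = ""        # MAIL FROM domain if SPF passed, else ""
    dkim_domains: tuple = ()    # d= of every DKIM signature that verified


def evaluate(record: str, res: AuthResults) -> str:
    """Return 'pass', or the disposition the domain owner requests: none/quarantine/reject."""
    tags = parse_dmarc(record)
    spf_ok = aligned(res.header_from, res.spf_domain, tags["aspf"])
    dkim_ok = any(aligned(res.header_from, d, tags["adkim"]) for d in res.dkim_domains)
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


# Constructed record standing in for the TXT record at _dmarc.corp.example.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@corp.example; adkim=s; aspf=r"

if __name__ == "__main__":
    legit = AuthResults("corp.example", spf_domain="bounce.corp.example")
    spoof = AuthResults("corp.example", spf_domain="evil.example", dkim_domains=("evil.example",))
    print("legitimate:", evaluate(RECORD, legit))   # pass (relaxed SPF alignment)
    print("spoofed:   ", evaluate(RECORD, spoof))   # reject
```

Note the third case in the test: a DKIM signature from mail.corp.example passes under the default relaxed mode but fails under adkim=s, which is why tightening alignment without checking your own sending subdomains can cause your own mail to be rejected.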

Use appropriate passwords and encryption

'Choose a strong password' is one of the most basic, most valuable and yet most ignored pieces of IT advice. Passwords should be unique to each account and long rather than merely 'complex': at least twelve characters, or a passphrase of several random words, with no identifiable association with the user. Two-factor authentication adds another level of protection.

People often end up using a variation of the same password for everything from their Twitter account to their bank account; don't let something so simple come back to bite you. If you are worried you won't remember long, unique passwords, use a password manager such as LastPass, which stores them in an encrypted vault, and instruct employees to do the same.

The level of encryption your enterprise uses is another issue. Email that is not encrypted can be intercepted. TLS between mail clients and servers protects messages in transit, but not at rest or against a compromised intermediary; end-to-end options such as GPG/PGP and S/MIME encrypt the content itself, and the private keys that decrypt it must be protected by an equally strong passphrase. These remain vulnerable to social engineering (an encrypted phishing email is still phishing), but they make email safer and can help fulfil compliance requirements at your organisation.

Use two-factor authentication

No matter how many times you tell your employees about the importance of exercising good password health, human nature dictates there will always be those who re-use passwords or don’t make them complex enough.

Two-factor authentication minimises the risk from poor password practices because even if a criminal obtains the credentials, they also need access to a second factor held by the user, usually a mobile phone, to complete the log-in.

Two-factor authentication software can be purchased from a specialist vendor, and a number of email platforms now offer it as part of their service. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted or SIM-swapped; hardware keys using FIDO2/WebAuthn also resist phishing, because the key will not answer a challenge from a look-alike site.

Avoid using public Wi-Fi

The convenience, and sometimes necessity, of public Wi-Fi means avoiding it is often easier said than done. However, employees need to understand the risks of opening their email while connected to a public hotspot.

Public Wi-Fi should never be treated as trusted: anyone on the network can attempt to capture or redirect traffic using packet sniffers, rogue hotspots that impersonate the venue's network, or 'man in the middle' attacks.

If the mail client connects without TLS, or the user accepts a forged certificate or a captive-portal page that asks for credentials, an attacker on the network can read message content and capture user credentials, leaving both the mailbox and the organisation exposed long after the session ends. Configure clients to require TLS, and use a VPN on untrusted networks.

Watch out for phishing

Phishing is one of the most effective ways for cybercriminals to gain access to your network. It involves sending emails with malicious links or attachments in the hope that the unsuspecting recipient will open them and either enter their credentials on a fake page or run malware.

Most phishing emails are automatically filtered out by your email provider's spam filter; however, some cybercriminals use increasingly sophisticated methods to bypass these checks and make their messages look legitimate. Others craft emails expertly tailored to the recipient to increase the chance of the malicious link or attachment being clicked on, a technique known as spear phishing.

Ensuring employees are educated about phishing, the importance of not clicking on dodgy links and attachments, and how to report a suspicious message is one of the most effective ways to stop criminals gaining access to your network via an email account.
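The checks a mail filter (or a trained reader) applies to links, as an added example written for this article rather than code from any product. It pulls every link out of an HTML body with the standard library and flags the patterns phishers rely on: visible text that names one site while the link goes to another, a trusted brand buried inside an unrelated domain, internationalised (punycode) hosts that can hide look-alike letters, and raw IP addresses. The brand list and sample body are constructed for the example.

```python
"""Flag misleading links in an HTML email body. Added example, not from the article."""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_BRANDS = ("corp.example", "paypal.com")   # assumption: names phishers impersonate here


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s: str) -> str:
    """Hostname of a URL or bare domain, lower-cased; '' if there is none."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def suspicious_links(html: str) -> list:
    """Return [(href, [reason, ...]), ...] for links that deserve a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        # 1. The visible text looks like a URL/domain but names a different host.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != host:
            reasons.append(f"text says {shown}, link goes to {host}")
        # 2. A trusted brand appears inside a host it does not own (paypal.com.verify.example).
        for brand in TRUSTED_BRANDS:
            if brand in host and host != brand and not host.endswith("." + brand):
                reasons.append(f"{brand} appears inside unrelated host")
        # 3. Punycode or non-ASCII hosts can render as look-alikes of familiar names.
        if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
            reasons.append("IDN/homoglyph host")
        # 4. A bare IP address where a company name is expected.
        if host and host.replace(".", "").isdigit():
            reasons.append("IP-address host")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample body (the punycode host is an arbitrary example).
SAMPLE = """
<p>Your mailbox is full. <a href="http://evil.example/login">https://mail.corp.example/owa</a></p>
<p>Questions? <a href="https://support.corp.example/help">Contact support</a></p>
<p><a href="http://paypal.com.account-verify.example/">Verify your account</a></p>
<p><a href="https://xn--80ak6aa92e.com/">apple.com</a></p>
<p><a href="http://203.0.113.7/update">Install the security update</a></p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE):
        print(href, "->", "; ".join(reasons))
```

These are heuristics, not proof: a legitimate newsletter that routes clicks through a tracking domain trips check 1, so in production the output feeds a score or a warning banner rather than an outright block.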

Provide security awareness training

People are the weakest link in any security system and need to be the first line of defence. File-sharing, workplace collaboration and mobile devices bring new dangers to enterprises that aren't always understood. A security awareness programme can ensure staff keep on top of evolving safety recommendations surrounding email as long as the training programme evolves as new threats emerge.

Practical tips can raise awareness of emerging risks before they become disasters by increasing understanding and alertness in relation to phishing emails, malware, mobile device security and social engineering scams among the workforce.

Training can also include phishing simulations, and rewards for employees who spot and report fake emails.

Identify your weaknesses and define potential threats

Human error is one of the biggest reasons why organisations fall victim to phishing, ransomware and other email-related scams. But it's not enough to just flag employee error as the most likely entrance for hackers.

Ideally, you'll create a document that catalogues the types of malware and attack that hackers can deliver via email. This should be a live document, updated as new hacking techniques emerge, and it should set out a flow for how to act once malware has been detected.

Create a flow that highlights the many possible routes for hackers, and make everyone from employees to board members aware of this.

Usually, when an email is opened and malware enters your network there is a 'golden hour' in which you'll need to act. Make sure you have a set plan and structured procedures in place. The document you've just created illustrating all the potential threats and how to act will be an excellent resource.

Acting after a security incident is only one part of an email best-practice plan. Read on for practical tips on how to make email security a priority in your organisation and avoid falling victim to the myriad of threats.

Exercise caution when enabling macros

In theory, macros are useful. They are sequences of commands, used in Microsoft Office, that automate tasks you perform frequently.

However, they can also cause chaos if you unwittingly run a malicious one.

For example, if you receive an email with a Microsoft Office attachment, as most of us regularly do, and open it, the document may ask you to 'Enable Content' or enable macros to see its contents.

If the macro is malicious, it runs with your privileges: it can download and install malware, encrypt your files for ransom, or spread to other machines on the network.

To avoid this type of attack, instruct employees to exercise a high level of caution before enabling macros, and do not override the default block that current Microsoft 365 versions of Office apply to macros in files downloaded from the internet or received as attachments. In fact, caution should be shown towards any type of email attachment, as these are often vehicles for malware. Tell employees to check the sender and the legitimacy of the email thoroughly before opening anything.
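A check a mail gateway can run on Office attachments before they reach the user, as an added example (not code from the article or from any scanning product). Modern Office files are zip packages in which VBA code lives in a part named vbaProject.bin, so the presence of that part, and in particular its presence in a file whose extension (.docx, .xlsx, .pptx) promises no macros, is detectable without opening the document. Legacy binary files (.doc, .xls) need a proper OLE parser, so they are sent for review rather than guessed at. The sample files are constructed in memory.

```python
"""Detect macro content in Office attachments. Added example, not from the article."""
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc/.xls/.ppt container signature
MACRO_FREE_EXT = {".docx", ".xlsx", ".pptx"}    # extensions that must not carry VBA


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Return {'format': ..., 'has_vba': True/False/None, 'verdict': 'allow'|'review'|'block'}."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros cannot be ruled out without parsing the OLE
        # streams (e.g. with oletools), so route it for review instead of guessing.
        return {"format": "ole", "has_vba": None, "verdict": "review"}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"format": "unknown", "has_vba": None, "verdict": "review"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
    if has_vba and ext in MACRO_FREE_EXT:
        verdict = "block"     # the extension says 'no macros' but the file carries VBA
    elif has_vba:
        verdict = "review"    # legitimate .docm/.xlsm files exist, but they deserve a look
    else:
        verdict = "allow"
    return {"format": "ooxml", "has_vba": has_vba, "verdict": verdict}


def build_ooxml(with_vba: bool) -> bytes:
    """Construct a minimal zip laid out like an OOXML package (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("report.docx", build_ooxml(False)),
                       ("invoice.docx", build_ooxml(True)),
                       ("invoice.docm", build_ooxml(True)),
                       ("old.doc", OLE_MAGIC + b"\x00" * 8)]:
        print(name, inspect_attachment(name, blob))
```

This catches VBA only. Excel 4.0 (XLM) macros live in worksheet cells rather than vbaProject.bin, and a file renamed to .zip or wrapped in a password-protected archive bypasses the check entirely, which is why the gateway check complements, rather than replaces, the user-side caution above.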

Implement and promote an up-to-date email policy across your organisation

Evaluate how email is used in your organisation, whether employee behaviour is sufficiently secure, and where potential vulnerabilities lie. Choosing an email provider is a decision that shouldn't be taken lightly; some do not provide enterprise-level security.

Create a comprehensive email usage policy and ensure staff are aware of it. Make it user-friendly with plenty of examples for clarity and ease of understanding. Governance backing can ensure the policy is successful.

Infrastructure established in the past may no longer provide adequate protection, so adapt these policies and practices as new dangers emerge that require different precautions, and in line with more general technological change.

Know who to notify

Since GDPR came into effect in May 2018, the way people think about data has changed and the need for a clear security strategy is greater than ever. For a company that holds consumer data, any breach, including a compromised mailbox, can put customer data at risk.

Under GDPR you have 72 hours from becoming aware of a breach that is likely to put individuals at risk to notify the supervisory authority (in the UK, the Information Commissioner's Office), and where the breach is likely to result in a high risk to individuals you must also inform the affected customers and third parties without undue delay.

You'll also need to inform your system administrator, and perhaps block outbound email from the affected account for a short while in case it is being used to send scam emails.

Dispose with care but don't assume you can delete everything

Getting rid of unwanted emails isn't as simple as a click of a button; in fact it's peskily difficult. You can wipe a hard drive, but if the data is backed up somewhere else (the cloud, for instance) or by someone else, a record could remain.

Businesses that run their own mail systems have more capacity to remove emails systematically, and keeping email confined to a single server makes it simpler to permanently remove content. But generally speaking, even if an email is deleted it may be archived in another location, and backups in long-term storage can persist after deleted messages have been purged.

The most sensible course of action is to assume the business will keep copies of everything, and avoid discussing anything in email that you'd be unwilling to reveal in public. You can never know if an email has been archived or intercepted.

Install effective antivirus software

Install antivirus software that prevents, detects and removes threats. It should scan incoming emails and attachments, block spam and phishing, and remove viruses, worms, ransomware, Trojans and other malware, both incoming and outgoing. It must also update itself automatically and continuously so that it protects against new threats as soon as they emerge.

Business security suites are an attractive option for large companies spread across multiple sites because they can be installed remotely and managed centrally. A free 'home' product may be sufficient for a very small business, but check its licence first, as many free home editions are not licensed for business use. Consider the types of protection included and which devices it will cover.

Use a VPN

A VPN (Virtual Private Network) adds security to email on untrusted networks by encrypting all internet traffic between the device and the VPN server, so that anyone on the local network (a public Wi-Fi hotspot, for example) sees only an encrypted tunnel. It does not protect against phishing or malicious attachments, and the VPN provider itself can see the traffic, so choose a provider you trust.

There is a multitude of enterprise VPN services available. Establish the authentication level and management control required, and choose one that can cater to your specific needs around who will be connected and how. Free open-source alternatives are also available but can be complex to set up and get the most out of.

Close former employees' email accounts

Once an employee has left, make sure they no longer have access to their email account by closing or suspending it. Also revoke active sessions, app passwords and connected third-party apps, and remove any auto-forwarding rules the account had, since a forward to a personal address survives a password change. This reduces the possibility that they could misuse or share sensitive company information.

Forwarding the closed mailbox means that any correspondence addressed to the former employee goes instead to a current employee who can deal with any queries.

Copyright © 2020 IDG Communications, Inc.
