8 Corporate Email Security Policies to Review for 2022
With cybercrime on an endless rise, it’s a good idea for organizations to audit their cybersecurity. One place we see a lot of businesses miss is their email. Whether you are a small business with just a handful of employees or a large corporation with hundreds of users and an IT department, it’s critical that email best practices are followed.
With any luck, this will be more of a review than anything else. If it is, consider this your reminder to review your internal policies to confirm that all is as secure as can be.
Change Those Passwords!
When was the last time you updated your email password? If it’s been a few months (or, heaven forbid, years) since you last did so, it’s time to replace it, just as you should periodically do with all of your passwords. It’s possible and recommended that you put network policies in place that require your users to reset their passwords every so often.
When your users do so, it is important that they follow a few crucial best practices to ensure that they aren’t protecting their emails with lackluster passwords. This is fundamentally important to do, and in case they need to be reminded, the most important rules for good password hygiene are the following:
- Use a different, unique password for each account you have. Never use the same password twice.
- Ensure passwords are secure by making them sufficiently long and complex, and use a combination of uppercase and lowercase letters, numbers, and special characters.
- Use a secure password management solution, rather than keeping them written down.
- Use methods like passphrases (unique phrases or unrelated words in sequence) to help with memorability
While passwords aren’t necessarily the be-all, end-all of your business’ security, ensuring that your communications are sufficiently protected is an important step.
Establish Two-Factor Authentication
Two-factor authentication, or 2FA (and sometimes referred to as multi-factor authentication/MFA) takes the security provided by the password and significantly increases it. By not only requiring a correct password, but also additional proof of a user’s identity through things like a generated PIN number, biometric scans, or the possession of a specific device, an account becomes far harder for a cybercriminal to break into… including email.
Use DKIM, SPF, and DMARC
Getting a little more technical, it also helps to configure your email to abide by these three email security protocols—DKIM, or DomainKeys Identified Mail, SPF, or Sender Policy Framework, and DMARC, Domain-based Message Authentication, Reporting, and Performance. These protocols help prevent email spoofing, verify that a message came from where it supposedly did, and allow domain owners to publicize these requirements and the consequences of falling short of them.
Educate Users on Phishing Scams
Phishing—a method of infiltrating a network or exfiltrating data by fooling an authorized user into providing access—is a very common practice nowadays, with attackers utilizing email, telephone calls, text messages, comments… effectively any communication medium you could name. You need to ensure that your users understand the risks that phishing can pose, how to spot them, and how to react to them properly.
While many phishing attacks have become more wily and are better hidden, there are a few basic warning signs that make many of them easier to spot:
- Many phishing attacks will come from suspicious domains, those that are clearly meant to look like other trustworthy ones or that don’t match where they claim to be from. Having your users keep an eye out for these factors could help them catch these threats.
- While some will make it through, spam blocking and firewalls can help stop a lot of the phishing attacks you might otherwise be subjected to.
- Make sure that any links in an email are thoroughly examined before being clicked through. Hovering the mouse cursor over the link will reveal the URL it actually directs to, so you should always make sure that the two match before clicking through any.
This is closely related to our next point:
Treat Email Attachments with Skepticism (Especially If You Weren’t Expecting Them)
Unexpected email attachments are a classic phishing methodology, as they can contain a variety of malicious elements instead of what the attachment claims to be. Executable files (.exe) are commonly used to activate unpleasant effects in a targeted system. Think before you click—it’s a habit that, if instilled in your users, might just save your organization’s neck.
Don’t Use Public Wi-Fi Without a Secure VPN to the Office
It’s not exactly a secret that Wi-Fi can easily be used by a cybercriminal to steal data while it is in transit, particularly on an open, public network. You need to be sure that your entire team is aware of the dangers and is equipped with a virtual private network (VPN) if they are to try and access office documents from outside the protections of your network.
Keep Work and Personal Emails Separate
We’ve all heard not to mix business and pleasure, and it's important that your users apply this advice to their use of emails. Consider the users that you have at your company, and the email lists that they might be inclined to sign up for in their personal lives.
Potential for cyberthreats aside, merging personal and work emails is inviting distractions into the workflow. That’s assuming that personal emails are sent to the work account. If the opposite approach is taken, your data is leaving your control and going to an account that you have no authority over. Neither is good, and the latter could leave you non-compliant. Insist that your team members observe the separation of church and state with their emails.
Encourage Users to Contact IT If They Receive Suspicious Emails
Your users need to know that they have a resource for assistance, should they ever receive an email that they just aren’t sure about. If an email appears in their inbox that they just can’t help but wonder about, they need to have someone to turn to. This is a major part of what IT is for—ensuring that the use of technology is helping your business, not hurting it. Having IT take a look at an email means that an expert (like the ones on our team here at Digital Sky Solutions) is using their experience and expertise to your benefit.
Reach Out to Digital Sky Solutions for a Full Cybersecurity Audit
At Digital Sky Solutions, we’re capable of handling all things IT—including the continued security of your business’ email. Give us a call today to have us go over your cybersecurity so we can identify any shortcomings present (whether they are related to your use of email or not). Reach out at (250) 483-5623 to set something up.