Business Email Security Best Practices

Email is one of the most popular tools used for personal and business communication in the modern era

However, email is insecure by design. When you send an email, that email is plain text and stored on someone’s computer. There’s absolutely no guarantee that your message is protected in transit or at rest. You are trusting the administrator of that computer not to read through your email.

Without the right security measures, email can easily serve as a gateway for cyber attacks. A single act of negligence can compromise the safety and security of the organization’s email system. Attackers can spoof domains to make it appear that their emails are from trusted contacts; they can distribute malware and spam via email channels; and they can use social engineering to trick users to make payments or log into websites that contain malicious content.

Implementing email security best practices can help you prevent and mitigate the risk of email-related cyber attacks. This article outlines five essential business email security best practices to help minimize your exposure to business and security risk.

1. Develop and Enforce Corporate Email Policy

A corporate email policy is a management document that formally outlines guidelines for acceptable use of company email. An email policy will help ensure that employees are aware of their responsibilities when using company email, what they can and cannot do and that these terms are agreed on. This means that an employee can be held accountable if there is a breach of the agreed terms. An email policy is important because it protects your brand, reduces the risk of cyber-attacks and data breaches, and defines how employees must use the company’s email.

A corporate email policy should among other things include detailed guidelines on personal usage of corporate email, stating whether personal emails are accepted or not, and if they can be used on company devices. The policy should also address corporate email retention issues, limits on what types of files employees are able to exchange with others, guidance about prohibited content, and the handling of confidential data. As a more specific example, an email policy may state that management can read any employee’s email messages that reside on the mail server, but not on the user’s workstation. The email policy might also state that employees may be subject to monitoring of their actions for compliance. Before granting access, employees should be asked to confirm that they have read and understand the email policy by signing off a confirmation document.

Organizations should develop and maintain a documented policy for email usage as part of their security best practice and instruct employees to adhere to that policy. A process for dealing with those who choose not to comply with the security policies must be developed and enforced so there is a structured method of response to noncompliance

2. Implement Security Awareness Training

Organizations must invest in security awareness training programs to get employees prepared to deal with email and other information security risks. A security awareness program aims to train users on the potential threats to an organization’s information and how to avoid situations that might put the organization’s data at risk. In information security, people are the weakest link. You may have the best technical controls in place, but if your people are not well trained on how to spot and respond to potential security threats, all those controls will amount to little or nothing. Cybercriminals seek to exploit weaknesses in human nature and behavior to compromise systems.

Security awareness training is performed to modify employees’ behavior and attitude toward security. The goal is for each employee to understand the importance of security to the company as a whole and to each individual, to lower the organization’s attack surface, to empower users to take personal responsibility for protecting the organization’s information, and to enforce the policies and procedures the organization has in place to protect its data. Expected responsibilities and acceptable behaviors must be clarified, and implications for non-compliance, which could range from a warning to dismissal, must be explained before being invoked.

Organizations are to train their staff on how to spot and respond to email-related cyberattacks such as email spoofing, spam, social engineering, malicious attachments, phishing, and spear-phishing attempts using customized training programs. In fact, phishing is one of the biggest threats to businesses from email. Phishing emails target users with email fraud, BEC scam, impersonation attempts, and social engineering in order to trick them into clicking on malicious links, divulging personal account details, or making fraudulent payments. Sometimes, a phishing email is so convincing that your employee still falls for it despite all efforts.

Therefore for an organization to achieve the desired results of its security program, it must communicate the what, how, and why of security to its employees, and find a way to measure the impact of the training. For example, you can carry out regular phishing simulations to measure the impact of training and keep employees alert and aware of emails with signs of phishing scams. Security awareness training should be tailored for specific groups, and organization-wide. A security awareness program is typically created for at least three types of audiences: general staff, technical employees, and management staff. Each type of awareness training must be geared toward the target audience to ensure each group understands its particular responsibilities, liabilities, and expectations.

Various methods and formats should be employed to reinforce the concepts of security awareness. Things like banners, posters, handbills (both physical and electronic), and even employee handbooks can be utilized to remind employees about their duties and the necessities of good security practices. It should be simple to understand, be kept up-to-date, be positive and humorous,  and most of all—be supported by senior management.

3. Implement Strong Email Defenses

Having strong email defenses and protection solutions in place allows organizations to wade off malware threats before they even reach users’ mailboxes. A good way to begin is by implementing solutions like email gateway (a type of email server that protects an organization’s internal email servers), and DMARC (Domain-based Message Authentication, Reporting, and Conformance), among others.

A secure email gateway is essential to protecting your business from malicious content contained within emails, including phishing attacks by preventing them from reaching their intended recipient. By placing malicious emails into quarantine or blocking the sender, a secure email gateway significantly reduces the number of successful compromises of user credentials, email hosts, and sensitive company data. It is effectively a firewall for your email and scans both outbound and inbound emails for any malicious content. Businesses of all sizes should consider implementing an email gateway, to protect their users and enhance their protection against email threats.

On the other hand, DMARC protects the company’s domain from being used to send emails linked to security threats. It guarantees the legitimacy of your emails and their deliverability because only authorized IPs can send emails from your domain. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, social engineering, phishing emails, spoofing, spam, and other forms of email-related attacks.

Other technical defense measures you may wish to consider to secure your email system include:

  • Sender Policy Framework (SPF) An email authentication method designed to detect forging sender addresses during the delivery of the email.
  • DomainKeys Identified Mail An email authentication method designed to detect forged sender addresses in the email (email spoofing), a technique often used in phishing and email spam.
  • Specialized Spam Filters Consider configuring your email with spam filters to reduce the number of spam and phishing emails that reach users’ mailboxes.
  • Post-Delivery Protection Network admins can utilize this tool to fight against phishing attacks. These solutions sit between users and the gateway and use machine learning algorithms to detect phishing attacks and remove them automatically.
  • Other technical controls such as DNS-based blackhole lists (DNSBL), graylisting, spamtraps, SMTP authentication enforcement, and checksumming systems to detect bulk email all help to defend your email against spam.

Proton for Business (FREE DEMO)

proton mail screenshot

Proton has developed a range of secure products that includes an email system and a VPN service. These are bundled together along with cloud storage and a calendar into packs of services under the Proton for Business banner. Proton provides end-to-end encryption, which is fine when exchanging emails with team members but won’t work for communications with outsiders. To get around that procedural weakness, the company provides a password-protected encryption system. Give the recipient the password over the phone so they can unlock the encrypted email contents. Proton doesn’t offer a free trial but you can access a demo.

Proton Mail Access a FREE Demo


Guardz Email Security Software

An example of a post-delivery protection system is the Guardz package. This tool scans mailboxes, looking for spam, phishing attempts impersonation scams, and malware. The service uses machine learning to improve its accuracy over time. Discovered malicious email is moved into a quarantine area rather than being deleted. This enables a technician to inspect those suspicious emails and possibly restore them if they are not, in fact, malicious. The Guardz service is delivered from the cloud and is intended for use by managed service providers to protect the systems of their clients. You can examine the package with a 14-day free trial.

Guardz Get a 14-day FREE Trial

Fortra Agari Email Security (GET DEMO)

Fortra Agari Executive Overview

To see DMARC in action, take a look at Fortra Agari Email Security. This cloud-based service also implements SPF and DKIM to provide reputation security for companies and block phishing and BEC. This package records genuine emails from your domain and provides an authentication service for receiving email servers. The system applies to internal emails as well as to those sent to other companies. The internal email verification service helps guard against business email compromise attacks. Failed spoofing attempts get logged in the administrator console for the subscribing business, which enables attack analysis. Agari also updates global scammer databases with relevant information. Examine the Agari service by watching a demo.

Fortra Agari Email Security Access a FREE Demo

4. Ensure Better Email Password Management

One of the most important email security best practices is implementing strong password management policies. Previous thinking was that complex equaled strong. Forcing employees to create complex passwords. However, complex passwords such as }k}$4p#F@Q7n, will likely end up being written on a sticky note on a user’s desk or saved in an insecure file on a user’s desktop.

Current NIST recommendations maintain that password length, not complexity, is key to password strength. Password complexity rules are one of the most burdensome behaviors the security industry has imposed on users. Users are usually required to provide unique complex passwords, say a minimum of 8 characters, one upper case, one lower case, one number, and one symbol for every email account. After creating this complex password, they are advised to never write it down or reuse it somewhere else. But in reality that seems like an uphill task for many. Bill Burr, the man who invented those standards back in 2003 has himself admitted that they are basically useless today. The problem wasn’t that Burr was advising people to make passwords that are inherently easy to crack, but that his advice steered everyday computer users toward lazy mistakes and easy-to-predict practices.

While complexity rules make passwords seem secure on the surface, the issue is that most people usually adhere to certain patterns when creating them. These patterns are well known to criminals. Time and again research has shown that users have difficulty remembering those complex passwords, so they end up writing or saving them in places that are easy for an intruder to find, which defeats the whole goal of security in the first place. If a user manages to create a complex password, the next challenge begins: remembering the password and difficulty entering the correct password especially when numbers and special characters are involved. So errors are pretty likely, hence one of the most often pressed buttons is the “I forgot my password“ button to reset the password, and the cycle continues. Security experts all agree that the use of passphrases (the stringing together of a few words) is the way to go. Passphrases are easier to remember and difficult to crack. In other words, length, not complexity, is the new entropy.

Similarly, a password expiration policy that forces users to change their password every 90 days or so is according to NIST, an outdated practice. This practice was hinged on the fact that it would take 90 days to crack the average password hash. But today’s enormous computing power makes this policy irrelevant. Passwords that would have taken a hacker 90 days to crack twenty years ago now take seconds or hours. Regular password change doesn’t do anything to actually secure you, it only makes you feel secure. With just a few dollars, one can obtain a password cracking tool that can decode an 8-character password—no matter how many capital letters or special characters are involved. These tools coupled with high computing power, have been used by hackers to expose millions of passwords after a breach. If you keep forcing people to change their email passwords in your workplace, they are going to come up with some methods that make it easy for them to remember, such as incrementing that letter or number at the end of their password in a predictable pattern.

Don’t make people change their passwords unless there’s an indication of compromise. With tools like Have I Been Pwned and Google’s Password Checkup browser extension, you can easily tell if your password is among breached passwords. If you have a high-risk account you need to secure, use Multi-Factor Authentication (MFA). This is one of the simplest, most effective ways to secure any authentication requirements.

5. Implement Email Encryption

Email encryption is an important email security practice that protects personal and company email from unauthorized access. As with all digital content, the best way to keep emails secure is by using encryption—which is basically complex algorithms that prevent anyone from reading the content of your email unless they have the correct encryption keys.

The main purpose of encrypting emails is to make sure that emails are only ever received by their intended recipient, with all data they contain protected and intact. If businesses use encryption, attackers will not be able to read sensitive business emails. It also protects emails from man-in-the-middle attacks. Good email encryption supports end-to-end encryption (where your own data is encrypted on your own device, and only you and the intended recipient can access it), and zero-access encryption (where email is encrypted and decrypted using only your public key and private key respectively).

Most modern email services encrypt emails in any of or a combination of the following methods:

  • TLS/SSL encryption in transit  This is the same encryption used to secure HTTPS websites, and it is the backbone of all security on the internet.
  • Symmetric-key encryption algorithms such as AES to store emails Most email services apply this encryption when an email is stored on its servers. This means the provider holds the encryption keys, which it can use to access your emails for advertising purposes or in response to third-party demands.
  • Encrypt emails in transit using TLS and store them on servers using AES All email communications are end-to-end encrypted and are stored on servers using zero-access encryption. This protects the confidentiality and integrity of email messages and makes it difficult for email providers to access your emails for advertising purposes or in response to third-party demands.

OpenPGP provides a way for the end-users to encrypt the email without any support from the server and be sure that only the intended recipient can read it. Other encryption options include PGP and GNU Privacy Guard (GnuPG). Free and commercial software (desktop application, webmail, and add-ons) are also available. However, there are usability issues and difficulties in getting it to work. But you can easily get around this by using encrypted email providers such as Proton Mail and Tutanota, as well as commercial encryption appliances and services that automate encryption.