How Safe Is Your Business’ Email?

In a recent blog, we at E-Complish suggested discarding old emails as part of an overall office spring cleaning. However, there’s more to do on the email “cleanup” front. It’s also time to assess the safety of your business’ email, as well as to take steps to strengthen that safety going forward. Why? Increasingly, criminals are preying on businesses by hacking into their email—and small businesses are no exception. What’s more, according to recent statistics published by CSO magazine, 92 percent of malware—software that is designed to disrupt, damage, or gain access to a computer system—is delivered via email channels.

To get a rough idea of how safe your business’ email may be, start by looking at how much email is sent to your employees daily using your own internal domains, but coming from external sources. Determine, also, how many external sources that use your email domain to send email to your employees are authorized to do so and are authenticating the email they send. See how much email is sent to your business’ email accounts each day by vendors and partners, from what domains these communications are being sent, and whether partner and vendor messages are being sent from authentic, authorized sources.

But this is not all. You need to ask more questions. For example, do you allow partners and vendors to use free email or webmail domains for business emails sent to your employees? How many emails are sent to your employees each day from social networks? How many total unique sources send email to your employees daily?

The more email that originates from external sources, and the more email that is unauthorized and unauthenticated, the more unsafe your business’ emails are. Similarly, the more emails your business receives from free domains, and the more emailed communications that arrive in employee inboxes from social networks, the lower your business email “safety quotient.” The same is true for unique email sources.

Now that you know you need to improve the safety of your business’ email, let’s discuss a few ways to do it. As a starting point, consider email encryption, which helps to protect sensitive information from hackers by only allowing certain users to access and read your business’ emails. Email encryption is made possible by downloading or purchasing extra software that plugs into your email client, or by installing an email certificate that lets employees share a public key with anyone who wants to send them an email and decrypt any emails they receive using a private key. It can also be handled by a third-party encryption service.

Additionally, ensure that each employee has their own password for their work computer and email system and that passwords are highly secure (i.e., they consist of at least 12 characters and a combination of numbers, symbols, lower-case letters, and capital letters). Passwords should not be something obvious (like a birthday or children’s names) and must be changed at least every three months. Using a watchdog service that monitors leaked passwords and generates an alert should any email address become vulnerable is a good idea.

Beyond instituting a requirement that email passwords be changed no less often than at three-month intervals, put together a stringent email retention policy. Require that employees purge emails that do not support business efforts. Many companies configure their systems to automatically archive emails that fall into this category after a certain interval following receipt, and to permanently remove them after a set time period.

Strict standards for company-related mobile device usage are also a must. Whether employees are using a company-issued mobile device or a personal device to send and receive company emails, require that employees encrypt data, keep the device password-protected, and install approved security apps to prevent hackers from accessing devices via shared WiFi networks.

Further, train employees on email security practices. This includes never opening links or attachments from unknown persons or responding to emails that request a password change and the sharing of personal information—no matter how official these communications may look. Employees should also be taught to ensure that their antivirus and anti-spy software has been updated, as well as to encrypt any emails containing sensitive data before sending them and to never leave an email program open when they are away from their desk. And of course, train staff to use company email only for business emails, as well as to avoid automatically forwarding company emails to a third-party system.

At a time when email hacking appears to be at fever-pitch, determining just how safe your business email really is—and taking steps to make it safer—is an initiative well worth undertaking.