Email Security Best Practices for Small Businesses

It’s almost a cliché to say that email has become a leading business communication tool. Because we’re all deeply familiar with the role it plays in facilitating the exchange of information between businesses and their customers and partners. The importance of email makes it a prime target for cybercriminal activity – like social engineering – and the main reason employees need to use email security best practices.

It’s estimated that over 90 percent of all cyber attacks begin with a malicious email sent to an unsuspecting victim. And cybercriminals don’t discriminate. They target organizations of any size.

To protect your organization against email-based threats, you need to proactively strengthen your defenses. Start by implementing these email security best practices.

7 Email Security Best Practices

1. Enforce Strong Authentication

Nordpass revealed that exceptionally weak email passwords are still being used worldwide – despite growing cybersecurity awareness. Many people still protect their email accounts (and others) with passwords like “12345,” “qwerty,” or “password,” making it way too easy for cybercriminals to brute force their way in.

To address this problem, businesses should enforce strong passwords and combine them with multi-factor authentication. On its own, a strong password like “42sjg31of@#5r” protects against brute force attacks. But it doesn’t protect against password theft – which is where the requirement to present at least one additional piece of evidence during authentication in the form of a one-time password or SMS code comes in.

2. Enable Spoofing Protection

Phishing scams have become so widespread and costly because small and midsize businesses often make it way too easy for cybercriminals to spoof their domain names in order to craft malicious messages that appear as if they were sent by a legitimate sender.

How exactly do they make it easy? By not authenticating messages with SPF, DKIM, and DMARC.

These three acronyms stand for Sender Policy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication, Reporting & Conformance. 

Together, they are used to authenticate and digitally sign messages to make it impossible for attackers to forge the “From” address. When configured correctly, they also increase deliverability, so messages won’t end up in the recipient’s spam folders.

3. Use Email Encryption

Electronic messages travel across the public internet, hopping from server to server until they reach their destinations. Unless encrypted, they can be intercepted along the way and tampered with. Fortunately, nearly all reputable business email providers encrypt messages by default when they are in transit using cryptographic protocols like Transport Layer Security (TLS).

To go a step further, businesses can encrypt messages at rest using technologies like S/MIME encryption and Microsoft 365 Message Encryption (available to Microsoft 365 subscribers). At rest encryption essentially converts the text of an email message along with all metadata into scrambled cipher text that can be deciphered by using the correct decryption key. As a result, the message can’t be read even by an attacker with direct access to the inbox.

4. Create an Email Policy

It’s fairly common for small and midsize businesses to not feel the need to set out expectations on acceptable use of email at work by creating a comprehensive email policy, but that’s a mistake, and its consequences can be far-reaching. At the very least, all businesses should prohibit employees from using their work email for personal purposes – such as online shopping and communication with friends.

Additionally, employees should also not be allowed to open their inboxes on devices that have not been approved by the IT team because. Such devices may not be secure and infected with malware. Mobile devices (especially those running the Android operating system) are no exception in this regard.

5. Scan Messages for Threats

Effective email security strategies always include multiple layers of defense. One of them should be active scanning of incoming messages to protect against malicious links leading to credential-stealing websites and attachments containing dangerous malware.

Microsoft, for example, protects Office 365 users by automatically performing anti-spam and anti-malware scans of inbound email messages. They also provide features like Safe Attachments and Safe Links to give businesses extra protection against malicious attachments and links, respectively.

6. Practice Granular Email Retention

Email retention periods required by various regulations for different message types can range anywhere from a few months to multiple years. To make things easier for themselves, many businesses store all messages to the maximum retention period even though they technically don’t have to. Unfortunately, there are two major problems with this approach.

First, it greatly increases the total size of stored messages. Second, it makes potential data breaches more damaging.

Instead of using one retention setting for all messages, it’s much better to implement granular email retention policies by type of content. Yes, their initial setup does take some extra time and effort, but they seldom need to be updated once they’re up and running.

7. Invest in Email Security Training

Employees who are not aware of the existence of phishing scams, malware disguised as legitimate attachments, and other common email threats are easy prey for today’s cybercriminals. Since the strength of the cybersecurity defense chain is always determined by the strength of its weakest link, it’s a good idea for businesses of all sizes to invest in email security training.

Instead of boring employees with stale PowerPoint presentations, it’s usually possible to achieve better results by giving them access to a self-paced online course that’s split into bite-sized lessons. The course can be complemented by phishing simulations designed to put employees’ newly acquired email security knowledge to the test.

Update Outdated Email Practices

Electronic mail may be more than half a century old, but email security is still a hot topic because of how ubiquitous email has become as a business communication tool. Small and midsize businesses that are still relying on outdated email security practices should update them as soon as possible because most cyber attacks these days begin with a malicious message.

Teal can help you implement the best practices described in this article so that you can keep all email-based cyber threats at bay and focus on what you do best – making your customers satisfied. Contact one of our business technology advisors today to book a free consultation.

Latest Teal News

Subscribe to Our Newsletter

Join Teal Exclusive now to be notified of the latest news, tech tips, and more.

Recent Articles
Don’t Stop Here

More To Explore