13 Policies for Securing Your Email – Part 1 of 2

Written by Mike Rede on September 24, 2010

Your organization sends and receives email messages every day and sometimes those incoming messages are like malevolent organisms looking to attack or infect your computer systems.

Administrators can help to mitigate the adverse impact of unsecured email by implementing secure email policies that are mandated and continually emphasized within their organizations. Getting end users to consistently follow those policies is more than half the battle in not becoming the next organizational victim of virulent email messages.

Here, then, are seven of the thirteen policies that belong in any organization’s secure email policies and procedures.

  1. Do not immediately open attachments. Employees should be reminded to verify that the sender of the email message is a person they trust. There are many times during the day when I am busy with work and I get a phone call. I do not immediately open my cell phone until after I’ve recognized the caller’s identity as saved within my cell phone records. If it is an unknown caller, then I simply let it ring and go to voice mail. Later I can listen to the voice mail message – if one is left – and return the phone call. Likewise, your end user community should receive similar instructions for how and when to open email attachments: they should first confirm that the sender of the email message is a person they recognize.
  2. Create a tiered email architecture. Your end users should have three or four email sections within their inbox. The first tier consists of all incoming email whose sender has been cross-checked against the end user’s contact list; this gives a level of confidence in the origin and trustworthiness of the sender. An authentication mechanism could also be incorporated to add a higher degree of trust. The second and third tiers might consist of email whose sender addresses are not on the recipient’s contact list and/or cannot be authenticated.
  3. Add automatic filtering mechanisms. Encourage your end users to make use of email aliases as a means of filtering email messages based on predefined relationships, such as personally known sender addresses, first-time communications with an entity or organization, and an alias used for inquiries or other communications that do not require a fully identifiable email address. This minimizes the many unnecessary responses – and often spam messages – that users receive, because they can simply “select all” and then “delete” the subset of messages sent to a particular alias.
  4. Instruct your end users which email message links and icons not to open. Hackers often send spam email that includes embedded icons or graphic files, such as GIF or JPEG files, that when opened can unleash spambots that attack your systems by consuming their resources and clogging up the processing of more important business matters. Some spambots are there to interrogate your systems, searching for and collecting personal information about your end users or more vital business information, all of which can be abused to hinder your normal business processes. The personal information of your end users could be harvested and sent to marketers. And of course there is always the threat of viruses.
  5. Keep your anti-virus software up to date. Schedule regular checkpoints with your anti-virus vendor of choice and verify that your company has the latest updates. Look for additional protection against phishing, spam, browser exploits, instant messaging and file sharing threats.
  6. Disable the opening of additional browser windows when links within email messages are clicked. Your organization-wide email clients should support disabling new window pop-ups.
  7. Whenever your end users mark outgoing email as confidential, encryption techniques should be employed to ensure that the messages cannot be changed or read by third parties. Email messages that have been encrypted and compressed cannot be altered in any way. The sender is guaranteed, with a more than reasonable amount of certainty, that only the recipient can open and read the contents of the original email message.
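
The tiering of policy 2 and the alias filtering of policy 3 can be automated at the mail gateway. The script below is an added example, not code from the original post; it assumes the unnamed “authentication mechanism” is a DKIM/SPF verdict recorded in an Authentication-Results header by your own MX (the `AUTHSERV_ID`, contact list and sample message are constructed), and that aliases use `+` sub-addressing.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample data (assumptions, not from the post).
CONTACTS = {"alice@partner.example", "bob@example.com"}  # the user's contact list
AUTHSERV_ID = "mx.example.com"  # our own MX, the only trusted author of Authentication-Results


def auth_passed(msg):
    """True only when an Authentication-Results header written by our own MX
    reports dkim=pass or spf=pass. Headers naming another authserv-id are
    ignored, because a sender can insert those headers itself."""
    for hdr in msg.get_all("Authentication-Results", []):
        text = str(hdr).strip().lower()
        if not text.startswith(AUTHSERV_ID):
            continue
        if "dkim=pass" in text or "spf=pass" in text:
            return True
    return False


def alias_of(msg):
    """Policy 3: return the '+alias' tag of the recipient address
    (me+inquiries@example.com -> 'inquiries'), or None for the plain address."""
    _, rcpt = parseaddr(str(msg.get("To", "")))
    local = rcpt.split("@", 1)[0]
    return local.split("+", 1)[1] if "+" in local else None


def classify(raw):
    """Policy 2 tiers: 1 = sender in contacts and authenticated,
    2 = only one of the two holds, 3 = neither. Returns (tier, alias)."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    known = sender.lower() in CONTACTS
    authed = auth_passed(msg)
    tier = 1 if known and authed else 2 if known or authed else 3
    return tier, alias_of(msg)


# Constructed message: known contact, DKIM verified by our MX, sent to an alias.
SAMPLE = """\
Authentication-Results: mx.example.com; dkim=pass header.d=partner.example
From: Alice <alice@partner.example>
To: me+inquiries@example.com
Subject: Q3 invoice

Attached.
"""

if __name__ == "__main__":
    print(classify(SAMPLE))  # (1, 'inquiries')
```

A message carrying a forged Authentication-Results header from another authserv-id still lands in tier 3, which is the check a gateway rule must not skip.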

Finally, remember that there is no true privacy. Periodically remind your end users to be cautious of all email they receive even after following your organization’s secure email policies.

In the follow-on post I will discuss the second half – six policies – of this two-part discussion.
