How to Talk to Your Users About Email Security

Illicit emails like spam and phishing attacks are something that people have to deal with on a daily basis. However, those who serve as email administrators don’t have the option of just dealing with email-borne attacks. Email administrators are the ones tasked with stopping and containing malicious emails, and most realize that email security needs to be taken seriously.

Unfortunately, the one or two people who handle email responsibilities for your organization can’t be the only ones who take the email threat landscape seriously. Everyone in the organization needs to understand a few things when it comes to their email and these are:

  • What they can and cannot do with their work email
  • What threats are out there
  • The damage that these attacks can do and the ramifications for your organization
  • How to identify these threats
  • What your organization is doing to stop these threats
  • What to do if they encounter an email-based attack

As the email administrator, part of your job is, or at least should be, educating your coworkers about all of these aspects of email security. For some, this is easy, but if you are more comfortable behind a wall of monitors than in a face-to-face conversation, this might be a difficult task. Understand, however, that if you are able to convey the seriousness of email security to your coworkers, you will be much more effective at your job. Here is how you can go about doing just that.

Use Policies as Support

Every organization should have some type of policy that dictates the use of email in the workplace. Some smaller companies don’t put this in writing because the rules are “understood” but this isn’t good enough. They need to be written down and people need to know what is expected of them. You may think that everyone knows that they can’t send off-color jokes or make inappropriate comments through email but it happens more often than it should.

With these policies in hand, you have the support of management and this will usually help open the door with your coworkers. Use this as a way to break the ice and lead into the meat of your discussion.

Show Others What Is At Risk

Before you start thinking about what you are going to use here: whatever you do, don’t exaggerate or use scare tactics. They rarely work with adults and can easily cause people to disregard what else you have to say.

Be honest about the threats and use specific examples; use examples from your industry if possible. These are easy to find using an Internet search.

Next, tie in how these threats affect them specifically. In a large organization, a multi-million dollar fine for a data breach may be written into a budget somewhere, but most small to medium sized organizations simply can’t take that kind of hit without having to cut back somewhere.

Be Clear

Simply telling your coworkers that email threats are bad won’t buy you any credibility or win you any allies. Instead of general statements, tell them exactly how a virus can be sent using an email and what it can do. Show them how data can be leaked through an email message or how a spear-phisher can steal user credentials with a fake login screen or by including a link to a malicious website.

Finally, explain to them how to spot dangerous email messages and what they should do when they receive one. Go over your investigative process with them instead of just telling them that you will look into any suspicious emails. The more they understand about how things work the more likely it is that they will see just how important it is for them to take this topic seriously.

Good email administrators understand that their users are often the last line of defense and that an educated user, coupled with a solid anti-spam filter, is the best defense you can have against email-based attacks. If one of these is ignored or not given enough support, then the organization is left open to an attack that could possibly have been avoided.

Written by Jeff Orloff

10 Comments

  1. David Black · September 24, 2013

    And hope that you deal with intelligent staff who can understand the risks rather than think you are exaggerating the dangers. For instance, I can’t remember how many times I’ve told friends, relatives, and co-workers something as simple as not sharing your password with others. As you guess, I was accused of being paranoid, of not trusting people, and what not. Fortunately, these people are not in my email security range, so at least I am not responsible for their actions.

  2. Isabelle · September 26, 2013

    The first people who need to understand about the importance of e-mail security is the management. They are the ones who have to make the final decision when it comes to budget, human resource, and every core function of the business. If it doesn’t allocate enough money to buy the right tools, if it doesn’t allow and support the HR and IT departments when it comes to drafting anti-spam education programs, then all these tips are worthless.

  3. Nathan Gaston · September 27, 2013

    I like all the points you discussed here. It has basically everything that people need to know and share about email security. I’m sure that if people follow your list as honestly as they can, we’ll see lesser email security problems in the next days/months. Let me just add that it is important to reiterate how spam can change every now and then; that spammers regularly devise ways to beat anti-spam systems. It will also help a lot if one uses visual materials in explaining the threats, the damage, as well as the things that your organization or company is doing to fight spam.

  4. Lea · September 27, 2013

    I think case studies are going to be a very huge help. Sometimes the users don’t really completely appreciate the efforts in securing their systems and privacy unless they become victims of threats. Of course, we shouldn’t wait for this to happen, but a case study can allow them to connect the IT policies about security to real life situations.

  5. Bernard · September 30, 2013

    One of the things I like about our IT department right now is they send us not just an e-mail but a newsletter about anything related to spam and e-mail security. They do so at the start of the week, Monday, so we don’t have to be bothered by more updates and reminders for the rest of the week, unless they are urgent, sudden, or definitely necessary. Before, I didn’t know much about spam and e-mail, but with their newsletters, I have become more educated and enlightened. I am even sharing them with my friends and family.

  6. Jun · October 30, 2013

    I think it would be a great help if the IT gets support from the management. If the higher-ups completely understand the gravity of the problem–how it’s going to impact the way the business functions–then there’s no doubt that they are going to give the right budget and support for policy making. The problem, though, is that it feels a lot of IT guys and girls don’t know how to really explain the situation to business owners and managers.

  7. Tyler · October 31, 2013

    The new company I am working on has a very good anti-spam program in place. Every week, we receive a newsletter digest with the messages from our IT as well as links of articles that are related to Internet security, especially e-mail. We love it in the office because the news is a beautiful breather from our hectic work, we don’t feel as if we’re really forced to learn everything about e-mail security, and we can sense that the IT department is trying its best to work closely with us. We can feel the sincerity and the empathy.

  8. Bob · November 30, 2013

    We just had some lessons about spam a couple of days ago. What the IT department did was to send out questionnaires that can help them evaluate the level of knowledge and awareness we have about different security threats. I think it was a good move since they can give more emphasis on topics we don’t know much about like BYOD.

  9. Brett · March 3, 2014

    @Nathan: Totally agree with you, man! Spammers nowadays follow a vicious cycle. They change tactics every now and then so that many of us are often caught by surprise when they come up with something new. Even the authorities do not have any idea when they strike or how they choose to deliver the blow. Spam is continuously changing and developing. And as technology continues to advance, their “tricks” also evolve. It’s like they know what to expect next, so they prepare for it way ahead of time! It is definitely a scary reality. Therefore, we should all be extra cautious when dealing with email.

  10. Maria Ortiz · April 1, 2014

    I currently work in a Houston start-up software development company. Currently we are 50+, so the number is still manageable. Nevertheless, I have to hand it to the company for creating a newsletter as a central point for all information. Every month we release one, and we do have a corner for any kind of updates about security. It’s less than 500 words, so it’s easy to read, and we don’t suffer from information overload. Most of all, the more we read about these notes, the more we begin to understand and appreciate the importance of security.
