3 Best Practices for Business when Creating Email Security Policies

email security2Every time someone in your company or organization sends or receives email they are opening up the possibility that infected emails are being distributed. Sooner or later everyone experiences the results of not using adequate email security practices.

Every day someone’s system or entire enterprise community is being probed by hackers.

Administrators can prevent a lot of problems from happening by having and following some common best practices for email security. Some of those best practices include routinely publicizing a company’s email security policies. Just having email security policies in the first place is a step in the right direction.

You can’t expect end users to follow the rules when they are unaware or have forgotten those policies. You must constantly educate and remind your end users of those policies on a routine basis. Maybe it is once a month or maybe once every two months will be sufficient to maintaining a security-aware end user community.

Here then are some email security policies worth noting that any organization can document and use in their best business practices.

1. Steganography is the action of hiding a message in plain sight using some format that is commonly used every day such as email or bitmap images. Steganography can be used to pass intellectual property from within a company to someone in particular on the outside. An example would be if a company were working on a secret or proprietary piece of software and then suddenly while browsing the Internet they recognize their code posted in the open on someone else’s public website.

As part of your company or organization’s best security practices and policies should be a software package that allows you to identify steganography software. This anti-steganography tool should be able to scan systems in the same manner as if it were looking for viruses.

Another solution to prevent steganography from being used is to bring in a security company that can perform forensics analysis on bitmap images and email attachments.

2. You can now secure the email messages that you send to someone by using encryption communications. The process works like this: I need your public key for me to send encrypted email messages to you. You need my public key for you to send encrypted email messages to me.

To get the process started you must first create your email message and then “digitally sign” it. Most email clients today have some method for digitally signing an email. There may be a delivery option or a pull down menu which allows you to choose “sign” this email message. When a sender digitally signs their email message they are including their Public Key certificate. The recipient of the sender’s email can then store the sender’s public key information.

When the recipient (of the digitally signed email from a sender) wishes to send an encrypted email to the previous sender then they just need to select the “secure this email” option using the previously stored public key information. A receiver of an encrypted email message can decrypt the message using their own private key.

3. And one of my personal favorites is when you receive email from some “World” organization such as the International Monetary Fund (IMF) or the World Bank Auditors. The tease is the first line informing you that you have received some unimaginable amount of money such as US$10,000,000.00 dollars that were it true, would change your life forever. I love the requisite misspellings – got to have those to make the email believable that it came from some third world country.

The catch, of course, is that they only ask you to send some small amount of money as a token of trust or to cover their transfer fees. Or they ask you to send them your full banking information and any form of identification with complete addresses, etc.

By now you’d think that most everyone within your organization would be familiar with these types of scams but sadly there is always someone who desperately wants to believe in their good fortune.

Your security policies should clearly state the pitfalls of opening up emails from the “Barrister” of such and such a country or from the International Monetary Fund. And type in black and white not to divulge personal information or send money in any efforts to receive a thousand times more in response.

The above security best practices are just a very small number of the many possible ways to have secure email.




Written by Jacob Rede


  1. Gina · December 18, 2013

    I still think the best way to beat or control any kind of business e-mail risk or threat is proper education. These are all good technologies and methods, but hey, they do sound complicated, especially for those whose knowledge about e-mails are minimal. Organizations should, more than anything else, strengthen their security knowledge base. This way, too, users will find greater value of the applications or technologies.

  2. David Black · December 19, 2013

    The basic rule of thumb with any policy is to keep it as simple and straightforward as possible. If it isn’t easy to understand, nobody will bother to read it, not to mention follow it. This is why you might need to sacrifice technical accuracy for readability and don’t make it too long – one or two pages should suffice, the majority of users won’t read beyond that.

  3. Michael · December 31, 2013

    Perhaps one of the best tips I’ve learned is to be very careful when it comes to uploading and downloading attachments. It’s very important that I properly introduce the attachment so the recipient doesn’t second-guess if my e-mail is a spam or not. on the other hand, I should be weary if I received an attachment especially if the sender isn’t the type to send one. But the truth is these days it’s difficult to get all smart when it comes to business e-mails.

  4. Nils G · December 31, 2013

    Of the three that you mentioned, I am most familiar with the third one as I receive around three or four of these type of email almost every week. Of course, since I am well updated with the latest in email security, I do not open these emails and directly delete them without even taking a peek at what’s inside. But, it’s true, there are still a lot of people who remain “in the dark” regarding issues like this. I have friends who almost had themselves victimized when they thought of replying to similar emails – until I told them what these really meant. And these friends hold esteemed positions in big companies! I encouraged them to do some self-study/research on email security and, thank God, they’re now more knowledgeable and have even passed on the information to the higher-ups in their offices. Now their companies have regular (monthly, I think) email security updates for employees.

  5. Alice · December 31, 2013

    I wonder if there will come a time when we can incorporate biometrics into our own e-mail, not just in our devices but right in our mail. You know, to open a mail, you can scan your retina or use a finger print. Sounds so James Bond or Mission Impossible, but I think biometrics is still the best way to secure systems these days.

  6. Shonda · December 31, 2013

    I love companies that put premium into things like these and that take a more proactive approach against spamming and other online threats. I remember I used to work in a fledgling firm that didn’t allow us to use the Internet for fear we may infect the system with something. I don’t think it was the right thing to do. Instead, it’s only a lazy excuse for the IT guys not to do their jobs right.

  7. Cedric · January 30, 2014

    Although these tips are very good, I think they are a bit more complicated and quite time-consuming. Not all businesses too are willing to invest on more advanced technologies just for e-mail. I think that the best form of defense for e-mail security is updates. Many existing programs are already upgrading or offering patches, so if they work before, there’s no reason why they can’t today.

  8. Stacy Woodley · January 30, 2014

    Our company is currently using Data Motion, which is just the best. In fact, it’s considered as one of the most reliable e-mail security programs in the market today. I like it’s multi-level approach to security. It doesn’t just protect or secure the e-mails, it also prevents data loss, which is also a very huge problem. It also works across multiple devices, from PCs to mobiles. I think it’s also important to keep the firewall running, especially for e-mails.

  9. Meg · January 31, 2014

    @Alice: I think it would be quite awkward to be putting your thumb or your eyeballs close to the phone or monitor before you can open an e-mail, though I’d like to think that it’s the price to pay if you want to make sure no one can steal your information. I still have to read about the effectiveness of biometrics, though. I wonder when it will be officially mass produced and that phones will eventually accept it as a security feature.

  10. Lloyd · February 24, 2014

    Our IT administrator has actually created a checklist that we can refer to every time we send an e-mail. It includes tips on how to send with attachments, turn on the e-mail scanner, etc. Although it’s a bit long and it did pose some challenges to us, later we learned to appreciate its importance. I for one experienced a huge reduction of spam and unnecessary e-mails in my inbox. I think e-mail management requires a more proactive approach to begin with.

  11. Serena · February 26, 2014

    @Nils G: You and I have the same story! I often receive emails from organizations asking for donations. I did not know any of these organizations and neither am I a member of them. The first few emails were solicitations, though.

    The first time I got one, I opened the email and was immediately puzzled. I did not understand why they’d solicit from someone like me who’s terribly busy trying to make both ends meet. And then I realized what it was, so I just deleted the email. They were asking for my checking account and credit card details – “for verification purposes”. Why would they need my credit card info?

    The next time I got a similar email, it was already to inform me that I had won “millions” through an online lottery. I deleted all emails with the same subject line.

    If I had been ignorant about spam, I would have given my personal details and lost whatever finances I had left. I hope that, by now, majority of the world population is already informed about what spammers are capable of.

  12. Sheena D. · February 26, 2014

    Shonda, I have to agree with you. We can also have another analogy like a jewelry heist pulled off by men with caps inside a mall. Instead of increasing security, the mall decides to ban wearing and even sale of caps! Although it may actually work, the solution provided is impractical. Besides, I could not think of a company anymore that doesn’t need Internet to some extent.

  13. Dominic · March 3, 2014

    Most of the comments I’ve seen here are very basic, and I don’t think it’s such a bad thing. It only means that we are sometimes too focused on what’s technical, forgetting that the basic or most essential ones are the easiest and most important ones, such as being careful of the kind of attachments we upload in e-mails.

  14. Cassandra · March 31, 2014

    I simply implement Stop Look and Listen, though in this case Listen means read. Every time I receive an e-mail, I stop and look at the headline and the sender. If it sounds spammy, I immediately hit Spam Report or throw it right away. If it isn’t, I open it and stop and look at the content. Then I read everything extensively.

  15. Shawn · March 31, 2014

    Do you want to know how to fight spam and enhance e-mail security? Convince the top management. The money is in their hands. They have the final decision no matter how much the IT would like to convince them. In other words, they have the power over everything.

  16. Mirabel · April 1, 2014

    @Serena and @Nils G: I’ve been through your experiences, too. I receive a lot of lottery emails from people I don’t know. The first time I got one, I opened it. I don’t know, maybe it was because of curiosity. I did not, however, click on the link it gave. In fact, I deleted the email right after reading it. Maybe I just wanted to see what the letter looked like so I’d know which ones are fake the next time. Anyway, I agree with Dominic. It all comes down to paying attention to the most essential things and knowing what to do. So it’s important not to read emails coming from senders unknown to you and it is likewise important to take extra care when uploading or downloading email attachments.The best protection, they say, is knowledge.

  17. Tony · April 28, 2014

    One of the best practices I’ve learned so far and the one that I truly adhere to is to take time to read the e-mail. You know, sometimes you get excited to open a mail especially if you’re expecting something, perhaps an e-mail about a new job opportunity or a message from a friend, but we all know that things can already be so deceiving. By reading and analyzing the content, I think I saved myself far too many times.

  18. Pamela · April 29, 2014

    @Mirabel: Experiences like yours, Nils, and Serena’s are the exact reasons why it is important to educate people. I mean, if a person is well-informed about things like spam and how it can threaten email security, risks will be lesser. I agree with Michael, too. It is important to screen whatever attachment you are downloading from your email. Most emails now come with filters that scan attachments; one should make use of this feature. One of the best things to do to avoid spam is to not open emails and links that come from people, companies, or organizations that you do not know (or have no relation to)!

  19. Sahara · April 30, 2014

    Hmm, I don’t really completely get the gist of the article. Does it focus on some of the nasty tricks in e-mailing? It seems to be that way for me, but anyway, as a business owner with my own staff–there are 5 of them–I always remind them to be careful when it comes to opening their e-mail. I may be operating in a small scale, but I do have my own e-mail policy because I see the value of protecting assets from IT threats.

  20. Paul · April 30, 2014

    Steganography is something new to me. That’s also very interesting. It’s basically like the black hat technique you use in SEO where you hide keywords from plain sight, and yet it’s readable by spider crawlers. I doubt this technique still works, however, since Google is really trying to prevent these unscrupulous people from getting the high ranks through nasty means. Anyway, how do I exactly go about with the software?

  21. Eve · May 30, 2014

    Although it’s currently a subject of a huge debate, one of the most effective e-mail security strategies these days, at least for me, is to include the e-mail policy as part of mobile device management, particularly in relation to BYOD. I know it’s quite tough, especially if the device itself is owned by the employee, but there should be a limit as to data accessibility and use in order to not put this data in an vulnerable security situation.

  22. Claire · May 30, 2014

    “3. And one of my personal favorites is when you receive email from some “World” organization such as the International Monetary Fund (IMF) or the World Bank Auditors. The tease is the first line informing you that you have received some unimaginable amount of money such as US$10,000,000.00 dollars that were it true, would change your life forever. “–If someone falls for this, then you’re definitely stupid!

  23. Chelie · July 31, 2014

    @Dominic: Totally agree with you. Most of the time, we focus too much on forgetting the basic – and even the root of the problem. Why do we have victims? Because they allow themselves to become one. I mean, I’m not talking about everyone, just a number of people. The point is, it is always good to look at the simplest things because that’s where or how you may find solutions or answers to problems. Being careful is a basic instinct; one that we should not take for granted. We should all be careful at all times, so whenever we see emails with attachments, we should not right away open or download them. Find a way to verify its safety and legitimacy first. Maybe you can check with the sender for authentication. We don’t need to sweat the small stuff, but sometimes, we do need to take careful notice of them, too!

  24. Dolly · August 30, 2014

    @Chelle: You are quite right. I do know many people who are aware of the dangers of spam, and yet they allow themselves to become victims of these tactics. Is it because of greed? Because normally these spam messages promise them millions of dollars in a bank account somewhere. Is it because of curiosity to see what’s really in the attachment?

  25. Pip · August 30, 2014

    “I love companies that put premium into things like these and that take a more proactive approach against spamming and other online threats.”

    Oh, I love them too, Shonda. But here’s the thing: for some reason, I find more small businesses who are taking these steps than big ones. I don’t know . . . is it just my observation or there’s a statistic that can support this?

  26. Carmen · September 28, 2014

    Hi, how’s everybody here? I would like to ask some feedback about how your policies are going these days. I am currently working as an HR officer, and my team is busy drafting and amending company policies. I wonder if someone can help me out in how to design this e-mail security plan. We are not really IT, and not all of us use e-mail extensively in our jobs, but still, I think it’s better to have these policies in place.

  27. marla · October 2, 2014

    I agree with you, Chelie. It’s a bit disheartening to know that there are still people who fall for this kind of scam. You know, the obvious ones. Then again, I guess we cannot really blame some people; maybe they just really do not know there are things like spam and phishing. So, again and again, we go back to the drawing boar and provide them a little education about these scams. I do believe, though. that like what Chelie said, we all have basic instincts; so we know when something does not feel or look right; we know how to avoid danger or how to look for danger signs. If an email attachment looks suspicious, don’t let it get the better of you. Verify from the sender first before opening or downloading. If you don’t know the sender, put it in the trash!

Leave A Reply