Is It Time to Renew Your Email Policies?

As the year winds down so do some of the projects you have been working on. But as we all know, as those projects come to completion they will be replaced by new ones.

In the spirit of the new year and new year’s resolutions, make this year the one you revamp some of those old email policies that have been lingering around since your organization first installed Exchange 4.0 in the early nineties.

The effectiveness of good policies

To many, having an email policy is nothing more than an item on a security checklist somewhere. We are supposed to have one, we are supposed to make our co-workers sign off that they are aware of it, and that’s the last we speak of it – ever.

However, this way of thinking can cause some serious harm to your organization in the event something goes wrong. Not having a realistic and enforceable email policy could wind up costing your organization a great deal of money and credibility with those you do business with, and it could wind up costing people their jobs.

Yet instead of focusing on the negative, let’s take a look at what a well-written email policy can do for you:

It promotes professionalism. Many an organization found its name in the headlines because of unprofessional behavior that was expressed via email. Whether the message was sent as a joke or as a means to harass another employee is irrelevant. If something happens via email, it can be tracked and published. By enforcing professionalism in all emails that are sent, you lessen the risk that your organization will draw public scrutiny because of the bad choices some employees make.

It helps reduce liabilities. To begin with, if IT and management take the email policy seriously, then that sentiment will trickle down to the other employees. If people know ahead of time that certain actions are unacceptable, most will abide by these rules of behavior. This immediately reduces risk to your organization. However, for the person or persons who still insist on doing things outside the boundaries of what is acceptable, a signed and enforceable policy can help shield the organization from some liability if that person causes harm.

Productivity increases. That’s right, an effective email policy could lead to people spending more time on work-related tasks because they will spend less time on distracting, non-work-related emails and the sites that these messages send them to.

Your infrastructure will be more secure. Finally, if your email policy spells out what employees should do when they suspect that an email they have received is a spam message or a phishing attack, your organization will have a leg up on the attacker. Knowing that someone is targeting your organization will allow you to better secure yourself against their attacks.

Creating the policy

Simply searching Google for email policies and copying someone else’s is not the solution you should be investing in. While using other policies as a guide is smart, no two businesses are the same so just taking from the Internet goes directly against best practices.

With that being said, there is no cookie cutter approach you can take to your policy. You, and the team, will have to roll up your sleeves and actually create the policy from scratch. Just make sure that sections you include cover the following basics:

Establish rules and guidelines. These are in place to protect your organization against threats. They should not only tell users what is appropriate and inappropriate but also should govern what can be sent and what cannot be sent via email. You should also include a section on how to report suspicious or inappropriate emails.

Educate users about email etiquette. Explain to them why certain things cannot be sent via email to customers or even each other. Then explain what could happen if they don’t abide by these rules of etiquette.

Inform them regarding monitoring. If you are monitoring emails then you need to let your co-workers know about it.

Finally, make sure that you go over the policies with the people signing them. Simply sending out a memo and attaching your policy to it sends the message that this is not important. Do it right from the beginning and you won’t have to keep doing this every year.

Written by Jeff


  1. Christopher · December 31, 2013

    It is essential to regularly revisit the e-mail policies. In our office we do that every third month. Revisiting doesn’t have to mean new policies are introduced or some are being modified. It’s just a way of helping us keep track–if our policies remain up-to-date as new threats and security options become available quickly. But I don’t really know if this is something the small businesses do. I am not even sure if they have e-mail policies to begin with.

  2. Jenn W · December 31, 2013

    This is all so true. Email policies are important. They’re more than just a bunch of words that you type up to secure emails. In the past months, we’ve heard of some companies suffering the consequences of not having solid email security policies. Some have had to battle things out in court, while some had to endure tarnished images and reputations. Anything can happen if you do not have secure emails. So, at the start of 2014, company heads should find time to sit down with colleagues and employees to openly talk about email etiquette and all things related to email security. Policies should be drawn up accordingly. And these policies should be strictly implemented, with the employees made to understand that taking them for granted might lead to serious consequences. It’s about time that your company steps up into the fight against email pirates!

  3. Ivy · January 30, 2014

    Our company always makes sure that we perform all these IT reviews at the beginning and then end of the year, with a possible assessment in the middle of the year if there are huge changes in the industry or news about any kind of security threat for e-mails. We do this along with the IT department, and if need be, we also hire a consultant to review our policies. These steps have become more essential as we embrace BYOD.

  4. Niel · January 31, 2014

    @Jenn W: I completely agree with you. Formulating an email policy should be a major company activity or task. Some companies even form a committee tasked specifically with coming up with such policies. And it’s not enough that the policies are there…In addition to making sure that the policies are implemented, there should be a regular schedule for evaluating and updating the said policies. Likewise, every employee, regardless of position, should be trained and educated accordingly so that they will know how to adhere to the policies. If these are followed faithfully, your company will have no need to panic when spammers attempt to get into your email system.

  5. Alison Shriver · January 31, 2014

    Anyone who thinks that creating an e-mail policy is easy has never really produced one. It’s really very complicated, and what makes it worse is when you don’t get the support of the higher-ups. I have come across plenty of supervisors and managers who are the first violators of these policies, but you cannot really chastise them since they’re the powers that be. They’re such a pain in the arse.

  6. Shima · February 24, 2014

    I really recommend companies to have an e-mail policy, even if such business is often categorized as “small.” It doesn’t just instill discipline and professionalism to the employees, but it also prevents or reduces threats that can cause a huge financial and administrative loss for the business. One can already find a professional who can help in crafting these e-mail policies, and they don’t have to be in house and thus can be paid only when his services are needed.

  7. Lily · February 26, 2014

    @Jenn W: You are so right! Our company just came out with a revised set of email policies. It seems that the ones we’ve had for so long had some loopholes so that a number of my co-workers almost became victims of phishing and spamming. So our bosses have scheduled some sort of a tutorial session for us so we’ll completely understand the new policies, and so that we’ll be able to practice hands-on what we need to do to keep our emails safe. I think companies should regularly check and evaluate their email policies. This is the best way to determine whether the safety level is a reliable one or not.

  8. Omar · February 26, 2014

    I am an IT head in a fledgling company here in Ohio, and I must have to tell you about the huge importance of having an e-mail policy. As the company I’m now with grows, more employees come in. It means web traffic also increases. Through monitoring, I found out that new entrants are usually the ones who do crazier stuff online, especially when it comes to their e-mails, sharing large attachments and hitting Reply All to include even those who should not be part of the conversation. And they love to talk to one another as well! So an e-mail policy keeps them more disciplined and should be created before new employees come in.

  9. Clarence · March 3, 2014

    I know it’s time to update the e-mail policies when I can already find plenty of spam and unethical or wrong use of e-mail in the office. As an HR practitioner, I deem it necessary to ensure that everyone is acting according to the tenets of our business, including how they conduct themselves online, especially with the use of e-mail.

  10. Mike · March 31, 2014

    Clarence: That would be very interesting, I mean “according to the tenets of the business.” What exactly do you mean? What are your current rules when it comes to conducting themselves online? I’m just curious because as an employee, I really don’t want HR telling me what to do when I’m online. I mean it’s my space, right?

  11. Cleo · March 31, 2014

    They say you’ll never know the gravity of a poor decision or management until you suffer its consequences. This is very true when we speak about e-mail use. These businesses that don’t really practice good e-mail management will never know what hit them until they’re hit with a very huge IT problem that’s going to drain their finances and savings.

  12. Apple · April 1, 2014

    The article is actually right in saying that there’s no hard and fast rule in drafting these policies. That’s why I find it disappointing to know many businesses who prefer to use “templates” or even use other companies’ policies on their own. Doing so isn’t completely wrong, but since even like-minded businesses can be so much different, the least thing they can do is to modify the policy to make it more suitable to their needs.

  13. Nona · April 1, 2014

    @Jenn and @Lily: We are in the same experience level! Ours is a start up company, so it took quite some time before our IT people were able to formulate email policies. It’s a good thing, though, that they first met with all of us to find out how much we knew about email security and the perils that hound it. Thus, the email policy booklet they created is something that anybody can understand. Simple but precise; complete. They also made sure to include detailed examples; like situations that can happen and their possible solutions. So far, so good. Things are going great for us.

  14. Sandra · April 28, 2014

    There’s always a good time to renew e-mail policies, but the question is, how many companies are actually doing this? Until now many are still taking these types of threats very lightly. They believe there are more important things to do or be concerned about rather than e-mail. So perhaps a follow-up blog post about how to make it easier to modify e-mail policies can be helpful.

  15. Gabb · April 29, 2014

    @Nona: Good for you! I wish there were more companies like the one you’re working for! There are some companies that simply refuse to spend for IT workshops and email security policies because they think it just adds to their expenses. What they don’t realize is that they’ll get to spend more if their email system is compromised by hackers and spammers. I have to agree with Alison, though; coming up with an effective and efficient email policy is not easy. It entails a lot of hard work. But then, the pay off is really good. So companies should not consider it an expense, but an investment.

  16. Mario · April 30, 2014

    I think aside from the e-mail, we should also be drafting and implementing BYOD policies. More employees are now using their own mobile devices for work, and a lot of companies are trying to become more efficient and effect cost savings by creating such program, yet because of the lack of reliable and easy-to-implement policies, BYOD is doing more harm than good for many businesses.

  17. Gio · April 30, 2014

    @Christopher: You actually have a nice program going on there. I like the idea of revisiting, because often companies do that out of sheer necessity, and that can be a source of a problem since by then the need makes the modifications or updates more urgent. We may not come up with a good policy in the process.

  18. Sammy · May 30, 2014

    Yes, definitely, especially if the company is implementing BYOD. That makes an e-mail policy update–or even the creation of such policy, for that matter–even more significant. Although BYOD carries a lot of great benefits, it also poses a very high risk for businesses in relation to online security threats. The more mobile the person, the more vulnerable their data become. One of the biggest sources of failure of BYOD is the lack of any policy that aims to curtail the abuse of mobile device in accessing e-mails.

  19. Brian · May 30, 2014

    Wow, good discussions right there. I am a small business owner, and to be perfectly honest, I haven’t really thought about creating an e-mail policy simply because we’re just a small team. I figured it’s best left to large companies that definitely have a lot of people accessing their e-mails and company data. Now I’m having a change of heart. I should already have one as early as now rather than when my company has already grown larger. It would then be a lot harder for me to deal with such policies and e-mail-related issues.

  20. Maan · June 30, 2014

    @Nona, Jenn, & Lily: You guys share similar stories. I won’t bore you with mine as it’s a little bit quite like what happened to all three of you. What I want to say is that I’m just lucky I have a computer geek for a husband because he taught me things that I never would have learned even if I listened all day long to our IT guys talk about spam protection. It’s not that they’re not good; on the contrary, they’re some of the best I know! I guess, in my case, a little familiarity helped me more. Anyway, our company has annual email policies reviews. This allows them to not only check our system, but also get updates from us employees. @Alison: You’re right. Creating an email policy is no easy task. But if it can help a lot of people, no task is really difficult. It just takes some getting used to (according to my husband!).

  21. Genie · July 31, 2014

    Every day is a good day to examine and renew email policies! It might sound too tiring or routinary, but making sure that everything (and everyone) is safe does not mean just sitting down on your chair and hoping for the best. It means actually going through the policies and checking out if they’re still effective, efficient, or viable. It means religiously checking out your system to make sure that nothing is out of order, or that spammers cannot take advantage of anything. Security should be a major concern for a company or group that thrives online. If you don’t want to do it every day, you can do your email policies check on a monthly basis. As long as you have a regular schedule for doing it, that’s fine.

  22. Rocco · August 30, 2014

    I deem it very important for companies to double-check their e-mail policies and revise them. In fact, the revision is mandatory. Otherwise, how do you reflect the changes that are happening within the organization and technologies used for communication if you don’t, right? Especially at this age where we already have different modes of accessing e-mails, including mobile devices such as smart phones and tablets.

  23. Terry C. · August 30, 2014

    Of all the many suggestions there, I find Ivy’s to be the best. I think it’s the one that’s more solid and reliable. However, I do have issues. It feels like a huge amount of time is devoted to creating and updating policies. I am not saying that only little time should be set aside, but clearly, there are other equally more important things an IT department does than to revise and review e-mail policies. I hope, Ivy, you can clear this up for me.

  24. Mario · September 28, 2014

    Hi, everyone! Can’t believe it’s been a while since I am again able to post in here. Seems like the website is pretty quiet too. Too bad. Anyway, just in case somebody misses me here–yeah, I can be that brash–we have been doing some updates in our e-mail policies, and guess what, I was able to use the inputs I learned in this website. It took us about a month to complete it, and then we had to monitor the policy’s effectiveness, hence, my absence. The good news is based on our initial survey last month, we’re able to reduce intra spam by as much as 95%.

  25. CJ · October 2, 2014

    Our company has the same policy as that of Ivy’s. Only, in our case, our IT Department does it every six months. While it’s true that they have other tasks to fulfill, email policy updates are already scheduled, so they know when they need to do it. Thus, it doesn’t really interfere with their other tasks. Additionally, email policies are a major responsibility for every IT Dept, especially in a day & age where spam threatens users almost every minute. If we do not consider this a major IT issue, how else can we keep up with the spammers, who seem to be always a step ahead of everybody else?
