
Top 15 email security best practices for 2023

Attackers exploit email every day to break into corporate networks, but the risk can be reduced by adhering to these 15 email security best practices.

In the past, email security best practices could be summarized quickly: Don't trust email because email is an unauthenticated, unreliable messaging service. This is still mostly true, and the same best practices for email security for employees from 1989 still hold: Use strong passwords, block spammers, don't trust offers that are too good to be true and verify requests even from trusted entities.

As email becomes increasingly critical to business success, however, a stronger set of email security best practices is recommended. They can be summarized as follows:

  1. Train employees on email security best practices.
  2. Create strong passwords.
  3. Don't reuse passwords across accounts.
  4. Consider changing passwords regularly -- or not.
  5. Use multifactor authentication (MFA).
  6. Take phishing seriously.
  7. Be wary of email attachments.
  8. Don't click email links.
  9. Don't use business email for personal use and vice versa.
  10. Only use corporate email on approved devices.
  11. Encrypt email, communications and attachments.
  12. Avoid public Wi-Fi.
  13. Use email security protocols.
  14. Use email security tools.
  15. Log out.

Let's explore each best practice in further detail.

1. Train employees on email security best practices

Regularly scheduled security awareness trainings inform employees about security best practices and keep users up to date with not only corporate security policies and their role in keeping their organizations secure, but also threats they might encounter.

Be sure to discuss email during security awareness trainings and explain the company's email security policy, email security threats and recommended best practices.

2. Create strong passwords

One of the most important email security best practices is to use strong passwords. Password security advice has changed in recent years, though. Previous thinking was that complex equaled strong. But forcing employees to create complex passwords, such as }m}{4p#P@R9w, will likely end up with the password being written on a sticky note on a user's desk or saved in an insecure file on a user's desktop.

Current NIST recommendations maintain that password length, not complexity, is key to password strength. Passphrases -- the stringing together of a few words, such as kittEnsarEadorablE -- are one method to make longer, easy-to-remember yet difficult-to-guess passwords that help defend against attackers who use dictionary attacks to target weak passwords.

Plug these two examples into the How Secure Is My Password? tool, and you find that }m}{4p#P@R9w would take 400,000 years for a computer to crack, while kittEnsarEadorablE would take 6 trillion years. Stronger passphrases should string together unrelated words. For example, per the same calculator, the passphrase kittEnsmErryvisitortrEE would take 2 sextillion years for a computer to guess.

NIST further recommends companies not require special characters in passwords -- unlike the often required addition of !, # or $, for example -- and not prohibit consecutively repeated characters.
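As an added illustration of the length-over-complexity point (example code, not from the original article): a password check in the spirit of NIST SP 800-63B, with a length bound and a blocklist but no composition rules, plus a brute-force guess-space estimate for the three passwords discussed above. The blocklist is a constructed stand-in for a real breached-password list.

```python
import math
import string

# Constructed stand-in for a breached/common-password list (assumption for this example).
BLOCKLIST = {"password1", "password2", "123456", "qwerty", "letmein"}


def check_password(pw, min_len=8, max_len=64):
    """Return the list of policy problems; an empty list means the password is accepted."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        problems.append(f"longer than {max_len} characters")
    if pw.lower() in BLOCKLIST:
        problems.append("appears on the blocklist of common/breached passwords")
    # Deliberately no special-character or repeated-character rules, per NIST guidance.
    return problems


def charset_size(pw):
    """Alphabet size an attacker must assume when brute-forcing this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33  # ASCII punctuation plus space
    return size


def guess_space_bits(pw):
    """log2 of the brute-force search space: length times bits per character."""
    return len(pw) * math.log2(charset_size(pw))


if __name__ == "__main__":
    # Brute-force bound only: a dictionary attack on related words is cheaper,
    # which is why unrelated words (the third example) are recommended.
    for pw in ("}m}{4p#P@R9w", "kittEnsarEadorablE", "kittEnsmErryvisitortrEE", "Password1"):
        print(f"{pw:25} {guess_space_bits(pw):6.1f} bits  problems={check_password(pw)}")
```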

3. Don't reuse passwords across accounts

Password reuse is another email security threat. If one account using the same credentials as other accounts is compromised, attackers can easily gain access to those other accounts as well. Attackers know that trying a reused password associated with a person's account on a breached system often unlocks other accounts. Password reuse is especially dangerous when employees use the same passwords for corporate and personal accounts.

Encourage employees to use strong, unique passwords for each account. This is a pain point for many users, especially those with dozens or hundreds of logins to remember. Using single sign-on or a password manager can help alleviate the challenge.

4. Consider changing passwords regularly -- or not

Guidance around the frequency of password changes has been debated in recent years. Changing passwords every 90 days used to be the norm. The assumption was that frequent password changes help keep systems secure, but they often lead to user frustration and the use of less secure passwords as a result. More often than not, Password1 will turn into Password2 after 90 days.

NIST recommends against forcing periodic password changes. Forced password changes must be required following a suspected compromise, however. Also note that some compliance regulations, such as PCI DSS, require frequent password changes.

Companies must weigh the benefits of regular password changes with users' tendencies to use weaker passwords that are easier to remember and therefore easier for attackers to exploit.

[Image: different authentication factors in multifactor authentication]
Multifactor authentication adds an extra layer of security to email and can prevent account compromise attacks.

5. Use multifactor authentication

MFA involves using more than one method to authenticate a user's identity. This could include, for example, a username and password in combination with a one-time password or fingerprint biometric. Adding a second -- or third, or more -- factor to the authentication process adds an additional layer of defense and defends against common email security issues, such as brute-force attacks and password cracking. Microsoft has predicted locking down accounts with MFA can block 99.9% of account compromise attacks.

Companies should mandate the use of MFA. Employees should also protect their personal accounts by using MFA wherever available.

6. Take phishing seriously

While email security products prevent many spam emails from reaching a user's inbox, a good amount of spam still gets through that can contain phishing schemes, which are becoming increasingly sophisticated and realistic. These can include standard phishing scams, along with spear phishing or whaling attacks. Users should be on the lookout for phishing scams and use caution when opening any potentially malicious emails. Don't open, respond to, click links in or open attachments from emails that appear suspicious.

More and more enterprises are including phishing awareness training in their security awareness training programs to help employees identify problematic messages and teach them how to avoid clicking on the wrong links or opening the wrong attachments.

[Graphic: phishing vs. spear phishing vs. whaling]
One of the best ways for employees to keep their email secure is to understand how phishing scams work.

7. Be wary of email attachments

Many email attacks rely on the ability to send and receive attachments that contain malicious executable code. Malicious attachments can be blocked by antimalware software that detects the malicious source. Malicious attachments, however, can also be sent by trusted sources that have been exploited by attackers.

Whatever the source, employees should take care with attachments even when the organization uses email scanning and malware blocking software. If an attachment has an extension associated with an executable program, such as EXE (executable program), JAR (Java application program) or MSI (Windows Installer), extra caution should be taken before opening it. Files such as Word documents, spreadsheets and PDFs can also carry malicious code, so be careful handling any type of attached file. Scan files with an antimalware program or avoid opening them altogether.

8. Don't click email links

Hyperlinks in emails can often point to a web domain different from the one they appear to represent. Some links display a recognizable domain name but, in fact, direct the user to a different, malicious domain. Attackers also use international character sets or misspellings to create malicious domains that look like those of well-known brands.

Always review link contents by hovering the mouse pointer over the link to see if the actual link is different from the displayed link. Note that even this can be spoofed, however. When in doubt, type domains directly into browsers to avoid clicking links in emails at all.
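The mismatch described above can also be checked mechanically, for example in a mail filter. The following is an added example (not from the original article) that flags anchors whose visible text names one domain while the href goes to another, and hosts that use punycode or non-ASCII characters; all anchors in it are constructed.

```python
import re
from urllib.parse import urlparse

# Matches a hostname inside the visible link text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)


def registered_domain(host):
    # Simplified: the last two labels. Production code should use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])


def check_link(display_text, href):
    """Return a list of findings for one anchor; an empty list means nothing suspicious."""
    findings = []
    target = urlparse(href).hostname or ""
    if not target:
        return ["href has no host"]
    shown = HOST_IN_TEXT.search(display_text)
    if shown and registered_domain(shown.group(1)) != registered_domain(target):
        findings.append(f"display domain {shown.group(1)} != target domain {target}")
    if any(label.startswith("xn--") for label in target.split(".")):
        findings.append("punycode (IDN) host: " + target)
    if any(ord(ch) > 127 for ch in target):
        findings.append("non-ASCII characters in host: " + target)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
        findings.append("raw IP address as host: " + target)
    return findings


if __name__ == "__main__":
    samples = [  # (visible text, href) pairs, all constructed for this example
        ("https://www.example.com/account", "https://www.example.com/account"),
        ("https://www.example.com/account", "http://www.example.com.login-check.test/a"),
        ("Review your invoice", "https://xn--exmple-cua.com/inv"),
        ("example.com", "https://exаmple.com/"),  # Cyrillic 'а' in the host
    ]
    for text, href in samples:
        print(text, "->", href, check_link(text, href) or "ok")
```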

9. Don't use business email for personal use and vice versa

While it might be tempting and convenient for employees to use a corporate email account for personal matters, an enterprise email security best practice is to prohibit this. Likewise, work-related emails should never be sent from personal accounts. Mixing business and personal matters can result in threats such as spear phishing.

Outline acceptable email use policies and any restrictions in a corporate email policy.

10. Only use corporate email on approved devices

In the BYOD age, email can be accessed from practically anywhere and on any internet-connected device. While convenient for employees, this could spell a security disaster for an organization. If company email is opened on devices that don't have the proper security controls, then credentials, email and data could be exfiltrated.

Require that employees access email only on company-approved and trusted devices.

11. Encrypt email, communications and attachments

It has been said that email is like a postcard: Every person and system that it comes in contact with can see what was written in it. For this reason, email should be encrypted. Encryption, the process of converting plaintext into ciphertext, ensures anyone who intercepts the email will not be able to read its contents. This helps prevent many email security issues, such as man-in-the-middle and business email compromise attacks.

Most major email services have encryption capabilities. Encrypting the message isn't enough, however. Encryption should also be used between the organization and the email provider. Attachments should also be encrypted, even if the email they are attached to is encrypted.

12. Avoid public Wi-Fi

Employees might see public Wi-Fi as a blessing, but remind them that these connections are ripe for attacks. If employees log into corporate email on public Wi-Fi, anyone on that network could also access their email. Malicious actors can use open source packet sniffers, such as Wireshark, to monitor and gain access to personal information via email. Even if users don't actively check email on public Wi-Fi, almost every system is set to automatically update inboxes when a device connects to a network. If users are on Wi-Fi, then so is their email, putting account credentials at risk.

Only use secure, known Wi-Fi networks to check email.

13. Use email security protocols

Three standards are key to filtering spam messages: DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC):

  • DKIM. This standard uses asymmetric cryptography to prevent email spoofing. The sending server adds a digital signature to the email so the receiver can verify the message was not altered after it was sent. If the signature doesn't validate against the public key published in the signing domain's DNS, the email is blocked. If it does match, it is delivered.
  • SPF. The Sender Policy Framework lets a domain owner publish in DNS which mail servers are authorized to send email for that domain; the receiving server checks the sending server against that list. If verified, the email gets delivered. If not, the email is blocked.
  • DMARC. The DMARC protocol extends DKIM and SPF. Using DMARC, domain owners can publish their DKIM and SPF requirements, as well as specify what happens when an email fails to meet those requirements, such as quarantining or rejecting it and sending reports back to the domain owner.

Note, these technical controls prevent spoofed emails but do not stop all unwanted messages.
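To make the interplay of the three protocols concrete, here is an added example (not from the original article) of how a receiving server combines the SPF and DKIM results with the published DMARC policy: DMARC passes only when SPF or DKIM passes for a domain aligned with the visible From domain, and otherwise the p= tag decides the action. The domains, records and results are constructed for illustration.

```python
def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    # Simplified organizational domain: the last two labels. Real receivers use
    # the Public Suffix List so that names like example.co.uk are handled.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain, record, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, action). A pass needs an aligned SPF pass or an aligned DKIM pass."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    # On failure, the From domain's published policy tells the receiver what to do.
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"].lower()]
    return "fail", action


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; adkim=r; aspf=r"  # constructed record for example.com
    # Legitimate mail: DKIM signed by a subdomain of the From domain (relaxed alignment passes).
    print(evaluate_dmarc("example.com", record, "none", "", "pass", "mail.example.com"))
    # Spoofed From: SPF passes only for the sender's own envelope domain, which does not align.
    print(evaluate_dmarc("example.com", record, "pass", "bulk-sender.test", "none", ""))
```

Note that an SPF pass for an unrelated envelope domain does not rescue a spoofed From header; that alignment requirement is what DMARC adds over SPF and DKIM alone.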

14. Use email security tools

Beyond implementing the proper protocols, email security strategies should include multiple tools that help maintain email security. Antimalware, antispam, antivirus, email filtering, email security gateways, email monitoring systems, firewalls and endpoint protection should be considered.

15. Log out

Require employees to log out of their email when it's not in use, as well as when they have finished for the day. Leaving email open on devices that are accessible to others can lead to security issues.


This was last published in December 2022
