This content is part of the Essential Guide: How to manage email security risks and threats

Implementing the top 6 email security best practices for employees

The list of email security best practices for employees can get long. To include the necessary options, check out the six essentials. Where does your organization stand?

Best practices -- we all know they're important. Most of the time, they're static guidelines on how to design or implement systems. But in terms of email security, best practices for employees are almost always a combination of steps taken by security architects and a set of desired behaviors for an organization's email system end users. While artificial intelligence is the first line of defense for keeping dangerous email out of your system, natural intelligence is the last line of defense, for better or worse.

If you don't have time to glean the best tips from the 265 million results returned when searching on this topic, below is a more manageable list of good ideas and recommended email security best practices for employees to consider.

The need to train your users is probably the most frequently mentioned best practice. More than anything else, modifying user behavior to reduce susceptibility to ever-more-sophisticated phishing schemes is likely the most important step that you can take. But from the mile-high view of email security best practices for employees, check out the following six areas you should focus on.

1. Stop phishing attacks. This is obvious but important. The more sophisticated and, presumably, more effective your email security, the fewer attacks will reach your users and the safer your users will be. Having the best email security features enabled and having products in place to prevent phishing is and should remain the first and most important email security best practice for employees.

2. Strong passwords. Keep passwords strong and unique. This advice has been around forever, but, unfortunately, poor password practices remain a problem. Fortunately, it's much easier to implement than it was in the past.

Random password generators are as close as your search bar. Many search engines respond to a search for a phrase with a random password for you. Or you can just go to a site like -- or others -- to get a password.

Because your browser or OS can store passwords for you, remembering a complex password is no longer such a challenge. Also, be sure to use a different password for each important application. That way, if you are hit with a phishing attack, the damage can at least be limited to one site.

3. Avoid public Wi-Fi. Unfortunately, avoiding public Wi-Fi is more wishful thinking than a practical suggestion. Who can or wants to avoid public Wi-Fi? Still, it never hurts to remind your users that intercepting Wi-Fi traffic is a piece of cake. Attackers can use numerous open source packet sniffers on wired or wireless Ethernet networks. Wireshark is one of the more prominent packet sniffers, and it's easy to use with a laptop.

Even if we try to not check email using Wi-Fi, almost every system is set up to check automatically for new mail. So if you are on Wi-Fi, so is your email, and your account credentials could be at risk.

4. Block large attachments. While it is not necessarily something I consider essential to email security, blocking large attachments is a good idea. Of course, how do we define large? Should your maximum be 1 GB, 10 GB or a larger size? Generally, I believe 1 GB is plenty. For the sake of your email system and archive, you don't want to have files that can balloon your storage requirements forever.

Most companies use a cloud service, such as Microsoft OneDrive, Google Drive, Dropbox or others, which is much more efficient for sending links to large attachments. Of course, those links could contain malware or phishing programs, reminding us of the importance of tip 1, implementing a solid email security system.

5. Block emails that include many recipients. This practice is probably better for keeping junk or spam out of your system than being an essential security practice. It is likely that emails with 50 or more recipients are either general announcements, spam or mass phishing attacks.

Many companies now use collaboration platforms that are more efficient for communication than sending mass emails. Even something as basic as a multiuser Skype chat can post notices and responses without adding to the deluge of email or introducing a potential phishing risk.

6. Training, training, training. Unfortunately, many users' sensitivity to training will most likely increase if they have been victimized. This is a high-tech version of the old saying, "Closing the stable door after the horse has bolted."

Static training consisting of do's and don'ts is often ineffective. Various ethical phishing studies done by various universities and businesses have proven that.

The Sophos Phishing Attack Simulation and Training system provides a more realistic, proactive approach to testing email user behavior and training them to recognize and avoid whatever phishing attacks might slip into their inboxes. In my view, this approach is far more effective than simply issuing a static memo reminding users how to deal with questionable email.

The bottom line on email security best practices for employees

The cost of a successful phishing attack can be high indeed. So be sure to implement a layered defense and avail yourself of all the email security best practices you can. If you have other good ideas for protecting email users from phishing attacks, let us know.

Next Steps

Check out more email security best practices options

Find out where the top five email security issues are coming from

Don't forget to test email security products

Understand the big three email security threats to help reduce their impact

This was last published in April 2019

Dig Deeper on Threats and vulnerabilities