Email remains the go-to method of communication for most organizations, despite the advancements in enterprise collaboration tools, such as voice over IP, video conferencing, IM and group chat. So, hackers will continue to target email with various phishing and ransomware campaigns in attempt to steal or corrupt data, either for espionage or extortion purposes, putting email security policy as a top priority for IT security teams.
Let's take a deeper look at the purpose of an email security policy and what it should contain, as well as tips on how to create and implement one within your company.
Why do you need an email security policy?
Although email has been around for decades, users tend to form bad habits with this familiar technology due to a lack understanding of the involved risks -- or a general "it won't happen to me" attitude. In either case, email users must be aware of the potential dangers, monetary and intellectual property risk to the organization, and the specific guidelines dictating how email should and should not be used.
Businesses should approach an email security policy as a significant risk avoidance measure. The policy should be crafted in such a way as to be informative, to be concise, to contain the right amount of detail to make employees understand their responsibilities and to dispel any false sense of security that they may have previously had about email use.
What should be included in an email security policy?
An email security policy should be drafted in a way that most employees -- both tech-savvy and not -- can understand its purpose, their responsibilities as a user and where to go for questions or concerns. More specifically, a policy should include the following seven sections:
- an overview regarding the purpose and scope of the policy;
- information regarding the legal ownership of email contents and privacy expectations;
- details on the organization's email retention and backup policies;
- the company's expectations regarding employee/user use or misuse of the email system;
- informative content on email security, including potential threats -- viruses, malware, phishing, etc. -- and behavior that leads to business risks of data theft/loss;
- tips on how to best protect the user and business from email security threats; and
- ways that email users can find more information on email security and who to contact for any email security-related questions.
How to build an email security policy, step by step
Every business -- and associated culture -- is unique, but email security policy should be identical regardless. The reason for this is simple: The technologies in use and accompanying threats are similar, no matter the organization's size, market vertical or maturity level. However, differences in how a policy is written differ based on the audience it's being crafted for, so the following step-by-step process can guide building an email security policy from scratch:
- Start with an existing security policy template. For example, the SANS Institute offers a host of security policy templates, including those specific to email retention and email security that outline proper use of email in enterprise environments.
- Modify the template email security policy or policies. Based on an understanding of business culture, size and maturity level, policy writers can modify the template(s) to suit the needs of the organization, while adjusting the messaging with the purpose of having the greatest end-user impact.
- Ensure that email security technologies and configurations adhere to outlined policy standards. There are any number of email security tools that can be integrated to help protect users from threats, including spam filters, sandboxes, antivirus/malware prevention tools and encryption. These tools should be implemented according to written policy.
- Devise a plan for user policy agreement/acknowledgement. Policies must include some way of ensuring that employees/users have read and accept email policy usage guidelines. Typically, this comes in the form of a required signature at the end of the policy, along with the ability to track ongoing email security training sessions.
- Develop training and incident response procedures. Procedures should be in place to help enforce proper email use and to be able to quickly respond to user questions or incidents.
How are security policies for email implemented?
Depending on the maturity level of a business, implementation of email security policies will vary widely. More established businesses will have an easier time with users understanding their email use requirements because they likely have read and acknowledged similar usage policies for other aspects of the business and corresponding technologies.
Newer organizations with a looser, startup mentality will likely have to tread more lightly and spend additional time reinforcing policy guidelines. Requiring frequent, mandatory email security training has shown to be successful in these types of business environments where users may not strictly adhere to policies, if they even exist at all.