What an email security policy is and how to build one

What is an email security policy?

Corporate-wide technology policies enable business owners to outline how employees can use various business-owned, cloud-based and managed digital services. Such policies include incident response, acceptable use, vendor management and remote access, among others.

An email security policy establishes rules and expectations on how to use business email accounts. Its aim is to define acceptable use and help eliminate internal and external threats that could cause harm to the organization.

Before given access to their business email accounts, employees must review and sign an email security policy as part of the onboarding process. This indicates that they agree they will adhere to the outlined rules and guidelines for corporate email use to the best of their ability and that they acknowledge any consequences they could face for violating the policy.

Common email security threats

Email security policies are largely designed to inform users of internal and external threats and how to spot them before they cause any harm.

Clearly define and include the following email security threats in the policy document:

• Malware. Short for malicious software, malware is designed to infiltrate a system and cause harm. Attackers send emails containing malicious attachments or links that direct users to malware-laden websites that attempt to install various types of malware, including viruses, Trojans, spyware, keyloggers, worms and ransomware. If installed and not caught by email security tools, malware can result in lost or stolen data.
• Phishing. A form of social engineering, phishing emails aim to trick users into installing malware. Malicious hackers craft emails to convince users into opening compromised email attachments or click malware-infested links to steal login credentials, account data and sensitive information. Types of phishing attacks include spear phishing, such as business email compromise and whaling; vishing; smishing; quishing; and social media phishing.
• Email account takeover and cross-account takeover. Bad actors access user email accounts for a variety of reasons. One is to scan the contents of an account to identify private information, such as login credentials, banking information or intellectual property. Cybercriminals use this information for identity theft or extortion attempts. Cross-account takeovers result in malicious actors gaining credentials to other systems from an unprotected email account and accessing those other accounts to facilitate theft or data loss on other applications, such as bank accounts, residing outside the email system.
• Email spoofing. Spoofing involves attackers sending legitimate-looking but fraudulent emails to users, masking the sender address to make it look as though it is from a known source. Antispoofing technologies can identify email spoofing attempts but cannot eliminate them.
• Spam. While not always malicious in nature, an inordinate amount of bulk spam email can dramatically reduce employee productivity. Malicious actors can also use spam as a botnet that can result in a DoS attack on corporate email servers.

Also, include information about insider risk in the document. Not all attacks come from the outside. Insider threats -- malicious or negligent -- also threaten email security. Include information in the policy about malicious insider risk, such as disgruntled employees or moles, and negligent insiders, such as employees who leave their company email open when they aren't at their laptop or who accidentally attach the wrong file to an email and send it to the incorrect recipient.

Why is an email security policy important?

Although email has been around for decades, users tend to form bad habits with this familiar technology due to a lack of understanding of the involved risks -- or a general "it won't happen to me" attitude. In either case, email users must be aware of the potential dangers, monetary and intellectual property risks to the organization, and the specific guidelines dictating how email can and cannot be used.

Businesses should approach an email security policy as a significant risk avoidance measure and highlight the detrimental business and employee consequences of noncompliance. Craft the policy to be informative and concise, and have it contain the right amount of detail to make employees understand their responsibilities. This dispels any false sense of security employees might have about email use.

What to include in an email security policy

Draft the email security policy in a way that all employees -- both tech-savvy and not -- can understand its purpose, their responsibilities, the consequences for noncompliance and where to go for questions or concerns.

A policy should include the following seven sections:

1. An overview of the purpose and scope of the policy. Explain why the document exists and why the company needs it.
2. Information about the legal ownership of email contents and privacy expectations. Detail who owns the email systems and email communications, as well as the privacy expectations for employees using the system and the privacy rights of the employees, including what they write, send and receive.
3. Details on the organization's email retention and backup policies. Outline rules about data retention and deletion, as well as email backup and archiving.
4. The company's restrictions, expectations and consequences regarding employee and user use or misuse of the email system. Clearly state what employees can and cannot do with the email system. Consider the following:
   • Restrict who can use the email, for example, only employees and not their family members.
   • Define acceptable language, for example, nothing offensive or discriminatory, etc.
   • Prohibit the use of corporate email for personal use.
   • Refrain from forwarding emails to third parties.
   • Prohibit using third-party email and storage systems, such as Gmail or Box.
   • Disallow sending chain emails or jokes.

   Include information about corporate email monitoring procedures, if applicable. Also, include consequences of any violations -- for example, additional trainings, warnings or termination.

5. Informative content about email security, email security threats and behavior that commonly leads to business risks of data theft and loss. Include information about common email cybersecurity threats -- internal and external -- and how to prevent and avoid them.
6. Tips on how to best protect the user and business from email security threats. This includes email security best practices, such as creating strong passwords, adhering to the company password policy, avoiding public Wi-Fi and more.
7. Ways email users can find more information on email security and who to contact for any email security-related questions. Include information about who employees should contact if they receive a suspicious email or suspect an email security breach or policy violation. Also, include information about the policy itself, including who updates and reviews the policy and when.

How to build an email security policy, step by step

While every business and its associated business culture are unique, email security policies generally follow the same structure. Email security technologies used and threats faced are similar, regardless of an organization's size, market vertical or maturity level.

Policies might differ based on the audience, however. The following step-by-step process can guide building a company email security policy suitable for your organization's specific needs:

1. Start with an existing security policy template. SANS Institute, for example, has a host of security policy templates online, including specific email and email retention policies that outline proper email use in enterprise environments.
2. Modify the email security policy template. Based on an understanding of business culture, size and maturity level, modify the template(s) to suit the needs of the organization. Adjust the messaging to have the greatest end-user understanding and impact.
3. Ensure email security technologies and configurations adhere to outlined policy standards. A number of email security prevention and mitigation tools help protect users from threats, including spam filters, email security gateways, sandboxes, antivirus and antimalware, and encryption. Implement and maintain these tools according to written policy. Also, include information about other security measures, such as multifactor authentication, password security, and allowlisting and blocklisting.
4. Devise a plan for user policy agreement and acknowledgment. Include a way for employees and users to acknowledge they have read and accepted email policy use guidelines. This typically comes in the form of a required signature at the end of the policy, along with the ability to track ongoing email security training sessions. Maintain security policy acknowledgment forms throughout the employment of the user -- and up to several years after depending on corporate policy or government regulation. Major changes to an email policy could result in needing all employees to resign the policy document.
5. Develop training and incident response procedures. Include email security threats and best practices during regular security awareness trainings. Put procedures in place to enforce proper email use and to enable quick response to user questions or incidents.

How to implement an email security policy

The implementations of email security policies vary widely based on the maturity level of the business. More established businesses have an easier time getting users to understand their email use requirements because they likely have read and acknowledged similar usage policies for other aspects of the business and corresponding technologies.

Newer organizations with a looser or startup mentality likely have to spend additional time reinforcing policy guidelines. Conduct frequent, mandatory email security trainings in business environments where users might not strictly adhere to policies.