Article
The 8 Best Email Security Best Practices For Your Business to Follow
Email security is critical, but it doesn’t have to be overly complex. Here’s what your organization can do.
Threat actors have been targeting email solutions for years, likely because it’s one of the most crucial tools for any modern organization.
In 1988, the Morris Worm, one of the first major attacks on the Internet, exploited a backdoor in the Internet’s mail system — and cyber attacks targeting email systems haven’t slowed down since.
Email-based threats pose a significant risk, from Business Email Compromise (BEC) to phishing scams that can lead to data breaches and ransomware attacks. For businesses that don’t have the in-house cybersecurity knowledge to monitor suspicious emails, vulnerabilities can seem overwhelming.
Thankfully, email security measures can be particularly easy to achieve. This comprehensive guide will explain the “how” and the “why” behind email security best practices, enabling you to strengthen your defenses and protect your sensitive information.
Why is Email Security Important?
Put simply, email security is important because cybercriminals love to use it as a way to attack businesses.
According to At-Bay’s own research, more than 50% of all cyberattacks start with an email.
Most email service providers today offer some kind of default security settings, but cybercriminals have enough know-how to breeze past them. The best email security practices stop threats before they start to cause problems (a “proactive” approach), letting businesses thrive without worrying about a big interruption or amount of money lost.
Below we’ve outlined eight security best practices most businesses can incorporate to improve their security posture.
1. Use Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) is a cybersecurity system that requires more than one method of checking credentials to confirm a user’s identity for a login or other transaction. In this case, MFA can be set up on email accounts by requiring users to provide two or more verification factors to gain access to their email accounts. This extra layer of protection ensures that even if someone else knows the password, they would still need access to the second factor, making unauthorized access significantly more difficult.
Typically, MFA involves at least two of the following:
- Something you know (such as a password or a PIN)
- Something you have (like a physical card, a security token, or a mobile device)
- Something you are (biometric data, including fingerprints, voice recognition, or facial recognition)
By requiring multiple methods of identification, MFA makes it much harder for unauthorized users to gain access to sensitive information or systems. These additional factors make it significantly harder for cybercriminals to access sensitive information or accounts.
The most popular email providers are aware of the security risks that come with business emails, so they allow for MFA to be used without making it a burden on employees.
We recommend MFA on all of a business’s employee and administrator email accounts. The most common and safest version of MFA is an authenticator app, such as Google Authenticator or Microsoft Authenticator, which At-Bay recommends over other MFA options, like text messages or phone calls. MFA that uses text messaging or phone calls relies on SMS protocols, which can be easily manipulated by attackers.
Learn more about our best practices for Google Workspace and Microsoft 365, including MFA and authenticator apps.
2. Use a Password Manager
A password manager is a beneficial tool that can work alongside multi-factor authentication to significantly enhance email security. First and foremost, using a password manager helps create and maintain strong, unique passwords for various email accounts.
By generating complex passwords and securely storing them, a password manager mitigates the risk of unauthorized access to email accounts.
Additionally, password managers often come equipped with features that support multi-factor authentication, providing an additional layer of protection for email accounts. These tools may also offer secure password sharing functionality, allowing businesses to safely manage and delegate access to email accounts across teams without compromising security.
3. Use Dedicated Administrator Accounts
An administrator account is an account that is used to maintain your email systems. It typically has full privileges and complete access to other business systems.
We recommend using a dedicated administrator account when installing updates and other software, managing user accounts, and modifying operating system settings because it limits the number of people who may have access to these types of critical solutions.
Unfortunately, cybercriminals love targeting administrator accounts, so it’s imperative to secure these accounts heavily.
These accounts should use MFA, and not be shared by multiple people. Businesses also should also set up email alerts for certain events related to these accounts, such as suspicious sign-in attempts, compromised mobile devices, or changes by another admin.
Admins may want to set up physical security keys — small hardware devices that are used for MFA — for further protection. They help stop phishing attacks and are one of the safest forms of MFA for email accounts that need extra protection.
Read more about best practices for administrator accounts for both Google Workspace and Microsoft 365.
4. Use a secure email gateway
A secure email gateway is like an extra guard wall for an organization’s email system. These security tools scan email content for malware, stopping it from reaching your organization’s email addresses. Given that 41% of At-Bay’s insurance claims originated from a malicious email, a secure email gateway is a great way for businesses to protect themselves from a cyberattack.
We recommend using a secure email gateway as an additional layer of security to your mail provider. However, not all email security solutions are equally effective at preventing cyberattacks. We recently studied our claims data to rank both email solutions and email security solutions to find the best products being used among At-Bay policyholders.
Here is a quick review of our findings:
- Move your email to the cloud. While there may be an added cost, it’s way less than the potential cost of a bad cyberattack.
- The big players know what they are doing. We found that Google’s Gmail is the top performer with 40% fewer cybersecurity incidents than other providers. For those who opt for Microsoft 365, we recommend using Microsoft Defender as an added-on email security solution.
- There was a clear winner. Mimecast was the top performing secure email gateway. We found that it was 53% more effective at preventing security incidents than the worst performer. Customers who used Mimecast experienced 22% fewer security incidents compared to the average of all email security solutions we measured.
Bottom line: a secure email gateway is a great way to keep cyberattackers out of a business’s email inbox. You can read our full report here.
5. Disable Automatic Email Forwarding
Automatic forwarding is an email setting that allows you to automatically send new incoming emails to another email address. While handy, email forwarding can cause big cybersecurity problems.
When emails get forwarded, they leave your usual safe email system. Turning off forwarding helps keep your messages more private and less likely to end up with cybercriminals, who can then use the emails to craft phishing attacks or spoofing attacks.
Email forwarding can also make it harder for your business to follow email security measures. When emails are forwarded outside of your secured corporate environment, these extra protections might not work as well, and could possibly lead to a data breach.
We recommend disabling automatic email forwarding on all accounts. Read more about how to disable auto-forwarding for email in both Google Workspace and Microsoft 365.
6. Adopt Email Security Protocols
Businesses should incorporate industry-standard email security protocols, which is a set of guidelines and standards designed to enhance email security. These protocols work to authenticate the origin of emails, verify the integrity of the message content, and ensure secure communication channels.
The protocols include Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). These can help a business fortify their defenses against phishing emails and email spoofing. You will need to access some technical assets to configure these protocols; most likely your organization’s Domain Name System (DNS) records.
SPF allows email domain owners to define which mail servers are authorized to send emails on their behalf, reducing the likelihood of email spoofing and phishing attacks. DKIM adds a digital signature to an email’s header, verifying the message’s authenticity and detecting tampering during transmission. DMARC builds upon SPF and DKIM, providing a policy framework for email senders to improve email authentication, enabling organizations to specify how email receivers should handle messages that don’t align with established authentication standards.
When put into place, all incoming emails to your business are referenced against your DMARC record. If the sender is not authorized, your business can configure the rules for how the unauthorized email is handled.
A few common options include:
- Email is still delivered to an employee, but with a warning
- Email is sent to the employee’s email quarantine for manual approval
- Email is sent to spam filter
- Email is automatically rejected
Please note: DMARC will not prevent all phishing and spam emails from being delivered. It also will not flag email attachments for malware. However, implementing and configuring a DMARC record for your business is an effective way to limit phishing and spam attempts.
7. Train Employees to Recognize Email Scams
Security awareness training should be comprehensive, engaging, and tailored to address specific risks and challenges commonly encountered in a business’s environment. The training should cover a range of foundational topics, practical examples, and actionable tips to encourage a culture of vigilance and responsibility when it comes to email security.
Employees should be educated on the significance of strong password practices, the use of multi-factor authentication, refraining from using personal email for business purposes, and the appropriate handling of email attachments.
It also should focus on the identification of scams, such as spear phishing and social engineering. Practical exercises and simulations can be employed to help employees recognize common email threats like phishing emails, and understand the risks associated with disclosing sensitive data in response to these email messages. Empowering employees to identify and report security threats like spear phishing is a crucial component of the training.
At-Bay’s Stance Exposure Manager now includes Security Awareness training, offering your organization access to train up to 1,000 employees on how to protect against cyberattacks.
8. Use other security tools to support cybersecurity strategy
Despite deploying all of the training and tools needed to safeguard email, employees are still human and may make mistakes. However, other tools that may already be in use inside your organization can serve as another layer of protection in the wake of human error.
- A good antivirus software can flag and remove malware downloaded from malicious email attachments on any corporate endpoints.
- Firewalls and virtual private networks (VPNs) can serve as a safe connection to corporate networks, especially if your organization works outside of an office and may connect to public wi-fi networks.
- A risk monitoring and vulnerability management system can help your organization quickly patch vulnerabilities and close attack vectors, which significantly reduces the risk of attacks.
- Managed Detection and Response (MDR) solutions can provide continuous monitoring and swift, targeted threat responses from on-call cybersecurity experts.
By integrating these other cybersecurity solutions into an email security strategy, organizations can create a robust and multi-faceted defense against a wide range of threats, ultimately fortifying their overall security posture across the email communication landscape.
Email Security Best Practices Will Save Your Organization
Secure email is especially important for businesses. Whether your business has 3 employees or 300, each person is a potential target for a cyberattack — and even one incident can cause irreparable damage.
Email security practices guard against a wide array of threats, ranging from phishing scams to ransomware attacks. The steps above can serve as a resilient shield, empowering businesses to carry out their operations with strengthened defense mechanisms and robust safeguards.
Yet even with these guidelines businesses of all sizes can benefit from a secure email gateway. A comprehensive secure email gateway is able to strike a balance between protecting inboxes from malicious content and ensuring all legitimate email still gets delivered, while also constantly evolving to keep up with cybercriminals.
We recently ranked email solutions and email security solutions with the highest to lowest frequencies of cyber incidents among At-Bay policyholders. You can read the full report here.
To learn more about how these best practices or a secure email gateway can fit in your organization, don’t hesitate to reach out at security@at-bay.com.
Visit our Knowledge Center to learn more ways to help your business stay secure
