
5 Email Security Tips for Your Small Business


May 11, 2015

Once upon a time, business was conducted one of three ways: in person, on the phone or via written documents. Then the Internet came along, and e-mail became the tool of choice for everything from sales to sending contracts and spec sheets. And now, most people have a smartphone or tablet on hand all the time, so emails can be received and sent almost anywhere.

But with convenience comes responsibility. And email security is an area that all small businesses need to address. As email and digital communication methods have become more prevalent in the way we conduct business, we’ve also started putting our intellectual property, confidential communications and other private information in the path of sophisticated malware and spyware, as well as just plain old hackers.

The conventional solutions like firewalls and antivirus software are no longer enough. In addition to  sophisticated hardware, companies must train employees—from interns to IT to the C-suite—on the ways to ensure email privacy and protection. Email security and data security training for employees can only work if everyone is aware of expectations and compliant with the policies set forth. 

When it comes to your data, there are no shortcuts. Listed below are our top 5 email security tips to help you and other small businesses stay safe.

Tip 1: Think about the big picture

If you think that protecting your email is only about making sure your internal accounts and contacts aren’t being compromised, you’re only seeing half of the story. Securing your email also protects your database of current and potential customers. You can see the full effect of your email’s reach by mapping out each email platform you use for business (Gmail, Mailchimp and Outlook included) and its contacts. It’s probably more widespread than you think—or would like—if a breach were to occur.

Cutting all email communications from your business isn’t an effective solution to ensuring complete security, but making sure that the emails you send are as secure as possible will protect you, your business, your information and most importantly, your customers.  One step we suggest taking is to evaluate all of the material that goes into the emails you send. Email servers tend to have large amounts of free storage available, but that doesn’t mean that everything you have must be stored there.

If you have information that would be detrimental if accidentally leaked, consider communicating it to the necessary parties outside of email. If it absolutely must be sent via email, make sure it’s encrypted thoroughly.

Tip 2: Embrace password resets

Believe it or not, Passw0rd123 isn’t that hard to crack. Neither is your spouse’s name and birthday or your alma mater and graduation year. While you may think you’re being clever, the hardest passwords to figure out are the ones that don’t adhere to any rhyme or reason.

These email security tips from The Guardian offer some practical password advice:

• The longer the password is, the better.

• Use a combination of numbers, lowercase and uppercase letters and special characters.

• Do not use real words in your passwords. The majority of hacking attacks cycle through dictionary words, which means if you use a real word in your password it is more likely to be broken.

• The best passwords are randomly generated strings of characters (16 or more).

• Never use the same password twice. 
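The following is an added example, not code from the original post, that checks a password against the five rules above and generates one that satisfies them. The word list and the digit-for-letter substitutions are small constructed samples standing in for a real cracking dictionary and its mangling rules; they are enough to show why Passw0rd123 fails.

```python
import secrets
import string

# Constructed sample word list standing in for an attacker's dictionary.
DICTIONARY = {"password", "welcome", "admin", "summer", "company", "letmein"}

# Substitutions cracking wordlists routinely undo ("Passw0rd" -> "password").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def password_problems(pw: str) -> list:
    """Return the rules from the tip list that `pw` fails (empty list = passes)."""
    problems = []
    if len(pw) < 16:
        problems.append("shorter than 16 characters")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if not all(classes):
        problems.append("missing a character class (lower, upper, digit, special)")
    # Normalise case and common substitutions before looking for real words.
    normalized = pw.lower().translate(LEET)
    if any(word in normalized for word in DICTIONARY):
        problems.append("contains a dictionary word")
    return problems


def generate_password(length: int = 16) -> str:
    """Randomly generated string from all four classes, using the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(pw):  # retry on the rare miss of a class
            return pw


if __name__ == "__main__":
    print("Passw0rd123 fails:", password_problems("Passw0rd123"))
    print("generated:", generate_password())
```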

Password managers like LastPass or 1Password can help you remember complicated passwords by storing them all in a secure place, but your primary account password should probably be stored in your own memory. It's OK to write your password down if it helps you to remember it,  as long as you store it in a safe and secure place—not on a post-it note next to your keyboard.

Creating a strong password, however, doesn’t alleviate all security concerns. It’s important to change those passwords frequently at set intervals—for example, once a month or once every quarter. This will make it harder for hackers to take advantage of your email accounts. Also consider changing your email settings to lock the account when an incorrect password is entered several times in a row. Make sure these accounts have a valid secondary form of contact information for you (e.g. another email address or a phone number) so that you can be made aware when a password reset is necessary.

Another secure option for a password reset is to have a security question (or a series of questions) in place. Again, try to choose answers that are obscure and difficult to figure out—your favorite flavor of ice cream or your kid’s Little League team name are things that hackers can find out from looking through your social media posts. Ideally, make your answer a nonsense phrase which is difficult to guess, and store it somewhere safe if you’re worried about forgetting it.

Tip 3: Set up two-factor authentication

Here’s where things can get a little more technical—and a little safer. Setting up two-factor authentication is absolutely necessary; even with your password, no hacker would be able to access your email. The most effective two-factor authentication entails sending a confirmation code to your phone.

It's slightly less effective to send the second password or code to another email because if the hacker has already managed to access one account, it won’t be too hard to intercept the message on another account. However, it's highly unlikely that they'll be able to get access to your mobile device.

Most secure providers offer options for two-factor authentication (2FA), sometimes called "2-step verification" or "second sign-in verification." Two-step verification is a pretty straightforward concept; in addition to your username and password, you have another form of identification, normally consisting of a code generated by a key fob or a smartphone app, that has to be put in at the time of login and changes every minute or so.

You can have your mail provider send a one-time code as a text or voice message every time you try to log in to your account. Some providers also offer the option to use a code-generating device or app to provide codes. One main advantage of this method is that you can get codes even when you don't have access to a phone.

If you want to avoid the hassle of always needing a code to access your email, but still have a form of two-factor authentication enabled, you can usually tell your webmail provider to trust a given computer once the initial code has been entered. This will allow future logins on that machine to only require your usual password.

One hiccup with two-factor authentication is that not all devices and platforms can process a secondary code, such as mail apps on mobile devices or programs like Outlook or Thunderbird. In these cases, two-step authentication should include one-off passcodes that can be generated and used in place of your normal password. Print these passwords and store them in a safe place, or copy and paste them into a file on a secure device and encrypt that file strongly.

Tip 4: Avoid accessing email via public computers or public networks

This one is simple: don’t access business email accounts from public places—and make it a workplace policy that no employees are to use public or unsecured devices to access work-related materials. While hotel lobbies and data center computers are convenient locations to check email, they're also a natural target for keystroke logging, data-packet sniffing and other hacking attempts. If you must access email via a public machine, make sure you have two-factor authentication enabled through your webmail provider. This gives at least one more level of protection.

And if you are using a trusted machine but have an unknown connection, such as public Wi-Fi in an airport or coffee shop, you should probably be using a VPN to connect to the Internet. (It wouldn’t be a bad thing to connect via a VPN at all times, either, if your business has that capability.)

Tip 5: Set up those email privacy filters!

Most email platforms have the ability to set up custom filters to block potentially malicious content. This could include executable (.exe) attachments and emails from unknown or suspicious senders. But if a malicious email does get through, there's always the final line of security: the good judgment of your employees. Make sure your workforce knows to never open an unusual attachment or click on a link in a suspicious email.

Email security doesn’t just go one way—dangerous material comes in just as easily as it goes out. Small business owners and employees must be aware of phishing attempts and other harmful email ploys designed to steal information or infect email communications.

An increasing number of small businesses use email content filtering, which lets them block discrete attachments based on inbound and outbound content. This type of filtering can help companies remain compliant with corporate governance, industry requirements and management standards.

Additionally, there are online courses available that are designed to review email usage policy and provide employees with the best email security practices for professional and effective email communication—as well as show the dangers and pitfalls of improper or haphazard email use.

Following these email security tips may not protect your business 100 percent, but it will put you a few steps ahead of the typical small business email user—and more importantly, hackers. Keeping the big picture in mind, and being aware of how threats and security options are changing, will help you take the precautions needed to protect your business, your information and your customers.
