The importance of an email security policy
Despite many alternatives, such as Slack, Microsoft Teams, etc. gaining popularity, email isn't dead. With over 4 billion email users worldwide and over 300 billion emails sent and received every day, email communication is an essential and longstanding part of business communication. Your organisation needs an email security policy.
It is this prevalence which makes email such a popular method of attack for cyber-criminals. From data breaches, to targeted spear phishing attacks and highly destructive ransomware campaigns, all these information security threats typically stem from this same vector.
With so much sensitive information sent via email, many organisations will rely heavily on technological solutions for defending against such threats, and while these certainly play a big role, it can take only a single user falling victim to a phishing email for an entire organisation to suffer a breach.
As cyber-criminals employ ever more sophisticated tactics and the costs of recovery continue to grow, it is vital that organisations across all sectors and sizes take the necessary steps to help protect against these attacks and ensure the security of their information.
Email-Based Information Security Threats
Though there are many threats to information security that stem from email communications, below we have outlined some of the most prevalent and potentially damaging that organisations face.
Likely familiar to most users, ‘phishing’ is a broad term describing a form of social engineering attack in which cyber-criminals employ fraudulent communications with the goal of gaining access to personal and sensitive information.
From passwords to bank details or other personal information, scammers may employ a variety of different tactics to get their hands on this information, though more often than not, cyber criminals rely on statistics, indiscriminately sending thousands or even millions of emails in the knowledge that a small percentage of users will not be adhering to an email security policy.
“Phishing is often the first step in a lot of fraud cases we see. It provides a gateway for criminals to steal your personal and financial details, sometimes without you even realising it.”
Clinton Blackburn, Commander, City of London Police
Often designed to mimic the appearance of known and trusted companies, phishing emails usually prompt a user to respond in some way with the desired information. Disguised links, misleading offers, and an implied sense of urgency are common to this form of attack.
As one of the most common information security threats, the issue of phishing is also worsening, with research showing that in 2020, 86% of businesses experienced phishing attacks - a 14% increase from only 3 years prior.
While a run-of-the-mill phishing attack will focus upon a large number of low-yield targets, spear phishing attacks are far more selective, with attackers carefully crafting malicious communications for a specific intended victim.
By using a mixture of publicly accessible information, as well as more sensitive or confidential data captured through less legitimate means, a spear phisher will typically imitate a trusted sender, with the content of the message being tailored to resemble a message or format that is expected and will thus be accepted as legitimate.
Again, employing some of the same tactics as a generic phishing campaign, such as urgency and disguised elements, spear phishing attacks are typically much harder to detect, yet at the same time can potentially cause a great deal of damage to a company.
Business Email Compromise
Business email compromise (BEC) is a form of attack in which specific accounts, usually email accounts, are exploited to redirect payments. This form of financial fraud is far more sophisticated than a standard phishing attack, with attackers impersonating unsuspecting employees and executives and likely monitoring key accounts for extended periods of time.
Employing phishing attacks and keyloggers to initially compromise targeted accounts, cyber criminals will research their targets, gaining an understanding of how an organisation internally operates before making their move.
In 2018, French film company Pathé fell victim to this form of attack when a scammer pretending to be a French executive emailed the Chief Financial Officer of the company’s Dutch brand requesting a “strictly confidential” initial transfer of just under $1,000,000.
The scammer's requests having been obliged, the BEC attack was not recognised until the company’s head office eventually enquired about the transfers, by which time a total of over $21 million had been lost to the fraudsters.
It is difficult to know just how common and costly BEC attacks are, though it is invariably minor details and a lack of stringent email security policy that allow this flourishing underground industry to survive.
What is an Email Security Policy?
An email security policy is an official document outlining and describing how an organisation's email system should, and equally importantly, should not be used.
The policy should not only help define productive and positive communications practices, but additionally inform users about avoiding potential threats, protecting against data loss, reputational and financial damage and issues of liability.
What is in an Email Security Policy?
Though the exact wording and content of an email security policy will vary depending on the specifics of your company or organisation, below is a general outline of what should be included within your email security policy.
- A statement clarifying that the company or organisation owns any communication within a defined email system.
- An overview of user responsibilities when using email, including applying lessons learnt from information security awareness training (anti-phishing, BEC, etc.).
- Guidelines on the purposes for which employees can and cannot use the organisation's email system. For example, the express forbidding of personal usage.
- The procedures which users should follow in reporting suspicious or inappropriate email communications (i.e., how, to whom and in what timeframe).
- Specific types and sizes of content which are acceptable. For example, some corporate email systems may wish to prohibit the sending of certain file types such as .EXE files.
- An outline of content standards, such as the prohibiting of certain content (confidential information, personal data, passwords etc.).
- Information regarding how long communications will be retained and/or archived.
- The consequences for users not adhering to the email security policy.
Writing an Effective Policy
When setting out to develop an effective email security policy, it is important to involve a variety of key stakeholders in the process. Depending on your organisation and the maturity of your internal information security team, you will likely wish to involve not only security professionals, but also business managers and members of human resources, given email's importance and variety of purposes.
Ultimately, writing an effective email security policy is just one element of developing a holistic information security strategy. From equipping users with the correct tools to avoid threats, to providing the information and training they need to ensure your organisation's information is secure, these are all important steps in developing a secure culture mindset.
Information Security Awareness Training
While there are many companies which provide some level of in-house training, specialised online information security training offers a variety of options for training, testing, and tracking your employees.
From detailed tutorials imparting the foundations of information security, interactive tutorials in which users put their education into practice, to simulated phishing campaigns, online information security training is increasingly the choice for organisations wanting to get serious about security.
These specialised online information security training features allow an employer to not only provide their staff with necessary training, but to also monitor users’ progress and demonstrate compliance, giving an organisation the tools to help fight avoidable human errors and improve information security.
Hut Six Training
Featuring twenty-six comprehensive tutorials covering all aspects of information and cyber security, with Hut Six’s learning management system (LMS) employers can assess and track the achievements of staff and better understand areas for improvement.
Providing engaging, relevant, and bite-sized training, Hut Six’s awareness solution builds a security aware culture by focusing on achieving meaningful, behavioural change.