The Business Owner’s Easy Guide to Secure Email (with Best Practices to Follow)
Having a secure email is important for any business, no matter its size or industry. Your business email is under constant threat from hackers and other bad actors, much more so than your personal email.
For instance, according to Proofpoint’s 2020 State of the Phish report (pdf), as many as 88% of organizations have experienced a spear-phishing attempt in 2019.
Simply put, if your business is making any kind of money, it will be a target for a data breach (86% of data breaches are motivated by money, according to Verizon’s 2020 Data Breach Investigations Report).
The big question now is: how do you create a secure email for business?
Well, we’ll explain it to you in this business owner’s guide to secure email, including what you should pay attention to in order to make your business email account more secure against threat actors and what common pitfalls to avoid.
Finally, we’ll also give you 21 best practices to follow for a secure email.
How to Protect Personal Information (5 Important Principles to Remember)
No matter how big or small your business is, you will be in possession of some sensitive data. This could be data related to your customers or employees, financial data of your company, trade secrets, or something else that someone would want to steal for some type of benefit (usually illegal).
The first order of business for a secure email is to develop and implement a sound data security plan.
A good idea here is to follow the 5 key principles as outlined by the United States Federal Trade Commission (FTC), or a similar set of principles, depending on your business.
These FTC principles are:
- Take Stock.
This means knowing what personal information (PI) you have both on your computers and in the files about your customers and your employees.
- Scale Down.
Only collect, use and store personal information that you have a legitimate business need for, and only for as long as it’s really necessary. If you are in the EU or doing business with EU companies, you’ll also have to follow the General Data Protection Regulation (GDPR) on this one.
- Lock It.
The next principle, once you have scaled down the amount of personal information you collect, is to protect it. This can include physical security, such as locking cabinets, or electronic security, such as proper authentication or firewalls, among other things.
- Pitch It.
Next, you need to properly dispose of the files and information that you no longer need. Paper records can be shredded or burned; on computers and storage devices, erase data by overwriting it.
It’s also very useful to have an email client that will allow you to permanently and instantly delete data, without having to keep it.
- Plan Ahead.
Finally, always plan ahead and prepare for a security incident, because incidents are likely to happen. Make sure you know how to respond and who is in charge of the response plan.
Got that? Good. Now let’s go over some tips for a secure email for business.
Secure Email for Business Best Practices to Follow
A secure email is a vital part of your overall data security plan. This is because email is still, at least when it comes to business, the number one communication channel, internally and externally.
That’s why you must ensure that your business email is secure with these best practices:
- Use a Secure Email Service
Popular email providers like Gmail or Yahoo Mail are convenient for a personal email account since they are free, but don’t rely on them too much for security.
Instead, use an email service that offers end-to-end encryption for your incoming and outgoing emails using the OpenPGP standard, such as CTemplar. Alternatively, you can download and install third-party PGP software for your email, such as FlowCrypt, but this is a much more complicated method and you’ll have to import or generate keys yourself.
How does PGP encryption work?
PGP, or Pretty Good Privacy (OpenPGP is the openly published version of PGP that anyone can implement and use), uses a pair of keys (public and private) to send and receive sensitive information between two parties.
We have a whole article about PGP encryption that you can check out, so we’ll just go over some of the important stuff here.
- User A wants to send a private email to user B.
- User B generates two keys, a private one and a public one.
- User B sends the public key to user A and keeps the private key. We’ll get to it in a bit.
- With the public key, user A encrypts the message. The message is now unreadable to anyone who tries to read it without the private key.
- User A can now send the message to user B without fear that someone will read it. Even if someone manages to intercept it, it won’t do them much good, because the message is encrypted and they would need the private key to decrypt it.
- Finally, upon receiving the email, user B uses the private key to decrypt and read the message user A sent.
Again, installing third-party PGP software yourself can be tricky if you are not technically inclined, so using an email service that supports it out of the box is beneficial.
Still, PGP encryption does a lot to protect your emails at rest (meaning on servers), whereas TLS (Transport Layer Security) only protects them in transit. Gmail, for example, only has TLS encryption, not PGP.
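The six-step flow above, as an added example that is not part of the original post and not CTemplar’s or FlowCrypt’s code: a Go program (standard library only) in which user B generates the key pair, exports only the public half as PEM text to hand to user A, A encrypts with nothing but that text, and only B’s private key decrypts. The function names, the 2048-bit RSA key size and the OAEP padding are my own assumptions, not something the post specifies.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
)

// GenerateKeys is step 2 above: user B creates a private/public key pair.
func GenerateKeys() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// ExportPublicKey is step 3: the only thing B sends to A is the public half,
// here as PEM text that can be pasted into an email or published on a key server.
func ExportPublicKey(priv *rsa.PrivateKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// Encrypt is step 4: A needs nothing but B's public key text. RSA-OAEP is
// randomized, so the same message encrypts to different bytes each time.
// (Real OpenPGP encrypts a random session key this way and the message body
// with that key, since RSA alone is limited to a few hundred bytes per call.)
func Encrypt(pubPEM string, msg []byte) ([]byte, error) {
	block, _ := pem.Decode([]byte(pubPEM))
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("no PUBLIC KEY block in PEM input")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("public key is not RSA")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt is step 6: only the holder of the matching private key gets the
// message back; an interceptor with a different key pair gets an error.
func Decrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext, nil)
}
```

With this key size and hash, Encrypt accepts at most 190 bytes per call, which is exactly why real OpenPGP wraps a session key rather than the message itself.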
- Educate and Train Employees on Secure Email Best Practices
As many as 95% of cybersecurity breaches are the result of human error, says Cybint, a global cyber education company, in its 15 Alarming Cyber Security Facts and Stats.
Your employees play a vital role in securing your email and data, so make an effort to properly educate and train them on creating and using a secure email.
If you properly implement these rules and ensure everyone is following them, you should see far fewer email data breaches.
- Use Strong Passwords for Secure Email
Even today, passwords remain one of the best ways to secure an email account. Ensure that all your employees have a strong password for their email and that they change it every 3-6 months.
What does a strong password mean? It means not using something that could link back to you (meaning your children’s names, spouse name, birthday or anything of the sort). It also means avoiding some commonly used, but weak passwords like “qwerty”, “12345678”, “password” or anything like that.
Passwords should be at least 10-12 characters long and a mix of lowercase and uppercase letters, numbers and special symbols.
It’s also a good idea to use a password manager like LastPass or 1Pass. These services will help you store passwords securely and easily access them so you don’t have to remember them or write them down on a piece of paper or a text file on your computer that someone could easily access.
You can also use password generators to create strong passwords for your employees using LastPass Password Generator or a similar tool.
- Use Multi-factor Authentication
While passwords are important, you shouldn’t rely on them completely. Especially knowing that, let’s be honest, some of your employees won’t put too much effort into creating a strong password.
For these employees (and in general for stronger protection), you should employ multi-factor authentication.
Multi-factor authentication, such as 2FA (2-factor authentication), uses an extra piece of information or a device to add another layer of protection. This can be, for example, a code, PIN or token delivered to a connected device such as a mobile phone.
- Have Employees Report Suspicious Emails
It’s often not enough for employees to simply delete a suspicious email; they should also report it to a higher-up.
That’s mainly because, while that employee was able to spot it, another might not and scammers will often try the same tactic multiple times until it works. By having everyone wise to their tricks, you can ensure that they won’t work on your company emails.
For instance, X receives a suspicious email. He spots it, but only deletes it without telling anyone. The next day, Y receives the same email, but responds to it, unlike X. If X remembered to notify everyone about the suspicious email, then Y probably wouldn’t have replied to it.
- Be Sure Your Employees Have a Separate Private and Work Email Account
Make sure your employees are not using their company email account for private stuff like sending personal emails or logging in to social media accounts.
Unfortunately, this is something people often overlook. According to a survey done by Avatier in 2017, nearly 4 in 10 people use their personal email accounts for work-related emails and 1 in 4 use work email addresses as a login for personal email.
- Monitor Work Emails
This might be a bit unpopular to say, but as an employer, you have the right to monitor and access the email accounts that you provided to your employees.
However, you can only do this if you notify the employee in a written policy and if you have a valid reason for doing so (you can’t use it to prevent organizing a union for instance).
On the other hand, personal emails are, for the most part, off-limits to you. The only exception is if the employee logs in from a device that you provided, in which case you can, for instance, look at their browsing history.
Be careful not to abuse this. Make sure to familiarize yourself with email privacy laws in your country or state and what they allow you to do.
- Be Sure They Log Out at the End of the Day
At the end of the day, make sure that your employees have logged out of their work email accounts, especially if they take the device home with them. This ensures that a thief who steals the device won’t be able to simply turn it on and access the email.
If the employee is using their own personal computer or only uses it at home, they don’t have to do this.
- Pay Attention to Internal Email Communication
While most malware spreads through external email, some of it might still come from internal emails.
This can happen, for example, if an employee’s device is already infected and the infection then spreads to other devices in your company network via email. This is another reason why it’s important to ensure that your employees keep their antivirus and antimalware software up to date.
These are some of the best practices for a secure business email that both you as the owner and your employees should follow.
We also have a longer version with 21 best practices that we recommend checking out to learn how to keep your private and business emails protected.
What’s great about these best practices is that they work across different business sizes and industries. In other words, it doesn’t matter whether you have a 5-person or a 500+ person company, or whether you are in finance, tech, healthcare, hospitality or another industry: you can (and should) follow these tips to secure your business emails.
Sign up today to protect your personal and business email accounts with CTemplar: Armored Email’s end-to-end encryption.
To make your email untraceable, use an anonymous email service (not Gmail or Yahoo) and make sure that your IP is hidden by using a VPN and a private browser (not Google).
To make your iPhone untraceable:
- Go to Settings
- Tap Mail, Contacts, Calendar
- Under Accounts tap MobileMe
- Slide Find My Phone to Off.
To set up an untraceable email account you should first know how to browse anonymously as regular web browsers like Google will serve you cookies which can reveal plenty of information about you, including your IP address.
Your IP address can reveal your location, so you’ll want to hide that with a VPN service or a Tor browser. You won’t be truly untraceable if you log in to an anonymous email service without this.
Next, you’ll need to find an anonymous email service that doesn’t record, monitor, store, log or share any data about you or that you submit (including your IP address, phone number, credit card, etc.). One such email service is CTemplar: Armored Email.