Email Security Best Practices for Employees

No one is safe from cybercrime today.

Whether you are emailing from work, home, or on the go, making sure your email is as secure as possible is important to keep the danger at bay.

Let’s center around the work email for now.

Business security should be a top priority for any company.

A good majority of your security efforts should focus on email communication.

Why?

Because in 2019, phishing accounted for 90% of data breaches (IBM)!

And phishing attempts are only expected to rise throughout 2020 and years to come.

Think about how much important information you pass along through email.

To employees inside the company or the appropriate contacts outside the company.

You may share financial information, personal information, passwords, etc. through email communication.

Jump ahead to each of the best practices with the links in the table of contents below.

The easiest way for a threat to get its foot in the door of your company is through employee email.

Now, this doesn’t mean that one specific employee is completely at fault.

Cyberattacks are very complicated and utilize smart tactics to dodge any security you may throw their way.

But, this doesn’t mean you shouldn’t do everything you can to prevent an attack through email because preventing attacks doesn’t have to be as complicated.

Having some fundamental best practices in your back pocket to share with employees can be one of the best things you do for your company this year.

Let’s take a look at them below.

1. Unique Passwords

One of the easiest changes you can make is to change your password to something unique and tricky to guess.

No more 01234567, password01, letmein, etc.

Please, put a little more effort into creating a password.

A good practice is to use at least one upper case letter, a number, a special character and at least 10 characters to create a password.

For example, something like #Computer1995 or windowS$18 would be a lot more secure than the former examples.

Avoid using variations of your name, university, or company name.

A password following the rules doesn’t have to be very hard for you to remember either.

Such as keywords, years, numbers, characters that are memorable to you, but not personal information that can easily be looked up on your Facebook.

Another example to create stronger passwords is by using characters and numbers to replace letters, like vowels.

By removing vowels from words they cannot be dictionary searched.

This decreases the likelihood of your password getting guessed very quickly.

Since hackers use software to check for dictionary words using numbers and special characters comes in handy.

From there, think of the title of a song or a phrase that is not so common. 

One example I tell people is taking the song Twinkle Twinkle Little Start and just using the first letter of every word as your password. So it's like TTLSHIWWYA…

But, you’re not done yet.

Add in those special characters and numbers.

So, in the end, you have something that looks like $1T2T3L4S5H6I7W8W9Y0A@

That password seems ridiculous and hard to remember, but it’s just the first letter of each word in a phrase memorable to you and the numbers 0-9 between each letter with a special character at the beginning and end.

To make it even more complex, make some of the letters lowercase.

You can switch every other letter to be lowercase.

There you have it, a complex password, unique to you, yet hard to guess by hackers.

Check out our video below for another way to create complex passwords that are different for every website, yet still memorable for you.

2. Two-Form Factor Authentication

To add an extra layer of security to your email, you want to incorporate a second form of authentication.

This isn’t really as “techie” as it sounds.

Oftentimes, your email client will automatically request this option for you, or you may download it via a special software.

Either way you get it, it’s good to have.

The first form of authentication is your password.

The second form is a code sent to your phone via text message or through an app.

Or this also may be a security question that you can answer.

Even when a hacker gets through your password, they will be stopped again by a personal question or code.

This is why having a code sent your personal phone is much safer than having it sent to your computer via another email account.

See also: What Is 2 Factor Sign In? Should i Be Using It?

3. Beware of Phishing

Phishing is a common attack used to lure people to click on links in an email or open attachments to then steal their personal information, like usernames, passwords, bank information, etc.

It’s a pretty straightforward concept, but not as simple to detect if you don’t have experience with it.

As mentioned earlier, 97% of people around the world are unable to identify a sophisticated phishing email.

And all it takes is one person clicking a harmful link or opening a malicious attachment one time for their computer or network to be infected!

This is very dangerous and why phishing is so successful, is because it keeps working.

And as we get smarter, so do the hackers; creating more realistic and better-disguised emails.

So, here’s how the process works.

You will receive an email containing a link to a familiar website you often visit, the website is a good imitation of the real thing, prompting you to enter your login information, the phishing site then steals that information and sends it to the hacker.

Understanding what a phishing email looks like can save you and your business from falling victim to an attack. 

Here’s what to look out for:

• Sender address - Do you know who the sender is? Are you expecting this email? Look for spelling errors in their email address.

• Company logo, colors, and overall branding - Is this the correct logo on the email? Are they using the right colors, slogan, notice the position of the logo. Sometimes even the slightest bit of it could be skewed left or right, or inversed.

• Company contact information, address, phone number, etc. - Is there any contact information located at the bottom of the email. If so, cross-check it with a quick Google search.

• Spelling, grammar, and punctuation - Companies typically do not have typos in their emails, if so maybe just one. More than one typo should raise suspicion.

• Urgency or threats - Does the email want you to take action now or else you will lose your account forever? Yeah, I don’t think so. Watch out for these types of emails, Amazon will never delete your account forever if you don’t login in now.

• Links - Before clicking on a link, INSPECT IT! On your computer, hover on the link with your mouse. On your mobile device, long-press the link. The URL will pop up and you can see if it looks valid. A URL with spelling mistakes or suspicious wording is a good indicator that the email is not valid.

See more on how to prevent phishing on our blog here or take our phishing quiz below.

4. Don’t Access Email From Public WIFI

Public WIFI can be dangerous because it’s never as secure as private company or home WIFI.

This means it may not be the wisest choice to access company email using public WIFI.

Especially when the email contains any kind of important or sensitive information, leaving it susceptible to hackers just waiting for good information to pass through the network.

Public WIFI can become a playground for even the most amateur hackers out there.

All they need is a laptop and some basic software.

If however, you do need to check your work email while using the public WIFI, use your smartphone and the mobile Internet instead of your laptop.

Check it out: Know Your Threats: What Is Attacking My Computer?

 5. Don’t Use Company Email For Private Messaging

Do everything you possibly can to limit the number of chances hackers get to target your company email system.

Which means not allowing employees to use their work email addresses for personal use.

This means restricting business communication to work-related things only, no friends, online shopping, etc. with their work email.

This doesn’t make you the bad guy, or girl.

It just means you are protecting your company.

Meanwhile, employees can use a separate, personal email for things non-work related.

Of course, if employees are using their personal phones, make sure they don’t connect to the work WIFI, as that can open another can of worms.

Stick with the mobile Internet or guest WIFI.