What is Email Security? | Definition and Best Practices

The term ‘email security’ covers various ways of using email safely to ensure that the confidentiality, integrity and availability of information is not compromised.

This includes following email security best practices when sending information by email, storing it in email accounts and protecting against inbound email security threats such as phishing attacks.

Email was not originally designed with security in mind. Although security measures have improved since email was first used, it is still often unencrypted, so attackers who can access poorly secured networks and email servers can read everything.

Moreover, once an email has been sent, the sender has no control over who it is forwarded to.

If you do need to send sensitive information via email, it is best to use an email provider that provides end-to-end encryption, or specialist secure file-sharing software.

There are two main reasons to enforce the secure use of email communications.

First, many data breaches are caused by emails mistakenly being sent to the wrong recipient, for instance through misusing the Cc (carbon copy) and Bcc (blind carbon copy) fields.

If personal information is compromised, organisations are at risk of regulatory action under the DPA (Data Protection Act) 2018 and UK GDPR (General Data Protection Regulation), and EU GDPR.

Second, most cyber attacks start with phishing emails. By clicking on a link or opening a malicious attachment, victims can endanger their organisation’s security and compromise sensitive data.

As well as implementing technical security measures, it is essential to ensure that all staff are aware of the threat and know what to do to ensure they use email safely.

This reduces the risks associated with email communications and the impact of email threats.

Email security works by reducing the risk of legitimate emails reaching the wrong recipient, and of malicious emails reaching recipients – and ensuring that if users do encounter malicious emails, they know how to recognise them and what to do.

Security practices differ depending on whether emails are being sent or received.

Outbound

Human error is one of the main outbound email security risks, so it is essential to train staff to ensure they are sending emails to the right recipients and using Cc and Bcc properly, and check any files they might attach so that they do not accidentally share sensitive information.

Training should be backed up by policies requiring strong passwords and multifactor authentication to restrict access to accounts, and technical controls such as encryption to ensure that, if emails are intercepted, their confidentiality is not compromised. Types of email encryption include TLS (transport layer security), S/MIME and PGP (pretty good privacy).

Inbound

Malicious external traffic is arguably easier to control: inbound emails can be filtered by antivirus software and secure email gateways to reduce the chance of malicious messages, such as spam and phishing attempts, reaching users’ inboxes.

However, no technical solution is 100% effective so, again, it is critical to train staff to recognise phishing attempts and understand what to do if they receive a suspicious email.

Email security measures can be split into two groups: technical and organisational.

Technical measures include encryption and filtering.

Organisational measures include policies to enforce email security practices and staff awareness training to ensure employees are a strong last line of defence against malicious content.

Email security best practices include:

• Automated email encryption that can analyse outbound email traffic and encrypt it if it is sensitive. This way, attackers will not be able to read emails if they do manage to intercept them.
• Threat intelligence to understand the latest threats and how they might affect your organisation.
• A secure email gateway to prevent spam and malicious email messages, such as those from spear phishing and business email compromise (BEC) attackers, from getting through.
• Security awareness training to help staff understand the threats they face, and know how to recognise phishing emails and what to do when they suspect an email is malicious.
• Password security and MFA (multifactor authentication) policies to ensure individual email accounts are secure and prevent attackers from hacking them.

This book covers the main security issues affecting corporate email use, considering email in terms of its significance in a business context, and focusing on the importance of effective security and acceptable use policies and safeguards such as encryption.

Buy now

This complete phishing security awareness training programme explains how phishing attacks work, the tactics cyber criminals employ and what to do when you’re targeted. It is updated quarterly with current examples of phishing scams and tactics to help reinforce staff awareness of the threats they face. A free monthly staff awareness newsletter also provides tips, information on the latest phishing attacks and security news.

This e-learning course covers:

• What social engineering is.
• How to identify social engineering attacks.
• The consequences of a phishing attack.
• How easy it is to fall victim to a phishing attack.
• How phishing attacks are orchestrated.
• How to identify a phishing scam.
• Ground rules for avoiding phishing scams.

Buy now

Mitigate your risk of a data breach or GDPR violation by educating employees on the risks of using email, and when to use the To, Cc and Bcc fields.

This e-learning course covers:

• What Cc and Bcc are.
• Examples of Cc and Bcc in use.
• What autocomplete is and why it is important.
• Why it is important to understand Cc, Bcc and autocomplete.
• Legal and business risks.
• What happens when you misuse email.
• Case studies.
• Understanding what you are emailing.

Buy now