The small business’s guide to secure email
It probably comes as no surprise to most business owners that email is a primary way hackers can gain access to sensitive company data and information. But it may alarm you to know that small businesses are particularly vulnerable. Specifically, overall cyber-attacks on companies with 250 or fewer employees doubled in the first six months of last year—and the loss per attack was more than $188,000 on average. The effect of cyber-attacks on the American economy as a whole is a high cost of $100 billion annually, according to the Center for Strategic and International Studies.
That’s one reason the great Sony email hack of 2014 was such a big deal—it left every business wondering how they could avoid the same fate. It stands to reason that if such a large company, with multiple layers of security, can be hacked, small businesses with fewer resources have no hope, right?
Maybe not. There are many ways to ensure your business is protected through secure email. Since your business’s security is only as strong as your weakest link, the secret is to get employees involved and invested in the success of your security. Here are seven tips to get you started.
- Make it a top priority to create and implement a cybersecurity plan.
Of course, this involves more than simply considering how to ensure secure email service—it should also include strategies for keeping your website, payment information, and other information safe—but addressing email security should be a main part of your plan. The Federal Communications Commission created a handy tool, the Small Biz Cyber Planner 2.0, to assist you in creating a customized plan.
- Consider email encryption. Email encryption helps to protect personal information from hackers by only permitting certain users to access and read your emails. There are several methods of email encryption depending on the level of security—and convenience—you require. For example, you could download or purchase extra software that will plug in to your current email client. Or, you could install an email certificate like PGP (Pretty Good Privacy), which allows your employees to share a public key with anyone who wants to send them an email and use a private key to decrypt any emails they receive. Another simple solution is to use a third-party encrypted email service.
- Ensure passwords are secure. All employees should have their own password for their work computer and email system. These passwords should be reset every three months; also consider requiring multifactor authentication when employees change their passwords. The strongest passwords consist of at least 12 characters and a combination of numbers, symbols, lower-case letters, and capital letters. Passwords should not be something obvious (e.g., birthdays, children’s names, etc.) but should be memorable. In other words, employees should steer clear of the two most common—and worst—passwords of 2014: “password” and “123456.” Also, employees should not use the same password for multiple accounts or websites. Consider allowing the use of a password manager or single sign on function. Some great solutions for small businesses looking for tools to store codes, bank accounts, email accounts, PIN numbers, and other account information in one place include CommonKey, LastPass, and Password Genie. How do you know whether your password has been compromised? Sign up for watchdog services like PwnedList or Breach Alarm, which monitor leaked passwords and will report automatically to you if any of your email addresses are vulnerable.
- Develop an email retention policy that makes sense. Ask employees to purge emails that do not support business efforts and implement a policy to ensure compliance. Many companies institute a 60-90-day standard, with steps toward automatic archiving and permanent removal after a set time period. Remembering to delete emails that don’t comply with this standard can be difficult for some employees, so frequent reminders may be necessary.
- Train employees in email security.
Employees play a crucial role in keeping data secure through email. They should be trained on what types of behaviors to refrain from and what types of emails to avoid. Unfortunately, according to InfoSight, nearly half of all companies spend less than 1 percent of their security budget on programs that train employees on how to be aware of security threats. Yet 64 percent of organizations experienced some level of financial loss due to computer breaches and 85 percent detected computer viruses. Wouldn’t it be worth the low cost of training to mitigate the potentially large cost of a hack?
Specifically, employees should be trained to comply with the following rules:
- Never open links or attachments from unknown persons.
- Don’t respond to emails that request a password change and require you to divulge personal information—no matter how official the source appears.
- Ensure antivirus and anti-spy software is updated on your computer.
- Encrypt any emails containing sensitive data before sending.
- Don’t use your company email address to send and receive personal emails.
- Don’t automatically forward company emails to a third-party email system.
In addition, some companies have found success in instituting programs that test employees with phishing campaigns, spear-phishing emails, and other cybersecurity threats and then reward them when they pass these tests.
- Maintain strict standards for company-related mobile device usage. When using a company-issued mobile device, or a personal mobile device where you send and receive company emails, employees should encrypt data, keep the device password-protected, and install approved security apps so hackers cannot access devices via shared WiFi networks. Look for solutions with built-in mobile device management capabilities, providing options to help you keep your data safe with conditional access, device management, and selective wipe of company data.
- Avoid common pitfalls when securing email.
Besides all of the things we’ve already discussed, email can remain unsecured in other ways as well. Be sure to consider the following:
- All computers—not just a few—should use email encryption. There’s no point in encrypting emails unless the same standard is applied across the board.
- Unlocked computers should never be left unattended. Make it company policy for employees to lock their computers (which should be password-protected at login) before getting up from their desks. By being purposeful when creating policies involving your small business’s emails, you will head off a lot of issues before they even come to pass. Get employees on board and reward them for assisting in developing an environment where information is secure. Together, it’s possible to keep employee, customer, and business data safe—one email at a time.
The Growth Center does not constitute professional tax or financial advice. You should contact your own tax or financial professional to discuss your situation.