In the past, email security best practices for employees could be summarized quickly: Don’t trust email, because email is an unauthenticated, unreliable messaging service. This is still mostly true, and the same best practices for email security for employees from 1989 — use strong passwords, block spammers, don’t trust offers that are too good to be true and verify requests even from trusted entities — still hold.
However, the table stakes for email security best practices for employees have gotten much higher as email has become an increasingly rich application capable of carrying messages with hidden links to malicious web sites, code and attachments that may be vectors for more sophisticated attacks.
Strategies behind email security best practices for employees
Employees who wish to level up their email security game on their own have some options, though the greatest responsibility — and capability — for improving email security rests with the employer. Few employees are able to drive corporate IT decisions like upgrading obsolete or deprecated versions of corporate email clients and servers.
Decisions on enterprise solutions for email content filtering and strong authentication are almost always made by IT leadership or the C-suite, although employees can advocate for enterprise email authentication such as Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC builds on two other DNS-published protocols, Sender Policy Framework (SPF), which lists the hosts allowed to send mail for a domain, and DomainKeys Identified Mail (DKIM), which signs outgoing messages. A DMARC record tells receiving mail servers what to do with messages that fail SPF and DKIM alignment and where to send reports, which lets an organization block, rather than merely observe, spoofing of its own domain in spam and phishing.
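To make the DMARC discussion concrete, the following added example (written for this article, not code from the original page or any vendor) parses SPF and DMARC TXT records and reports settings that leave a domain spoofable. The four records are constructed samples for a hypothetical domain; a real check would fetch the TXT records from DNS rather than using string constants.

```python
"""Flag weak SPF and DMARC settings in a domain's published records.

Added illustration for this article. The record strings are constructed
sample data for a hypothetical domain (example.com), not real DNS output.
"""
import re

# Constructed sample records (assumption: these are example.com's TXT records).
SPF_WEAK = "v=spf1 include:_spf.example.net +all"   # +all lets any host send as us
SPF_GOOD = "v=spf1 include:_spf.example.net -all"   # -all: hard fail for everyone else
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_ENFORCE = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                 "pct=100; rua=mailto:dmarc@example.com")


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' record (DMARC syntax) into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(record: str) -> list:
    """Return human-readable problems with an SPF record (empty list means fine)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"   # bare 'all' means '+all'
        if qualifier in "+?":
            findings.append(f"'{last}' permits any host to send as this domain")
    # RFC 7208 caps DNS-querying mechanisms at 10; more than that is a permerror.
    lookups = sum(1 for t in terms
                  if re.match(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)\b", t, re.I))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return findings


def dmarc_findings(record: str) -> list:
    """Return problems with a DMARC record that leave the domain spoofable."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: failing mail is only reported, never blocked")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy applied")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p when absent
    if sub_policy not in ("quarantine", "reject"):
        findings.append(f"sp={sub_policy}: subdomains can still be spoofed")
    return findings


if __name__ == "__main__":
    for label, rec, fn in (("SPF weak", SPF_WEAK, spf_findings),
                           ("SPF good", SPF_GOOD, spf_findings),
                           ("DMARC monitor", DMARC_MONITOR, dmarc_findings),
                           ("DMARC enforce", DMARC_ENFORCE, dmarc_findings)):
        print(label, fn(rec) or ["ok"])
```

The monitoring-only record (p=none) is the usual first step of a DMARC rollout because it produces reports without affecting delivery; the point of the check is that a domain parked there indefinitely is still spoofable, and that an SPF record ending in +all undoes everything else.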
However, employees can choose to secure their own email and keep themselves safe from email attacks. Email security best practices for employees focus on strong authentication and security education to reduce account takeovers and successful phishing attacks.
Email security best practices for employees
Email security best practices available to employees can be summarized simply:
- Use good passwords for strong authentication.
- Add multifactor authentication if possible.
- Take phishing awareness training seriously.
- Take caution when opening email attachments and links.
What employees can do on their own is limited: It is up to the organization to implement protection against email security threats at the infrastructure level. Any email security program still requires the participation of employees, however. The most conscientious employees can help their organizations improve email security by asking for better infrastructural protection, such as enterprise-wide multifactor authentication, DMARC, and email scanning and filtering.
Strong passwords for strong authentication
One of the most important email security best practices for employees is to use strong, unique passwords that are not reused across different systems. Taking a serious approach to email passwords may not entirely overcome poor practices on the part of the organization, but it will help defend against attackers who guess weak passwords with dictionary attacks or try passwords leaked from other breaches.
Reusing passwords across different systems means that an attacker who obtains the password from any one of those systems can use it on all of the others. The employer's systems, no matter how well-protected, can therefore be exposed by a breach of a poorly protected consumer website: Attackers routinely replay credentials from breach dumps against other services (credential stuffing), because they know the same password often unlocks other accounts belonging to the same person.
Requiring employees to change their passwords frequently is one tactic for password hygiene that has been reevaluated in recent years. The benefit of changing passwords quarterly or monthly must be balanced against users' tendency to respond with weaker, more predictable passwords that are easier to remember, and thus easier for attackers to guess. Current NIST guidance (SP 800-63B) recommends against mandatory periodic rotation and instead calls for changing a password when there is evidence it has been compromised, and for checking new passwords against lists of known-breached passwords.
Multifactor authentication makes for stronger authentication
The use of two-factor authentication in an enterprise is not usually up to employees: Either the organization has implemented 2FA and requires employees to use it, or it hasn’t and they don’t. However, employees can protect themselves by using 2FA wherever it is available.
Locking down all accounts with 2FA is an important tactic to reduce the risk of email account takeovers: A stolen or reused password alone is no longer enough to log in. Not all second factors are equal, though. SMS codes and push prompts can still be phished or socially engineered, while authenticator apps are better and phishing-resistant methods such as FIDO2 security keys or passkeys are best. Employees who use 2FA for their private accounts will be better prepared to use 2FA in their work accounts, and they can advocate for deployment of 2FA in organizations that have yet to take it up.
Take phishing awareness seriously
Increasing numbers of enterprises are addressing email security through phishing awareness training, and employees should consider such training an important best practice. Email security training can be tailored to emphasize the types of email security threats targeting enterprises in different industries and specific threats facing employees.
Employees can use this type of email security training to help identify problematic messages, and learn how to avoid clicking on the wrong links or opening the wrong attachments. More importantly, such training can also be used to inform employees about the types of security tactics used in the organization. For example, employees can better understand which malicious messages might be caught — and which might not be caught — by email filtering systems.
Take care with email attachments
Many email attacks rely on the ability to send and receive attachments that contain malicious executable code. Malicious attachments may be sent directly by an attacker to target individuals, and many such attachments can be blocked by antimalware software that recognizes known malicious content or blocks dangerous file types outright. However, malicious attachments can also arrive from trusted senders whose accounts have been compromised, so a familiar sender name is no guarantee of safety.
Whatever the source, employees should take care with attachments even when the organization uses email scanning and malware-blocking software. If an attachment has an extension associated with an executable program, like .exe (executable program), .jar (Java application) or .msi (Microsoft Installer), or with a script or shortcut the operating system will run directly, such as .js, .vbs, .hta, .ps1, .bat or .lnk, extra care should be taken before opening it. Attackers also disguise these with double extensions such as invoice.pdf.js, which Windows may display as invoice.pdf when extensions are hidden. Word processing, spreadsheet and PDF files can carry malicious code too, particularly macro-enabled Office documents (.docm, .xlsm), so employees should be cautious when handling any type of attached file.
Approach email links with caution
Web links in email are also a risk, because the text a link displays and the address it actually opens are two separate things. A link may display a recognizable domain name like www.amazon.com but in fact direct the user to a different, malicious, domain. One tactic employees can use on a desktop client is to hover the mouse pointer over the link and compare the real destination shown in the status bar or tooltip with the displayed text; mobile clients generally do not offer this, which is one reason phishing pages are often aimed at phones.
Attackers also register lookalike domains, either by swapping similar-looking characters (rn for m, a digit 1 for a lowercase l) or by using internationalized domain names whose non-Latin characters render almost identically to those of well-known brands (homograph attacks). Browsers show such names in their encoded form, starting with xn--, when they consider them deceptive, so an address beginning with xn-- deserves suspicion. When in doubt, employees should type the domain directly into their browsers, or just avoid using the link at all.
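The two checks above, risky attachment types and links whose visible text disagrees with their real target, can be automated in a mail-triage script. The following is an added example written for this article, not tooling from the original page or any product; it uses only Python's standard library and runs over a constructed sample message (the sender, the .example hosts and the attachment are all made up), so it works offline.

```python
"""Triage one e-mail message for risky attachments and deceptive links.

Added illustration for this article. SAMPLE_EML is constructed sample
data: a hypothetical message with a lookalike link and a double-extension
attachment. The extension list is a starting point, not a complete one.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (assumption: nothing here is a real sender or host).
SAMPLE_EML = """\
From: accounts@billing.example
To: employee@example.com
Subject: Invoice overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<p>Please review: <a href="http://xn--80ak6aa92e.example/login">www.amazon.com</a></p>
<p>Or use <a href="https://www.example.com/portal">the portal</a>.</p>
--B1
Content-Type: application/octet-stream; name="invoice.pdf.js"
Content-Disposition: attachment; filename="invoice.pdf.js"
Content-Transfer-Encoding: base64

YWxlcnQoMSk7
--B1--
"""

# Extensions the OS, JVM or Office will execute directly (assumption: tune per environment).
RISKY_EXT = {"exe", "msi", "jar", "js", "jse", "vbs", "vbe", "hta", "scr", "ps1",
             "bat", "cmd", "com", "lnk", "docm", "xlsm", "pptm"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def risky_attachments(msg) -> list:
    """Filenames whose final extension is executable; catches 'invoice.pdf.js' tricks."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXT:
            found.append(name)
    return found


def deceptive_links(msg) -> list:
    """(href, reason) for links whose text names one host but whose target is another,
    or whose target host is a punycode (xn--) internationalized name."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    flagged = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        shown = re.search(r"([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        reason = None
        if shown and shown.group(1) != host and not host.endswith("." + shown.group(1)):
            reason = f"text says {shown.group(1)} but target is {host}"
        elif host.startswith("xn--") or ".xn--" in host:
            reason = f"target {host} is a punycode (IDN) host"
        if reason:
            flagged.append((href, reason))
    return flagged


def triage(raw: str) -> dict:
    """Parse a raw RFC 5322 message and return both sets of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {"attachments": risky_attachments(msg), "links": deceptive_links(msg)}


if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

The link check deliberately allows a displayed "amazon.com" to resolve to a subdomain such as www.amazon.com, since that is how legitimate mail is usually written; anything else, and any xn-- host, is reported. The attachment check looks only at the last extension, which is exactly what the operating system does when deciding whether to execute the file.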
Other helpful tactics for employee email security
The onus for providing secure email falls on the employer, but attackers can find ways to bypass protections even at organizations that implement best practices for email security. That means employees must act as the last line of defense, and they should be aware of the dangers of phishing, malicious attachments and malicious links in their email. When a message looks suspicious, the safest response is to take no action it asks for, verify the request through a separate channel such as a phone call to a known number, and report the message to the security team rather than simply deleting it, so that others who received it can be warned.