Email Security for Businesses and Employees - How Secure Is Your Email Password?

Fusion Marketing Communication's picture

Modern businesses transmit sensitive, confidential and otherwise important data through email on a daily basis. From personally identifiable client information to proprietary company data, many businesses have good reason to be interested in improving their email security. But email security only begins with an improvement in technology -- to be truly successful, a company's security measures must also involve employee training.

There are many potential areas for email vulnerability and these often come down to the behavior of the employees rather than the technology itself. Business owners and IT professionals interested in ensuring the security of their email services should train their end users properly in addition to making the recommended upgrades to their overall IT security services and protocols.

Educate Your Employees: Compliance and Security Solutions

Employees need to understand the importance of security if they are to pay attention to security protocols. Digital security can be a very abstract concept to those who are not computer savvy. Proper employee training includes teaching them the basic principles behind IT security, such as encryption and password standards, thus empowering them to make the right decisions with a minimum of supervisory oversight. Any protocol that requires a supervisor to always be available will often fail in practice, as it's not always feasible to keep an employee under watch.

Employees of certain industries, such as financial firms, should be aware of the additional standards and regulations that they are expected to meet and the security services that they are expected to use. At bare minimum, they should understand encryption -- how it works, what it does and, perhaps most importantly, what information always needs to be encrypted. Employees should also be aware of how to set appropriate passwords and how to protect their passwords from viewing.

Many employees do not understand what makes a password a good one; they simply know what they have been taught to do. Employees may set their passwords hastily and end up with something like "password123," or they may have become so devoted to a simple password that they still set everything to that singular password. Employees should know that a good password is lengthy, complex, memorable and above all unique. Passwords should not be shared between accounts because that can cause a serious vulnerability.

A password such as "password" is unsuitable. Though most people know that, SplashData discovered that some people are still using passwords such as "123456" and "qwerty." In fact, Jimmy Kimmel Live discovered that the most popular password is still just "password123." But a password such as "p@ssw0rd" still isn't fantastic, even though it may be better. It is short, and because of that a computer can still guess it. A password such as "Th1s 1s a p@ss0rd." is actually much better -- in fact, "This is a password." is even considered to be a fairly decent password. Today, many IT professionals are suggesting the use of long simple phrases rather than more complicated letter substitution passwords.
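The comparison in the paragraph above can be checked with a short script. This is an added example, not part of the original article: the `COMMON` list is a small constructed sample, and the `MIN_BITS` threshold and the substitution table are assumptions chosen for illustration.

```python
import math
import string

# Constructed sample list; the article names these four as still in use.
COMMON = {"password", "password123", "123456", "qwerty"}

# Letter substitutions that password-guessing wordlists undo as a matter of course.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})

MIN_BITS = 60  # assumed threshold for this example, not a standard


def normalize(pw):
    """Lower-case the password and reverse common letter substitutions."""
    return pw.lower().translate(LEET)


def charset_size(pw):
    """Size of the printable-ASCII alphabet an exhaustive search must cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33  # 32 punctuation characters plus the space
    return size


def brute_force_bits(pw):
    """Upper bound on guessing effort: length * log2(alphabet size)."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def assess(pw):
    """Return (verdict, bits). A list hit overrides any length or symbol count."""
    bits = round(brute_force_bits(pw), 1)
    if pw.lower() in COMMON or normalize(pw) in COMMON:
        return "common", bits
    return ("ok" if bits >= MIN_BITS else "short"), bits


if __name__ == "__main__":
    for pw in ("password123", "p@ssw0rd", "Th1s 1s a p@ss0rd.", "This is a password."):
        print(f"{pw!r:24} {assess(pw)}")
```

The bit count is a ceiling that assumes exhaustive search; a phrase built from dictionary words is guessed faster by wordlist-based tools, which is why the uniqueness requirement still applies to long phrases.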

Employees should also be advised that they should never give out their password, even to other employees, and that they should avoid writing their password down or saving their password through third-party programs. Sharing a password with a trusted employee can be dangerous simply through the mechanism by which the password is shared (such as by writing it down). Employees should also be advised not to use password saving solutions, as this could make it easier for someone on their computer to log into their accounts.

Mobile Device Management: Protect Your Assets

Mobile devices are simply not optional for the technological workings of most businesses. Most employees check their company emails and files on their mobile devices, using everything from smartphones to tablets. But mobile devices also represent a significant security risk. Most employees are using their personal phones, on which they may run third-party applications. Their phones may even be "jailbroken," which means they are inherently not as secure as phones direct from the factory. Though iPhones are considered to be almost virus proof, there still have been two items of known malware released for the system. Android phones and Windows phones often have virus issues. Consequently, employees could be running a security risk simply by having their email on their phones -- if their phones are vulnerable, their company data is, too.

There is additionally a physical risk. Employees take their phones with them almost everywhere. A single lost phone could mean that the entire network is compromised, should it fall into malicious hands. Employees who travel often may have phones targeted and stolen. It is in a company's best interests to lock down mobile devices, but it also has to be done in a way that still allows employees to be productive and efficient. A mobile device management platform can allow this. Mobile device management platforms let a company control access from mobile devices to the company's network.

A mobile device management platform should offer granular security controls -- the ability to control what everyone can view and when. These security controls should always be set to offer the minimum necessary access to each employee; this will reduce the potential for data breaches. Mobile device management doesn't just improve email access but also access to the company's overall IT infrastructure from outside of the office, such as the ability to view and copy files, or even remote desktop in. Mobile device management can be used to lock down phones quickly if they are lost and manage how employees can access and manipulate data on the company's servers. This can also prevent employees from accidentally doing something that could increase security vulnerabilities.

Employees should also be aware that they need to keep their phones locked automatically. Pin codes, passwords and fingerprints are all entirely valid solutions as long as the employee is using at least one of them -- there is nothing more dangerous than an entirely unsecured phone, even for their own personal security. Just as with other computers, employees should not use other phones to sign into their email accounts or their work network.

Employee Training: How Information Should Be Shared and Stored

One of the best ways to reduce email vulnerability is to reduce the amount of data that is shared and stored through email. Though email can be secured as described in the steps above, it's important to keep in mind that email is often an inherently insecure medium: it is, from time to time, probably going to be open to vulnerabilities, if only because most employees use email so often. Consequently, email should not be used for certain types of data. The moment an inbox is compromised, everything within that inbox is also compromised.

Employees should avoid sending confidential data through attachments as these attachments may be read by anyone in their email. Employees should always encrypt data before sending it through email and should only send it when the other party is expecting it to be sent. However, they should not put passwords or encryption keys in the body of the email itself, because of how easy it would be for a third party to access the contents.

Businesses should provide a secured and encrypted file server for documents that do need to be stored, and it should also be relatively easy for staff members to encrypt documents on-the-fly -- otherwise they may be tempted not to do it at all. Employees must also be trained in proper password hygiene, as mentioned above, and regarding how often they should change their passwords.

Mobile device management may make mobile devices safe, but there is seldom any safe way for an employee to sign into email in a public area. If they do need to sign into email at a business kiosk or other related area, they should know that they should always sign out and that they should never save their password information on the computer. Employees should also be trained not to sign into email on other computers even if the computers are familiar to them, such as a friend's or family member's computer. Though their friend or family member may be trustworthy, the computer's security may not be sufficient to protect them.

In addition to protecting company, employee and client data, businesses today also have an extraordinary number of regulations that they are required to comply with. This is especially true for companies that are in industries such as healthcare. Companies that do not pay attention to their data security are likely to experience a data breach or other serious issues, which could ultimately lead to liability for the company and a loss of client faith. Having a secure email service from the beginning can be just as valuable as many of the above email security tips; there are many email providers, but not all of them offer the security that a business needs.