Business Email Compromise (BEC) scams accounted for 19,954 complaints and a total of $2.4 billion in losses last year. (FBI Internet Crime Report of 2021) Small businesses are frequent targets of these attacks due to a false sense of security or lack of email best practices.

These scams are initiated by phishing attacks, which rely on malicious emails to trick you into giving up login information. You have to know how to recognize these and other suspicious emails in order to protect your business. 

What are email best practices for small businesses?

1. Use strong passwords
2. Identify phishing attempts
3. Utilize 2FA
4. Install VPNs
5. Encrypt sensitive data
6. Write comprehensive email policy
7. Use antivirus/filter services on email provider
8. Backup email data
9. Automate as much as possible

We’ll go on to explain each of our email best practices in detail in the rest of this article, as well as suggesting ways to improve your email security.

Protect Your Small Business With These Email Best Practices

1. Use strong passwords

It’s kind of a given that using strong, complex passwords is a good security practice. However, depending on which email service provider your company uses, you could be left vulnerable to attack. The default password requirements inherent with your email provider may not be strong enough to thoroughly protect your company’s emails.

Make sure not to use any words, names, or phrases that are obvious on your social media or website as a part of your password. Use uppercase and lowercase letters, numbers, and special characters. Try to avoid obvious substitutions of special characters- like @ for the letter “a”. 

Institute automated password timeouts that force your users to change their passwords every 2-3 months. Consider banning users from repeating passwords within a 12-18 month period as well. 

Check out our guide The Secret to Good Passwords to learn more about secure password protocols. Having secure and updated passwords is key to our email best practices.

2. Identify phishing attempts

A super important component of a small business cybersecurity plan is phishing education and awareness. It’s crucial you and your employees are up to date on the different types of phishing emails that are out there.

Fostering a culture of cybersecurity within your business should include regular phishing exercises. Those exercises should consist of faux phishing emails designed by your IT security team that are designed to test your employees. 

If they fall for it and click the link, route them to a page explaining what has happened and pointing out the clues they missed. If they recognize it as a phishing email and report it, congratulate them. Then, a week or two later, report the company wide results and either congratulate your staff or plan further training if necessary.

3. Utilize 2FA

Even if you have strong passwords and good cyber hygiene, your password can be compromised. The best way to prevent unauthorized access to your business’ emails is to require a second point of authentication at login, separate from the password. 

This practice is called two factor authentication (2FA). It often uses a randomly generated 6 digit code and is sent to either an authentication app or via text message to your employee’s phones. This code should expire within a short time frame in order to ensure it isn’t used again. 

It’s extremely unlikely that a cybercriminal would gain access to your employee’s username, password, and 6 digit code for authentication. Two factor authentication is an essential staple of our email best practices. 

4. Install VPNs

Virtual Private Networks, or VPNs, are the best way to protect your systems if you or any employees work remotely or publicly. They create a secure, encrypted connection between each computer and the internet so that even if you use public wifi, you are protected. 

VPNs allow you to work as if you are on a private server from hotel lobbies, airport gates, or coffee shops. They prevent cybercriminals from observing or gleaning any browsing patterns or login information if you connect to a public network. 

VPNs allow you and your staff to access your work email from any wifi network without fear of experiencing a hack. Make sure that any software updates are installed in a timely manner in order to maintain maximum security.

Next Generation Firewalls (like our preferred firewall from Fortinet) usually have a VPN baked right into the software, or you can purchase a standalone VPN app. Learn more in our article all about VPNs!

5. Encrypt sensitive data

Email makes it incredibly easy to share files, whether you’re delivering a presentation, spreadsheet, document, or picture/video. However, if those files contain sensitive information, they’re also very susceptible to hacking when sent via email. So how can you protect your email attachments? Data encryption.

Data encryption is the practice of converting your files into scrambled text known as cipher text. This cipher text is completely unreadable to unauthorized users who don’t have the decryption key(s) to unscramble the text. Even if a cyber criminal gains access to your data, without the encryption key it’s useless to them. 

Encryption isn’t just for text files, you can encrypt pictures and videos as well. Anything that can be attached to an email can and should be encrypted as part of your email best practices.

Want to know more about encryption? Read our post about it here!

6. Write (and enforce) a comprehensive email policy

It’s impossible to do it all on your own, as you’ve no doubt realized during your journey owning a business. That concept applies to cybersecurity as well. You will only be as strong as your weakest links, so it’s necessary to instill a culture of security in all your staff.

Ongoing education and awareness is one key to building a security minded team. The second is a comprehensive and clear email policy. Ask your employees to read and enforce the policy. Delegate the enforcement to your network administrators, but ask everyone to help hold each other accountable.

Each department of your organization needs to be informed of the email policy and regularly retrained at appropriate intervals. Knowing what’s expected of everyone and how they can help protect their customers and each other will help your employees keep vigilant and secure.

7. Use antivirus/filter services on email provider

Email connects you to anyone at anytime- and can connect anyone to you or your business anytime. Human error is never 100% preventable, so it’s best to fortify your email security education with antivirus/filtering software. 

Basic antivirus software might be built into your email provider. You can (and should) also upgrade to beefier email protection with most antivirus providers. This application will provide a safety net in case someone slips up and clicks a malware link or replies to a scam email.

For example, our preferred provider, Fortinet, offers an antivirus and filtering app called Fortimail. Fortimail provides URL filtering, antivirus scanning, spam filtering, a filter that flags suspicious emails, click protection, outbreak protection, and more! Learn more about how Fortinet can help with your email best practices here.

8. Backup email data

Just as frequent and complete backups help to protect your entire network, backups help to protect your emails too. They’ll allow you to access your entire message history even when things are accidentally deleted, a server goes down, or you hit your service provider’s storage limits. 

Most backup service providers allow you to instantly restore individual emails, attachments, or whole conversations. Even if your business’ email isn’t what is compromised, having these backed up can allow your business to recover more quickly in the event of a virus or data breach. 

9. Automate as much as possible

The best way to protect your business is to automate as many of the above security measures as possible. There’s no reason to ask your employees to remember to change their passwords every 3 months when you can simply set them to expire after that time frame is up. 

Similarly, you can configure your email antivirus or provider to filter for suspicious emails, send spam to a different inbox, and automatically scan the links within an email for malware. Don’t put more on your employees than you have to, because most of them aren’t cybersecurity experts. And they shouldn’t have to be. 

Automation of email best practices removes the human element from the compliance effort. It leaves way less room for costly errors, and makes it easier for everyone to get with the program.

Send Files Safely With These Email Best Practices

Although the landscape of cyber threat is constantly changing and growing, you can protect your business by implementing our email best practices. They are small changes to the way most of us do things, but they have a big impact when it comes to preventing cyber crime. 

If you have further questions about any of the email best practices we outlined, or need help getting started with your company email policy, please schedule a consultation with us. Your security is our utmost priority.