The Importance of Having an Email Security Policy

June 12, 2017

Last year’s malicious attack on the DNC was a wake-up call to the entire country about how devastating a hack can be. As technology becomes ever more pervasive in our daily lives, cyber-security should hold high priority, and that goes double for law firms. Hackers tend to focus on larger legal firms, as they hold a greater volume of financial and personal information that, if accessed, can be lucratively traded on the black market.

Cyber-security is a job that is never solely the job of one department or one individual. Your IT team will work hard on shoring up your network defenses with firewalls and data encryption, but your entire staff should always do their utmost to ensure that their communications are protected from cyber-criminals.

Emails are important because hackers use them to gain access into your network. They do this through “social engineering” tactics, which include phishing.

Phishing gets its name because they provide bait for the recipients, encouraging them to click on a link or open a document that contains malicious code meant to steal your personal information or gain access to your systems. Phishing emails might look like they are coming from a legitimate source, like your bank, a social media account, or any other organization that might have your personal information.

When you receive such a message, it may ask you to sign in to your account to change your password, or enter payment or personal information. Once the hacker has gained access to your data, they will proceed to use it to access the company’s servers or network, which is when the real issues begin.

Phishing emails are so common, you may have several in your inbox as we speak. This is why you need to pay attention to this trend: one innocuous looking email can take your entire firm down in one fell swoop.

At its most basic, your security policy must include protocols for identifying and preventing phishing attacks and other such scams. Always keep in mind that this is just the tip of the iceberg.

 

What to Include in Your Firm’s E-Mail Security Policy

Since it’s your staff who are going to be enforcing your email security policy, it is crucial to get them on board. They need to understand how to protect themselves and the organization, and they should know what your IT team is doing to prevent malicious attacks.

Schedule regular and mandatory meetings so that everybody is on the same page. The more every staff member knows about cyber security, the better they can be a part of the solution.

When you are crafting your email security policy, always include the following:

 

1.      Basic guidelines and best practices

What may seem like common sense to you might not be so mainstream to others. Outline basic strategies for everyday use and safety of company email, such as “never connect to unsecured Wi-Fi”, and “be sure to change your password at least monthly”.

 

2.      Easy ways to identify and report phishing and other scams

Even if they know what phishing is, your employees might not know how to recognize it if it’s staring them in the face. The best way to protect your organization is to actually show them what they look like, and give them steps to take in order to report the threat to your security team or office manager.

 

3.      Monitor email for suspicious activity

Your IT team or managed services provider should be watching your network and monitoring your servers carefully to identify malicious activity. If you decide to go this route, make sure you let your staff know what is going on – partly for transparency’s sake, but also to demonstrate your commitment to your firm’s cyber-security.

 

4.      Craft a policy around prohibited content

Be sure to inform your staff that their emails are being monitored, and that blacklisted websites will be inaccessible unless individual permissions are granted by the administrator. This serves them notice that if they send or receive prohibited content, you will know. Outline what information is okay to send, and what is too sensitive for emails, such as personal information, financial details, and similar. Think about what you wouldn’t want to be made public knowledge, and use that as a guideline when you create your list of restricted content.

 

5.      Use Barracuda Essentials for Microsoft Office 365

Since you likely already use Microsoft Office or Microsoft Exchange, it just makes sense to use a compatible cloud service and security platform. Barracuda is an email scanner that protects against threats that originate from email, such as spam, viruses, phishing and other types of malware. It’s free, it removes and examines potential threats, even remote-detonates them to ensure they never come back to haunt you. Microsoft Office 365 is pretty good, but it has vulnerabilities inherent in the software that can put your infrastructure at risk, which is what Barracuda was developed for. It secures your cloud storage and protects your email accounts, as well as your software. You’ll have outbound email security, encryption and an easy, centralized dashboard from which to manage the whole thing.

Using Barracuda means that every employee on the network should know its features and how it protects them. Make it crystal-clear that under no circumstances should they ever send or receive firm or work-related emails through personal accounts or external email programs.

 

6.      Conduct Regular Workshops and Seminars

Workshops and seminars are a great way to deliver ongoing education, and should be a part of your firm’s security policy. This shouldn’t be a one-time thing, either, as protocols change, threats evolve, and it’s always good for everybody to have a refresher once in a while.

Other efforts you can make to strengthen e-mail security

Your employees should feel safe knowing that you are doing everything in your power to keep your client’s and their personal information safe and secure. Make sure everybody knows what steps are being taken and what programs are in place to ensure your continued protection from malicious cyber-attacks.