Email is one of the key entry points for hackers into an organisation. It is how attackers gain access to passwords for third-party applications (by requesting password changes using your credentials), or send malware to your employees to compromise entire networks.

Just by implementing some of the best practices for email security you can help to secure your business from external threats.

So, what are the best practices for top email security? Here is a selection for you to implement straight away.

1. Force unique passwords

The first thing you should do is ensure that users are choosing passwords with security in mind. All passwords should be between six and ten characters long and contain at least one number, one symbol and two letters (one uppercase and one lowercase). Passwords should not be recognisable words either, and simple character substitutions do not disguise them: for instance, ‘Foodtime’ should not simply become ‘F00dt1me’.

You should also insist that account holders don’t use commonly used passwords.

Passwords should be changed on a regular basis, as a precaution. If passwords are changed every 45-60 days, a stolen password cannot be used indefinitely by criminals to reach your systems through email. Users should also be told not to share passwords with other users within the business. Once shared, there is no control over who uses that password/account.
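As an added illustration of the password rules above (this is example code written for this page, not a tool from the original post), the checker below enforces the stated length, character-class and "no recognisable word" rules. The common-password and dictionary lists are constructed stand-ins, and the leet-speak reversal is the part that catches ‘F00dt1me’ as just ‘Foodtime’ in disguise.

```python
import re
import string

# Constructed, illustrative lists (assumed): a real deployment would load a large
# breached-password list and a full dictionary instead of these few entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
DICTIONARY_WORDS = {"foodtime", "food", "time", "summer", "monkey", "dragon"}

# Undo the usual digit/symbol substitutions so that 'F00dt1me' is still seen as 'foodtime'.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(password: str) -> str:
    """Lower-case the password, undo leet substitutions and keep only the letters."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_MAP))


def check_password(password: str, min_len: int = 6, max_len: int = 10) -> list[str]:
    """Return the list of policy rules the password breaks (an empty list means acceptable)."""
    problems = []
    if not min_len <= len(password) <= max_len:
        problems.append(f"length must be between {min_len} and {max_len} characters")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least one number")
    if not any(c in string.punctuation for c in password):
        problems.append("needs at least one symbol")
    letters = [c for c in password if c.isalpha()]
    if len(letters) < 2 or not any(c.isupper() for c in letters) or not any(c.islower() for c in letters):
        problems.append("needs at least two letters, one uppercase and one lowercase")
    core = normalise(password)
    if password.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if core in DICTIONARY_WORDS:
        problems.append("is a recognisable word (substituting 0 for o or 1 for i does not hide it)")
    return problems


if __name__ == "__main__":
    for candidate in ("Foodtime", "F00dt1me", "P@ssw0rd!", "Tr!b3x9q"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The length bounds are parameters so the six-to-ten range from the post can be adjusted without touching the rest of the rules; the dictionary check works on the normalised form, so the same word with digits swapped in is still rejected.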

2. Teach employees about phishing

Phishing is one of the oldest ways that email has been used to gain access to secure accounts. The criminal sends an email impersonating a respectable company (or even IT support from within your own company) and claims there is an issue with an account, or perhaps that the recipient has won a prize. To resolve the matter, the recipient must reply with their username and password.

Sometimes the email instead contains a link to a look-alike website that mimics the respectable company. Once the details are entered there, the criminals have all the information they need.

Whenever an email like this arrives, the recipient should report it to IT support, who can then verify whether there is actually an issue with the service. The employee should never act on the email itself. No respectable company will request these details via email.

3. Teach employees to not click on links

Links within emails should not be clicked unless you are expecting a link from that sender. This is especially true of emails selling products or services, or simply trying to entertain you with pictures of cute animals. The links inside these emails often lead to malware and viruses.

These can disrupt your business and cost millions to repair. The worst-case scenario is that an employee downloads software that locks all your data. This ransomware is very popular with criminals and it essentially wipes out productivity. Many businesses discontinue operations after a ransomware attack.
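Sections 2 and 3 both come down to links whose real destination is not what the email suggests. As an added example (written for this page, not code from the original post), the checker below takes an HTML email body, pulls out every link, and flags two of the tricks described above: a destination domain that is a look-alike of a domain the business trusts, and link text that shows one address while the link actually goes elsewhere. The trusted-domain list and the sample message are constructed; the registrable-domain helper is a deliberate simplification that ignores suffixes such as co.uk.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of domains the business legitimately deals with (assumed).
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a hostname (simplification: ignores suffixes like co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def normalise_domain(domain: str) -> str:
    """Undo common look-alike tricks (rn for m, 1 for l, 0 for o) before comparing."""
    domain = domain.lower().replace("rn", "m").replace("vv", "w")
    return domain.translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))


def domain_reasons(host: str) -> list[str]:
    """Explain why a link's destination host looks like it is impersonating a trusted domain."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return []
    norm = normalise_domain(reg)
    for trusted in sorted(TRUSTED_DOMAINS):
        if norm == trusted or edit_distance(norm, trusted) <= 2:
            return [f"domain {reg} looks like trusted domain {trusted}"]
        if trusted.split(".")[0] in host.lower():
            return [f"untrusted domain {host} embeds the trusted name {trusted}"]
    return []


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (href, visible text)
        self._href = None    # href of the anchor currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def assess_links(html: str) -> list[dict]:
    """Flag links whose destination is a look-alike or differs from the URL shown in the text."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = domain_reasons(host)
        # The visible text shows one address while the href quietly points somewhere else.
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"link text shows {shown.group(1)} but the link goes to {host}")
        findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


# Constructed sample message (not a real email): one look-alike domain, one trusted name
# buried inside an untrusted domain, and one genuine link.
SAMPLE_EMAIL = """
<p>Your account has been locked. Please sign in to restore access.</p>
<a href="http://examp1e-bank.com/login">https://example-bank.com/login</a>
<a href="https://example-bank.com.account-verify.net/x">Verify now</a>
<a href="https://example.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for finding in assess_links(SAMPLE_EMAIL):
        print(finding["href"], "->", finding["reasons"] or "no concerns")
```

The edit-distance threshold of two is deliberately tight; on a real trusted list with short domain names it should be tuned, since two edits can also separate two legitimate, unrelated domains. The output is a list of reasons per link rather than a verdict so that the mail gateway or the person triaging reports to IT support can see exactly what looked wrong.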

4. Install anti-virus software on every machine

As well as having anti-virus software installed on the server to detect viruses, every device should also run a virus scanner. This stops an employee's machine being infected by an attachment that hasn't been scanned, or by a download from a link inserted into the email.

The virus scanner should be updated on a regular basis, so that the latest viruses are known to it. One of the main problems companies find is that their anti-virus software has not been updated in a long time.

5. Bring in IT security teams

While you are busy running your business, you can't spend enough time training your team to identify threats and improve email security processes. If you do the training yourself, your productivity suffers, and you aren't an expert in IT security. So bring in some experts to teach your staff and test them on their email security.

When firms test staff, they learn where the weaknesses are. For instance, dry-run tests can show when staff click on links from unknown sources, and which individuals are doing so, so that those people can be given further email security training.

Finally, IT security teams can help improve your whole network, allowing you to feel more secure and keeping you, your data and your business safe.

6. Make sure there are protocols in place to protect you

It is always important to have policies in place that protect you and your staff from becoming victims of crime: for instance, knowing who can and can't authorise payments, which email addresses their requests come from and what format they should be in. Having strict policies allows you to spot malicious communications.

A good example of how this can go wrong is when Mattel paid criminals $3 million because the finance director was told by someone impersonating the CEO that a new manufacturer needed the funds wired to them. Because the email was informal and was, apparently, from the new CEO, she paid the money.

However, had there been a specific request process, rather than just an email, it is likely this payment would never have been made. Create these policies and processes and ensure that everyone knows them and follows them. You should also limit the number of people outside of the office who know about them.
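The request process described above can be written down as checks that run on every payment request before anyone acts on it. The code below is an added example for this page, not Mattel's process or any vendor's product; the approver list and limits, the known-beneficiary list, the PO reference format and the call-back threshold are constructed stand-ins for whatever a business actually decides. The first sample request is shaped like the CEO-impersonation case in the text; the second follows the process.

```python
import re
from dataclasses import dataclass

# Constructed policy data (assumed): who may authorise payments, up to what amount,
# and the exact address each approver's requests must come from.
AUTHORISED_APPROVERS = {"cfo@example.com": 50_000, "controller@example.com": 10_000}
KNOWN_BENEFICIARIES = {"GB00EXAMPLE00000001"}           # accounts paid before and verified
PO_PATTERN = re.compile(r"^PO-\d{6}$")                   # the required request format
CALLBACK_THRESHOLD = 5_000                               # above this, phone the approver back


@dataclass
class PaymentRequest:
    sender: str                 # the actual From address, never the display name
    reply_to: str               # where a reply would really go
    amount: float
    beneficiary_account: str
    po_reference: str
    confirmed_by_callback: bool = False   # approver reached on a number already on file


def evaluate(req: PaymentRequest) -> list[str]:
    """Return every policy rule the request fails; an empty list means it may proceed."""
    problems = []
    sender = req.sender.lower()
    limit = AUTHORISED_APPROVERS.get(sender)
    if limit is None:
        problems.append(f"{req.sender} is not an authorised approver")
    elif req.amount > limit:
        problems.append(f"amount exceeds the {limit} limit for {req.sender}")
    if req.reply_to.lower() != sender:
        problems.append("Reply-To differs from the sender, so a reply would not reach the approver")
    if not PO_PATTERN.match(req.po_reference):
        problems.append("request is not in the required format (no PO-nnnnnn reference)")
    if req.beneficiary_account not in KNOWN_BENEFICIARIES:
        problems.append("beneficiary account has never been paid before and needs independent verification")
    if req.amount >= CALLBACK_THRESHOLD and not req.confirmed_by_callback:
        problems.append("amount requires confirmation by phone on a number already on file")
    return problems


# Constructed requests: one shaped like the CEO-impersonation case, one that follows the process.
IMPERSONATION = PaymentRequest(
    sender="ceo@example-co.com", reply_to="ceo@example-co.com", amount=3_000_000,
    beneficiary_account="XX99NEWMANUFACTURER01", po_reference="",
)
ROUTINE = PaymentRequest(
    sender="controller@example.com", reply_to="controller@example.com", amount=4_500,
    beneficiary_account="GB00EXAMPLE00000001", po_reference="PO-000123",
)

if __name__ == "__main__":
    for name, request in (("impersonation", IMPERSONATION), ("routine", ROUTINE)):
        print(name, "->", evaluate(request) or "approved for processing")
```

The point of returning every failed rule rather than stopping at the first is that an informal "please wire this today" message trips several of them at once (unknown sender address, no reference, new beneficiary, no call-back), which is exactly the pattern the policy exists to make visible to the person holding the chequebook.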


Email security is vital for your business. It is the main entry point for a great deal of cybercrime. So you need to secure this entry point through good training of your staff members, policies that protect users, and the best software and IT security support for your business. Without these, you risk becoming one of the half of all businesses that become victims every year.