Skip to main content

In today's digital age, email has become the lifeblood of communication for businesses of all sizes, but it also presents a significant security challenge, especially for small businesses. As cyber threats continue to evolve and become more sophisticated, protecting sensitive information and ensuring the confidentiality of email correspondence has never been more crucial.

In recent years cyberattacks via businesses’ email servers have seen a dramatic rise across the board. This shouldn’t come as too much of a surprise considering the global move to remote working over the last few years. However, with remote working now here to stay, what does come as a surprise to most cybersecurity specialists is that many organizations (especially smaller businesses, which are the most vulnerable to this type of attack) haven’t implemented basic cybersecurity practices to keep their systems safe from Business Email Compromise, or BEC, and other more traditional forms of email-orientated cyberattacks.

Business Email Compromise is a serious type of digital fraud and extortion that seeks to take advantage of the daily wave of email communications between businesses. Through a complicated process of social engineering, cybercriminals impersonate an employee or trusted business associate and convince victims at the same company to transfer sensitive information or funds to a hidden account. These types of attacks vary in severity but are usually very costly to the targeted business. That’s why we’ve decided to create this guide to email security best practices, guidelines, protocols, and policies, specially tailored towards small businesses (however, these practices will equally apply to organizations of any size). It’s time to make sure your small business emails are secure and that any sensitive information is safe from unwanted viewers.

Best Practices for Email Security in Small Businesses

The best practices for email security for small businesses are similar to those used for large organizations; they protect against the three main types of email cyberattacks: phishing scams, spear phishing attacks, and fraudulent invoices. Let’s start with the essential email security measures:

Business Email Accounts are for Business

Although this might seem rather simple and straightforward, it’s worth pointing out just in case. With work being an important part of everyone’s lives, it can be tempting to use your business email to sign up or log in to certain services that your personal accounts don’t have access to. However, using your company’s email for your personal online activities gives a scammer the ability to profile you more easily, which could lead to a much more targeted cyberattack. Equally, if you’re using your personal computer or home Wi-Fi connection, which are both not usually as secure as an enterprise connection or the customized machines used in your workplace, you are giving hackers a better chance of stealing your business credentials. This also leads us to our next best practice.

Don’t Use Your Business Email on Public Wi-Fi

Even if you’re using your company’s secure machine to access your business email account, public Wi-Fi is the perfect gateway for hackers and cybercriminals to infiltrate your machine and steal your sensitive data. When it’s not possible to avoid using a public connection, we recommend using a VPN in order to connect to your important business servers and improve your overall endpoint security. A Virtual Private Network (VPN) works by creating a sort of encrypted private tunnel between the user’s remote computer and the organization’s dedicated servers. As a result, it will protect any of the data you send over an unsecured network via real-time encryption. To learn more about VPNs and how they work, take a look at our article, "What is a VPN?".

Strong Passwords and Passphrases

When it comes to hacking an email account for a business, the first step is to brute-force attack the account and try to guess your password or passphrase. That’s why we recommend that all employees use “strong” passwords or passphrases. A password is considered to be “strong” when it is sufficiently long (12-14 characters) and contains a mix of special characters, numbers, uppercase, and lowercase letters. Equally, “strong” passphrases follow much the same rules, except they should be between 15-20 characters long and use letters from other languages (if possible).

For each of these, the most important thing to remember is that they must be unique and only used for one application. This means you’re going to need quite a few of these passwords or passphrases, depending on how many systems you use in your workplace. Consequently, we recommend using a password manager or password vault, which also provides a password generator for making strong passwords, to store all of your unique passwords and phrases. Although password vaults and managers can be hacked, your passwords will still be safe because they are encrypted; deciphering industry-standard encryption, like 256-bit AES (Advanced Encryption Standard), is almost impossible. So, even if a hacker gets "in" to the vault itself, it doesn't mean they can do anything with your encrypted data.

Phishing Scam and Attachment Awareness Training

One of the easiest ways to protect your business is to invest in simple cybersecurity training for all your employees. If this is not an option for your business, we recommend teaching your workforce about the dangers of phishing scams and email attachment attacks, otherwise known as malicious attachments or HTML smuggling. The main points to cover would be:

  • An awareness of common phishing scams, such as fraudulent websites and login windows that harvest a user’s login credentials and mimic common pop-up windows, such as the Microsoft Outlook Login window.
  • Knowledge of the most common email attachment vectors that malware can be hidden in, such as .DOCX, .HTML, and .EXE. This also includes a recent and popular form of email cyberattack known as HTML smuggling.
  • Warn your employees to never click on any link that looks suspicious or is sent from an unknown sender. Malicious links are the easiest way for scammers to successfully carry out a cyberattack on your employees and your business, usually via some sort of phishing scam website.

Enable Multi-Factor Authentication

One security practice that is becoming more and more popular, because of its effectiveness, is multi-factor authentication. Sometimes referred to as MFA, two-factor authentication, or 2FA, multi-factor authentication provides your business email accounts with multiple levels of security checks before an employee is given access to their messages. Examples include an additional password, a code from a secure SMS, or an answer to a predetermined security question.

Don’t Forget to Logout

Again, this may seem like the most obvious thing to do when using your work email, but it’s important to remember that a large amount of cybersecurity attacks begin with disgruntled employees looking to damage a former employer’s business. Co-opting someone’s account and masquerading as another employee is one of the easiest ways to commit cybercrime and evade detection. So, to stop yourself or your employees from becoming unwitting suspects, make sure that everyone in your business remembers to log out after each session and to never share their login details with each other.

Email Scanning and Protection Systems

With the growing complexity of social engineering threats and email-related cyberattacks, a dedicated email scanning and protection system is the best defense against advanced malicious email attachments and embedded script attacks. We recommend an automated antivirus solution that includes machine learning and static code analysis, which evaluates the actual content of an email and not just the attachment file type. For an advanced online cybersecurity solution, we recommend Kaspersky Security for Microsoft Office 365. An award-winning system for both businesses and personal users, our premium package comes with remote assistance and 24/7 support.

Email Security Protocols and Standards

One of the most important ways that you can protect your business email system is by implementing the proper email security protocols. Usually considered the first line of defense against email-related cyberattacks, email protocols are designed to keep your communications safe as they pass through the webmail services. To be clear, mail servers deliver email messages between recipients’ mail clients using email protocols. The protocols tell the server how to process and deliver the messages. Security protocols verify and authenticate this process.

There are a number of different protocols which can be used to secure your business email:

  • SPF – allows email domain owners to identify and verify who is authorized to use their domain names when sending email.
  • DMARC – allows domain owners to be notified and respond when a message has failed to be authenticated.
  • SMTPS and STARTTLS – encrypt email exchanges between clients and servers.
  • DKIM – enables the user to be linked to a digital signature for authentication.
  • S/MIME – defines how to encrypt and authenticate data formatted in MIME.
  • OpenPGP – is based on the Pretty Good Privacy framework and is an encryption and authentication standard for emails.
  • Digital Certificates – are a way of verifying the sender’s details via public key ownership.
  • SSL/TLS – is not directly used in email security, but it encrypts network traffic between servers (encompassing webmail messages) because it’s used for HTTPS.

Many popular email client providers use SPF, DKIM, and DMARC (configured via the DNS records) to protect their users’ privacy. We recommend implementing at least these three for your business email system.

Email Security Policies, Guidelines and Compliance

Email security policies, guidelines, and compliance define the rules and regulations around the use of business email accounts at a place of work. Each of the points listed above should be a major part of your organization’s email security policies. In addition, these guidelines should also include rules on:

  • User access and device usage.
  • Data handling and storage.
  • Rules around email forwarding, deletion, and retention.
  • The breadth of the policies’ scope, including network and system usage.
  • Ethical conduct and appropriate behavior.
  • Password encryption and other security tools that are used in email clients.
  • Cybersecurity training material pertaining to email malware and how to spot fraudulent attachments, links, or messages.
  • Email monitoring and employee recording practices undertaken by your business.
  • Where and how to report malware, threatening, or illegal content received by email.

In short, every organization, from a small business to a large corporate enterprise should have a Security Compliance Model (SCN) that clearly lays out and defines the above subject matter. These guidelines will act as a legal framework (enforceable by the national government) that can ensure the privacy and security of all the content contained in the company’s emails. This is especially important considering clients and partners have become more wary of businesses with digital communication violations.

In today’s digital landscape email has become indispensable for businesses, both small and large, however it is also a prime target for cyber targets. As remote working becomes more common the risk of email-related cyberattacks is rising. Protect your small business effortlessly with Kaspersky’s Small Business Security which is especially designed to meet the needs of your small businesses.

Related articles:

Recommended products:

Email Security for Small Businesses

With emails being one of the most common ways for cybercriminals to infiltrate small businesses, we created this guide to email security. Read more here.
Kaspersky Logo