For a small business owner with a busy schedule, establishing email security measures for the company is usually something that gets pushed to the back burner. But ignoring this issue can bring on problems down the road, whether it’s dealing with computer viruses or the liability of passing sensitive data between parties. We reached out to Edward Capra, president of technology support company LifeguardTech Inc. and security firm SecurusFortis LLC, to give us some basics on how to properly establish email security procedures, and what issues to consider when setting up your company email. He answers our questions below.
* * *
Understanding Email Servers
CBI: As a small company, how should I handle email servers? What is the benefit of getting my own server versus getting Google Apps for Business or Yahoo Small Business?
EC: Mail servers are a lot of work, not so much in setting them up or using them, but from the standpoint of maintenance. Managing your own mail server can become a bottomless pit of tech resources. Because of the never-ending war between hackers, criminals, and all sorts of bad guys that want to compromise your server or steal your data, I feel it is best (in most small business cases) to relegate this task to the big monolithic mail giants such as Google or Yahoo. These big players have the resources to keep on the cutting edge of the security front lines and fight that battle for you. Of course, there is a price tag associated with outsourcing that email function, but it is easily outweighed by the cost of the IT services required to mitigate security issues. I would consider keeping your own mail server if you have a full-time IT person or more than 35-40 employees.
* * *
Bring Your Own Device (BYOD) Policies
CBI: These days, many small businesses allow their employees to use their work email on their personal computers, mobiles, and tablets. What email security issues should you consider with a BYOD (bring your own device) policy?
EC: There are serious security issues with BYOD. The first consideration is liability. Employees should adhere to the same (or better) security standard required of the business devices in use at the office. It is wise to have a formal “BYOD policy” that they should read and sign off on to acknowledge their responsibility about keeping their device (and your business data) secure, especially if you’re handling sensitive data from clients. If your company has a BYOD policy, it’s important to acquire liability insurance to help protect against employee error and damages that can occur if such an employee breach were to happen.
* * *
Establishing Company Email Policies
CBI: In addition to BYOD policy, what other company policies should be in place regarding email security? How should small business go about educating employees about these policies?
EC: When hiring an employee it is wise to require a median level of technical knowledge so you can be sure he/she knows better than to click a link to “grow hair” or “make money at home.” But the very basic stuff aside, it’s important to set standards and requirements through an educational program. This could be as easy as a PDF outline that you include in the employee handbook.
If your company processes credit cards, your card transaction company may require a yearly compliance audit in order to avoid the sorts of compromises that slammed Target late last year. These audits are usually a self-guided tour with an employee training component in which you checklist your email security practices.
Generally, some of the most important policies to consider include the following:
- Email password security. Set a minimum password length for all business email accounts (long passwords are always more secure), and require that the password also include a mix of letters, numbers, and special characters. Promote additional security measures such as two-step authentication or requiring that passwords be changed every 90 days. It’s important to emphasize why employees should use different passwords for different accounts, as well as avoid using names of pets or family members or things that a stalker could easily take off your Facebook account.
- Hardware rules. This educational program or document should state what the rules are for any hardware used for business (whether BYOD or company-owned). This should include rules such as disabling automatic login, installing location tracking and remote wipe software for portable devices (such as Find My iPhone), and protecting the physical device at any unsecured Internet access point (e.g., never accessing sensitive info from a Starbucks connection or any other openly shared Wi-Fi).
- Sensitive file sharing. Employees should treat all sensitive files as if they were their own credit card number or social security number – never send them via email! If you do need to email something important, make sure that the document is password protected, twice if possible (a password for the document and then another, different password for the zip file that contains it). Never include the password in the email—that should be phoned in directly to the person receiving it. There are also numerous secure file transfer services available, which also double as online backup services.
* * *
CBI: Any other best security practices or considerations?
EC: Yes—audits! A primary function of my security business is to perform audits. It is a great comfort to managers and owners to have a tidy document that states what should be done with email or how to handle certain files, but companies should regularly question if they are following the practices or guidelines. Often businesses will have an email policy or “safe handling” procedures, but sadly, they may not be carried out entirely or at all.
To perform an internal audit, walk into your own office and pretend for just a moment that you are an outside party. Ask yourself, “Is this how I’d like my private information handled?” or “Would I like the bank teller to do this with my financial information?” It is one thing to have rules, but another thing to follow them.
Managers and other higher-level employees should regularly complete these internal audits and keep records of them. This will help you find weaknesses, address them, and monitor improvement. This will show clients that your business is safe to work with. Of course, the downside of doing your own audits is that anyone can claim that you fudge your data, so consider hiring outside security firms as a third party to help you legitimize your audits.