Email Security: A Guide to Keeping Your Inbox Safe in 2023

Although more business and personal communication is being conducted through apps and collaborative software, email remains one of the most frequently used forms of communication for businesses and their employees. As a result, cybercriminals wishing to access and exploit sensitive company data often begin by targeting a company’s email accounts, seeking login credentials, payroll information, and other data. 


In this guide, we’ll offer email security best practices that will help your business and employees stay protected and vigilant in the face of online threats. Whether it’s creating strong passwords, simulating phishing attacks for employee training, or backing up data to a secure cloud-based platform, we’ll cover the steps you can take to enjoy peace of mind about your company’s email accounts and associated data.

Use Strong Passwords

Although it’s tempting to use short and memorable passwords across a number of accounts, websites, or devices, this can create a serious security issue if a cybercriminal successfully guesses your password or obtains even one set of login credentials, including your email password. If passwords are the same or similar across multiple accounts, a single stolen password can compromise sensitive professional and personal information at the same time.

Whether using an encrypted password manager, memorization, or another system, we recommend taking the following steps to strengthen your email password:

  • Use a combination of lowercase and uppercase letters
  • Use more than 15 characters
  • Include numbers and special characters/symbols
  • Keep your login credentials secure and inaccessible to coworkers and others

Utilize Multifactor Authentication

With multifactor authentication (or two-factor authentication), an employee enters their normal email login information, including password, but must then enter a security code sent to a separate device. The security code is most often sent through SMS or an authentication app to the employee’s mobile phone. The advantage of multifactor authentication is that it prevents a hacker from accessing an employee’s email account even if they’ve already illegally obtained the login credentials. Without access to both the mobile phone and the email login credentials, a cybercriminal cannot complete an email compromise and is likely to be deterred from further efforts.

Remember that your employees are likely to use their professional email accounts on multiple devices, so it’s wise to set up multifactor authentication across all of the devices and accounts they use to conduct business.

Only Connect to Trustworthy Wi-Fi Networks

As much as possible, employees should use secure and trustworthy Wi-Fi networks, especially since public networks make email credentials and other login information much more vulnerable to a cyberattack. Many cybersecurity experts recommend using private Wi-Fi networks with WPA protection, or using a virtual private network (VPN) that allows for increased security and encryption when working or checking email outside of the office. Computers and phones that are connected to private or virtual private networks are significantly more secure than those connecting to public networks, especially those without even basic password protection.

Regularly Update Antivirus and Anti-Malware Software

Another important step in preventing email compromise is to keep your antivirus and anti-malware software up to date and scheduled for automatic updates. In addition to permitting automatic and regular updates, you can also set your software to automatically scan for viruses, malware, or other threats to your device. Again, it’s essential to remember that this software and update/scanning strategy should be used across all business-related devices that your employees use. This matters because cybercriminals actively exploit outdated software, targeting systems that remain vulnerable to attacks that updated software could prevent.

Nearly all operating systems include antivirus software, but it’s best to speak with your IT department or cybersecurity consultant about the additional measures and upgrades you can make to ensure that your most essential software (and email system) is up to date and offers sufficient protection for your business.

Train Employees to Identify Phishing and Suspicious Emails

Phishing attacks most frequently occur by email, and often target payroll information, which is why emails are usually directed to payroll or HR employees. Our related article discusses how to successfully identify and prevent these attacks. Reviewing this information is a powerful first step in understanding the tactics used by cybercriminals, but it’s also vital to offer training to all employees so that those who are most likely to be targeted are informed, prepared, and can respond to possible threats using pre-established company protocols.

More businesses are using phishing simulations as one piece of the training process. This helps employees identify common “red flags” in phishing emails and allows them to walk through the company’s response strategy when suspicious emails are received. Since it’s very likely that your IT department or an IT staff member will be contacted when/if a suspicious email is received, it’s wise to involve them in the training process to help communicate best practices.

Generally speaking, employees should be wary of any social engineering tactics used to create a sense of panic or urgency in the recipient. It’s very common for phishers to convincingly mimic an existing employee and request payroll information on short notice due to a supposed financial or family concern. Although there may be clear red flags like grammatical errors, awkward salutations, or embedded links in the email, some of these attacks are more sophisticated and believable. With this in mind, your business should not only develop a system for passing suspicious emails to IT staff, but also develop multi-step protocols for employees requesting a change to any payroll information. This is an extra safeguard in the event that a convincing phishing attempt slips through alongside legitimate requests, all of which require additional authentication.
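The following triage sketch is an added example, not part of the original guide. It scores a message against the red flags described above: an employee's name on an outside address, urgency, a payroll request, and embedded links. Payroll requests with no other flag are routed to a second verification step. The company domain, employee directory, keyword lists and sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"     # assumed company mail domain
EMPLOYEES = {"dana smith"}         # assumed directory of employee display names
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away|emergency)\b", re.I)
PAYROLL = re.compile(r"\b(payroll|direct deposit|bank account|routing number)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)

def red_flags(raw: str) -> list:
    """Return the red flags found in one single-part plain-text message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    flags = []
    # A known employee's display name on an address outside the company domain.
    if name.lower() in EMPLOYEES and addr.rpartition("@")[2].lower() != COMPANY_DOMAIN:
        flags.append("employee-name-external-address")
    if URGENCY.search(text):
        flags.append("urgency")
    if PAYROLL.search(text):
        flags.append("payroll-request")
    if LINK.search(body):
        flags.append("embedded-link")
    return flags

def triage(raw: str) -> str:
    flags = red_flags(raw)
    if len(flags) >= 2:
        return "forward-to-it"          # suspicious: hand to IT staff
    if "payroll-request" in flags:
        return "verify-out-of-band"     # looks clean, still needs the multi-step check
    return "deliver"

# Constructed sample messages.
PHISH = ("From: Dana Smith <dana.smith@mail-example.invalid>\n"
         "Subject: Urgent: update my direct deposit\n\n"
         "Family emergency, please change it today: http://forms.invalid/update\n")
CONVINCING = ("From: Dana Smith <dana.smith@example.com>\n"
              "Subject: New bank details\n\n"
              "Hi, I switched banks. Could you change my direct deposit? Thanks, Dana\n")
BENIGN = ("From: Lee Park <lee.park@example.com>\n"
          "Subject: Friday lunch\n\n"
          "The menu for Friday is posted in the kitchen.\n")
```

The second message shows why the multi-step protocol matters: it carries no obvious red flag, so only the rule that every payroll change is verified through a second channel catches it.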

Data Backup and Email Archiving

Outside of phishing, there are a host of other potential online security breaches that can occur. Regardless of the form (phishing attempt, ransomware threat, or otherwise), backing up your sensitive data to a secure location can offer an added layer of protection in the event that a minor or major compromise occurs.

An email archiving system guarantees that your most important business correspondence, including sensitive company data, employee data, client data, calendars, and more, is stored in a safe location that is inaccessible to cybercriminals. Especially if you’re using a cloud-based system that encrypts any sent data, your business can enjoy additional protection, scheduled data backups, and improved threat detection.

Email archiving also allows you to locate the source of an attempted or successful security breach, especially because these attacks often originate via email. Information about who was targeted, which credentials were sought, and which period saw an increase in phishing attempts (as one example) can help your business improve its security practices.

Secure Payroll Support with Workforce PayHub

To support our clients with their payroll processes, we require strong passwords and multifactor authentication, and we use a comprehensive set of encryption and security measures. Our goal is to help our clients enjoy lasting peace of mind about payroll efficiency, security, and the safety of any sensitive financial and employee data.


Eric Jones