How to Create an Email Security Policy to Protect Your Company

Clear guidelines for employee use of email is essential in today’s digital age. Email policy isn't just about how employees use their company email address from their main workstation.  It involves how they use company email on any device (including their phone), and also what expectations the company has about any use of personal email from company devices.

There are nearly one billion google search results for “email policy for employees” -- so we know that teams all around the world are working to understand this important topic.  One big reason why we think so many businesspeople are search for guidance is that it's incredibly difficult to craft an email policy from scratch.  Every business that doesn't yet have an email policy should strongly consider building and implementing a policy that starts from a battle-tested policy template.  In this post, want to give you a clear way to determine whether the template you are starting from covers the most crucial points.  Havoc Shield customers already have policy templates available to them in-platform, but if you aren't yet a customer, here's what you should look for to gauge the quality of your email policy template.

TOP POINTS YOUR EMAIL POLICY SHOULD COVER

Whether you’re working from a template or starting from scratch, there are key areas you should cover:

• How can an employee use their company email?  We recommend your email policy explicitly address whether communication over company email may be used for personal purposes.  Traditionally (thinking back 5, 10, or 20 years), the typical policy firmly warned against any personal use at all.  More and more companies are tolerating some limited, restricted personal use of business email -- but with firm guard rails.   For example, an employee organizing a community networking event, or helping to raise funds for some worthy cause, or setting up a lunch with a long lost friend.  It is increasingly common that organizations find those types of personal use of company email acceptable.  However, some of the most effective guard rails are to list out types of content or communication that is not tolerated over company emails (i.e., offensive comments, cyberbullying, hate speech, pornography, gambling, disclosure of confidential information, etc).  
• Who owns the rights to emails sent/received? A company policy should declare any communication within company email is considered the property of the company, and go as far as to say the company has the right to monitor/access emails as needed. This protects company intellectual property, and ensures companies are covered if they need to audit email exchanges for any reason (related to business affairs or personnel issues).
• What is the employee responsible for? Here is your chance to lay out exactly what you expect of employees. Within your email policy, you should consider approaching the issue of email phishing and how to avoid it; where possible, require employees to complete a training course on email security. This is also the appropriate time to mention reasonable assumptions of confidentiality over email and the importance of including a standardized email signature that includes a confidentiality disclaimer.  
• What is expected of an employee on their personal email? While the prior points are specific to a company-owned email address, it’s also important for an email policy to address how an employee is expected to use their personal email when accessed on company internet or a company-owned device.
• How is the email policy enforced? Include how the company handles breaches of any policy terms. This may include penalties, a warning/strike system, suspension or termination. Consequences should be clearly outlined.

WHY EMAIL POLICY IS IGNORED

So much of our daily lives and interactions happen over the internet, and email is a key means of communication. It’s easy to get lost in the fast-paced nature of an email exchange without thinking about the consequences or how an interaction may make yourself, your company or your entire network vulnerable to a security breach.

Employees should receive and agree to the policy before they receive the login to their company email. Company leaders and stakeholders should revisit the email policy at least once per quarter to evaluate the policy for any outdated policy information or new vulnerabilities. TikTok is a great example; Employees may think signing up for TikTok with a company email is okay if they are using it for competitive research, yet your company/stakeholders may not want your company on the app at all, given the media and government attention around it.

Don’t let your email policy become something that’s distributed once and never again communicated. Hold employees responsible for understanding the ongoing commitment of your policy with frequent reminders, trainings as necessary, office hours/Q&As with IT, etc.

HOW TO PUT YOUR POLICY IN PLACE

Start by considering the different perspectives of the company and make sure they are able to voice their recommendations. This may include the CEO, founders, human resources, IT and the board of directors. Depending on the type of business you have, it may also involve some particular functions who use email in different ways (i.e., marketing team who may be signing up for demos or apps, sales team who may be using email as key points of communication with potential customers or clients, etc.)

Review your policies through the lens of security vulnerability, but also taking into account productivity. Be clear enough that nothing is left up to interpretation, but don’t be so strict that it takes away from employees’ ability to do their job.

If you’re interested in learning more about email policy or other cybersecurity topics, we’re standing by to help. We’re available for custom policy enforcement, as well as custom compliance modules.