Email: Best Practices

In Brief

Email is one of the primary forms of private and professional communication. It is a user-friendly, fast, and inexpensive tool. Despite its advantages, there are still some precautions to be taken into consideration when both sending and receiving messages.

While it is true that sending company emails internally does not carry the same risk of interception when the company has its internal mail server, it is nevertheless important to remember that the information sent is not just saved on the company’s secure server. It can also be found in the sender and recipient’s mailboxes. Most of the time, these computers are both physically and logically significantly less well protected than the servers – and are, therefore, more vulnerable to attack – while containing, in some cases, the same information with the same classification levels as the servers.

Therefore, emails sent within the company are often the source of inappropriate broadcast or distribution of confidential information. This information would be more secure if it were stored in a single, protected environment, with information that could be reached according to the right classification level.

The problem with loss of information is also made worse by the use of laptop computers within the company.

For the company’s security, it is also important to set up, amongst other things, specific disposal procedures for IT equipment.

Risks Related to Sending Emails

• Loss of confidentiality as a result of
  • sending confidential information by email (interception or social engineering);
  • sending confidential information to a wrong recipient;
  • adding new recipients to a discussion that previously contained confidential information;
  • a recipient in the same company forwarding emails to an external mailbox to receive ‘push’ notifications on their smartphones;
  • logging into their mailboxes without SSL;
  • the email server being compromised externally or internally (bad protection, bad configuration, weak administrator password, etc.);
  • the malicious extraction of confidential data by an employee;
  • the malicious extraction of confidential data from a badly protected workstation (physical security, access security, weak password or password that is visible on or near the workstation);
  • the theft of a computer with an email account;
  • the theft of an email server;
  • not following the data classification instructions;
• Loss of integrity due to multiple versions of a document distributed through multiple company mailboxes.

Risks Related to Receiving Emails

• Risk of loss of confidentiality, integrity or availability as a result of
  • infection by malicious software through linked files;
  • infection by malicious software through links provided in emails;
• Risk of loss of confidentiality due to being tricked into disclosing confidential information by social engineering techniques;
• Risk of loss of availability:
  • due to the presence of spam;
  • due to hoaxes.

Behavioural Measures

• Make sure you do not reveal any confidential information when replying to emails. Check the legitimacy of the request and be careful not to divulge too much information when you respond;
• The majority of emails containing attachments are follow-ups to previous discussions, meaning that they fall within a special context in which the addition of attachments is to be expected. If this is not the case, be very careful when you receive an email with an attachment, as this attachment may contain malicious codes;
• Ill-intentioned people often try to exploit human vulnerability, such as curiosity, pity, fear, the lure of rewards, or even libido. If you receive an email that alludes to any of these things, it is very likely a malicious email;
  • There are many types of malicious emails, including hoaxes, phishing emails, spear phishing emails (a highly targeted type of phishing), Nigerian scams, malicious codes, and spam;
• Check if the email resembles those you have previously received from the supposed sender. The language used, way of writing, spelling, style, etc. may all be clues. If something seems odd, it is probably a malicious email;
• Never click on links in emails when you do not know the sender, or in particular, if there are signs the email may be malicious, as it could be a phishing email or a link towards a fake website;
• Never answer to suspicious emails. By answering, you are confirming to the sender that the email address is valid and active.

Organisational Practices

• Staff training in the classification of data and associated rules;
• Staff training in risks related to social engineering;
• Try to eliminate any procedures involving attachments;
• If opening attachments is necessary:
  • wait four days before opening attachments. Waiting this long gives the antivirus a chance to detect malicious codes. A minimum of three to four days is necessary to detect a new virus when it first appears and add it to the signature database for the corresponding antiviruses.
• Equip PCs used to open attachments with a less common operating system that is therefore subject to fewer attacks, e.g. ‘Linux’;
• Call the person who sent you a suspicious email and ask them if they did indeed send it. Tell them why you thought the email was suspicious;
• Avoid opening emails on critical assets or those which have access to critical assets, such as confidential information or indispensable assets.

Applicable Sectoral Policies

Draw up and enforce the following sectoral policies:

• Classification and monitoring of resources
  • Classification of and responsibility for resources
• Human factors
  • Training and information
• Operational and communications aspects
  • Protection against malware
  • Email
• Access control
  • Use of external networks
  • External connections
  • Separation of networks
  • Login procedure
• Development and maintenance of systems
  • Use of encryption
  • Electronic signatures
• Management of security incidents
  • Reporting information security events
• Compliance
  • Intellectual property
  • Protection of operational data
  • Personal data protection

Technical Measures

• Make sure your antivirus software is always up to date. Normally, updates are downloaded automatically;
• Do not use the same antivirus software on both the email server and on the workstations. This increases the likelihood of discovering malicious software. No antivirus detects more than 80% of existing malicious codes;
• Do not work at a workstation when logged on in administrator mode. Malicious codes run on these workstations will inherit your rights and will, therefore, be able to access and install programs on all of the computer’s accounts;
• Activate the spam filter in your email software;
• Encrypt the content of your laptop computers;
• Dutifully adhere to the equipment disposal instructions, both for servers and for computers and GSM;
• Use strong authentication tools for your webmail solutions (OTP, LuxTrust);
• Only use secure SSL log-ins for your webmail solutions.