3 Tips for creating an effective email information security policy

March 19, 2020

Despite the popularity of social media and instant messaging, email remains an important communication tool for businesses. Unfortunately, its popularity also makes it an ideal platform for cybercrime.

Based on recent reports, 94% of all malware is delivered via email. Sometimes malware is delivered as a plain old attachment and sometimes it’s a deceptive link to a webpage that contains malware. But regardless of which strategy hackers choose, when you protect the company email, you protect the company’s future.

For small- to medium-sized businesses (SMBs), information is their most important asset, so protecting it is crucial. Information security (or infosec) is a set of practices intended to keep data secure from unauthorized access or alterations. It is made up of three basic components: confidentiality, integrity, and availability.

To create an email-specific infosec policy that addresses these three basic components, you need everyone in the company to be trained. This will ensure that your email communications are secure and that your employees are aware of the risks of a potential breach through human-factor mistakes, as well as the improper use of the internet and other dangerous activities.

Take a minute to learn about the three most common email threats and our recommendations for how to address them in an infosec policy:

Phishing and spear phishing

Phishing emails use psychological manipulation to trick recipients into divulging sensitive information, which can then be sold or exploited for nefarious purposes. Phishing typically includes an authentic-looking sender and a message to disguise malicious intent. If the message is convincing, users will click on malware attachments, links to fraudulent websites, or a combination of both.

Spear phishing is a more targeted version of phishing that employs highly customized content and information aimed at specific individuals. In these scenarios, fraudsters conduct extensive research on their victims to increase the believability of their emails.

Infosec tip: Cybercriminals and scammers alike use various social engineering tactics to pressure their targets into downloading files or giving out critical information. For example, fraudsters use scare tactics in fake emails that threaten to deactivate accounts if the recipient does not follow “instructions.” Because the employee is pressured, they succumb to the scammer’s lure. Train your employees on how to avoid phishing attacks by teaching them how phishing and spear phishing work.

You can also use simulation exercises to illustrate real-world scenarios. If your security software comes with these anti-phishing measures, consider sending fake phishing emails to your employees at least once per month to keep them on their toes.

Spam
Spam email continues to present a number of challenges to SMBs. What makes it so dangerous is that most people view it as a nuisance rather than what it really is: a malware-ridden danger. Like phishing emails, spam can also be designed to appear to come from legitimate sources like retail shops, which increases the likelihood of unwitting users downloading suspicious files.

Infosec tip: Network administrators should ensure that anti-spam filters — including policy management and threat detection level thresholds — are properly configured. If you already have email security solutions, make sure to utilize features like web reputation tracking and document exploit detection. These are designed to weed out targeted attacks before they reach users.

Business email compromise (BEC)

In this scam, hackers log in to a C-suite executive’s email account and send messages from it. BEC scams often take the form of cybercriminals asking employees to transfer funds to an account controlled by the cybercriminal.

BEC scams are popular among cybercriminals because they’re dead simple to execute and scammers don’t need advanced coding, technical skills, or complex malware. The FBI’s 2019 Internet Crime Report reveals that BEC scams were the most damaging and effective type of cybercrime last year.

Infosec tip: SMBs should use automated email security software. Familiarize your IT technicians, managers, and employees with common BEC indicators so everyone on your team is equipped to scrutinize email sources and the content of incoming and outgoing emails.
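As an added illustration of the BEC indicators described above (example code written for this post, not Graphus software): the script parses a raw email and flags a spoofed executive display name, a Reply-To that redirects answers outside the sender's domain, a lookalike sender domain, and fund-transfer pressure language. The company domain, the executive list, the keyword list and both sample messages are constructed assumptions.

```python
# Added example (not from the original post): flag common BEC indicators in a raw
# RFC 5322 message. Company domain, executive list and keywords are assumptions.
from email import message_from_string
from email.utils import parseaddr
import re

COMPANY_DOMAIN = "example.com"                      # assumed internal domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed display name -> real mailbox
URGENCY = re.compile(r"\b(urgent|wire transfer|immediately|confidential|gift cards?)\b", re.I)

def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def bec_indicators(raw: str) -> list[str]:
    """Return human-readable BEC indicators found in one email message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    found = []
    # 1. Display name of a known executive, but sent from a different mailbox.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        found.append(f"display name '{name}' does not match {real}")
    # 2. Reply-To points somewhere other than the sender's domain: replies leave the company.
    if reply_to and _domain(reply_to) != _domain(addr):
        found.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {_domain(addr)}")
    # 3. Lookalike domain: contains the company name but is not the real company domain.
    d = _domain(addr)
    if d != COMPANY_DOMAIN and COMPANY_DOMAIN.split(".")[0] in d:
        found.append(f"lookalike sender domain {d}")
    # 4. Pressure language typical of fraudulent fund-transfer requests (body only).
    body = msg.get_payload(decode=True) or b""
    hits = sorted({m.lower() for m in URGENCY.findall(body.decode("utf-8", "replace"))})
    if hits:
        found.append("pressure language: " + ", ".join(hits))
    return found

# Constructed sample messages (not real mail); .invalid is a reserved TLD.
SUSPICIOUS = """From: Jane Doe <jane.doe@example-payments.invalid>
Reply-To: jane.doe@freemail.invalid
Subject: Urgent request
Content-Type: text/plain

Please process a wire transfer immediately and keep this confidential.
"""
BENIGN = """From: Jane Doe <jane.doe@example.com>
Subject: Lunch
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, "->", bec_indicators(sample) or "no indicators")
```

Header checks alone are not proof of fraud; the output is meant to feed a triage queue or training discussion, and a legitimate message can still trip the keyword rule.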

A robust and effective infosec policy for your company’s email is a necessity. It is your responsibility to protect your clients’ and employees’ sensitive information. The Graphus app allows you to communicate with confidence, knowing that your inboxes are safe from cyberattacks and social engineering scams. Call us today to get started.
