Email Security Best Practices [Tools + Tips]

Submitted by Chris Gaines on Thu, 04/14/22 - 03:16 PM

Email Security Awareness

Some of us are kids of the 80s and 90s, which means if we hear someone say "did I do that?" this guy almost immediately comes to mind. 

[Image: Steve Urkel]

No one wants to be the one who thinks or says that when their company's network goes down because of a ransomware attack. With that in mind, here are some "best practices" to not only employ, but share with staff and co-workers to avoid those messy (and often expensive) attacks and/or crashes.

Not a lot of time? Skip to see what you need:

Password Do's and Don'ts

Awareness as a tool

Other 'Best Practices'

Can Managed IT Services Help?

Password Do's and Don'ts

The confounding thing about passwords is you want them to be easy enough that you remember them, but also not so easy for others to figure out. That can be a tightrope walk, right?

What are the things you'll recall most? Your hometown, your parents', pets' and/or kids' names, your birthdate, your alma mater, favorite sports team(s), the street you grew up on, maybe even your childhood phone number. Hackers (and programs designed to hack) are also aware that those are the go-to password roots.

Here's a reality check I'd like you to do for yourself:

Visit (a free site) and type in your childhood phone number in the "reverse phone" tab and see if your name comes up. Did for me, and I haven't been associated with that phone number for more than thirty years!

Whether or not that little test works on you depends on a variety of factors, but you can use that site to self-check your background using phone numbers, addresses, your name and the names of family members, roommates, spouse(s), and so on.

Throw in your social media activity (maybe consider altering your privacy settings there, too), and anyone who wants to figure out your password(s) likely can, given enough time. 

"Strong" vs. "Complex"

Before you go concocting a complex password, though, or asking your employees to, remember that the more complex the password is, the more likely you and your staffers are to write it down somewhere, store it in a document, or keep it in some other insecure file on a computer.

Current National Institute of Standards and Technology (NIST) standards instead recommend creating "pass phrases," such as "CHIckenSMAkeLOUsyHOUsePETs," as opposed to - for instance - a geographic location with symbols or numbers replacing letters (think: C@l1f0rn1@). I compared the most common password I've used in recent years to the example I just gave, and the difference was stark: according to's "How To Secure My Password" feature, it would take a computer 3 days to hack my most common password and 3 hundred septillion years to crack the phrase I just cited as an example.

I appear to have some password updating to do.

P.S., NIST also recommends against requiring special characters in passwords, and definitely against repeating special characters. 
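To make the "strong vs. complex" point concrete, here is an added example (not code from the original post) of a password check written along the lines the post attributes to NIST: judge by length, screen against a list of known-bad passwords, and don't force special characters. It also estimates the brute-force search space of the two passwords quoted above. The `COMMON_PASSWORDS` list and the `LEET_MAP` substitution table are constructed for the example; a real deployment would screen against a large breached-password corpus.

```python
import math
import string

# Constructed stand-in for a breached/common-password list (assumption: a real
# deployment would screen against a large corpus such as a breach-data feed).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome1", "california",
}

# Look-alike substitutions that "complex" passwords commonly rely on
# (constructed table; undoing them shows the underlying dictionary word).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "1": "i", "!": "i", "0": "o",
                          "3": "e", "$": "s", "5": "s", "7": "t"})


def nist_style_check(password: str, min_len: int = 8, max_len: int = 64) -> list:
    """Return a list of policy problems; an empty list means the password passes.

    Follows the direction the post attributes to NIST: judge by length and by
    screening against known-bad values, with no composition rule that forces
    special characters. Spaces and any printable character are allowed.
    """
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(password) > max_len:
        problems.append(f"longer than {max_len} characters")
    if len(set(password)) <= 1:
        problems.append("a single repeated character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common/breached password list")
    elif password.lower().translate(LEET_MAP) in COMMON_PASSWORDS:
        problems.append("a common word with letters swapped for look-alike symbols")
    return problems


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, given the character
    classes actually present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII symbols
    if " " in password:
        size += 1
    return size


def search_space_bits(password: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet size).
    A rough estimate that assumes the attacker knows which character classes
    are in use; length dominates, which is the post's point."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    for candidate in ("C@l1f0rn1@", "CHIckenSMAkeLOUsyHOUsePETs"):
        print(candidate, nist_style_check(candidate) or "ok",
              f"{search_space_bits(candidate):.1f} bits")
```

Run as a script, the leet-speak password is rejected because undoing the substitutions yields a word on the blocklist, while the passphrase passes and has a search space more than twice as large in bits despite using only letters.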

What's the frequency?

There's quite a debate about how often employees should be encouraged or required to change their password. I once worked for a company that required it every 90 days and - frankly - after a few cycles, I got lazy about it. Turns out, according to NIST, I wasn't alone; they now recommend against forcing periodic password changes.

That seems "wrong," though, doesn't it? Well, again, opinions vary, but perhaps using bi-annual or annual dates of significance makes more sense. The Monday after time changes (if your state's still doing that), as an example. Do, however, mandate password change(s) after a suspected compromise. 

'Multi-factor' it

According to Microsoft, it's what can prevent 99.9% of account compromises: multi-factor authentication (MFA). So what is that?

MFA is an authentication method that requires more than one (hence "multiple") verification factor to access an account. Examples include:

+ One-time passcodes (OTPs) - 4-to-8 digit passcodes usually delivered via SMS/text or mobile app

+ Inherence factors - think: fingerprint or voice recognition. If you fly often, your retina may be used by a scanner. Each is unique to an individual.

+ Possessions - like badges, fobs, smart cards or smartphones (via apps) 

You can really go down a rabbit hole here: location (think: IP addresses), the device(s) used, even the time of day. You can dig deeper into your MFA options via Microsoft here.

Awareness as a tool 

Phishing and ransomware attacks occur all the time, and while you don't want to send your employees (or yourself) into 'cyberphobia,' it's important to educate them on how to remain vigilant.

Consider 'phishing awareness training' to make sure you and your staff are aware of all the rudimentary (and then latest) ways hackers are trying to infiltrate networks by tricking a user with email attachments or disguised links to sites primed to trigger an attack. 

Sure, you could rely on Google or just share news stories with your co-worker(s), but your best bet is to farm this training out to professionals, either in person or online.

In many cases, in addition to being educated on the various tactics hackers use, your employee(s) can be tested - openly and/or covertly - to see how sharp they are at defending your network and their inbox. Constant phishing education is the best way to minimize security breaches.

Other 'best practices' 

+ Don't mix business and personal. By that we mean don't use your personal email to do business with, and don't use your business email to handle personal tasks. Additionally, ensure your employees understand the dangers of using their work laptops for non-business purposes on their (less-secured) home networks, and set up a VPN for when they do use them.

+ Don't use public Wi-Fi. Open connections are like standing water and mosquitoes. Savvy hackers using the same Wi-Fi can access email and passwords.

+ Talk to your IT pro(s) about email security and protocols. First, if you don't have an IT person/people, consider hiring one or outsourcing the task (more on that in a minute). If you do have someone on staff, ask them what protocols and security options they're employing to keep spam and malware from even reaching inboxes.

Can Managed IT Services Help?

The short answer is "of course." If you don't have the ability to fund an IT staff of your own or have a dedicated, full-time IT manager, outsourcing your Managed IT services could be precisely what your business needs.

Having comprehensive, round-the-clock protection and resources at efficient pricing can provide you the peace of mind in knowing that you and your staff will be better-prepared for potential email targeting. Better still, if someone on your staff does get fooled, you'll have a staff of IT professionals ready to help mitigate the damage and restore your data and operational capacity swiftly.

Managed IT can develop the comprehensive training to have you and your staff up-to-date on the latest email schemes and can help you create password policies and role-based security best suited for your business. A Managed IT Service provider will also be first-to-know about needed software updates and security patch installs. 
