3 Steps to Improved Email Security

Email is a business necessity, but it is also a significant cybersecurity risk. That means email security has become an increasingly important issue for all organizations.

The following steps will help your organization increase email security and protect your data, your employees, and your constituents.

1. Evaluate Your Process

The first step is understanding how your organization uses email.

What type of information is being communicated? Are you sending public information only, so there is no risk if the email is intercepted? Or are you transferring sensitive, confidential, or proprietary details about your clients, staff, or organization?

Depending on the answers to these questions, you may need to consider a process change.

All organizations should prohibit the use of email for transmitting sensitive information or conducting transactions. The risks posed by email are just too big. And a breach can have long-lasting reputational and financial repercussions, especially as new data privacy laws go into effect.

But what if a vendor, business partner, donor, client, or other constituent submits a sensitive request or confidential information via email? You already have the information, so what’s the harm in accepting it? A lot!

While this may seem inconvenient to the constituent and counterintuitive to you, you should decline the information or request sent through this unsecured method. Many organizations struggle with this fine balance between email security and convenience. However, by accepting the communication, you inadvertently convey that it is acceptable to transmit sensitive information in this manner.

Explain your process to the constituent and how it protects them. Most people appreciate your commitment to protecting their information and money and ultimately hold you accountable for doing so.

If you choose not to fully reject these unsecured requests, ensure you mitigate the risk by:

  • Educating the constituent about the dangers of unsecured email
  • Calling the constituent at the number on file to verify the request
  • Removing sensitive information from any reply emails
  • Providing the constituent with an alternate, more secure means for submitting the information or request in the future

2. Train Your End-Users on Email Security

To maintain a higher level of security, some controls must be a joint venture: between constituents and organizations, and between employees and employers. Like all joint ventures, an investment of time and patience is required. In this instance, the investment takes the form of ongoing training and awareness.

All constituents should be trained in appropriate email usage to help safeguard information. For clients, customers, or donors, this often comes in the form of providing a secure way to communicate sensitive information and requests and, as noted above, declining to accept information sent outside of these specifications.

For employees, it includes formal and ongoing training on:

  • How to identify and report suspicious or fraudulent emails and requests
  • The type of information your organization does and does not allow to be sent by email
  • The acceptable response to unsecured emails with sensitive data or requests
  • How to properly use any available encryption services or file transfer solutions

3. Secure Your Systems

In addition to training, you can also use automated and configurable controls to reduce the risk of compromise or impact if an incident or breach occurs in your email system.

  • Implement strong authentication controls. This includes stringent account lockout settings and multi-factor authentication (MFA). These controls reduce the likelihood and potential impact of an email account compromise if a user’s password is stolen or acquired through password guessing or brute force attacks. Restrictive lockout settings will limit the number of attempts to guess a password. MFA will enhance security at sign-in by requiring a specific PIN, code, or other authentication in addition to the user name and password. In the event of a user name and password compromise, this feature prohibits a hacker from successfully logging into the account. And the actual user will become aware of the compromise when they receive the login verification code or request.
  • Provide email encryption solutions. Email encryption secures email in transit. Some services provide one-way encryption, while others also allow for the encryption of responses to the original email. Keep in mind that there are multiple points at which an email can be compromised. For the most comprehensive security, email needs to be encrypted in the sender’s mailbox (and all devices it syncs with), during transmission to the sender’s mail server, during transmission to the receiver’s inbox, and in the receiver’s inbox. Depending on the service, the encryption process could require the sender to press a button or enter a specific word in the subject line of the email, or it could include automatic encryption based on certain criteria. Regardless of the configuration, it’s important to train employees on the correct steps to encrypt an email. Without training, the encryption service could become ineffective through lack of use. In addition, email attachments create a unique concern if the encryption service doesn’t detect sensitive information stored in the attached file. Therefore, it’s important to stipulate in training and configurable controls that attachments with sensitive details should also be properly secured before sending.
  • Configure data loss prevention (DLP) controls. Automated DLP measures are another way to add a layer of security. Many email services provide options for setting up filters and rules to prevent the loss or unsecured sending of sensitive data. Encryption services can often scan for specific types of information, such as account, Social Security, and credit card numbers. If this data is identified, the email may be automatically encrypted before being sent or may be flagged for further review. In addition, if override controls are available, you can often generate reports to see who is sending these emails and pinpoint repeat offenders who may need additional training.
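The DLP bullet above describes the mechanism in words: scan outgoing mail for account, Social Security, and credit card numbers, then encrypt, flag, or report. The following is an added example written for this page (it is not the authors' code and not any particular email service's DLP engine) showing what such a rule set looks like in practice. Everything in it is constructed: the message, the sender addresses, the account-number format (a label followed by 8 to 12 digits), and the policy itself, which encrypts any message with a hit in the subject or body and holds a message for review when the hit is inside an attachment, since the article points out that attachments are where scanners most often miss sensitive data.

```python
"""Toy outbound-email DLP scanner (added example; not from the article or any vendor).

Assumptions, all constructed for illustration:
  - messages are plain text with optional plain-text attachments (already extracted);
  - an "account number" is a label such as "Account #:" followed by 8-12 digits;
  - policy: any hit forces encryption; a hit inside an attachment is held for review.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str       # "ssn", "card" or "account"
    location: str   # "subject", "body" or "attachment:<name>"
    value: str      # matched text; use mask() before writing it to any report


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: dict[str, str]   # attachment name -> extracted text (constructed)


# US SSN in ###-##-#### form, excluding the area/group/serial values the SSA never issues.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# Candidate payment card: 13-19 digits with optional spaces/dashes; confirmed by Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Hypothetical internal account-number format: label, optional "no./number/#", 8-12 digits.
ACCOUNT_RE = re.compile(r"\b(?:acct|account)\s*(?:no\.?|number|#)?\s*[:#]?\s*(\d{8,12})\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str, location: str) -> list[Finding]:
    """Return every sensitive value found in one part of a message."""
    found = [Finding("ssn", location, m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.append(Finding("card", location, m.group()))
    found += [Finding("account", location, m.group(1)) for m in ACCOUNT_RE.finditer(text)]
    return found


def scan_message(msg: Message) -> list[Finding]:
    """Scan subject, body and every attachment; attachments are the part most DLP setups miss."""
    findings = scan_text(msg.subject, "subject") + scan_text(msg.body, "body")
    for name, text in msg.attachments.items():
        findings += scan_text(text, f"attachment:{name}")
    return findings


def decide(findings: list[Finding]) -> str:
    """Constructed policy: "send", "encrypt", or "hold-for-review" (attachment hit)."""
    if not findings:
        return "send"
    if any(f.location.startswith("attachment:") for f in findings):
        return "hold-for-review"
    return "encrypt"


def mask(value: str) -> str:
    """Keep only the last four digits so DLP reports do not themselves leak the data."""
    digits = [c for c in value if c.isdigit()]
    return "*" * (len(digits) - 4) + "".join(digits[-4:])


def repeat_offenders(override_senders: list[str], threshold: int = 2) -> list[str]:
    """Given the senders who overrode a DLP prompt, list those at or above the threshold."""
    counts = Counter(override_senders)
    return sorted(s for s, n in counts.items() if n >= threshold)


# Constructed sample: one valid test card number, one with a bad checksum, an account
# number in the body, and an SSN hidden in an attachment.
SAMPLE = Message(
    sender="alice@example.org",
    subject="Donor pledge form",
    body=("Hi, attaching Mr. Smith's pledge. Card on file is 4111 1111 1111 1111 "
          "(the old one 4111 1111 1111 1112 was cancelled). Reference Account #: 123456789012."),
    attachments={"pledge.txt": "Name: J. Smith\nSSN: 123-45-6789\nAmount: $500"},
)

if __name__ == "__main__":
    hits = scan_message(SAMPLE)
    for h in hits:
        print(f"{h.kind:8} {h.location:22} {mask(h.value)}")
    print("decision:", decide(hits))
```

The Luhn check is what keeps a rule like "any 16-digit run is a card number" from flagging order IDs and tracking numbers, and the masked report is what lets the "who keeps overriding" review happen without the report itself becoming a second copy of the sensitive data.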

Reducing Your Risk

Most of us rely on email every day, and it’s not going away any time soon. Implementing the controls outlined here will help strengthen your organization’s email security without negatively impacting productivity.

Authors: Allison Davis Ward, Partner and Kamilla Ben, Senior, CapinTech