
    Why Your Organization Should Have an Email Security Policy

    Key Points

    • Email is the No. 1 cybersecurity threat vector.
    • Organizations should have an email security policy to protect against data loss, downtime, regulatory fines and reputational damage.
    • Your email security policy should not exist in a vacuum; it should feed into a holistic cybersecurity strategy.


    More and more businesspeople are using collaboration platforms such as Slack, Google Workspace and Microsoft Teams, but email is not going anywhere — not by a long shot. About 306.4 billion emails were sent and received each day in 2020, and that figure is expected to increase to over 376.4 billion daily emails by 2025.[i]

    All those emails combined represent one very big target for attackers, which is why organizations must have an email security policy in place. Another reason email is such a significant threat vector: people. While there are many technology solutions available for combating email threats, it takes only one employee to respond to one carefully crafted phishing email to wreak financial, reputational and regulatory havoc.

    In 2020, email continued to be the most popular attack vector identified in Mimecast’s annual State of Email Security report.[ii] It’s used to infect organizations in three critical zones: at the perimeter of your network (where malware, viruses and impersonation need to be blocked), inside the perimeter (where these can spread if not blocked) and beyond the perimeter (where your brands and domains can be spoofed to defraud customers and partners).

    What’s more, “cyber threat actors and threat groups are continuously researching and testing out new tactics, techniques and procedures,” the report said. All of which has led 60% of IT decision-makers surveyed for the report to believe that it’s inevitable or likely that they will suffer from an email-borne attack in the coming year.

    Those attacks will come at great cost. The FBI has declared business email compromise to be “one of the most financially damaging online crimes. … It exploits the fact that so many of us rely on email to conduct business — both personal and professional.”[iii]

    Reasons Your Company Needs an Email Security Policy

    An email security policy is an official document that describes how the corporate email system should and should not be used. Email security policies are important for encouraging positive and productive communications, while also protecting the company from liability, data loss, downtime, reputational and brand damage, and more.

    What Is Included in an Email Security Policy?

    The exact wording and content of an email security policy will depend on a variety of factors, including company size, industry and the type of data the company stores (for example, health-related information, personally identifiable information and credit card information). However, there are some general guidelines for what should be included in email security policies.

    • A statement that the company owns any communications within the corporate email system
    • Explanation of what employees are responsible for, including applying the lessons learned during security awareness training (such as recognizing and reporting emails that may be phishing schemes)
    • How — and to whom — to report suspicious and/or offensive email communications
    • How employees can and cannot use company email — for example, an email security policy forbidding employees from using business email for personal use
    • Specific content that will never be tolerated in business email communications, such as offensive language, racist comments, cyberbullying, disclosure of confidential information, and the sending of passwords or other credentials
    • Specific types/sizes of content that are and are not acceptable (such as ZIP files or very large attachments)
    • Information on how and how often email security policies will be updated
    • Information on how and how long emails will be retained
    • Specific consequences for not adhering to the guidelines provided in the email security policy

    How to Create an Effective Email Security Policy

    There are two different mindsets when creating an email security policy, said Joshua Douglas, vice president of threat intelligence at Mimecast. Some organizations develop a policy based on the technology and processes a company has. However, the more effective approach is to develop a policy based on the protections the company needs. “You should be taking account of how the security of the company is going to be established and what is needed to make that happen,” said Douglas.

    Then, organizations must begin what can be the daunting task of developing the email security policy. Fortunately, they do not have to start completely from scratch. Companies can use one of many available templates.

    The SANS Institute, for example, publishes templates for email policy and email retention policy,[iv] as do others.[v] Industry associations also provide sector-specific templates. Organizations can build on these templates to write their own policy based on their own requirements, including regulatory compliance.

    It’s important to ensure that all stakeholders are represented in the development of an email security policy. “You need several people at the table,” said Mimecast’s Douglas, including business managers and the human resources and legal departments. “If your company is more mature, and has a CIO or a CISO, they will absolutely be the ones running point on all this.”

    Douglas noted that one department is often forgotten during the process of developing an email security policy: marketing. Bringing in this group is important because marketing professionals can address the requirements, issues and concerns around the email used for customer engagement, such as newsletters and other marketing campaigns.

    Finally, an email security policy should feed into a holistic security strategy. “When you think about email security, you should really extend it out past email,” said Douglas. “Email is the No. 1 attack vector, but you should think about the core things that you want to protect from an overall collaboration standpoint,” he said, which brings Slack, Microsoft Teams and other platforms back into the picture. “Companies must consider how they will actually map and marry those things together.”

    The Bottom Line

    Email is cyber criminals’ method of choice for entering business networks and stealing from them. Email is also most organizations’ primary means of communications. This yin and yang of email makes it imperative for organizations to maintain

    [i] “Number of Emails per Day Worldwide 2017-2025,” Statista

    [ii] “State of Email Security 2020,” Mimecast

    [iii] “Business Email Compromise,” FBI

    [iv] “Security Policy Templates,” SANS

    [v] “Email Security Policy,” Crowley

