Example of an Email Policy and Why It Is Important to Cyber-Security

In this article we will define an email policy, set out its potential positives and negatives, and explain how to implement an effective email policy within your business. Implementing an email policy for your employees can be an effective way to ensure good practice.

What is an internet and email policy?

Our definition of an email policy is: 

An email policy is a policy a business chooses to implement to ensure that employees use their email in a way that is aligned with the aims of the business. This means the policy will differ between organisations, but there are general terms which are standard for most organisations.

An email policy therefore helps ensure that employees are aware of their responsibilities when using email and of what they can and cannot do, and that these terms are agreed and signed. An employee can then be held accountable if these terms are violated.

"Should an email be sent that is not considered appropriate content according to the email policy, the employee, not the organisation, would bear the brunt of liability for any damages or suits brought as a result of their sending an inappropriate email."

Having a good email policy at work can also help cyber-security. Even if employees are familiar with email and you use a well-known email provider like Office 365, rules around the sending of confidential information mean that, if an email is compromised, the damage to the business will be less significant.

Pros and Cons of an Email Policy:

Pros:

  • Ensures the employee is accountable for their actions via email.
  • Safeguards the reputation of the company.
  • Protection from data breaches.
  • Ensures that there are clear guidelines for employees to follow.
  • In 2015, 43% of phishing campaigns were targeted at small businesses. Using an email policy will begin to help mitigate that risk.

Cons:

  • There is the potential for an email policy to seem overbearing or like 'micro-management'.
  • Could be seen as time-wasting, or as reducing productivity.
  • Some employees may feel it infringes on their ability to communicate freely.
  • Must ensure commitment to the policy from all employees.
  • May be hard to manage who is aware of the policy.

What should an email policy include?

As stated earlier, all companies and organisations are different, so no single email policy applies to all of them. However, there are a few standard things that should usually be included in any company-wide email policy.

Workable suggests that sections prohibiting each of the following behaviours should be included in all email policies:

  • Signing up for illegal, unreliable, disreputable or suspect websites and services.
  • Sending unauthorised marketing content or solicitation emails.
  • Registering for a competitor’s services unless authorised.
  • Sending insulting or discriminatory messages and content.
  • Intentionally spamming other people’s emails, including their coworkers.

What is inappropriate use of email in the workplace?

Any form of harassment or bullying over email should be included as a specifically inappropriate use of email in the workplace. 

Lawdonut lists the following as inappropriate use of email in the workplace:

  • sexist, racist or other offensive material;
  • defamatory material;
  • content that is protected by copyright;
  • links to inappropriate material.

There also need to be consequences for an email policy violation. These should be clearly stated to the employee so that they are aware of the punishments, especially if they are as severe as termination.

Appropriate use of email

It is also important to have email policy guidelines so that employees are aware of how they should, as well as how they shouldn't, be using email. Understanding general email etiquette is essential for most employees.

Email Security

  • Choose a strong password (current recommendation is 3 random words).
  • Never hand out your email password, even to colleagues.
  • Don't write down your password.

Avoiding Email Phishing

A good email policy could also help to avoid phishing emails by establishing rules around some of the telltale signs of phishing emails. Unfortunately, phishing is something that can't be avoided, and blaming the employee could do more harm than good. But laying out clearly what to avoid could help mitigate the risk to the company.

  • Do not click attachments or links in unsolicited emails, especially from an unknown person.
  • Report suspicious looking emails to the correct person (usually an IT manager) immediately.

Usecure's Email Policy Example: 

    1. All use of email must be compliant with the Company’s policies on ethical conduct and security of business data.
    2. All use of email must be in line with proper business practices and relevant to job duties.
    3. The Company’s email addresses or systems shall not be used for creating, distributing or accessing any offensive or illegal material, including but not limited to material with offensive comments about gender, race, age, sexual orientation or religious beliefs.
    4. Any offensive material received in email must be reported to the IT Department and Human Resources without undue delay.
    5. Usage of Company-owned email addresses and systems for personal use should be limited to minimal and incidental use.
    6. Commercial and business-related uses that are not part of the Company’s business, using Company-owned email addresses or systems, are prohibited.
    7. Email received to Company email addresses may not be automatically forwarded to email addresses not owned or operated by the Company.
    8. Individual email addresses forwarded to email addresses not owned or operated by the Company must not contain any sensitive or confidential information.
    9. The creation or forwarding of chain or joke letters from Company email addresses or systems is prohibited.
    10. The Company may monitor and record any and all email messages received or sent by email addresses or systems owned or operated by the Company.
    11. The Company does not necessarily monitor all email activity, but retains the right to do so.
