usecure Blog

Example of an email policy and why it is important to cyber security

Written by Elliot Bolland | 9 September 2020 12:36

Introduction

In this article, we will define an email policy, outline its potential positives and negatives, and explain how to implement an effective email policy within your business. Implementing an email policy for your employees can be an effective way to ensure good practice.

What is an internet and email policy?

Our definition of an email policy is: 

An email policy is a policy a business will choose to implement in order to ensure that employees use their email in a way that is aligned with the aim of the business. This means the policy will change for different organisations, but there are general terms which are usually standard for most organisations. 

An email policy therefore helps ensure that employees are aware of their responsibilities when using email and of what they can and cannot do, and that these terms are agreed upon and signed. As a result, an employee can be held accountable if these terms are violated.

"Should an email be sent that is not considered appropriate content according to the email policy, the employee, not the organisation, would bear the brunt of liability for any damages or suits brought as a result of their sending an inappropriate email."

Having a good email policy at work can also help cyber security. Even if employees are familiar with email and you use a well-known email provider like Office 365, rules around the sending of confidential information mean that, if an email is compromised, the damage to the business will be less significant.

Pros and cons of an email policy:

| Pros | Cons |
| --- | --- |
| Ensures the employee is accountable for their actions via email. | There is the potential for an email policy to seem overbearing or 'micro-management'. |
| Safeguards the reputation of the company. | Could be seen as time-wasting or reducing productivity. |
| Protection from data breaches. | Some employees may feel it infringes on their ability to communicate freely. |
| Ensure that there are clear guidelines for employees to follow. | Must ensure commitment to the policy from all employees. |
| In 2015, 43% of phishing campaigns were targeted at small businesses. Using an email policy will begin to help to mitigate that risk. | May be hard to manage who is aware of the policy. |

What should an email policy include?

As stated earlier, all companies and organisations are different and therefore there is no one email policy that applies to all. However, there are a few standard things that should usually be included in any company-wide email policy.

Workable suggests that sections prohibiting each of the following behaviours should be included in all email policies:

  • Signing up for illegal, unreliable, disreputable or suspect websites and services.
  • Sending unauthorised marketing content or solicitation emails.
  • Registering for a competitor’s services unless authorised.
  • Sending insulting or discriminatory messages and content.
  • Intentionally spamming other people’s emails, including their coworkers.

What is the inappropriate use of email in the workplace?

Any form of harassment or bullying over emails should be included as a specifically inappropriate use of email in the workplace. 

Lawdonut lists the following as inappropriate use of email in the workplace:

  • sexist, racist or other offensive material;
  • defamatory material;
  • content that is protected by copyright;
  • links to inappropriate material.

There also need to be consequences for an email policy violation. These should be clearly stated to employees so that they are aware of the punishments, especially if they are as severe as termination.

The appropriate use of emails

It is also important to have email policy guidelines so that employees are aware of how they should, as well as how they shouldn't, be using email. Understanding general email etiquette is essential for most employees.

Email Security

  • Choose a strong password (the current recommendation is 3 random words).
  • Never hand out your email password, even to colleagues.
  • Don't write down your password.

Avoiding email phishing

A good email policy could also help to avoid phishing emails by establishing rules that steer employees away from some of the telltale signs of phishing emails. Unfortunately, phishing is something that can't be avoided, and blaming the employee could do more harm than good. But laying out clearly what to avoid could help mitigate the risk to the company.

  • Do not click attachments or links in unsolicited emails, especially from an unknown person.
  • Report suspicious-looking emails to the correct person (usually an IT manager) immediately.

usecure's email policy examples: 

    1. All use of email must be compliant with the Company’s policies on ethical conduct and the security of business data.
    2. All use of email must be in line with proper business practices and relevant to job duties.
    3. The Company’s email addresses or systems shall not be used for creating, distributing or accessing any offensive or illegal material, including but not limited to material with offensive comments about gender, race, age, sexual orientation or religious beliefs.
    4. Any offensive material received by email must be reported to the IT Department and Human Resources without undue delay.
    5. Usage of Company-owned email addresses and systems for personal use should be limited to minimal and incidental use.
    6. Commercial and business-related use of Company-owned email addresses or systems that is not part of the Company’s business is prohibited.
    7. Email received to Company email addresses may not be automatically forwarded to email addresses not owned or operated by the Company.
    8. Individual emails forwarded to email addresses not owned or operated by the Company must not contain any sensitive or confidential information.
    9. The creation or forwarding of chain or joke letters from Company email addresses or systems is prohibited.
    10. The Company may monitor and record any and all email messages received or sent by email addresses or systems owned or operated by the Company.
    11. The Company does not necessarily monitor all email activity but retains the right to do so.
