Twenty-five years ago, when discussing email security, the response to this question would have been much simpler, probably something along the lines of “Wow, you use email?”
When you Google that question, you will find many solutions and products to peruse. And if you take all of them at face value, you’ll be spending the next several years trying to implement them. So the best approach is to take a step back and ponder the sometimes annoying, but appropriate, answer to that question: “it depends.” Although this isn’t always what you want to hear, it’s very applicable to the broad spectrum of technologies that make up today’s email environments.
We’d all like to take a beginning-to-end, all-inclusive, don’t-leave-anything-out and no-budget approach to this problem, but that’s not always a reality. So I’d like to approach this in a realistic, budget-friendly, regulation-aware and business-aligned manner. The items discussed below are what I consider the bare minimum topics that should be addressed before implementing a solution.
Disclaimer – email is just a part of the overall security equation when it comes to protecting your company and its information. A comprehensive security plan that takes all facets of your IT and business process environment into consideration is always recommended.
Where Do I Start?
It would be impossible to propose a solution in a blog article that would work for everyone, but here are five critical activities you should undertake to get you started on the right path:
- Get help – it’s important to leverage the benefits of a trusted advisor who understands your business and can help navigate the requirements and solutions. An experienced and knowledgeable advisor will make sure you consider all of the aspects of email security, including encryption, patching, logging, DNS records, large file transfer and more. More information is available on RSM’s Security and Privacy Rapid Assessment®.
- Define “safe.” Does “safe” mean that access to email must meet availability requirements, or does “safe” simply mean that email must be free from any harmful content? Your definition of “safe” can change the scope of your discussion very quickly.
- Define the requirements. This seems like a basic task, but it can drastically impact the scope of your solution. There may be regulations or compliance requirements that you must adhere to in order to pass the exams and reviews required by a regulating body, or even a board. You may have company policies that dictate requirements, such as a policy that email must be available 99.9% of the time, or that an email outage cannot extend beyond 4 hours. It is also important to consider what competitors in your field are doing. You will find that vendors and clients may prefer working with an organization that has a more mature email security policy.
- Protect your perimeter. This used to be one of the only things you really needed to worry about with regard to protecting your environment. Today, there are many other areas of your network that require protection, but the perimeter is still one of the most critical points in your network. This can be done with firewalls, email security appliances or cloud services.
- Train your employees. There will always be new ways in which attackers can compromise your environment using email phishing and social engineering. Keeping your employees informed of safe email habits will drastically improve your security posture.
If you would like to learn how we can help your technology team be more effective for the organization, please visit our website. You can also contact RSM’s technology and management consulting professionals at 800.274.3978 or email us.