This document will outline the fundamentals to include in your own company policy and how to implement it.
1. Permitted Usage
Employees should use company email for business, however:
- You cannot prevent them from receiving personal emails
- It is realistic to allow some personal email communication, specifically for employees who use their email for work outside of normal hours.
To limit personal use, you may:
- Ban excessive personal use of email
- Ban illegal or inappropriate content (offensive jokes and humour is a problem)
- Ban engaging in illegal activities
- Not allow the encryption of personal emails
- No-one else whatsoever should have access to their email account
For example, you may have a staff member that is using their company email to harass someone which is a clear violation of your email policy and they need to be reprimanded. A good idea is to encourage users to separate their personal email and business email into folders so that personal email does not get the way of productivity.
You should also state what devices employees may have their email on. For example, would you like them to have their email on their smartphone?
2. Mobile devices
Most employees now send and receive email on their mobile device. In general, the same email guidelines should be applied to mobile email communication. Employees may get upset if you prevent personal email communication if they use their cell phone for email.
The biggest issue with Mobile devices is security.
- Even though they are personal devices, if employees are accessing their professional email on them, they can put the company at risk. Ask staff to password protect their phones as well as their email app on their phone.
- Set up a function that allows you to remotely wipe any email data if a staff members phone is stolen or lost.
- Use an email service such as Office 365 or Google to make sure email syncs across all devices so that if something happens, no important information is lost.
Think about work-life balance.
- Using smartphones for emails gives employees the opportunity to check email at all hours.
- You need to make it clear that just because staff want their email on their phone does not mean they are expected to respond out of working hours.
Many people already know how to write professional emails; however, your email policy should include the tone you expect them to use. The tone of most emails falls between the informality of a phone conversation and the formality of a letter. Keep in mind that a very formal style may seem tedious to staff used to quick, brief email responses.
Some industries and nationalities have their own standards.
- Short emails can appear blunt.
- Typing in capitals sometimes comes across as shouting
- Formal communication should always be used with confidential, important documents and emailing someone for the first time.
Email signatures with vital company contact details and disclaimers should be on all emails from all staff.
You may also need to specify what content is prohibited, such as:
- Sexist, racist or any other offensive material
- Defamatory information and harassment
- Content that is protected by copyright
- Links, images or videos containing inappropriate content
4. Sending Emails
Staff should only use their own password protected email accounts.
- Passwords must be monitored and controlled
- It’s best practice to change passwords every 3 months
- Passwords should also follow strict security standards, therefore, they need to include a mix of uppercase and lowercase letters, numbers and special characters.
All email should be backed up and used for communication that needs to be recorded.
You should establish a standard for outgoing email communication.
- Set what font, size and colour should be used
- Consider putting a limit on the size of attachments. The person you are sending attachments to may not have the capability that you have inside your organisation. Most email servers can hand 15MB files. It is polite to send large files using a service such as DropBox.
You need rules for handling confidential information.
- Make sure employees know that most emails are sent in plain text so they can be read online
- For security reasons, you may want to prohibit information such as customer lists and new product information being sent via email
- If email is your primary communication tool, you should specify what information needs to be sent using encrypted email. Cloud platforms such as Office365 have this already.
Sending too many emails can lead to information overload. Excessive email, particularly within the company, can lead to emails not being taking seriously and disregarded. Set rules to avoid this.
- Implement that important emails that include tasks and responses that influence work are marked as urgent.
- Staff should not send an email if it can be handled in person. You also can utilize an instant messaging platform in the business such as Skype or Google Hangouts.
- Before sending an email to All Staff or a large number of people, staff must check if all parties involved need to receive the mail.
- The “reply all” feature is another common problem; some companies actually do not allow staff to use it in group emails. You need to set guidelines on when it can be used.
You will need to outline a policy on storing of email communication.
- The system you are using may back emails up automatically
- These emails must be protected from any editing or deletion
- Back-up email data every day
- Employees need to be informed on the period you keep emails backed up and that the emails are stored even though they have deleted them.
- You must tell employees how you monitor emails.
5. Receiving Emails
You need to establish who receives emails.
- Generally, staff receive emails addressed to them and only read those
- However, you will need to create rules on who will handle generic emails addresses such as firstname.lastname@example.org. You must set up your email system so that the correct person is receiving these emails.
- Your email policy also needs to cover how emails are handled when staff are on leave.
Set out security procedures so that viruses and other threats can be dealt with
- Employees must be informed of and follow the procedure that you set out for attachments
- Educate your staff on the threats of phishing. Make sure they are up to date on the latest phishing techniques.
Set out guideline of when it is appropriate to respond to emails.
- You will need to specify that some emails – such as customer enquiries or requests from management – need to be attended to within 24 hours.
- Depending on the industry, within 2 hours or faster may be appropriate.
- You can get email software that can help filter and prioritise emails.
You need to set out rules about how email is handled if an employee is absent or leaves the company
- Often, it’s best and easiest to set up and auto-responder that details that the employee is not in the office and who to rather contact.
- If you need another staff member to track said absentee’s emails, you must make sure that personal emails are handled appropriately.
Explain how disapproving emails should be dealt with
- Employees need to tell friends and other contacts not to send inappropriate emails to their work address such as chain letters or enquiries from recruiters.
- Junk and spam should be immediately deleted. It’s a bad idea to reply to spam as it lets the spammer know that they have sent to a live address.
You need to set a policy on how you store emails (see point 4)
6. Viruses and Phishing
Emails are the main way hackers can get into your network and 90% of ransomware attacks happen because a staff member clicked on a malicious email.
A central mail server and cloud mail normally comes with protection provided by your IT service provider. However, hacks are getting more advanced and getting through even the strongest software. Ensure your email policy deals with the handling of suspicious emails.
- Delete attachments from unknown senders unless you are expecting something from a new contact.
- Be careful with certain file types
- Some files are more likely to carry viruses, such as: .vbs, .js, .exe, .bar, .cmd or .lnk.
- Compressed files (.zip, .arc or .cab) may also contain viruses.
- Staff should contact their IT provider if they are unsure.
- The IT provider also must be informed every time a suspicious mail is received, or the system is suspected to be infected.
- Staff must be trained on phishing emails
- Make them aware that criminals easily target them in spear phishing attempts.
7. Monitoring Email
There are laws protecting your staff on how you can monitor their emails. Your policy should include a clause on how you monitor emails. This should also be included in employment contracts. The latter is the better route as it means you don’t need to get consent every time you perform checks.
If you use monitoring software, staff need to be made aware.
Explain why you need to read and monitor emails. You may need to inspect emails for business purposes such as:
- Having access to important business transactions and communications
- Ensuring staff are complying with the law and internal rules
- Preventing abuse
- Checking emails when employees are on leave
If you wish to monitor email for other reasons such as marketing, you will need consent from the sender and recipient.
Your employees are entitled to their privacy at work. If you suspect that an employee is abusing your telecoms system by spending more time on personal emails, make sure they are informed that their mail is monitored and they know about the limit on personal use of mail. Avoid reading the actual content of personal emails if you must monitor the employee’s mail.
- Ask employees what they would include in the email policy
- Make sure you consult your lawyer and IT consultant, especially with issues of data protection and privacy.
- The policy needs to be accessible to everyone
- Employees must sign a copy to say they’ve received it
- Include the policy in staff contracts
- Make sure managers know the policy
- Provide a point of contact for anyone who has queries
- Install email monitoring software such as SolarWinds or ESET. You get various software that:
- Monitors traffic
- Filters traffic
- Auto-replies for when staff are out of office (such as Microsoft Office365)
- Anti-virus and phishing software
- Provide training if needed. Dial a Nerd can train your staff in the effective use of email software.
- Apply the policy
- Make someone, such as a network administrator, responsible for enforcing the policy. A CEO or director should take full control of the policy.
- In order for the policy to be effective in protecting your data, you must apply it across the board from management to reception.
- All exceptions need to be stated in the policy.
- You must have an appropriate disciplinary process in place from staff that are in breach of the policy.
- Revise the policy if need be
The policy only provides protection if it is properly implemented and applied.
Dial a Nerd can assist you with deploying an email policy. Office365 rollouts, cloud back-ups and even monitoring. Our newly phishing test allows you to test your staff on their willingness to click on phishing scams as they are the most vulnerable to attacks.