Four Easy Steps to Email Compliance

Clear and simple guidance for managing your email infrastructure

While alternate forms of communication like Teams, Skype for Business, Slack, and other options grow in popularity, email is still a huge part of many organizations, and it falls on IT managers and chief information officers to ensure that their organizations are protecting their email, and their end users, effectively. This starts with setting out ground rules for how company email is used, as well as educating the end users on common risks they’ll encounter through email.

You do want to have guidelines set out formally for your organization, no matter the size of the business. A clear set of defined guidelines not only keeps users and company data safer, it also makes deviations easier to monitor and respond to.

Here are some key tips for email compliance:

Be clear about the rules

Your starting point should be to define a clear and transparent framework for behavior, setting down what is acceptable and what isn’t when it comes to using email. An explicit, organization-wide Acceptable Use Policy (AUP), accompanied by the ability to audit use and enforce its rules, is a simple first step in demonstrating the intention to meet regulations and goes a long way toward avoiding liability. As an example, typical clauses might be:

  • Don’t forward or send email containing pornographic images
  • Do limit attachment sizes (your organization should establish that size)

With the AUP in place, you can then focus on ensuring that your practices are compliant with the wide range of local, regional, national, and international laws that extend into email communications.

A wide range of online examples is available from industry analysts such as Forrester, IDC, and Gartner.

Prevent data loss via email

The data that you hold in your systems is valuable business information. It must be guarded carefully against accidental or deliberate disclosure of confidential information to parties outside and, on occasion, within your organization. Some of the processes will be covered by your AUP, but new employees, departing employees, distracted employees, and disgruntled employees can all inadvertently (or maliciously) threaten the security of your data.

It is essential to put in place an automated, centrally-managed mechanism to prevent data loss regardless of intention or the goodwill of your employees. This solution should be able to:

  • Block emails by the filetypes of their attachments
  • Scan messages for keywords
  • Add disclaimers and banners to mail in all directions
  • Encrypt messages so that only the intended recipient can read them
  • Ensure that your email system is not being abused by unknown and/or malicious users

Maintain visibility over and access to current and past traffic

You need to make sure that you are aware of – and can account for – the email coming into, going out of, and circulating around your organization. This means you must:

  • Retain accessible records of relevant email communications, including log information that can show who sent what to whom and when
  • Copy and/or archive sensitive messages, both internal and external
  • Be able to intercept and re-route violating messages to those responsible for enforcement so that potentially damaging incidents can be avoided and remedial efforts can take place
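As an added illustration (not Sophos code and not part of the original article), the following Python applies the data-loss rules listed under "Prevent data loss via email" to a constructed message, re-routes violators to quarantine, adds the AUP banner to clean mail, and emits the "who sent what to whom and when" audit line this step asks for. The blocked extensions, size limit, keywords, addresses and sample message are all assumptions chosen for the example; a real deployment would hook this into the mail gateway's filter interface.

```python
import re
from datetime import datetime, timezone
from email.message import EmailMessage

# Constructed policy values for this example; an organization sets its own.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs"}
MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024          # hypothetical 5 MiB limit
KEYWORDS = re.compile(r"\b(confidential|internal only)\b", re.IGNORECASE)
DISCLAIMER = "\n-- \nThis message is subject to the company Acceptable Use Policy."

def check_message(msg: EmailMessage) -> dict:
    """Apply the DLP rules and build the audit line (who sent what to whom, when)."""
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type {ext}: {name}")
        size = len(part.get_payload(decode=True) or b"")
        if size > MAX_ATTACHMENT_BYTES:
            reasons.append(f"attachment over size limit ({size} bytes): {name}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if KEYWORDS.search(text):
        reasons.append("policy keyword found in message body")
    verdict = "quarantine" if reasons else "deliver"   # violators go to enforcement
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    audit = (f'{stamp} from="{msg["From"]}" to="{msg["To"]}" '
             f'subject="{msg["Subject"]}" verdict={verdict} reasons={len(reasons)}')
    return {"verdict": verdict, "reasons": reasons, "audit": audit}

def add_disclaimer(msg: EmailMessage) -> EmailMessage:
    """Append the AUP banner to the plain-text body of a message cleared for delivery."""
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and DISCLAIMER not in body.get_content():
        body.set_content(body.get_content().rstrip("\n") + DISCLAIMER)
    return msg

def build_sample(filename: str, body_text: str) -> EmailMessage:
    """Constructed sample message (not a real capture) with one small attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Q3 figures"
    msg.set_content(body_text)
    msg.add_attachment(b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg
```

The audit line is what you would ship to your log store so that later review can answer who sent what to whom and when, independently of whether the message itself was delivered or quarantined.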

Consider a powerful, seamless encryption option for your organization’s email. The right appliance will encrypt data leaving your organization so that only the intended recipient can view it. This protects against both accidental and malicious data loss.

Email encryption capabilities are available in Sophos XG Firewall, Sophos UTM Email Protection and our Sophos Email Appliances.

Eliminate spam, phishing, and malware

We still see a ton of malware entering systems via email. Spam and phishing messages are opened at rates marketing teams only dream of, because the bad guys know how to write convincing, tricky messaging. All it takes is one end user tricked by a bad actor to put your company’s data at risk.

You must ensure, and be able to demonstrate, that your email infrastructure is protected against malware, viruses, spyware, and other threats to system and data integrity. For this you need a solution that blocks malware, spam, Denial of Service attacks, and harvesting of email addresses.

By blocking threats at the perimeter right through to your internal mail servers and desktops, you will eliminate most of the external risk associated with data loss. Your AUP will go a long way toward covering the remaining internal risk.

Disclaimer: this is not intended to replace professional/legal guidance on compliance issues that your organization may face. We strongly suggest that you seek advice from recognized compliance experts to determine your needs.
