Back to Basics: How to Write a Company Email Policy

Introduction

Every company needs an email policy.  This is to protect employees as well as the firm.

The purpose of an email policy is to set proper expectations with your employees.  What are the rules and guidelines regarding email and what happens if you ignore the rules?

The email policy should be written and reviewed with the employee at the time of employment.  A signature block is optional.

DISCLAIMER: I am not a lawyer; any legal policy you implement at your company should be reviewed and signed off by your legal team.  The following are merely guidelines and sample text to help you create your own email policy.

Typical Sections included in an Email Policy

  • Introduction
  • Email Ownership and Privacy
  • Email Usage Guidelines
  • Email Misuse and Abuse
  • Email Retention and Backup
  • Personal Use of email / Opinions / Personal Views
  • Security / Trade Secrets / Personal Information
  • Questions / Who to ask
  • Signature line and Date

Introduction

The introduction should state the purpose and reason for having and enforcing an email policy.  It should state the business purpose of email and explain the need for an email policy.

SAMPLE TEXT

[COMPANY] Email Policy [version or date]

Date

[COMPANY] provides email to all authorized employees. Email is a business tool to help [COMPANY] employees serve our customers, communicate with vendors, streamline internal communications and reduce unnecessary paperwork. The email system is intended primarily for business purposes. This email policy outlines the acceptable use of business email for [COMPANY].

Email Ownership and Privacy

This section explains that the company owns the email and email systems.  The company can access email for ANY reason and the employee has NO expectation of privacy.  Email is a company-owned tool (like your desk and PC) and the employer can access any email at any time for any reason.

Employees must realize email is not private.  If required, email access can be cut off and all email sent and received may be restricted for any reason.  This is very important in the case of harassment accusations.

SAMPLE TEXT

All communications and information transmitted, received, or archived in [COMPANY]’s computer system belong to the company. Management has the right to access and disclose all employee email messages transmitted or received via the organization’s computer system. [COMPANY] may exercise its legal right to monitor employees’ email activity. Regarding email, employees should have no expectation of privacy. Be aware management may access and monitor email at any time, for any reason, with or without prior notice.

Email Usage Guidelines

This section outlines the basic use and guidelines for company email.  It discusses email etiquette and stresses the business use of email.  It should remind employees to abide by all corporate standards including logos, signatures, and copyrights. You should warn about the use of CC and BCC and the risk of inadvertently sharing email addresses in a group email.  You should caution against using inappropriate language and tone, and explain what to do if an employee receives an email that does not conform to these guidelines.  Employees should be told that sending confidential or sensitive information over email is not secure.  They should never include user names, passwords or other client or personal information in an email.

SAMPLE TEXT

Exercise sound judgment and common sense when sending email messages. Client-related messages should be carefully guarded and protected, like any other written materials. You must also abide by copyright laws, ethics rules and other applicable laws. Exercise caution when sending blind carbon copies (BCC) and carbon copies (CC) to ensure you don’t violate addressees’ privacy by inadvertently sharing email address information.

Email usage must conform to [COMPANY]’s harassment and discrimination policies. Messages containing defamatory, obscene, menacing, threatening, offensive, harassing, or otherwise objectionable and/or inappropriate statements and/or messages that disclose personal information without authorization will not be tolerated. If you receive this type of prohibited, unsolicited message, do not forward it. Notify your supervisor, the HR department, and the Director of Information Technology about the message. Handle the message as instructed by management.

Email Misuse and Abuse

Email should not be used for frivolous purposes.  Company email should not be used to share jokes or other inappropriate or suggestive content (pornography).  Also, include a warning about sending firm-wide (ALL STAFF) email.  I have seen firm-wide email regarding after-hour parties/outings and lost and found items sent using ALL STAFF distribution lists.  This is not a good use of the company’s resources and should be avoided.

SAMPLE TEXT

E-mail messages should be treated as formal business documents, written in accordance with [COMPANY]’s correspondence guidelines. E-mail creates a permanent and documented communication and must not be treated casually.

Employees are prohibited from sending jokes, rumors, gossip, or unsubstantiated opinions via email. These communications, which often contain objectionable material, are easily misconstrued when communicated electronically. Employees should not waste [COMPANY]’s computer resources or colleagues’ time.

Send email messages and copies only to those with a legitimate need to read your message. Chain messages, jokes and large graphics should be deleted, not forwarded, as they can overload the system.

Employees are prohibited from sending firm-wide email messages to All Staff without prior authorization and this practice is limited to only necessary correspondence. In addition, employees are prohibited from requesting replies to firm-wide email without prior authorization. Sending firm-wide email is generally discouraged.

Misuse and/or abuse of [COMPANY]’s electronic assets (wasting productive time online, copying or downloading copyrighted materials, visiting inappropriate sites, sending inappropriate/abusive email messages, etc.) will result in disciplinary action, up to and including termination.

Please address any questions or concerns regarding firm-wide email to the Director of IT or the Director of HR.

Email retention and backup

Email should be retained according to the company’s Document Management guidelines and legal requirements.  Your policy should explain the difference between “record” email and “non-record” email, email that should be saved versus email that can be discarded. In this section, you can also explain the means and limits of email backup.  Depending on your legal requirements and the type of email, you need clear standards outlined for saving and deleting email.

Many companies deliberately delete non-record email.  When email is backed up, depending on your backup system, you may not have the ability to retrieve individual emails for each account.  Employees need to understand the limits of the email backup and retrieval and plan accordingly.

SAMPLE TEXT

All email messages (whether in electronic form or printed) with an ongoing legal, compliance, business, or project value (considered a “business record”) must be retained in accordance with the company’s records management policies and applicable retention schedules. Project related email, particularly critical project email, such as milestone progress reviews and approvals and scope changes must be filed using the [name of email archiving or filing software’s] filing system.

(See the most recent Records Documentation Policy for further information)

It is the responsibility of every email user to maintain email records. It is the responsibility of each user to retain email records (defined as any email having an ongoing legal, compliance, business, operational, project or historical value) like all other records in accordance with the company’s retention policies.

Project electronic files are regularly backed up and retrievable. Email accounts are not typically permanently backed up or retrievable except in the case of disaster recovery. For this reason, it is essential all important project-related email is transferred to the network project folders on a regular basis using the [name of email filing software] program.

To maximize the operating efficiency of the company’s email system and to minimize the storage costs associated with retaining large volumes of unnecessary email, every employee has a limited amount of email storage in their email account. Requests for additional space will be considered on a case-by-case basis.  Keep your email storage cleaned out and up to date. [describe the email storage limits if any]

Email will be backed up daily for disaster recovery purposes only and will thereafter be retained for [X] months. The company is not able to restore individual email messages. If you are unable to access your email account for more than 14 days, please contact IT or HR to make arrangements for your email account during your absence.

All copies of non-record email (those with no ongoing legal, compliance, business, operational, project or historical value) can be deleted and paper printouts of such messages disposed of when no longer needed.

Non-record email messages include, but are not limited to, administrative email (such as an invitation to the company holiday party or a meeting notice); they do not need to be retained as a company record, according to the records retention schedule. Such messages only need to be kept if they are needed to conduct business. Failure to dispose of such messages wastes valuable company computer resources and employee time. However, if you would retain the message if it had been sent in paper form, then you should retain record copies of the email transmission. Email can be archived electronically using [email archive software]. Please see IT for instructions on archiving email.

You should, unless otherwise directed:

  1. Purge drafts and non-record email messages immediately when no longer needed.
  2. Purge convenience or reference email copies immediately when no longer needed.
  3. Purge duplicate email immediately when no longer needed.

Personal use of email / Opinions / Personal Views / Solicitation

Employees will unavoidably use their company email for personal reasons.  While almost everyone has a personal email account, inevitably there will be an intermingling of personal email and work email.  Employees corresponding with each other may use the company email by default rather than a personal email.  They may not even know each other’s personal email address.

Recognizing this will happen, you should include language in your email policy to describe the acceptable personal use of company email.  If it is 100% prohibited, you should say that.

SAMPLE TEXT

[COMPANY]’s electronic mail service is reserved primarily for business use. All users should consider this in their decision to use the firm’s email services for personal purposes.

Employees may use [COMPANY]’s email service for incidental personal reasons with the following guidelines:

  1. Communication with non-business contacts is permitted but should be minimized during business hours. Employees also are free to correspond during the lunch hour and other break times. Personal email should not interfere with the email user’s employment or other obligations and responsibilities to the firm.
  2. Personal email communication that exceeds the limits outlined above is prohibited unless justified by family emergency or otherwise specifically authorized by [COMPANY]’s Human Resources Director. Personal email should not directly or indirectly interfere with the firm’s operation of computing facilities or electronic mail services or burden the firm with noticeable additional cost.
  3. The use of [COMPANY]’s email system to solicit for any purpose, campaign for a political candidate, espouse political views, promote a religious cause, and/or advertise the sale of merchandise is strictly prohibited.
  4. Personal email usage must also conform to [COMPANY]’s harassment and discrimination policies.

Security / Trade Secrets / Personal information / Viruses

This section discusses email security.  Users are required to use secure passwords and change their password often.  Include a warning about sending personal information or trade secrets via email.  Email (unless encrypted) is not secure. Employees should know that any sent email can be intercepted or read.  Phone and snail mail are both more secure than email.  Finally, warn employees about opening email they do not recognize or are not expecting.  Most email systems have SPAM and virus protection, but occasionally something will slip through security.  Employees need to think before opening email, and if they suspect an email is malicious, they need to know what to do with it and whom to notify.

SAMPLE TEXT

Email passwords are the property of [COMPANY]. Employees are required to provide the Director of Information Technology with current passwords upon request. Only authorized personnel are permitted to access another employee’s email without consent. Misuse of passwords, the sharing of passwords with non-employees, and/or the unauthorized access of another employee’s password or mailbox for any reason will result in disciplinary action, up to and including termination.

Security is difficult if not impossible to achieve in the electronic age. Confidential or personal information should never be sent via email, with the understanding that it can be intercepted. This includes the transmission of client information, Social Security numbers, employee health records, proprietary data and trade secrets, or other confidential material. When sending sensitive material (or any message, for that matter), employees should use extreme caution to ensure the intended recipient’s email address is correct.

Be careful when opening email with attachments.  While [COMPANY] has email SPAM and virus filtering, there is a possibility that a malicious link or new exploit can bypass our system.  If you receive strange messages or unexpected email from someone, use caution and common sense before opening.  When in doubt, contact the sender to verify the email is legitimate and safe.  If you accidentally open an unknown file or click on an unsafe link, notify IT as soon as possible so they can determine whether it was safe.

Questions / Who to ask / Signature line and date

Finally, let staff know who to contact if they have questions or concerns.  When reviewing this policy with a new employee or introducing an email policy for the first time, you can include a signature line to state the employee has received and read the email policy.

SAMPLE TEXT

If you have any questions about the above policies, please address them to the Director of Information Technology or Human Resources Director.

I, [Employee Name], have received and read [COMPANY]’s Email Policy [version or date].

_________________________ Signature

_____________ Date


I hope this article has convinced you every company needs an email policy.  If you need help writing your company’s email policy, click here and we can get you started.


Ransomware: What it is, Who’s at Risk, and How to Stop an Attack

Last year was riddled with ransomware attacks, with thousands of systems compromised as a result. With technology evolving at the current rate, hackers are finding more and more ways to attack. For example, ransomware is no longer limited to affecting desktops or laptops — it can also target mobile devices. A report by Kaspersky noted that there was a 250% increase in mobile ransomware attacks just within the first few months of 2017.

Thankfully, the ever-evolving technology also gives us more ways to protect against these attacks.

The first step toward protecting yourself and your business against ransomware is knowledge. Understanding what ransomware is and how it works can help you take the necessary security precautions. Below, we’ll delve into the history of ransomware, the various ways it accesses devices, who is at risk, and some of the technologies and best practices you can follow to prevent an attack or save encrypted data.

Are you prepared for an attack? Click here for our free checklist and learn how to stop ransomware in its tracks.


What exactly is ransomware and where did it come from?

Ransomware is a form of malicious software that blocks and/or locks your computer and prevents you from accessing your data until you pay a ransom. Both the attacks and the ransoms can come in many different forms. Some demand payment, some threaten with harm, and others do both.

According to an article by Heimdal Security, ransomware first appeared in 1989 in the form of the AIDS Trojan, where malware was spread using floppy disks and victims were told to pay $189 as ransom. More commonly noted instances of ransomware occurred in Russia and Eastern Europe between 2005 and 2009. Victims were told to pay using SMS messages or by calling a premium-rate phone number, since online payment wasn’t as available as it is today.

Since then, ransomware attacks have continued (and continued to evolve) at an alarming rate. In 2013, CryptoLocker — software that locks victims’ files and unlocks them only on payment — infected over half a million victims, extorting around $27 million from the percentage of users who paid the ransom. In 2017, victims were hit by WannaCry, one of the most widespread malware attacks, which infected Windows users by encrypting files on the hard drive and demanding Bitcoin payment from the victims.

Ransomware today can generally be classified into two types: encrypting and locker. Locker ransomware is also referred to as an MBR (Master Boot Record) exploit. Encrypting ransomware blocks files using encryption algorithms and demands payment in order to decrypt the blocked data. Examples of this type are CryptoLocker and CryptoWall. According to Wired, “with the development of ransom cryptware, [it] encrypts your files using a private key that only the attacker possesses, instead of simply locking your keyboard or computer.” Locker ransomware, by contrast, locks the user out of the operating system, blocking access to the entire desktop without actually encrypting any files; police-themed ransomware is an example. There is also a less common type of ransomware known as leakware or doxware, which threatens to release sensitive data from the user’s computer unless the ransom is paid. To read about the different variations of encrypting and locker ransomware, check out this source.

How does ransomware spread?

Understanding exactly what ransomware looks like is crucial because you’ll know which suspicious signs to look out for. Heimdal Security goes into detail describing the various characteristics that make ransomware unique from other forms of malware. Keep an eye out for these actions, which may indicate a ransomware attack:

  • Encrypting all kinds of files
  • Scrambling file names
  • Adding extensions to files
  • Displaying an image or message that your data has been encrypted (and asking for a ransom)
  • Requesting payment in Bitcoins
  • Limiting the time available to make a payment (and/or threatening if payment is not met)
  • Spreading to other PCs (within a local or wide area network)
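The signs listed above (mass encryption, scrambled names, added extensions, a ransom message) leave a recognisable pattern in file-system telemetry. The following heuristic detector is an added example, not code from the original article: it reads a constructed event log (format, process ids and paths are all assumed for the example; real Sysmon, auditd or EDR feeds need their own parsers) and flags processes that rename many files into one new extension across several folders, or drop a "decrypt/recover" note in several folders, inside a short window.

```python
"""Heuristic ransomware-behaviour detector over file-system event logs.

Added example, not code from the original article. The log format below is
constructed for this example; real telemetry needs its own parser.
"""
import os
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # burst window per process
MIN_RENAMES = 3                  # renames into one new extension before we care
MIN_DIRS = 2                     # must touch several folders, not one user's file
NOTE_RE = re.compile(r"(decrypt|recover|restore|ransom|how[_-]?to)", re.I)
# Constructed format: "<ISO time> <pid> <op> <path>[ -> <new path>]"
LINE_RE = re.compile(r"^(\S+) (\d+) (\w+)\s+(\S+)(?: -> (\S+))?$")

# Constructed sample: pid 7731 behaves like an encryptor, the others are benign.
SAMPLE_LOG = """\
2024-05-01T09:00:01 4102 WRITE /srv/share/finance/q1.xlsx
2024-05-01T09:00:03 7731 WRITE /srv/share/hr/policy.docx
2024-05-01T09:00:03 7731 RENAME /srv/share/hr/policy.docx -> /srv/share/hr/policy.docx.locked
2024-05-01T09:00:03 7731 WRITE /srv/share/hr/handbook.pdf
2024-05-01T09:00:03 7731 RENAME /srv/share/hr/handbook.pdf -> /srv/share/hr/h7f3k2.locked
2024-05-01T09:00:04 7731 CREATE /srv/share/hr/README_DECRYPT.txt
2024-05-01T09:00:04 7731 RENAME /srv/share/finance/q2.xlsx -> /srv/share/finance/q2.xlsx.locked
2024-05-01T09:00:05 7731 CREATE /srv/share/finance/README_DECRYPT.txt
2024-05-01T09:00:05 7731 RENAME /srv/share/eng/design.vsd -> /srv/share/eng/design.vsd.locked
2024-05-01T09:00:06 7731 CREATE /srv/share/eng/README_DECRYPT.txt
2024-05-01T09:00:20 5120 RENAME /srv/share/eng/old.txt -> /srv/share/eng/old.bak
"""


def parse(log_text):
    """Yield (time, pid, op, path, new_path); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, pid, op, path, new_path = m.groups()
            yield datetime.fromisoformat(ts), int(pid), op, path, new_path


def summarize(window):
    """Score one process's events inside a time window."""
    renames, dirs, scrambled, note_dirs = Counter(), defaultdict(set), 0, set()
    for _, _, op, path, new_path in window:
        if op == "RENAME" and new_path:
            old_stem, old_ext = os.path.splitext(os.path.basename(path))
            new_ext = os.path.splitext(new_path)[1].lower()
            if new_ext and new_ext != old_ext.lower():
                renames[new_ext] += 1
                dirs[new_ext].add(os.path.dirname(new_path))
                if not os.path.basename(new_path).startswith(old_stem):
                    scrambled += 1   # original name no longer recognisable
        elif op == "CREATE" and NOTE_RE.search(os.path.basename(path)):
            note_dirs.add(os.path.dirname(path))   # ransom note dropped here
    best = max(renames, key=renames.get, default=None)
    return {
        "extension": best,
        "renames": renames[best] if best else 0,
        "dirs": len(dirs[best]) if best else 0,
        "scrambled": scrambled,
        "note_dirs": len(note_dirs),
    }


def detect(log_text):
    """Return {pid: summary} for processes whose burst looks like encryption."""
    by_pid = defaultdict(list)
    for ev in parse(log_text):
        by_pid[ev[1]].append(ev)
    findings = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):            # sliding window over time
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            s = summarize(evs[start:end + 1])
            suspicious = (s["renames"] >= MIN_RENAMES and s["dirs"] >= MIN_DIRS) \
                or s["note_dirs"] >= MIN_DIRS
            if suspicious and s["renames"] >= findings.get(pid, s)["renames"]:
                findings[pid] = s               # keep the fullest window seen
    return findings


if __name__ == "__main__":
    for pid, s in detect(SAMPLE_LOG).items():
        print(f"pid {pid}: {s}")
```

A hit is a reason to isolate the host and suspend the process, not proof on its own; tune the thresholds against your own file servers so that backup agents and bulk renames by users do not trip it.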

All forms of ransomware can be spread through infected email attachments (phishing scams), software apps, external hard drives (e.g. flash drives), drive-by downloads, SPAM, out-of-date anti-virus, and compromised websites. Not to mention there’s now infected SMS messaging to target mobile devices.

Now that you have a better grasp on what signs to look for, we’ll discuss who are the most likely targets of a ransomware attack and what you can do to protect yourself and your business.

Who is at risk of a ransomware attack?

Unfortunately, basically everyone. Since there are variants of each type of ransomware and new forms are coming out at an ever-increasing pace, it’s nearly impossible to predict who the next victim(s) will be. That being said, we can make some educated guesses.

By analyzing the circumstances and characteristics of past victims, we can figure out why some users were attacked — helping us predict who might be at risk in the future. Presently, we know that some attackers aim for businesses only, while others aim for the average individual user. Here are some of the reasons why:

If users don’t have any kind of data backup, attackers will definitely take notice. Individual users are also less likely to have knowledge about proper IT security, so they’re more likely to open phishy emails or click on suspicious links. Attackers also look for users who don’t keep their software up to date and lack basic cybersecurity knowledge.

As for businesses, they’re targeted often because they’ve proven more lucrative than the individual. If a ransomware attack is causing a major disruption, they’ll likely pay off the ransom quickly, no matter the amount. In addition to all the computers housed within a business’ building, Heimdal Security points out that ransomware can infect “servers and cloud-based file-sharing systems, going deep into a business’s core.” It’s no surprise that large businesses and corporations are targeted because they have the ability to pay off a large ransom if all or some of their computers and data are attacked.

Small businesses also fall prey to ransomware because of IT security negligence. Many — especially new startups — don’t have security in place and are unprepared to deal with security breaches.

Some businesses and individuals are guilty of thinking a malware attack won’t happen to them. But, according to Wired, “at least $5 million is extorted from ransomware victims each year.” The damage caused by ransomware attacks cannot and should not be ignored. Experts say that a ransomware attack can cost a user between $200 and $10,000, and more than 50% of businesses surveyed have paid anywhere from $10,000 to $40,000.

Thankfully, there is technology available to guard against malware, and some practices you can learn to protect yourself or your business from becoming another victim.

What are some technologies and best practices you can follow?

As we mentioned previously, understanding what ransomware is and how it works can make you less vulnerable to an attack — knowledge is power!

The next step to ensure basic IT security for anyone is to install antivirus protection on your computers/devices, and to keep your operating systems and software up to date. Updating promptly and on a regular basis gives attackers fewer vulnerabilities to exploit.

Then — and we can’t stress this point enough — back up all of your data. This doesn’t stop a ransomware attack, but it will make it a whole lot easier when it comes to recovering from an attack.

Some of the best practices you can follow to prevent falling victim to ransomware are:

  • Never open spam emails or emails from unknown senders;
  • Never download attachments from spam/suspicious emails;
  • Never click links in spam/suspicious emails.

Pro tip: If you receive emails from Microsoft or some other well-known brand name asking for your account information or payment, be sure to check the sender’s email address. If it’s not directly from @microsoft.com, or looks suspicious in any other way – don’t open it or click any links within it.
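The "is it really from @microsoft.com?" check can be automated for a mail filter or a user-facing warning banner. This is an added example, not code from the original article; the brand table, the homoglyph list and the sample headers are constructed, and it treats only an exact match on the brand's own domain as "directly from" that brand, flagging lookalike domains, attacker-owned subdomains and display names that merely mention the brand.

```python
"""Sender-domain check for the "is it really from @microsoft.com?" tip.

Added example, not code from the original article. The brand table and the
sample headers are constructed; a real filter would load the table from config.
"""

# Brand name -> domains the brand legitimately sends from (constructed).
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}}

# Character substitutions commonly used to build lookalike domains.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(text):
    """Lower-case and undo the substitutions so 'RNicros0ft' reads 'microsoft'."""
    text = text.lower()
    for lookalike, real in HOMOGLYPHS:
        text = text.replace(lookalike, real)
    return text


def split_header(from_header):
    """Return (display name, address). The address is the last <...> group,
    because a display name may itself contain an @ to mislead the reader."""
    header = from_header.strip()
    if header.endswith(">") and "<" in header:
        name, _, addr = header[:-1].rpartition("<")
        return name.strip().strip('"'), addr.strip()
    return "", header


def check_sender(from_header):
    """Return (ok, reason). ok is True only when the address is exactly on a
    brand's own domain, or when no monitored brand is referenced at all."""
    name, addr = split_header(from_header)
    if addr.count("@") != 1:
        return False, "no single parsable address"
    local, domain = addr.lower().split("@")
    for brand, allowed in BRAND_DOMAINS.items():
        if domain in allowed:
            return True, f"sent directly from {domain}"
        if brand in normalize(domain):
            # Catches microsoft.com.example, rnicrosoft.com and sub-domains alike.
            return False, f"not directly from a {brand} domain: {domain}"
        if brand in normalize(name) or brand in normalize(local):
            return False, f"{brand} is named but the mail comes from {domain}"
    return True, f"no monitored brand referenced; sender domain {domain}"


if __name__ == "__main__":
    for header in ("Microsoft Account Team <account-security@microsoft.com>",
                   "Support <support@rnicrosoft.com>",
                   "noreply@microsoft.com <attacker@example.net>"):
        print(header, "->", check_sender(header))
```

The From header is written by the sender, so this is a hint for the reader, not authentication; the mail gateway's SPF/DKIM/DMARC results are what decide whether the domain shown was actually allowed to send the message.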

If you’re removing ransomware (on a Windows system) you can follow these steps laid out by CSO Online:

  • Reboot Windows 10 to safe mode
  • Install anti-malware software
  • Scan the system to find the ransomware program
  • Restore the computer to a previous state

As soon as you notice either the ransomware warnings or evidence of encrypted files, unplug your PC from any network! The virus will crawl your network and infect any files or machines it finds — you need to contain the infection.

There are also professional cybersecurity researchers working around the world to break the encryption used in large-scale ransomware attacks. Unfortunately, if you didn’t back up your data, there is no way to get your data back or decrypted without paying the ransom. Remember, you need to remove any malicious software before you restore from a recent backup. When in doubt, always reach out to your IT department or an IT professional service like ours at Advance2000 as soon as possible. We can help you recover your files and hardware.

Recap

There is no reason for anyone to feel helpless when it comes to ransomware. With basically unlimited information about ransomware on the internet and the ever-evolving technologies to keep your computers and data secure, you should be able to safeguard yourself against most malicious ransomware attacks.

To help, we’ve partnered with Sophos to provide you with a comprehensive checklist outlining exactly how to stop malicious ransomware attacks in their tracks. Click below to ensure you’re prepared in the event of an attack:

[Image: ransomware security checklist download link]

13 Eye-Opening Cybersecurity Facts

In light of recent global cyberattacks (read: WannaCry), it’s more important than ever to understand the risks of poor cybersecurity.

According to Skyhigh, virtually every organization experiences at least one cloud-based threat per month. In fact, three out of four IT professionals reported that their businesses were at risk for cybersecurity (and man-made) disasters.

Many businesses may not have the budget for high-end security, or may consider it an unnecessary expense. Unfortunately, the cost of not having a solid security plan and strategy in place can far outweigh the price of investing in security. According to IBM, the global cost of cybercrime will reach $2 trillion by 2019 and $6 trillion by 2021. And money is not the only aspect of your business you can lose to a security breach. You can lose years of your organization’s and your clients’ data, which can result in loss of trust and even overall business from your clients.

With the recent security breaches and ransomware attacks, we thought it pertinent to remind you of the seriousness of cybersecurity. Below is a collection of staggering facts and statistics about cybercrime and cybersecurity to keep in mind.

Be smart and stay safe!

[Infographic: 13 eye-opening cybersecurity facts]


HIPAA Compliance and Ransomware: What You Need to Know

If you work in the medical field or for a health care provider, chances are you’re very familiar with HIPAA guidelines and how they pertain to patient care. But are you familiar with how HIPAA affects your IT environment? When it comes to HIPAA and patient care, most people are already familiar with the HIPAA Privacy Rule, but how familiar are you with the HIPAA Security Rule? Due to recent events regarding ransomware and the Erie County Medical Center, HIPAA compliance – along with data security – has become more important than ever.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates the use and disclosure of Protected Health Information (PHI). This applies to (but is not limited to) health insurers, medical service providers, health clearinghouses, and employer-sponsored health plans. From April of 2003 until January of 2013 there were over 91,000 HIPAA complaints, which led to 22,000 enforcement actions. As if going through legal litigation isn’t bad enough, violators also pay a pretty penny per HIPAA violation. In 2010, Cignet Health of Maryland was fined 4.3 million dollars for simply not providing patients copies of their medical records when requested.

How can HIPAA compliance affect your daily operation?

Now that we’ve established how important HIPAA is, let’s break down how this may affect your operations on a day-to-day basis. To do this, I’m going to refer back to ECMC. When ECMC was initially hit with the cyberattack, they were given an option to settle for 1.7 bitcoin (which is the equivalent of $4,644 U.S. dollars). This may not seem like an astronomical amount of money; however, the $4,644 figure was per infected machine. If you take into account how many machines a small- to medium-size office may have (likely around 10 to 15), you’re looking at a starting point of around fifty thousand dollars and up (now the fee seems a bit more severe). On top of the monetary losses, you also must take data security, HIPAA fines, down time, productivity loss, and reputation into account.

Hopefully the consequences of not being HIPAA compliant are now clear, but how does HIPAA compliance help protect your data?

The first step in becoming HIPAA compliant, from an IT perspective, is to have an audit of your environment completed. This way a managed service provider can provide a detailed scope of your environment, along with an IT roadmap, which will help you to plan for future expenses and potential issues. During the audit, multiple scans of the environment will be run. Some of the scans will make sure your hardware and software is up to date, and will also check for any security vulnerabilities or possible holes in your infrastructure configuration management.

After the audit has been completed, an engineer will sit down with you and explain their findings and recommendations. Sometimes the recommendations may be very minute in scale and can be implemented in a very short amount of time. On other occasions the engineer may find larger holes or more serious issues which need to be addressed in a more urgent manner.  As an example, a main part of being HIPAA compliant is having a full off-site backup. If the audit is completed and no backup is found, the engineer will sit down with you and provide a detailed proposal which will help you protect your data in the event that you are ever attacked by malicious software and data loss does indeed occur.

As technology continues to advance and hackers become more sophisticated, data security increasingly becomes a top priority for organizations like yours. We’ve seen foreign countries/governments “hack” U.S. computers with the explicit interest of stealing intellectual property and extorting money from U.S. businesses. A HIPAA security audit is a great way to make sure this doesn’t happen to you.