Email remains a critical communication tool for organisations, but its use comes with significant security risks. To mitigate these risks, organisations must develop, implement, and maintain a robust email usage policy. The Australian Signals Directorate (ASD) has released guidelines for establishing such a policy to ensure that email systems are used securely and responsibly, protecting sensitive information from unauthorised access or data spills.
One key aspect of email security is controlling access to non-approved webmail services. When users bypass organisational controls, such as email content filtering, they expose the organisation to potential threats. Blocking access to non-approved webmail services is essential to maintain security.
Additionally, implementing protective markings for emails helps prevent unauthorised data releases. A marking should reflect the highest sensitivity or classification found in the email’s subject, body, or attachments, ensuring that sensitive information is handled appropriately. Marking tools also require user involvement to ensure that emails are correctly classified, reducing the risk of over- or under-classification. Email content filters rely on these markings to prevent emails from being sent to unauthorised systems. Furthermore, email servers should be configured to block, log, and report emails with inappropriate protective markings, notifying both senders and recipients of any issues.
Centralised email gateways enhance security by enabling the deployment of protocols like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). These protocols help detect and prevent spoofed emails, ensuring that only authorised emails are sent and received. Additionally, enabling Transport Layer Security (TLS) encryption and Mail Transfer Agent Strict Transport Security (MTA-STS) protects emails in transit from interception and downgrade attacks.
Email content filtering is another critical defence mechanism, blocking potentially harmful content in email bodies and attachments. Suspicious emails, such as those with spoofed internal domain addresses, should be blocked at the email gateway to prevent phishing attempts. Finally, notifications of undeliverable emails should only be sent to verified senders to avoid contributing to spam practices.
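As an added illustration of the two gateway checks described above (a declared protective marking that is lower than the highest marking in the subject, body or attachments, and an external message claiming an internal sender domain), the following Python filter is example code, not the ASD's guidance or any product's implementation. The X-Protective-Marking header name, the marking ladder, the internal domain and the sample message are all assumptions constructed for the example.

```python
"""Added example (not ASD's or any product's code): a gateway check that blocks an
email whose declared protective marking is below the highest marking found in its
subject, body or attachments, and blocks internet-sourced mail claiming an internal
sender. Header name, marking ladder, domain and sample are constructed assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr

MARKING_ORDER = ["UNOFFICIAL", "OFFICIAL", "OFFICIAL:SENSITIVE", "PROTECTED"]  # assumed ladder, low to high
MARKING_RE = re.compile(r"\b(UNOFFICIAL|OFFICIAL:SENSITIVE|OFFICIAL|PROTECTED)\b")
INTERNAL_DOMAIN = "example.gov.au"  # assumed internal domain


def highest_marking(texts):
    """Highest marking named in any fragment ('' if none); a naive keyword scan, not a full parser."""
    found = [m for t in texts for m in MARKING_RE.findall(re.sub(r":\s+", ":", t.upper()))]
    return max(found, key=MARKING_ORDER.index, default="")


def gateway_check(raw, inbound_from_internet):
    """Return (verdict, reason) for one RFC 5322 message; verdict is 'accept' or 'block'."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if inbound_from_internet and sender_domain == INTERNAL_DOMAIN:  # spoofed internal sender
        return "block", "external message spoofs internal domain " + sender_domain
    declared = highest_marking([msg.get("X-Protective-Marking", "")])
    if not declared:  # fail closed: unmarked mail is not allowed through
        return "block", "missing or unrecognised protective marking"
    fragments = [msg.get("Subject", "")]
    for part in msg.walk():  # body and attachments are scanned alike
        if part.get_content_maintype() != "multipart":
            fragments.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    required = highest_marking(fragments)
    if required and MARKING_ORDER.index(declared) < MARKING_ORDER.index(required):
        return "block", "declared %s is below content marking %s" % (declared, required)
    return "accept", "marking %s covers all content" % declared


# Constructed sample: declared OFFICIAL, but the attachment carries PROTECTED text.
SAMPLE = """From: alice@example.gov.au
Subject: Minutes [SEC=OFFICIAL]
X-Protective-Marking: SEC=OFFICIAL
Content-Type: multipart/mixed; boundary="b1"

--b1

Please see attached.
--b1
Content-Disposition: attachment; filename="minutes.txt"

PROTECTED - board minutes
--b1--
"""
```

Running `gateway_check(SAMPLE, inbound_from_internet=False)` blocks the sample because the attachment outranks the declared marking; the same message arriving from the internet is blocked earlier as a spoofed internal sender.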
By adhering to the ASD’s guidelines, organisations can significantly reduce the risks associated with email usage, safeguarding sensitive information and maintaining operational integrity.