Anti-Phishing: Use Policies – Best Practices for Internet and Email

June 25, 2017 by Infosec

An Internet usage policy is no longer something that organizations can consider operating without. It’s of pivotal importance to lay out the guidelines and the instructions for employees to follow whenever they are using company devices. Some companies enforce very strict policies while others like to give employees some liberty. A good usage policy will ensure that confidential data and valuable resources never become vulnerable to outside threats, along with enforcing the restrictions on certain websites. In this article, some of the best practices for Internet and email safety will be shared along with the considerations that should be made while enforcing safe usage Internet/email policy.

Things to Keep in Mind When Implementing an Internet Policy

The problem of one-off security awareness training classes is that the lesson is imparted once and then forgotten. To aid memory retention and increase awareness of suspicious activities, employees should be frequently reminded of policies as part of their security awareness training. Here are some of the things that should be kept in mind whilst enforcing an Internet policy:

  1. Allow a certain degree of recreational/personal usage

Even the most ambitious workaholics need to take a break from their strenuous routines to scroll through social network news feeds; the recommended practice hence is to restrict personal usage but not completely eliminate it.

  1. Acceptable Internet use policies

An acceptable usage policy (AUP) document lays out the constraints and the stipulations that every person using certain resources has to abide by in order to gain access to them. Many organizations have comprehensively laid out AUPs for every employee to abide by and it should be made a common practice. In additional, the organizational reasons for monitoring should be explained to the employees. A difference between productive and unproductive activity should properly be communicated to the employees. Lastly, all the employees should be made aware of the repercussions that policy violations could entail.

  1. A transparent monitoring approach

Most organizations these days monitor their employees’ activities, but it’s essential to make the monitoring approach transparent and honest. Once the employees know the extent to which they are being monitored, they will know exactly what’s expected of them.

  1. Different departments, different policies
  2. Make your network traffic visible

The network traffic should be visible to the Internet usage administrator at all times. Automated tools are available that can spot undesirable Internet activity and, if there is a defaulting incident, a quick response force should be available.


  1. Allow employees to view their own Internet usage

One of the most recommended practices is to allow employees to have a look at their Internet usage at the end of every day. This allows them to see how much time they spent on productive and unproductive activities. This can lead to employees realizing how much they hurt the company by being unproductive and eventually changing their behaviors accordingly.

  1. Take help of a legal team

While an Internet policy is being implemented, a law team should get involved. Legal teams help a lot in periodically auditing the policy and in figuring out potential periodic alterations.

  1. Monitor every person

A sound Internet usage policy monitors each and every single person in an organization, and that includes all the managers. This decreases the probability of employees feeling singled out or dealt with unfairly.

  1. Help employees stick to the rules

It’s very important for organizations to give periodic reminders to employees regarding safe Internet usage. Suppose a company allows its employees two hours of social media access during a day; if a certain employee is about to hit 1 and a half hours, they should be notified that they are getting close to the daily limit. Internet policy guidelines often take some getting used to and these small reminders can go a long way in helping the employees (and the organization) out.

  1. Automate

Once the policy has been laid out and ready to be enforced, it’s a viable choice to just get an automated tool to do all the dirty work. Not only does this help in preserving the privacy of employees, but it also makes the whole process efficient and devoid of false positives.

Email Policies

Just like an Internet policy, an email policy is also of paramount importance today. Normally, like an Internet policy document, the email policy document has the following four sections:

  1. Overview: The overview section lists the need for an email policy so that employees can understand why their emails are being monitored and why they have to keep certain stipulations in mind.
  2. Purpose: In the purpose section, the company officials explain what they expect to achieve via the email policy and how it’s going to affect day-to-day operations.
  3. Scope: The scope section explains the coverage of the policy. All the people/departments/networks that are affected by the policy are mentioned here.
  4. Policy: This is the section where the policy regulations and stipulations get mentioned.

What to Include in an Email Policy

These are only some of the most important email policy must-haves:

  1. Disallow commercial usage:

Where a company email should be usable for limited personal usage, it should not be available to the employees for commercial usage (using the company email to cater to personal business needs).

  1. Prohibit the forwarding of company messages:

Company emails that contain confidential emails should never get forwarded to external locations.

  1. Prohibit usage of offensive language:

Offensive language (racial slurs, sexist remarks) should be prohibited and violations should result in severe.

  1. Prohibit using third-party email service providers:

Most companies have their own mail servers in order to ensure security and the usage of third-party email systems, such as Google, Yahoo, etc. (if they are not the primary email servers) should be restricted within the organization’s premises.

  1. Nothing on the company’s email is private:

Anything that the employees store on the company’s email servers is not their private property anymore and organizations should make them aware of this fact.

Final Word

Having sound and rigorously enforced email/Internet policies has long since become a necessity. If enough awareness is imparted to the employees and if substantial network monitoring is carried out, organizations can go a long way toward keeping the ever-eager intruders at bay.

Posted: June 25, 2017
View Profile