Improving Email Security Practices

We recently completed a survey where IT administrators using Microsoft Exchange Server for small to medium-sized companies were asked various questions pertaining to email security.

After reviewing survey results, we found that malware breaches were quite common among participating companies, and spam and malware were identified as two of the top pain points respondents had with their current email security solution. From our survey, we were able to collect some key statistics on the email security practices of companies and expand on several identified issues.

Email Security Findings

  • 51% of companies had malware get past their email filters in the last 18 months
  • 50% of companies had employees that clicked on phishing links in the last 18 months
  • 55% of respondents are 'not certain' or 'not certain at all' that their employees will not click on phishing links or malicious email attachments
  • 39% of respondents use only one anti-malware engine
  • 68% of companies do not use any form of email encryption

Preventing Phishing and Malicious Email Attachments

Phishing is quite common, and most of us encounter it quite regularly, whether it be at work or on our personal email accounts. Hackers often pose as banks or financial institutions to try and gain personal account information. For example, you may receive an email from your bank asking you to renew your password, when it is really a well-disguised attack. Spear phishing is inherently more dangerous because emails are targeted towards a specific individual or company, and the email could even appear to be from a person you know or company that you do business with. The individuals or groups organizing these spear phishing attacks use personal information about you gleaned from the internet to make the email look legitimate and entice you to open the malicious attachment or enter your credentials on a fake website.

Employees clicking on phishing emails or opening malicious email attachments can be a nightmare for any organization's IT department. Unfortunately, not all employees have the training to recognize an attack. Our survey results showed that 50% of companies surveyed had employees click on phishing links in the last 18 months and 55% of their IT administrators said they were 'not certain' or 'not certain at all' that their employees would not click on phishing links or malicious email attachments. Since IT administrators can't monitor every individual employee's email practices to prevent attacks, it is important to have a solution in place that will perform this function in their place.

Policy Patrol Mail Security provides the necessary tools for blocking spam and phishing emails and has a content policy that prevents harmful content from being sent to or from an organization. Additionally, Policy Patrol can search email attachments for keywords and regular expressions, making sure no confidential content such as credit card data or social security numbers is sent via unsecured email.

Why Multi-Scanning?

The majority of respondents from our survey were only using 1-2 antivirus engines to scan for potential threats. In addition, 51% of companies surveyed had malware get past their email filters in the last 18 months. When one antivirus software doesn't detect a threat, there is still a good chance that another engine will. Each anti-malware engine brings different capabilities to the table. The Metascan® multi-scanning technology leverages the power of over 40 antivirus engines to scan data entering an organization or sent internally. Metascan also provides file filtering capabilities and allows customers to sanitize potentially dangerous media by converting files and removing embedded malware.

Importance of Email Encryption

68% of the companies included in our survey did not use any form of email encryption. Email encryption may not seem like it is necessary, especially if a company feels like they have nothing to hide. Privacy isn't about whether you have anything to hide; it's about what you could potentially lose. The recent attack on Sony is a perfect example of how faulty email practices and the loss of private company data can come back to bite you. Email encryption works by using both a public key and a private key. The public key can be accessed by anyone and is used to encrypt email messages. The private key is kept secure by the email service used by a company or the IT department and is used to decrypt messages. Email encryption is mandatory for some organizations while others have not yet implemented the practice. If an organization does not utilize email encryption, their private information is vulnerable to attacks. Without encryption, anyone connected to a company's network can read messages, potentially exposing private company information.

Policy Patrol Secure File Transfer can help you avoid the potential exposure of sensitive company data by allowing users to send and receive confidential files securely. Policy Patrol Secure File Transfer automatically encrypts files and can authenticate recipients, ensuring that sensitive data does not end up in the wrong hands.


After reviewing survey results, we discovered that a majority of surveyed companies were not as protected as they should be. A majority of companies had recently experienced some type of data breach, but were not utilizing the power of multi-scanning or email encryption. Email security should be a top priority for companies in order to reduce the risk of a possible data breach.
