Updated October 9, 2023
While the technology is the same, there are subtle differences between personal and business email accounts. Business email accounts often provide features that would not be used by individuals, like creating multiple users and inboxes, and setting configurations across the entire domain instead of one account. Let’s talk about how to pick or vet the email provider you currently use, and how to keep it secure.
The first step in protecting your employees and your work email is to decide how it will be set up. The ultimate setup that will make it easier for you to manage if your business is growing is to move to a business email account—and this section will take you through the security involved in that.
This is not a one-size-fits-all solution. Moving to a business account usually involves a nominal monthly fee (usually at least a few bucks per month), and involves more work. The good news is that the work is up front—meaning you do it once, and then leave it be.
Are these statements true?
Your employees can do what they need without email, or only use email when logged into a computer accessed only at work.
Your organization does not give employees individual email addresses and has no plans to.
Important, confidential business documents are not stored in shared file storage or drives linked to email accounts (like OneDrive or Google Drive).
The current work email account does not contain personal or sensitive business conversations.
If the answer is yes to all of them, a business email domain may not be needed. You can stick with the work account you have been operating with so far and skip ahead to the next chapter.
You may eventually find yourself needing to give access to this email account to someone else, such as an operations manager or a second-in-command that you hire. Sharing passwords and email accounts is often discouraged in security, but there are reasonable situations where you can if you do it safely. If that is the case, you will need to read the sections below on password managers, especially making sure to pick one with 2FA built in. Also be sure to consider any other shared file storage, drives, or conversations that this email account gives them access to. If you do find yourself sharing access, be sure to move those files somewhere safe—such as your own personal shared drive.
This can also be a workable setup if your business has a laptop at a physical location that employees can use, provided that use is limited to just one location and a small number of staff. For example, a local cafe or restaurant might have a computer set up with access to the email account so staff can respond to reservations or catering requests. If you have more than one location, or three or more staff, then you will thank yourself later for getting a business account. It has both operational and security advantages at that point.
Some companies offer business packages that give you all the tools you need to run a small business—email, website hosting, collaboration tools. If you are small, these providers might even give you tools for free or at a very reduced cost.
If you have made it this far, we will assume that you are in the market for a new business email account. First, let’s make sure to start with the right foundation and a good email provider. If your business organically grew from being just you to now a few people, you might be using a stock-standard personal email account from a popular provider, such as Gmail, Yahoo Mail, or Microsoft Outlook.
It is time to think about upgrading from the second-hand suit to something a bit more tailored for your business. Unless you are setting up your own mail server, using a custom domain name for email requires a business email account. All the major email providers offer free personal email—a single login and an email account on that provider’s domain (for example, @gmail.com). When you shift to a business email account, you get the ability to add additional users (who will each have their own username and password to log in) and the ability to use your own domain (for example, @safestack.io).
Picking a provider for your business is very similar to how you would have picked one in Part I, except the options are a bit more scarce—there are a lot of personal email providers, but not many business email providers. When picking one, you need to make sure it has some key features:
Users can turn on 2FA with strong methods such as one-time password (OTP) apps, mobile push notifications, or security keys.
Security settings can be enforced across your employees’ accounts (such as requiring 2FA and disabling automatic email forwarding).
Security settings can be configured for your business account and domain as a whole. This includes good security scanning and filtering for emails and attachments, and email header configurations so others can’t impersonate your domain.
Access to logs that tell you what your users are doing (and where they are connecting from), and tools that let you easily manage user access in case you need to reset or remove it.
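The “email header configurations” in the list above are the SPF and DMARC records published in your domain’s DNS, which receiving mail servers use to decide whether mail claiming to come from your domain is genuine. As an added example that is not part of this book, here is a Python check you could run over the TXT records copied from your DNS provider’s console (fetching them live is left out so it runs offline). The domain name and record values are constructed for illustration.

```python
# Constructed sample TXT records, as a DNS console would show them (not a real domain).
SAMPLE_RECORDS = {
    "example.test": ["v=spf1 include:_spf.mail-provider.example ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}

def parse_spf(txt_records):
    """Return the single SPF record among the TXT strings, or None if absent/duplicated."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None  # two SPF records is itself a permanent error

def spf_findings(spf):
    """Flag SPF settings that let unlisted senders pass as your domain."""
    if spf is None:
        return ["no single valid SPF record published for the domain"]
    last = spf.split()[-1].lower()  # the trailing 'all' mechanism decides unlisted senders
    if last in ("+all", "all"):
        return ["SPF ends in +all: every sender passes, the record protects nothing"]
    if last == "~all":
        return ["SPF ends in ~all (softfail): move to -all once all legitimate senders are listed"]
    if last != "-all":
        return ["SPF has no trailing 'all' mechanism: unlisted senders are not rejected"]
    return []

def parse_dmarc(txt_records):
    """Parse 'tag=value; tag=value' DMARC syntax into a dict, or None if absent/duplicated."""
    recs = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(tags):
    """Flag a DMARC policy that reports forged mail but still lets it through."""
    if tags is None:
        return ["no DMARC record at _dmarc.<domain>: receivers have no policy for forged mail"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: forged mail is reported but still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC policy tag p= is missing or unknown")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports of abuse")
    return findings

def vet_domain(domain, records):
    """Combine SPF and DMARC findings for one domain; an empty list means nothing to fix."""
    spf = parse_spf(records.get(domain, []))
    dmarc = parse_dmarc(records.get("_dmarc." + domain, []))
    return spf_findings(spf) + dmarc_findings(dmarc)
```

Running `vet_domain("example.test", SAMPLE_RECORDS)` on the sample records reports the softfail SPF and the monitoring-only DMARC policy, which is the typical state of a freshly created business domain before the settings are tightened.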
We are going to go into each of these features in detail in this chapter.
danger If an email provider doesn’t give you these features, you’ll need to keep looking. You might find free business email services out there, but if they don’t check these boxes they will be too good to be true. And since email is likely one of the IT tools you use all the time, the money will be well invested.
Generally, you can’t go wrong with using business email from one of the big technology providers, such as Google Workspace (formerly GSuite) or Microsoft 365 Business. You pay a few bucks per user, per month, and you might be able to qualify for credits if you are a special small business (like a not-for-profit).
You might be in a position where you have been operating solo, using a personal email account, and now have to migrate everything over to a business account. Although changing emails can be annoying, it is something you’ll be happy you did (because the alternative of having to manage multiple people with access to one email account sounds like a literal nightmare). While each email provider will have its own instructions for performing each step, here is a list of the steps involved in moving from your personal to your new business email account:
Create your new business email account, along with the domain and users you need. If your personal email was configured to use a unique domain, be sure to check with your domain and email provider on moving that to the new business email account.
Configure security settings on your business account (which we will cover soon) before helping your team get set up.
Configure your personal email to auto-forward emails to an inbox on your new business email account.
Export relevant contacts or calendar entries from your personal email into your business email account. You could consider doing this for all your emails if that is helpful.
Let people know. Set up an auto-reply to let people know your email has changed and you will reply from your new business email, or you can send out an email to your contacts to let them know. Be sure to also update things like your website, social media, and anywhere else your old email is listed.
Make sure the password to your personal email account is only known by you (or reset it if unsure), store the password in your password manager, and ensure 2FA is turned on. This cleans up any lingering access others might have had, and gives you full control over that account again.
Change the email account for the accounts and tools used for your business. While any emails that come through for these accounts will be forwarded, it is a good exercise to completely decouple your personal email from your new business email.
While the steps for migrating across are straightforward, the tail on this drags out for a bit, and it might be a while until everyone is using your new email address—newsletters, business accounts, and old customers will need updating, and those emails don’t always arrive on a regular basis.
After picking your provider, set up your own security first. Just like oxygen masks on an airplane, you need to help yourself before assisting others. Not only will you be more familiar with what you are asking your employees to do, but you also are one of the biggest and most valuable targets in the business.
Secure yourself first by taking these steps:
Set a unique and strong password.
Set up strong 2FA.
Store your backup two-factor codes in your password manager.
Provide an account recovery phone number and backup email.
We covered why these steps are so important back in Part I.
As a small business owner, there are a few extra reasons why these steps matter:
Going through the process yourself makes it so you know what your employees can expect. Was a process particularly challenging to set up? Was there an easy way you found to set it up for yourself?
This is a great way to lead your employees by example. It is the start of a “security culture” in your small business that says, “Hey, email is important to us and we need to protect it. Here is how.”
You would probably be surprised to hear that even larger organizations struggle to echo a positive security culture—despite being in charge of lots of data, money, and users. It all starts with the leaders, and what they have to say.
Definition More importantly, you will likely be the administrator, or the person who can make a lot of key configurations or changes that impact all the inboxes, users, and domains.
danger Administrator access is sacred and needs to be protected more than that of an employee who has access to an inbox and nothing else. Administrator users on your business account are also a very attractive target for attackers. That doesn’t mean the employee users don’t need to worry about security; both account types are valuable, just in different ways and for different uses.
Now that you have an email domain set up, it’s time to ensure your email is protected. Whether it’s brand new or you set up a business email domain in the past, you can revisit these steps:
Set a strong password policy.
Require 2FA for all users.