Address users impacted by IMAP and POP turn-offs


By Carlota Sage, guest columnist

In my series so far, we’ve discussed choosing your productivity platform and turning on multi-factor authentication (MFA). But in order for MFA to fully protect your email platform, you need to turn off IMAP and POP – both of these legacy protocols bypass MFA when logging into email. Last week, I talked about how to communicate to users that you’re turning on MFA. As with turning on MFA, turning off IMAP and POP needs to be communicated well, and well ahead of the turn-off date.

Here are a few things to consider:

Who will likely be affected?

In my experience, the users most likely to be impacted by turning off IMAP and POP are the C-Suite and the Sales and Marketing teams, but anyone using a third-party desktop client, such as Apple’s Mail client, will be affected. It’s much more difficult to get buy-in to turn off IMAP and POP when your Sales team is convinced they won’t be able to do their job as well and sales will take a dive, or your C-Suite simply refuses to learn another email interface.

What’s the best way to communicate this?

That depends on your internal audience. If they’re a group that is resistant to change, make sure this change is a part of your general MFA rollout. If they’re a group that is comfortable with a more fluid environment, it’s okay to roll this change out separately.

As for timing, I have my own 3-2-1 rule when it comes to communication – if possible, your communication schedule should have messaging at 3-2-1 months out and 3-2-1 days out. The larger the organization, the more important it is to be constant and consistent with your messaging.

What if I just cannot get buy-in?

If the pushback on this one is really over the top, you can disable IMAP and POP in general and enable it for specific people in both Google Workspace and MS 365. But absolutely do not go this route without creating a risk register or risk memo and having the CEO sign off on it, along with each individual user for whom this is enabled. I cannot overstate the risk associated with bypassing MFA.
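Here is what the "disable in general, enable for specific people" approach looks like in Exchange Online PowerShell. This is an added example, not from the column or from Microsoft; it assumes the Exchange Online Management module is installed and that the exception list (constructed here, hypothetical mailboxes) matches the users named in your signed risk memo. Google Workspace has an equivalent per-organizational-unit setting in the Admin console, but that is a UI change and is not shown here.

```powershell
# Added example (not from the column): turn off IMAP and POP tenant-wide in
# Exchange Online, then re-enable them only for the approved exceptions.
# Assumes: Install-Module ExchangeOnlineManagement has already been run.
Connect-ExchangeOnline

# Hypothetical exception list; every entry should appear in the signed risk memo.
$approvedExceptions = @(
    "ceo@example.com",
    "sales.director@example.com"
)

# 1. Make the tenant default "off" so newly created mailboxes never get IMAP/POP.
Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

# 2. Turn both protocols off for every existing mailbox.
Get-CASMailbox -ResultSize Unlimited |
    Set-CASMailbox -ImapEnabled $false -PopEnabled $false

# 3. Re-enable only for the approved exceptions, one by one.
foreach ($user in $approvedExceptions) {
    Set-CASMailbox -Identity $user -ImapEnabled $true -PopEnabled $true
}

# 4. Verification: list every mailbox that still has IMAP or POP on.
#    This list should match $approvedExceptions exactly; anything else is a gap.
$stillEnabled = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Select-Object PrimarySmtpAddress, ImapEnabled, PopEnabled

$stillEnabled | Format-Table -AutoSize

$unexpected = $stillEnabled |
    Where-Object { $approvedExceptions -notcontains $_.PrimarySmtpAddress }
if ($unexpected) {
    Write-Warning "Mailboxes with IMAP/POP enabled that are NOT on the exception list:"
    $unexpected | Format-Table -AutoSize
}

Disconnect-ExchangeOnline -Confirm:$false
```

Step 4 is the part worth re-running on a schedule: the exception list in the risk memo and the list of mailboxes with the protocols enabled should never drift apart, and a mailbox that shows up in the "unexpected" output is one that someone turned on outside the sign-off process.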

Email is critical to your business. Protect it as such.

Even after turning off IMAP and POP, I recommend additional mitigation controls to protect email, especially for MS 365. More importantly, I do not recommend relying on Microsoft tools to protect your 365 instance, but suggest Greathorn, Mimecast, Proofpoint, or some other third-party email security.

Communication is the lifeblood of any company; compromising your email system can give attackers rich insight into everything you do. It’s a very desirable target – protect it accordingly!