Beyond Spam Filters: Advanced Techniques for Email Security

Why is email security important?

Emails are one of the easiest routes for hackers to spread malware or for criminals to undertake scams. Malware can be very sophisticated, often loading ransomware or viruses which have the ability to access data or disable your systems. Attackers are increasingly finding new and more complex ways to exploit our reliance on emails and the fact that busy humans often cut corners and don’t follow security protocols.

Most cyber-attacks arrive by email, in the form of phishing emails. Whilst email may be the ‘way in’ to the network for attackers, it is not simply business data that can be breached. If an attacker accesses your network, they may also be able to access your financial information, bank accounts, social networking accounts and any of the many Internet of Things (IoT) devices managed online.

Email safety is therefore extremely important to all organisations, regardless of size.

How can I remove the threat from emails?

It is unlikely that any system or training will remove the threat of attacks on our networks via emails entirely. The key to stopping email threats from becoming actual attacks is relatively simple: implement strong email security protocols and use email security software and tools. There are also some easy steps that users can undertake, but they need to be taken all of the time and with regular reminders and follow-ups.

It is recommended that organisations consider undertaking Cyber Essentials or Cyber Essentials Plus accreditation. These are both Government-backed schemes that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber-attacks. Not only will the accreditation assist you and your staff in understanding threats and preventing security breaches, it will also reassure customers and suppliers that you take cybersecurity seriously.

What security tools should I have in place?

As with any security system, there are many options, some more effective than others. It is worth talking to experts such as Mintivo to discuss the best solutions for your particular business and for them to check if you have already been targeted.

These tools work alongside any protocols or training that you put in place for your team. The tools usually suggested are:

  • Antimalware – a software program which will protect your IT systems by preventing, detecting and removing malware.
  • Antispam – this software aims to block potentially dangerous emails from inboxes.
  • Antivirus – this can be one or many programs which are designed to prevent, search for, detect and remove viruses such as worms or trojans.
  • Email filtering – an email filtering service will check inbound and outbound email traffic, scanning messages to classify them into categories such as spam, malware, adult, virus or suspicious links.
  • Email security gateways – sometimes known as SEGs, these devices or software also monitor emails being sent and received in a similar way to email filtering. They tend to sit inline on an email’s path from the public internet to a corporate email server, so may be less effective with cloud-based email solutions.
  • Email Monitoring systems – whilst many monitoring systems ensure that your mail server runs smoothly, checking volume and storage capacity, they can also assist with security.
  • Firewalls – filter spam following a set of rules created by the email server.
  • Endpoint protection – possibly one of the most important parts of your security. Endpoint security helps keep all the devices that connect to your network secure by detecting suspicious activity – scanning files, networks and websites for potentially malicious activity and preventing malware from being delivered or downloaded to devices – no matter where employees are.

What other email best practices should I implement?

As organisations rely heavily on emails as a means of communication with customers, partners, suppliers and between team members, it is essential that an email protocol is put into place and adhered to. The weakest links in any cyber security protocol or best practice are your team, and succumbing to an erroneous email is all too easy when staff are busy and their focus may be elsewhere.

If you haven’t implemented any email protocols, we would suggest that you start with these:

1. Training your employees

Hold security awareness training, to outline to employees the security best practices that you expect. Update your staff handbook to outline these and ensure that staff are aware of the potential threats and why email security is so important to protecting your organisation and its reputation.

2. Strong passwords

Password security advice has tended to differ in recent years. It is no longer recommended to have a complex password, as it has been found that people end up writing them down or saving them insecurely elsewhere. The National Cyber Security Centre recommends using a separate, strong password specifically for your email account which should not be used elsewhere. In addition, it recommends using three random words to create a password which is difficult to guess, but perhaps easier for you to recall.

3. Password Management

Similarly, it used to be recommended that passwords should be changed regularly, but it was found that this led to simple passwords with only a number or digit changing each time. As easier passwords are more readily identified and exploited by attackers, keeping stronger passwords for longer is recommended. Passwords should not be reused across a variety of accounts. If one account is accessed by hackers, they can more easily obtain other data using the same credentials.

4. Use multifactor authentication (MFA)

MFA is the use of more than one method to authenticate the user’s right to access an account or website. This can include combining a user name and password with biometric (fingerprint or face recognition) software, or using specific MFA applications such as Microsoft Authenticator, which provide time-sensitive codes to be entered before access is given to the account.

5. Be aware of phishing, spear and whaling emails

Phishing emails or schemes are becoming very sophisticated and realistic. These are emails that appear to be from a legitimate source and look genuine, but may direct you to an incorrect link or give you incorrect account details to pay money into. Phishing is not a targeted attack, whereas a spear phishing email is sent to a specific individual and a whaling email is an email that targets a high-ranking victim.

6. Consider attachments as potential threats

It is possible for attachments to contain malicious code which can be executed once opened. These may be inadvertently sent by a trusted source who has been attacked themselves. Whilst attachments with unusual extensions such as EXE (executable program), JAR (Java application program) or MSI (Windows installer) are often utilised by hackers, even standard Microsoft office extensions can carry hidden malicious code.
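A mail filter can apply this advice automatically. The following is an added example, not code from the original article or from Mintivo: it walks the attachments of a message, blocks the executable types named above (including double extensions such as `.pdf.exe`) and quarantines Office Open XML files that embed a VBA macro project. The verdict names, the sample message and the helper names are assumptions made for illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

RISKY_EXTENSIONS = {".exe", ".jar", ".msi"}  # the types named in the text
OOXML_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}

def has_vba_project(data):
    """True if an Office Open XML (zip) file embeds a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip container, e.g. legacy .doc (not inspected here)

def triage_attachments(raw):
    """Map each attachment filename in a raw message to a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = os.path.splitext(name)[1].lower()  # last extension decides
        if ext in RISKY_EXTENSIONS:
            verdicts[name] = "block"
        elif ext in OOXML_EXTENSIONS and has_vba_project(part.get_payload(decode=True) or b""):
            verdicts[name] = "quarantine"
        else:
            verdicts[name] = "allow"
    return verdicts

def _ooxml(members):
    """Build a constructed zip standing in for an Office document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in members:
            zf.writestr(member, b"constructed placeholder")
    return buf.getvalue()

def build_sample():
    """Constructed message with three harmless placeholder attachments."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "Invoice"
    m.set_content("Please see attached.")
    for name, data in [("invoice.pdf.exe", b"constructed"),
                       ("report.docm", _ooxml(["word/document.xml", "word/vbaProject.bin"])),
                       ("notes.docx", _ooxml(["word/document.xml"]))]:
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()
```

Calling `triage_attachments(build_sample())` returns one verdict per attachment. An "allow" verdict only means these two checks found nothing, so antimalware scanning should still run on the file.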

7. Don’t click hyperlinks

Whilst these can be useful and timesaving when sent by trusted sources, links can easily be sent by criminals that lead to a different web domain from the one they appear to point to. Hovering over a link will display the actual domain it will take you to, although this can still replicate a correct domain name. If there is any doubt, type the domain into a browser and avoid clicking any links within emails.

8. Keep business and personal emails separate

It is recommended that organisations ensure that their staff don’t use business emails for personal use and vice versa. Personal email accounts are likely to have much weaker security than that of an organisation, and therefore any business emails sent from a personal account could be more easily compromised.

9. Specified device usage

It has become the norm for people to use their own devices for work use – often referred to as bring your own device (BYOD). If company emails are opened on a device that doesn’t have suitable security controls, credentials, emails and data could be targeted. It is important therefore to set out acceptable devices for use.

10. Use encryption

If an email is encrypted it means that the plain text it is written in will be converted to ciphertext. This means that if the email is intercepted, it won’t be readable. It is good practice to encrypt attachments for the same reason. Whilst email services offer encryption for messages, it is recommended that encryption also occurs between the email provider and the organisation.

11. Avoid public Wi-Fi and use VPNs

Public Wi-Fi is provided to make life easier for users, but it can make it easier for attackers to access information, too. Anyone using the open Wi-Fi network could access emails and account credentials, so it is particularly important for employees not to use public Wi-Fi for business emails. Using a business Virtual Private Network (VPN) can securely connect users to an organisation’s data, tools, applications and resources whilst working remotely. A personal VPN, however, tends to only mask IP addresses and keep identities private, as it lacks the more advanced security features of a business VPN which are needed by organisations.

12. Logging out

Whilst it may seem obvious, if users have logged out of their accounts when they are not in use, it will prevent others accessing them and causing security breaches.

How can Mintivo help?

There are a number of ways that Mintivo can help. If you are concerned about the risks to your business, we can offer a Risks & Recommendations Audit which will consider all aspects of your IT security, but if you’d like to initially chat through your email security concerns, please contact us and one of our friendly and expert team members will give you a call.
