It’s almost a cliché now to say that email has become a leading business communication tool because we’re all deeply familiar with the important role it plays in facilitating the exchange of information between businesses and their customers and partners.
The importance of email makes it a prime target for cybercriminal activity. It’s estimated that over 90 percent of all cyber attacks begin with a malicious email sent to an unsuspecting victim, and both large enterprises and small and midsize businesses are commonly targeted.
To protect themselves against email-based threats, businesses need to proactively strengthen their defenses by implementing the email security best practices described below.
A study by Custard Technical Services revealed that weak email passwords accounted for nearly all security breaches in the workplace that were reported last year. Apparently, many businesses still protect their email accounts with passwords like “12345,” “qwerty,” or “password,” making it way too easy for cybercriminals to brute force their way in.
To address this problem, businesses should enforce strong passwords and combine them with multi-factor authentication. On its own, a strong password like “42sjg31of@#5r” protects against brute force attacks, but it doesn’t protect against password theft, which is where the requirement to present at least one additional piece of evidence during authentication in the form of a one-time password or SMS code comes in.
Phishing scams have become so widespread and costly because small and midsize businesses often make it way too easy for cybercriminals to spoof their domain names in order to craft malicious messages that appear as if they were sent by a legitimate sender. How exactly do they make it easy? By not authenticating messages with SPF, DKIM, and DMARC.
The three confusing acronyms stand for Sender Policy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication, Reporting & Conformance. Together, they are used to authenticate and digitally sign messages to make it impossible for attackers to forge the “From” address. When configured correctly, they also increase deliverability, so messages won’t end up in the recipients’ spam folders.
Electronic messages travel across the public internet, hopping from server to server until they reach their destinations. Unless encrypted, they can be intercepted along the way and tampered with. Fortunately, virtually all reputable business email providers encrypt messages by default when they are in transit using cryptographic protocols like Transport Layer Security (TLS).
To go a step further, businesses can also encrypt messages at rest using technologies like S/MIME encryption and Microsoft 365 Message Encryption (available only to Microsoft 365 subscribers). At rest encryption essentially converts the text of an email message along with all metadata into scrambled cipher text that can be deciphered only using the correct decryption key. As a result, the message can’t be read even by an attacker with direct access to the inbox.
It’s fairly common for small and midsize businesses to not feel the need to set out expectations on acceptable use of email at work by creating a comprehensive email policy, but that’s a huge mistake, and its consequences can be far-reaching.
At the very least, all businesses should prohibit employees from using their work email for personal purposes, such as online shopping and communication with friends. Employees should also not be allowed to open their inboxes on devices that have not been approved by the IT team because such devices may be unsecure and infected with malware. Mobile devices (especially those running the Android operating system) are no exception in this regard.
Effective email security strategies always include multiple layers of defense, and one of them should be the active scanning of incoming messages to protect against malicious links leading to credential-stealing websites and attachments containing dangerous malware.
Microsoft, for example, protects Office 365 users by automatically performing anti-spam and anti-malware scans of inbound email messages and providing features like Safe Attachments and Safe Links to give businesses extra protection against malicious attachments and links, respectively.
Email retention periods required by various regulations for different message types can range anywhere from a few months to multiple years. To make things easier for themselves, many businesses store all messages to the maximum retention period even though they technically don’t have to. Unfortunately, there are two major problems with this approach. First, it greatly increases the total size of stored messages. Second, it makes potential data breaches more damaging.
Instead of using one retention setting for all messages, it’s much better to implement granular email retention policies by type of content. Yes, their initial setup does take some extra time and effort, but they seldom need to be updated once they’re up and running.
Employees who are not aware of the existence of phishing scams, malware disguised as legitimate attachments, and other common email threats are easy prey for today’s cybercriminals. Since the strength of the cybersecurity defense chain is always determined by the strength of its weakest link, it’s a good idea for businesses of all sizes to invest in email security training.
Instead of boring employees with stale PowerPoint presentations, it’s usually possible to achieve better results by giving them access to a self-paced online course that’s split into bite-sized lessons. The course can be complemented by phishing simulations designed to put employees’ newly acquired email security knowledge to a test.
Electronic mail may be more than half a century old, but email security is still a hot topic because of how ubiquitous email has become as a business communication tool. Small and midsize businesses that are still relying on outdated email security practices should update them as soon as possible because most cyber attacks these days begin with a malicious message.
Aligned Technology Solutions can help you implement the best practices described in this article so that you can keep all email-based cyber threats at bay and focus on what you do best—making your customers satisfied. Contact us to book a free consultation.