Aug 15, 2023
Despite email providers’ best efforts, business email is still a prime target for cybercriminals. Attacks targeting email accounts rose by 48% in the first six months of 2022 alone [1], including 2.8 billion malware attacks and 255 million phishing attacks [2].
Email is critical to business success, so staying on top of email security best practices can help protect your sensitive data and keep your network malware-free. If you’re due for a refresher, here are eight essential email security practices to incorporate today:
As your first line of defense against cyber attacks, your employees can only protect your business if they know what to look out for. Conduct employee training regularly to educate your staff about email security best practices, potential security risks, and each individual’s role in maintaining security.
Granite provides cyber security training to help organizations teach employees about protecting email accounts with strong passwords, avoiding suspicious links or attachments, and what to do if they encounter an attack. By promoting these best practices, you can strengthen your overall security posture and foster a more security-conscious culture among your workforce.
Weak passwords contribute to 30% of data breaches [3], so encouraging employees to create strong passwords is a must. But while experts previously believed complex passwords were the solution, password security advice has changed in recent years. Forcing your staff to create a complex password (e.g., *_8bPr@3%2Km) without a password manager often results in employees forgetting it or writing it on a sticky note.
Current National Institute of Standards and Technology (NIST) recommendations include:
Passphrases combine several words, such as loveMountaincliMbing, and are one method for making passwords that are easy for your staff to remember but difficult for hackers to guess. Plug this example into Security.org’s password security tool, and you’ll see that it would take a computer 16 quadrillion years to crack it. Compare that to 34,000 years for our previous example, *_8bPr@3%2Km.
Stringing together unrelated words can help your employees create even stronger passwords. For example, the passphrase cliMbingaMberbuMpydruMs would take 2 sextillion years for a computer to guess, according to Security.org.
If your password policy still requires special characters in passwords or prohibits consecutively repeated characters, it may be time for a change. NIST recommends emphasizing password length over complexity to make it easier for your employees to follow password security guidelines.
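The contrast above, as an added example that is not code from the Granite post: a legacy complexity rule (character classes, no repeated characters) next to a length-first check in the spirit of NIST SP 800-63B (length bounds, a blocklist of common passwords, no composition rules), plus a rough search-space estimate that shows why the longer passphrase wins. The blocklist is a constructed stand-in for a real breached-password list, and the bit counts are a brute-force estimate, not Security.org’s figures.

```python
"""Legacy complexity policy beside a NIST SP 800-63B-style length-first check.

Added example, not code from the Granite post.  COMMON_PASSWORDS is a tiny
constructed sample; a real deployment checks a large breached-password corpus.
"""
import math
import string
from typing import Tuple

# Constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def legacy_complexity_ok(pw: str) -> bool:
    """Old-style rule: 8+ chars, upper, lower, digit, special, no repeated char."""
    if len(pw) < 8:
        return False
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if not all(classes):
        return False
    # Reject consecutively repeated characters such as "aa".
    return all(a != b for a, b in zip(pw, pw[1:]))


def nist_ok(pw: str, min_len: int = 8, max_len: int = 64) -> Tuple[bool, str]:
    """Length-first check: sane length bounds, blocklist, no composition rules,
    spaces and any printable character allowed."""
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(pw) > max_len:
        return False, f"longer than {max_len} characters"
    if pw.lower() in COMMON_PASSWORDS:
        return False, "appears on the common-password blocklist"
    return True, "ok"


def search_space_bits(pw: str) -> float:
    """Rough brute-force cost: log2(alphabet_size ** length), with the alphabet
    inferred from the character classes the password actually uses."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33
    return len(pw) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    for candidate in ("*_8bPr@3%2Km", "loveMountaincliMbing", "cliMbingaMberbuMpydruMs"):
        print(candidate, legacy_complexity_ok(candidate), nist_ok(candidate),
              round(search_space_bits(candidate), 1), "bits")
```

The passphrase fails the legacy rule (no digit or special character) yet passes the length-first check and has a far larger search space than the 12-character complex password; the policy that rejects it is the one that needs changing.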
Employees using the same passwords for multiple accounts can pose a major threat to your network. If one account, personal or corporate, is compromised, hackers can easily gain access to any other account using that password.
Encourage your staff to use unique passwords for each account. Since this can be tough for users with dozens or hundreds of logins to remember, using a password manager or implementing single sign-on can help.
Multi-factor authentication (MFA) and two-factor authentication (2FA) require multiple authentication methods to verify a user’s identity, such as a one-time code or fingerprint biometric, in addition to a username and password. MFA helps businesses defend against common email security issues like brute force attacks and can block over 99.9% of account compromise attacks [4].
Implementing MFA across your organization typically takes several steps, but you can simplify the process by:
Minimize disruptions to your staff by introducing MFA gradually. Start by implementing MFA for your most critical systems, administrative accounts, and privileged user accounts, then expand it to cover more applications and business email accounts.
Set a deadline for your employees to enroll in MFA and make it mandatory. The enrollment process should be user-friendly, but make sure to provide assistance to users who may struggle to adapt to newer technologies.
Regularly update and patch your MFA solutions to address any new security vulnerabilities, and stay informed about the latest best practices to get the most out of your MFA implementation.
Employees shouldn’t use a business email account to send personal emails and vice versa (no sending work-related emails from personal accounts!). Mixing personal and business matters can contribute to security risks like spear phishing (more on that in the next section), so make sure to outline your email use policies and restrictions.
While many email security measures aim to prevent spam from reaching your employees, phishing emails can still slip through these defenses. Phishing scams are becoming increasingly common, so much so that they make up 36% of all data breach attacks in the U.S. [5]
Keep your employees educated on how to identify and report a phishing attack, which can include:
General phishing campaigns aim to trick users into revealing sensitive information, such as credentials, credit card details, or Social Security numbers. They’re often designed to impersonate a reputable person or business and include a sense of urgency to encourage recipients to click on malicious links or attachments.
While general phishing attempts are sent to multiple recipients at once, spear phishing emails are highly personalized to target a specific person. Attackers research the recipient to make their scam more convincing, and these emails typically appear to come from someone their target trusts, such as a manager or coworker.
Whaling attacks focus on high-profile targets within an organization, including senior executives or other employees with access to sensitive information or financial details. Attackers impersonate CEOs, CFOs, or other top-level executives to trick recipients into sharing confidential data or authorizing fraudulent transactions.
Pharming attacks aim to redirect recipients to malicious websites that mimic legitimate ones. Phishing emails can be used to initiate pharming attempts by convincing your employees to click on a harmful link, which then redirects them to a fake website designed to steal personally identifiable information, financial information, or other data.
Email scams often include attachments that contain malicious code. Anti-malware software can detect and block malicious sources, but sometimes these attachments are sent by trusted sources that were exploited by hackers. No matter the source, employees should be wary of suspicious messages and only open attachments after scanning them with an anti-malware program – or avoid opening them altogether.
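A simple triage pass that a mail gateway or help desk can run over an inbound message before anyone opens its attachments, as an added example that is not code from the Granite post. It uses the standard-library email parser and flags the classic warning signs: executable or macro-enabled extensions, double extensions such as invoice.pdf.exe, archives that hide their contents, and a declared content type that does not match the file’s leading bytes. The message, addresses and attachments are constructed, and the rules are a starting point beside a real anti-malware scanner, not a substitute for one.

```python
"""Inbound attachment triage with the standard-library email parser (added example)."""
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

RISKY_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta",
             "jar", "docm", "xlsm", "iso", "lnk"}
ARCHIVE_EXT = {"zip", "7z", "rar"}
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "txt"}
# Leading bytes that identify a file regardless of its name.
MAGIC = {b"MZ": "application/x-dosexec",
         b"%PDF": "application/pdf",
         b"PK\x03\x04": "application/zip"}
ZIP_BASED = {"docx", "xlsx", "pptx", "zip"}   # legitimately start with PK


def sniff(data: bytes) -> Optional[str]:
    """Identify content by magic bytes; None if unknown."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def triage_attachment(filename: str, declared_type: str, data: bytes) -> List[str]:
    """Return the reasons to hold this attachment (empty list = nothing seen)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXT:
        reasons.append(f"executable or macro-enabled type .{ext}")
    if len(parts) > 2 and parts[-2] in DECOY_EXT:
        reasons.append(f"double extension {filename}")
    if ext in ARCHIVE_EXT:
        reasons.append("archive: contents must be scanned individually")
    actual = sniff(data)
    if actual == "application/x-dosexec":
        reasons.append("content is a Windows executable (MZ header)")
    if actual and actual != declared_type and not (actual == "application/zip" and ext in ZIP_BASED):
        reasons.append(f"declared {declared_type} but content looks like {actual}")
    return reasons


def triage_message(raw: bytes) -> Dict[str, List[str]]:
    """Map each attachment filename to its list of warnings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        part.get_filename(): triage_attachment(
            part.get_filename(), part.get_content_type(), part.get_payload(decode=True))
        for part in msg.iter_attachments()
    }


def build_sample() -> bytes:
    """Constructed message: a harmless PDF and an executable dressed as a PDF."""
    m = EmailMessage()
    m["From"] = "vendor@example.net"
    m["To"] = "ap@example.com"
    m["Subject"] = "Invoice 4412"
    m.set_content("Please see attached.")
    m.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf",
                     filename="invoice.pdf")
    m.add_attachment(b"MZ\x90\x00fake", maintype="application", subtype="pdf",
                     filename="invoice.pdf.exe")
    return bytes(m)


if __name__ == "__main__":
    for name, warnings in triage_message(build_sample()).items():
        print(name, "->", warnings or "no warnings")
```

The point of checking the leading bytes is that a sender who was compromised, as the section notes, can relabel anything; the filename and the declared MIME type are both attacker-controlled, the first bytes of the payload are not.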
A recent survey found that 43% of employees have been targeted for work-related phishing attacks on a personal device [6]. With hybrid and remote work on the rise, many employees use a personal mobile phone or laptop to access business emails. Ensure these devices are secure by:
Develop a BYOD policy that outlines the acceptable use, security requirements, and responsibilities for any employee using their own device for work. The policy should cover device security settings, software updates, data protection, and user responsibilities.
Your employees should have strong security settings enabled on any device used for work purposes, including biometric authentication methods (fingerprint, facial recognition), device encryption, and automatic lock screens after a period of inactivity.
Keeping devices updated with the latest operating system patches, security updates, and application updates is integral for protecting against new cyber threats. Encourage employees to enable automatic updates whenever possible so that their devices always have the latest security tools in place.
When an employee logs into their business email using a public Wi-Fi connection, anyone on that network can access their email. Malicious parties often use open-source packet sniffers to monitor and access personal information via email. Even if your remote employees don’t actively check email on public Wi-Fi networks, nearly every service automatically updates inboxes when a device connects to a network. Ensure your employees only use secure, trusted Wi-Fi networks to check emails and update their inboxes.
Implementing proper email security protocols can help to safeguard your sensitive data. These protocols include:
DKIM, which stands for DomainKeys Identified Mail, verifies the authenticity of emails. It uses cryptographic techniques to check if an email originated from the domain it says it’s sent from to prevent email spoofing.
The Sender Policy Framework (SPF) verifies whether a source is authorized to send an email from that domain. It allows domain owners to specify which mail servers can send emails on their behalf, making it easier for receiving mail servers to verify an incoming email’s authenticity.
DMARC, or Domain-based Message Authentication, Reporting, and Conformance, builds on DKIM and SPF by giving domain owners more control and visibility over how their domains are used in email. Using DMARC, a domain owner publishes DKIM and SPF requirements and specifies what receiving servers should do with messages that fail to meet them.
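How SPF and DMARC fit together on the receiving side, as an added example that is not code from the Granite post: a small SPF evaluator (ip4/ip6 terms, include, the -all/~all terminator), a DMARC record parser, and the identifier-alignment test that decides whether an SPF or DKIM pass actually counts for the domain in the From: header. DNS is replaced by an in-memory table of constructed records for example domains, the DKIM signature result is passed in as an input (verifying the signature itself needs the signing domain’s RSA or Ed25519 key), and the organizational-domain rule is a toy last-two-labels version of what real software derives from the Public Suffix List.

```python
"""Toy SPF check plus DMARC alignment and disposition (added example).

Constructed records stand in for DNS TXT lookups; a real verifier resolves
them, enforces the 10-lookup limit and handles redirect=, exists:, a/mx terms.
"""
import ipaddress
from typing import Dict, Optional, Tuple

DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc@example.com",
}


def spf_check(domain: str, sender_ip: str, depth: int = 0) -> str:
    """'pass', 'fail' or 'none' for sender_ip against the domain's SPF record."""
    record = DNS_TXT.get(domain)
    if not record or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.startswith("include:"):
            if spf_check(term[len("include:"):], sender_ip, depth + 1) == "pass":
                return "pass"
        elif term in ("-all", "~all"):      # softfail treated as fail here
            return "fail"
        elif term == "+all":
            return "pass"
    return "none"


def parse_tags(record: str) -> Dict[str, str]:
    """Parse the 'k=v; k=v' syntax of a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Toy organizational domain: last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts any subdomain
    of the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain: str, sender_ip: str, spf_domain: str,
                   dkim_domain: Optional[str], dkim_result: str) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the envelope-from (MAIL FROM) domain; dkim_domain is the
    d= of a signature that verified, or None."""
    record = DNS_TXT.get(f"_dmarc.{from_domain}") or DNS_TXT.get(f"_dmarc.{org_domain(from_domain)}")
    if not record or not record.startswith("v=DMARC1"):
        return "none", "none"
    tags = parse_tags(record)
    spf_ok = (spf_check(spf_domain, sender_ip) == "pass"
              and aligned(spf_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags.get("p", "none")
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]                 # subdomain policy, if published
    return "fail", policy if policy in ("none", "quarantine", "reject") else "none"


if __name__ == "__main__":
    print(dmarc_evaluate("example.com", "203.0.113.5", "example.com", "example.com", "pass"))
    print(dmarc_evaluate("example.com", "192.0.2.7", "attacker.example", None, "fail"))
```

The third kind of case worth noticing is a message that passes SPF for a third-party sending domain yet still fails DMARC: without alignment, any domain with a valid SPF record could put your domain in the From: header, which is exactly what DMARC exists to stop.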
Beyond implementing email security protocols, there are several tools you can use to help maintain email security across your workforce. Popular email security solutions include:
Anti-malware software filters out unsolicited or malicious emails using machine learning (ML) algorithms and content analysis. These tools can identify and block spam emails, phishing attempts, and potentially harmful attachments or links to reduce the risk of your workers falling victim to scams or accidentally downloading malicious files.
Antivirus software uses signature-based detection to identify known viruses by comparing the characteristics of files and programs against a database of virus signatures. These tools provide real-time protection against viruses by actively scanning and analyzing files and programs as your employees access them.
VPNs create a secure connection between your network and employee devices. Any information transmitted over a VPN connection is encrypted, including email messages, attachments, and any other data exchanged between the device and email server.
Protecting your network from cyber attacks should be a top priority, no matter the size of your business. If you need support implementing these email security best practices or guidance on finding the best solutions to protect your network, Granite can help.
We’ve served clients throughout Montana and the surrounding states for over 25 years with end-to-end technology solutions supported by people who care. We have the experience and knowledge needed to ensure your business is as secure as possible with services including:
Get in touch with our security experts today to learn more about how we can help keep your business – and your sensitive information – safe.
Sources: