These email data security best practices will help your employees and company stay safe all year long
When we were kids, many of us were taught by family or teachers not to talk to strangers. Yet, somehow, in the virtual world of the Internet, people seem to have forgotten this essential lesson of “stranger danger” and willingly open and act on emails from senders they have never heard of. This puts your customers, data, and organization as a whole in danger, which is why implementing email security best practices is so vital.
It seems like every day a new type of phishing attack or malicious spam (“malspam”) campaign is making headlines. Most recently, a new form of malware named GermanWiper has been targeting primarily German businesses. Like most ransomware, it tampers with the victims’ files and demands payment for their safe return. However, rather than encrypting the data like traditional ransomware, this non-traditional ransomware overwrites the contents of the files with zeros, destroying the data outright, so paying the ransom cannot bring it back.
Despite leading cyber security companies shouting from the rooftops about the importance of email data security and promoting the use of employee awareness training and implementing other preventative measures, we continually see reports about businesses that have fallen victim to various types of phishing attacks and malicious spam email attacks. And the resulting losses are anything but “chump change” — these attacks have been known to result in tens of millions of dollars being lost to cybercriminals.
So, how can you help your company avoid the undesirable title of being the next victim of a data breach due to phishing, malspam, and other predatory tactics? By following email security best practices.
Let’s hash it out.
Email security best practices in 2019 that will strengthen your cyber defenses
AT&T Cybersecurity, formerly AlienVault, reminds us that to be compliant, enterprises are frequently required to host their own email servers rather than relying on third-party email services. This is a great thing if you’ve taken the time and invested the resources necessary to strengthen your defenses. However, it can be a bad thing if you haven’t bothered with those things and suddenly find your email under attack. Not only does this leave your data at risk, but it leaves your organization open to noncompliance fines, penalties, reputation loss, and lawsuits from customers whose data and information are affected.
As much as we’d like there to be, there’s no silver bullet — no one-size-fits-all approach to securing email communications to protect your company from those who attack via email. Unless, of course, you count not opening emails as an effective solution… But in our modern digital and connected world, that simply isn’t feasible.
This is why a multi-layered approach to cyber security is imperative. Many email-based cyberattacks fail outright when you and your employees follow set guidelines for the secure use of email. This list of best practices includes a combination of technologies that you should integrate as well as behaviors that you and your employees should adopt.
Looking for some good business email security best practices? Here are things you can do to protect your business from employees engaging with phishing emails, malspam, and other malicious messages:
Email security best practices tip #1: Create a comprehensive cyber security plan that includes email
Having a developed and comprehensive cyber security plan can help your business avoid or be prepared to face many of the threats that lurk online. No matter how big or small your organization is, if you don’t yet have a cyber security plan, you need to get one. Now.
If you’re not sure where to start when creating a cyber security plan, look at the Federal Communications Commission’s (FCC’s) Small Biz Cyber Planner 2.0. Though it was designed with small businesses in mind, this online resource helps organizations map out a customized cyber security planning guide. Just keep in mind that it is only a starting point and shouldn’t be your final product. Your cyber security strategy should include guidelines, policies, recommendations, and requirements regarding the implementation and use of technology, and that includes email communications.
Sadly, yes, we need to stipulate that, because some people (not you, of course) will just run with the content that’s provided by the FCC’s cyber planner tool. So be sure to really review, strategize, customize, and make the plan your own to suit the specific needs of your organization.
Email security best practices tip #2: Regularly hold employee cyber awareness training
Cyber security awareness training is vital for every employee at every level within every organization. It doesn’t matter whether you’re a Fortune 100 company or a small mom-and-pop operation, or whether you’re the CEO, a middle manager, or a staff assistant: you’re still a potential target for cybercriminals. This means you need to be able to properly react to email-based threats.
When one of your employees receives a phishing email with some type of an attachment, there are two main ways they can respond:
- The end user engages with the attachment, enabling their computer or device to become infected with malware, potentially resulting in a breach of your network or even a ransomware attack.
- They choose to flag the email as junk or spam — perhaps even taking a moment to send an email to your company’s IT team to let them know about what just occurred.
As the example above shows, effective cyber awareness training can help your employees learn to identify and safely handle spam and phishing emails. This includes training them to correctly flag spam and other malicious emails and to report them to IT. However, it’s essential to stress that this training is not a one-off solution. It’s something that continually needs to take place because email scam tactics have evolved well past the conventional “foreign prince” advance-fee scam we all know and (don’t) love. In fact, some phishing emails are so convincing that they can fool even experienced IT security experts and C-suite executives.
How you choose to implement the training is up to you. Some companies prefer computer-based training; others prefer face-to-face sessions or a combination of the two. Do whatever works best for your company and end users. Just be sure to keep doing it and to periodically test your employees with phishing simulations.
Cyber security awareness is like a muscle: The more you work it and keep it engaged, the stronger and more honed it will become. If you become complacent, the cyber security equivalent of a “couch potato,” you’ll see your employees’ sense of cyber awareness get “out of shape” and become ineffectual, leaving your organization defenseless against email-based cyber threats. I’d say nobody wants that, but then I’d be lying: cybercriminals are hoping for exactly that.
Email security best practices tip #3: Invest in quality antivirus measures
Many antivirus programs come equipped with many features, and mail filters and scanning capabilities for files and websites may be among them. If so, put these capabilities to work to your advantage. They can identify some forms of malware and other threats and help prevent your devices or network from becoming infected. If you can, hook the antivirus engine into your mail gateway or relay so that messages and attachments are scanned before delivery and potentially malicious emails are quarantined or rejected rather than landing in your (or your employees’) inboxes. Keep in mind what a gateway scanner cannot see: content inside encrypted messages and password-protected archives passes through unscanned, so endpoint protection and restrictions on risky attachment types still matter.
Really take the time to familiarize yourself with all of your antivirus program’s features. This way, you’re not paying for a system and end up leaving some of its benefits unused. Also make sure to include information about the antivirus program as part of your employee cyber training — after all, what’s the good in having a strong antivirus program if your end users are just going to ignore it?
Email security best practices tip #4: Create email blacklists and whitelists
If you aren’t already maintaining a current list of banned senders (a blacklist, or denylist), what are you waiting for? This list helps to prevent known spammers or cyber threats from ever making it through to your inbox. Whether you maintain it in-house or subscribe to a third-party blocklist authority (such as a DNS-based blocklist), just make sure that it’s being done at all. Entries can be maintained by domain, by individual email address, and by IP address or range.
Nearly as important is what’s referred to as a whitelist (or allowlist): the list of senders that are permitted through your filters and server. This list can be maintained through those same three components (domain, email address, and IP address/range). Two cautions apply. The sender address in an email is trivially forged, so an allowlist entry keyed on an address or domain should only be honored when the message also passes sender authentication (SPF, DKIM, or DMARC); otherwise an attacker simply spoofs a partner’s address to skip your filters. And when a sender matches both lists, let the denylist win. Allowlisted senders should skip spam scoring, not malware scanning.
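The following is an added example, not code from the original article, showing how the denylist and allowlist described above can be matched by exact address, by domain (including subdomains), and by connecting-client IP range, together with the decision a mail gateway would make before handing a message on to spam and malware scanning. The addresses, domains and IP ranges are constructed for illustration (the ranges are the RFC 5737 documentation networks), and the “authenticated” flag stands in for the result of an SPF/DKIM/DMARC check performed elsewhere.

```python
"""Added example, not code from the original article: a sender denylist and
allowlist matched by exact address, by domain (including subdomains) and by
connecting-client IP range, with the decision logic a mail gateway would run
before spam and malware scanning. All addresses, domains and networks are
constructed for illustration (the IP ranges are RFC 5737 documentation ranges)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple


@dataclass
class AccessList:
    addresses: Set[str] = field(default_factory=set)  # exact sender addresses
    domains: Set[str] = field(default_factory=set)    # sender domains and their subdomains
    networks: list = field(default_factory=list)      # connecting-client IP networks

    @classmethod
    def build(cls, addresses: Iterable[str] = (), domains: Iterable[str] = (),
              networks: Iterable[str] = ()) -> "AccessList":
        return cls(
            {a.lower() for a in addresses},
            {d.lower().lstrip(".") for d in domains},
            [ipaddress.ip_network(n, strict=False) for n in networks],
        )

    def match(self, sender: str, client_ip: str) -> Optional[str]:
        """Return a description of the first matching entry, or None."""
        sender = sender.lower()
        if sender in self.addresses:
            return "address " + sender
        domain = sender.rpartition("@")[2]
        for d in sorted(self.domains, key=len, reverse=True):  # most specific first
            if domain == d or domain.endswith("." + d):
                return "domain " + d
        ip = ipaddress.ip_address(client_ip)
        for net in self.networks:
            if ip in net:
                return "network " + str(net)
        return None


def decide(sender: str, client_ip: str, authenticated: bool,
           deny: AccessList, allow: AccessList) -> Tuple[str, Optional[str]]:
    """Gateway decision: 'reject', 'accept' (skip spam scoring only) or 'scan'.

    The denylist wins on conflict. An allowlist hit keyed on the sender address
    or domain is honored only when the message passed sender authentication
    (SPF/DKIM/DMARC, passed in here as a boolean) because the From address is
    trivially forged. A hit on the connecting client's IP needs no such check.
    """
    hit = deny.match(sender, client_ip)
    if hit:
        return "reject", hit
    hit = allow.match(sender, client_ip)
    if hit and (authenticated or hit.startswith("network ")):
        return "accept", hit
    return "scan", None


# Constructed lists and SMTP sessions for demonstration.
DENY = AccessList.build(addresses=["promo@spam-example.test"],
                        domains=["badmail.example"], networks=["203.0.113.0/24"])
ALLOW = AccessList.build(addresses=["invoices@partner.example"],
                         domains=["corp.example"], networks=["192.0.2.0/24"])

SESSIONS = [  # (sender, connecting client IP, passed SPF/DKIM)
    ("promo@spam-example.test", "198.51.100.5", True),
    ("news@mail.badmail.example", "198.51.100.5", True),
    ("anyone@whatever.example", "203.0.113.77", True),
    ("invoices@partner.example", "198.51.100.5", True),
    ("invoices@partner.example", "198.51.100.5", False),  # spoofed partner address
    ("alice@hr.corp.example", "198.51.100.5", True),
    ("stranger@else.example", "192.0.2.10", False),
    ("stranger@else.example", "198.51.100.5", True),
]


def run_sessions() -> List[Tuple[str, str, Optional[str]]]:
    """Apply the decision to every constructed session."""
    return [(sender, *decide(sender, ip, auth, DENY, ALLOW)) for sender, ip, auth in SESSIONS]


if __name__ == "__main__":
    for sender, action, reason in run_sessions():
        print(f"{sender:28} -> {action:6} {reason or ''}")
```

Note the fifth session: the same partner address that is accepted when authenticated falls back to ordinary scanning when the SPF/DKIM check did not pass, which is the whole point of tying address-based allowlisting to sender authentication.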
Email security best practices tip #5: Use strong, hard-to-guess passwords
Cyberattacks frequently involve credential compromise because it provides the greatest access for the attacker. Wombat Security’s 2019 State of the Phish report shows that credential compromise increased by more than 70% since 2017. Verizon’s 2019 Data Breach Investigations Report (DBIR) shows a “98% rise of compromise of web-based email accounts using stolen credentials – seen in 60% of attacks involving hacking a web application.”
These statistics underscore the importance of having a complex, hard-to-guess password. After all, what’s the point in investing thousands of dollars every year in IT security measures if you’re simply going to hand a hacker the keys to your kingdom? A strong password is one that:
- Includes a combination of upper and lowercase letters, numbers, and symbols.
- Avoids using words that can be found in the dictionary.
- Does not include the names of your pets, family members, favorite teams, or other information that can be found easily on your social media profiles.
Password-guessing tools can submit hundreds or even thousands of guesses per minute against a login page, and against a stolen password hash, offline cracking tools test millions of candidates per second. If you want to use words that are semi-easy to remember, interspersing numbers or symbols in place of letters, for example K17tyC@t! instead of kittycat or I<3C@tSs0Muc# instead of ilovecatssomuch, is better than nothing, but only slightly: cracking rule sets try exactly these substitutions automatically against every word in their lists. Length and uniqueness matter far more than clever substitutions. A long passphrase of several unrelated words, used for one account only and kept in a password manager, resists guessing far better than a short substituted word, and turning on multi-factor authentication for email accounts means a phished password alone no longer hands over the mailbox.
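To make the point about substitutions concrete, here is an added example (not code from the original article) of a strength check that first undoes the common letter-for-symbol substitutions, exactly as a cracker’s mangling rules do, and then tries to split the result into wordlist entries. The wordlist is a tiny constructed stand-in for the multi-million-entry lists crackers use, and the 12-character minimum and the three-word threshold are assumed local policy values, not a standard.

```python
"""Added example, not code from the original article: a password check that
undoes common "leet" substitutions before looking the result up in a wordlist,
mirroring what cracking rule sets do. WORDLIST is a constructed stand-in for a
real cracking list; MIN_LENGTH and MAX_DICT_WORDS are assumed policy values."""
from typing import List, Optional

# Constructed mini wordlist; a real cracking list has millions of entries.
WORDLIST = {
    "kitty", "cat", "cats", "kittycat", "i", "love", "so", "much",
    "password", "welcome", "summer", "dragon", "letmein", "monkey",
    "purple", "tractor", "harbor", "pencil",
}

# Reverse of the usual substitutions. Crackers apply these as mangling rules
# to every wordlist entry, so they add almost no work for the attacker.
# ("1" is mapped to "i" here; real rule sets try "l" as well.)
UNLEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "0": "o",
    "$": "s", "5": "s", "7": "t", "+": "t",
})

MIN_LENGTH = 12      # assumed policy minimum
MAX_DICT_WORDS = 3   # a few dictionary words is cheap to guess; a long
                     # multi-word passphrase is not


def normalize(password: str) -> str:
    """Lowercase, undo substitutions and keep only letters."""
    return "".join(ch for ch in password.lower().translate(UNLEET) if ch.isalpha())


def segment(text: str) -> Optional[List[str]]:
    """Split text into the fewest wordlist entries, or None if that is impossible."""
    if not text:
        return None
    best: List[Optional[List[str]]] = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            prefix = best[start]
            if prefix is not None and text[start:end] in WORDLIST:
                candidate = prefix + [text[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[len(text)]


def weaknesses(password: str) -> List[str]:
    """Return the reasons a password is weak; an empty list means it passed."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    words = segment(normalize(password))
    if words is not None and len(words) <= MAX_DICT_WORDS:
        reasons.append("wordlist entries after undoing substitutions: " + "+".join(words))
    return reasons


if __name__ == "__main__":
    for candidate in ("kittycat", "K17tyC@t!", "Password1!", "purple tractor harbor pencil"):
        print(f"{candidate!r}: {weaknesses(candidate) or 'no weaknesses found'}")
```

Run it and K17tyC@t! collapses back to kittycat, a single wordlist entry, while the four-word passphrase passes even though every one of its words is in the list: what protects it is the number of words the attacker must combine, not the symbols.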
Email security best practices tip #6: Use the S/MIME protocol for data encryption and email signing
What if there was a way that you could prove your identity to your email’s recipient(s) while also protecting the integrity of the message? Enter S/MIME, or Secure/Multipurpose Internet Mail Extensions, an advanced email security best practice.
S/MIME is a standard for digitally signing and encrypting email that increases email security by:
- Creating a digital signature that lets the recipient verify the sender’s identity and detect any alteration of the message after it was signed;
- Encrypting the contents of emails so that only the intended recipient’s private key can decrypt them, which protects the body and attachments both in transit and at rest on mail servers (note that headers such as the subject line and the sender and recipient addresses remain in the clear); and
- Facilitating the secure sharing of documents across networks, since attachments are encrypted along with the body.
By installing an S/MIME certificate, you’re demonstrating your dedication to data security. Two caveats are worth keeping in mind: a valid signature proves only that the holder of the certificate’s private key sent the message, not that the message is safe, so a signed phishing email is still a phishing email; and a message encrypted end to end cannot be inspected by the gateway scanner from tip #3, so endpoint protection still has to catch anything that arrives inside it. Though these certificates used to be tedious to install, requiring individual, manual installation on every device, some modern certificate management solutions now make the process simple by automating it from one single pane of glass.
Don’t let your company become a cyber security couch potato. Read more about some of these and other email security best practices to learn about basic and advanced methods you can implement to increase email data security and keep your organization safe.
As always, leave any comments or questions below…