When looking at the challenges of information security, email and other electronic communications are among the single greatest sources of business risk. It is estimated that over 90% of data breaches begin with some form of phishing, in which hackers send an email posing as a reputable company to try to obtain credit card or other personal information. Over a 3-year period, from June 2016 to July 2019, the FBI estimates total losses from business email compromise at over $26 billion worldwide. While email is a primary vector for cyberattacks, it is also vital to the survival and operation of most businesses. Your organization needs to be vigilant to ensure email communications are secure and that your employees know the best practices for email safety.
What Is Email Security?
Email security describes the techniques you can use to protect your email accounts and content from hackers. Malware, phishing, and other spam are threats to email communication, and proper email security can help ensure that you stay safe.
What Types of Email Scams Are There?
There are three major types of email scams:
Malware: Viruses, worms, Trojan horses, and spyware are common types of malware. These scams allow attackers to take control of workstations or entire servers, after which they can compromise secure information.
Spam: Spam is a common delivery method for malware; it can introduce viruses that slow your computer down and can still result in hackers compromising your information.
Phishing: Phishing scams convince victims to hand over personal or sensitive information, or to grant access to computer systems. A phishing message appears to come from a real or reputable source, which convinces the victim to give their information away.
How Can I Increase My Email Security?
There are many ways you can work to increase email security for yourself and your organization. These include:
1. Invest in a secure email gateway. Even small and mid-sized businesses can afford this must-have security technology—so don’t feel like it’s not an option for you. For companies that utilize Office365, Microsoft Exchange offers excellent email security capabilities and may be the best path. Proofpoint and several other email security gateway products can help increase your organization’s overall email security. These secure email gateways will generally be a cloud-based service, regardless of whether your company still operates an on-premise email server infrastructure.
2. Block spam and malicious email. Once you have an email gateway, there are a few tuning options you will need to consider. One of the capabilities of the email gateway will be to block spam and malicious email from delivery. Email senders identified as “known bad” can be blocked based on reputation. In many cases, spam and malicious email sources change quickly to try to stay ahead of automated blocks. A good email gateway will have analytics to identify sources and content that are considered suspicious, even if not known as bad by reputation. Gateway customers will have options to increase or decrease the sensitivity of the filters to reduce as much spam and malicious email as possible while minimizing the impact on legitimate email.
3. Block executable email attachments. It is highly recommended that companies block all executable email attachments—this includes not only compiled .exe or .com file extensions but also most scripting languages (VB, Java, PowerShell, etc.). There are over 50 file extension types that could potentially be considered dangerous. To conduct normal business, it will likely be necessary to allow Microsoft Office documents to be sent and received as attachments. These files can contain malicious code in the form of embedded macros. Remember to configure Microsoft Office applications to disallow macros by default, and educate users on how to evaluate risk before enabling macros.
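As an added example (not code from the article or from any gateway product), the following Python shows the attachment rule described above applied to a constructed inbound message: executable and script extensions are blocked, macro-enabled Office formats are flagged for the macro policy, and ordinary Office documents pass. The extension lists are a short constructed subset, not the full set of 50+ dangerous types.

```python
import email
from email import policy
from pathlib import PurePosixPath

# Assumption: a constructed subset of the 50+ extensions a gateway would block.
BLOCKED_EXT = {".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".jar", ".ps1"}
# Macro-enabled Office formats: let through only because Office disables macros by default.
MACRO_EXT = {".docm", ".xlsm", ".pptm"}

def classify_attachment(filename: str) -> str:
    """Return 'block', 'macro' or 'allow' for one attachment file name."""
    # Only the final suffix decides, so a double extension like invoice.pdf.exe is still blocked.
    ext = PurePosixPath(filename.strip()).suffix.lower()
    if ext in BLOCKED_EXT:
        return "block"
    if ext in MACRO_EXT:
        return "macro"
    return "allow"

def scan_message(raw: str) -> dict:
    """Parse a raw RFC 5322 message and classify every attachment by file name."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {p.get_filename(): classify_attachment(p.get_filename())
            for p in msg.iter_attachments() if p.get_filename()}

# Constructed sample message with two attachments; the attachment bodies are placeholders.
SAMPLE_EML = """\
From: billing@mail-example.net
To: ap@example.com
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached files.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

QUJD
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="terms.docm"
Content-Disposition: attachment; filename="terms.docm"

QUJD
--b1--
"""
```

Calling `scan_message(SAMPLE_EML)` returns a mapping from each attachment name to its verdict.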
4. Implement anti-spoofing controls. This is done to reduce the risk of malicious emails impersonating company executives. This can be done in a couple of ways. Custom email filters can be created that block incoming messages from an external email system where the sender name matches a company executive. It’s unlikely that a CFO is going to communicate a need for payment from his personal email! You can also deploy email sender authentication protocols such as SPF, DKIM, or DMARC, which seek to validate the authenticity of the sender information associated with an email message.
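As an added example (not code from the article or from any particular gateway), the following Python applies both anti-spoofing controls above to constructed inbound messages: it flags an executive's name arriving from an external address, and it flags a message claiming the company's own domain whose DMARC result, as stamped by the receiving gateway in Authentication-Results, is not a pass. The internal domain and executive names are assumptions.

```python
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"            # assumption: the organization's own mail domain
EXECUTIVES = {"jane doe", "john smith"}    # assumption: constructed list of protected names

def spoofing_findings(raw: str) -> list:
    """Apply two anti-spoofing rules to one inbound message:
    1. the From: display name matches an executive but the address is external;
    2. the From: domain is our own but the gateway's DMARC evaluation did not pass."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    # Authentication-Results is stamped by the receiving gateway after SPF/DKIM/DMARC checks.
    auth = str(msg.get("Authentication-Results", "")).lower()
    findings = []
    if domain != INTERNAL_DOMAIN and display.strip().lower() in EXECUTIVES:
        findings.append("executive-name-from-external-address")
    if domain == INTERNAL_DOMAIN and "dmarc=pass" not in auth:
        findings.append("internal-domain-without-dmarc-pass")
    return findings

# Constructed samples: a lookalike executive message, a forged internal address, and a clean one.
EXTERNAL_LOOKALIKE = """\
From: "Jane Doe" <jane.doe@mail-example.net>
To: ap@example.com
Subject: Invoice payment
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-example.net; dmarc=none

Please process the attached invoice today.
"""
FORGED_INTERNAL = """\
From: "Jane Doe" <jane.doe@example.com>
To: ap@example.com
Subject: Invoice payment
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail

Please process the attached invoice today.
"""
LEGITIMATE = """\
From: "Jane Doe" <jane.doe@example.com>
To: ap@example.com
Subject: Q3 budget
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass; dmarc=pass

Draft attached for review.
"""
```

Messages that return an empty list pass both rules; anything else is a candidate for quarantine or a user-facing warning banner.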
5. Implement user education and training. User education and training are some of the most important controls in managing email risk. Users of your company email system need to receive ongoing training on the inherent risks associated with email so they are prepared. To ensure your organization stays safe, you should always use strong authentication practices, including multi-factor authentication, when remotely accessing email systems, and ensure your employees all do as well. Having specific requirements for your employees will be helpful in creating the most secure options for email.
If you want your organization to stay safe and secure, enhancing your email security is key. There are many things you can do right away to increase security for your organization, and email security is one of the simplest to implement and most effective for lowering your risk.
Learn more about security fundamentals:
We’re committed to helping you learn all about security systems you can implement to improve security at your organization. Our articles are devoted to ensuring your organization can reduce risk in a way that is manageable and affordable. Check out our Penetration Testing Framework and let us know if we can help you with your next pentest!
Paul Huttenhoff is an experienced leader of CyberSecurity Programs in several of the largest companies in the Energy sector, serving as an executive consultant for Emagined Security. In this series of Security Fundamental articles, he examines the “essential few” elements that every company, large or small, needs to address to manage critical cyber risk.