Email continues to be the most important digital business communication tool more than half a century after its invention. It also continues to be a source of data breaches and other cybersecurity incidents because many businesses, especially smaller ones, still don’t follow all the email security best practices described in this article.
Email Threats You Need to Know About
In 2022, businesses of all sizes are exposed to more email-based cyber threats than ever before, including:
- Malware: Cybercriminals continue using electronic messages to deliver malicious code to unsuspecting victims via attachments and links. In recent years, fileless malware techniques have gained popularity due to their ability to circumvent traditional malware detection tools.
- Phishing: Researchers estimate that 91 percent of all cyber attacks begin with a phishing email, a message designed to trick a person into revealing sensitive information. This makes phishing one of the greatest email threats out there.
- Business Email Compromise (BEC): This relatively new threat (the term “business email compromise” was first coined in 2013) is a type of spear-phishing email attack that involves convincing wire transfer requests that appear to come from a known source. Despite their young age, BEC scams are already among the most financially damaging online crimes.
To defend your organization against all common and not-so-common email threats, you need to strengthen your defenses by implementing the following best practices.
Download
DoD Contractor’s Guide to CMMC 2.0 Compliance
1. Email Security Awareness Training
Employees who are not aware of the existence of email threats like fileless malware or sophisticated phishing scams may work under a false sense of security and greatly underestimate how far-reaching the consequences of a single wrong click can be.
Since the cybersecurity defense chain is always only as strong as its weakest link, it’s important to support the implementation of email security best practices with ongoing employee training.
It’s a good idea to conduct simulated email attacks against employees to test how likely they are to recognize phishing attempts and avoid malicious links and attachments. Employees who score poorly should be provided with additional training opportunities.
2. Strong Password Security
Verizon’s 2019 Data Breach Investigation Report (DBIR) revealed that 80 percent of hacking-related breaches that year were caused by weak passwords, and the situation hasn’t improved much since then.
Way too many email-related cybersecurity incidents could have been prevented if only employees had used strong passwords like “fkl23;DSF52]s” instead of weak passwords like “123456789” or “qwerty.”
To improve email password security, organizations should:
- Require employees to protect all accounts with unique passwords.
- Enforce minimum password strength rules.
- Use multi-factor authentication to add at least one extra layer of protection.
Password management software can make it easy for employees to remember and use strong passwords, and there are many low-cost solutions to choose from in 2022.
3. Cloud-Based Email Filtering
More than 300 billion emails are sent every day, and malicious messages form a bulk of this figure. Cloud-based email filtering solutions can greatly reduce the number of malicious messages that end up in employees’ inboxes.
The best solutions available, such as Microsoft Defender for Office 365, combine multiple technologies to detect and prevent most email threats, including spam, phishing emails, malware, impersonation attacks, and others.
Without an endless deluge of malicious messages to avoid, employees can better focus on their work and are much less likely to make a costly mistake when distracted.
4. Company Email Policy
A company-wide email policy can be used to clearly spell out expectations for the appropriate use of email at work. Without it, employees could use their work email accounts in ways that can lead to the disclosure of sensitive information and, ultimately, a data breach.
Here’s what many company email policies prohibit:
- the use of work email for personal purposes;
- sharing of non-work-related attachments with colleagues;
- handing out email passwords to colleagues;
- accessing work email accounts from personal devices;
- connecting to work email accounts using unsanctioned clients.
- using third-party inbox cleaners and other similar software.
Companies with industry-specific regulatory obligations related to the use of email should include them in their email policies as well so that all employees are aware of them.
5. Email Encryption
The purpose of email encryption is to ensure that messages can be read only by their intended recipients. Without it, messages would be traveling from server to server in plain text and could be intercepted and read by anyone with the right combination of skills to do so.
The good news is that all reputable business email providers, like Microsoft, already encrypt messages in transit by default using technologies like Transport Layer Security (TLS). Even when intercepted, encrypted messages can’t be read without the correct decryption key.
For additional protection, messages can also be encrypted at rest using Microsoft 365 Message Encryption (available only to Microsoft 365 subscribers) and S/MIME. At rest encryption protects messages in storage, so even the email provider can’t read them.
6. Email Authentication Standards
Email authentication standards protect against spoofing, the creation of email messages with a forged sender address. Spoofing is commonly used by phishers as a vital component of their increasingly sophisticated attacks, and it can trick even the most cautious email users when organizations don’t implement the following three email authentication standards:
- Sender Policy Framework (SPF): used to specify the servers and domains that can send electronic mail for organizations.
- Domain Keys Identified Mail (DKIM): used to add encrypted digital signatures to messages.
- Domain-based Message Authentication, Reporting & Conformance (DMARC): used to instruct receiving email servers how to handle messages that don’t pass SPF and DKIM checks.
Microsoft and other reputable providers of email services support SPF, DKIM, and DMARC email authentication right out of the box, but some additional work is required to take advantage of the three standards.
Final Thoughts on Email Security Practices
The email security best practices described in this article can go a long way in helping you protect your business email accounts against email-based threats, but they work as intended only when implemented as part of a multi-level cybersecurity defense strategy.
We at OSIbeyond know what SMBs with limited IT budgets need to do to thrive in today’s cybersecurity threat landscape, and we would be happy to share years of expertise with you.
Schedule a free consultation to get started.