The aim of this post is to provide you with some easy to adopt email security best practices that will greatly improve your organization’s security posture.
Email is the Most Common Attack Vector!
It is a certainty that business email systems will be attacked so email security measures must be implemented. The best form of email security is to do away with email altogether, but since businesses rely on email to communicate with customers, partners, and suppliers, that simply isn’t an option.
Email not only makes it easy to communicate with the people you need to for your business to operate, it also allows cybercriminals to easily communicate with your employees and conduct phishing attacks, spread malware and, if a corporate email account is compromised, communicate with your customers, partners and suppliers.
Email security is therefore essential, but there is no single solution that will protect the email channel. A spam filtering solution will stop the majority of spam and malicious email from reaching inboxes, but it will not block 100% of unwanted emails, no matter what solution you implement. The key to robust email security is layered defenses. If one defensive measure fails, others are in place that will provide protection.
You need a combination of technical, physical, and administrative safeguards to secure your email. Unfortunately, there is no one-size-fits-all approach that can be adopted to secure the email channel but there are email security best practices that you can adopt that will improve your security posture and make it much harder for cybercriminals to succeed.
With this in mind, we have outlined some of the most important email security best practices for your business and your employees to adopt.
Email Security Best Practices to Implement Immediately
Cybercriminals will attempt to send malware and ransomware via email, and phishing tactics will be used to steal sensitive information such as login credentials, so it is important to be prepared. Listed below are 8 email security best practices that will help you keep your email system secure. If you have not yet implemented any of these best practices, or have only done so partially, now is the time to make some changes.
Develop a Cybersecurity Plan for Your Business
We have included this as the first best practice because it is so important. It is essential for you to develop a comprehensive cybersecurity plan for your entire organization as not all threats arrive via email. Attacks come from all angles and improving email security is only one of the steps you need to take to improve your overall cybersecurity posture.
There are many resources available to help you develop a cybersecurity plan that addresses all cyber risks. The Federal Communications Commission has developed a Cyberplanner to help with the creation of a custom cybersecurity plan and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has recently issued a Cyber Essentials Guide for Small Businesses and Governments. Take advantage of these and other resources to develop an effective cybersecurity plan.
Implement an Advanced Spam Filtering Solution
A spam filter serves as a semi-permeable membrane that prevents email threats from being delivered to inboxes and lets genuine emails pass through unimpeded. This is the single most important security measure to implement to protect against email threats and productivity-draining spam.
If you use Office 365 you will already have some protection, as Office 365 includes a spam filter and anti-virus software, but it falls short on phishing protection and will not block zero-day malware threats. You need layered defenses to secure email which means a third-party spam filter should be used on top of Office 365. Research from Avanan showed that 25% of phishing emails bypass Office 365 defenses.
There are many spam filtering services for SMBs, but for all-round protection against known and zero-day threats, ease of implementation, ease of use, and price, SpamTitan is the best choice for SMBs.
Ensure Your Anti-Virus Solution Scans Incoming Emails
You will no doubt have anti-virus software in place, but does it scan incoming emails? Email is one of the main ways that malware is delivered, so anti-virus software for email is a must. This does not necessarily mean you need a different antivirus solution. Your existing solution may have that functionality. Your spam filter is also likely to include AV protection. For example, SpamTitan incorporates dual anti-virus engines for greater protection and a sandbox where email attachments are analyzed for malicious actions. The email sandbox is used to detect and block zero-day malware – New, never-before-seen malware variants that have yet to have their signatures incorporated into AV engines.
Create and Enforce Password Policies
Another obvious email security best practice is to create a password policy that requires strong passwords to be set. There is no point in creating a password policy if it is not enforced. Make sure you implement a control measure to prevent weak passwords from being set. Weak passwords (password, 123456, or dictionary words for example) are easy to remember but also easy to guess. Consider that cybercriminals are not sitting at a computer guessing passwords one at a time. Automation tools are used that make thousands of password guesses a minute. It doesn’t take long to guess a weak password! You should also make sure rate limiting is applied to block an IP from logging in after a set number of failed login attempts.
It is a good best practice to require a password of at least 8 characters to be set, with a combination of upper- and lower-case letters, numbers, and symbols, and to block the use of dictionary words. Consider allowing long passphrases to be used as these are easier for employees to remember. Check the National Institute of Science and Technology (NIST) advice on secure password practices if you are unsure about creating a password policy.
Implement DMARC to Stop Email Impersonation Attacks and Domain Abuse
DMARC, or Domain-based Message Authentication, Reporting & Conformance to give it its full name, is an email protocol that uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to determine whether an email is authentic.
By creating a DMARC record you are preventing unauthorized individuals from sending messages from your domain. DMARC also lets you know who is sending messages from your domain, and it lets you set a policy to determine what happens to messages that are not authenticated, I.e. quarantine them or reject them. Some email security solutions, such as SpamTitan, incorporate DMARC authentication.
Not only DMARC help you block email impersonation attacks, it also prevents abuse of your domain. Your DMARC record tells receiving email servers not to accept messages sent from authenticated users, thus helping protect your brand.
Implement Multi-Factor Authentication
Multi-factor authentication is yet another layer you can add to your anti-phishing defenses. Multi-factor authentication, as the name suggests, means more than one method is used to authenticate a user. The first factor is usually a password. A second factor is also required, which is something a person knows or possesses. This could be a mobile phone, to which a one-time PIN code is sent, or a token on a trusted device.
This safeguard is vital. If a password is obtained, in a phishing attack for example, the password alone will not grant access to the email account without an additional factor being provided. A combination of a password, token, and one-time PIN is a good combination.
Train Your Employees and Train Them Again
No matter how tech savvy your employees appear to be, assume they known nothing about cybersecurity. They will certainly not routinely stick to email security best practices unless you train them to do so and then hammer the message home.
Before letting any employee have access to email, you should provide security awareness training. Your training should cover email security best practices such as never opening email attachments from unknown senders, never enabling content in documents unless the document has been verified as legitimate, and never to click hyperlinks in emails or send highly sensitive information such as passwords via email.
You must also train your employees how to recognize phishing emails and other malicious messages and tell them what to do when suspicious emails are received. Anyone with access to email or a computer must be provided with security awareness training, from the CEO down.
One training session is not enough. Even an annual training session is no longer sufficient. You should be providing regular training, be sending cybersecurity newsletters warning about the latest threats, and using other tools to help create a security culture in your organization.
Conduct Phishing Awareness Simulation Exercises
You have provided training, but how do you know if it has been effective? The only way to tell is to conduct tests and that is easiest with phishing simulation exercises. These are dummy phishing emails that are sent to employees when they are not expecting them to see how they respond. You maybe surprised at how many employees respond and disclose sensitive information, open attachments, or click links in the emails.
The aim of these emails is to identify people that have not taken their training on board. The idea is not to punish those employees, but to tell you who needs further training. There are several companies that can assist you with these exercises. Some even offer free phishing simulation emails for SMBs.
TitanHQ is Here to Help!
TitanHQ has developed SpamTitan to be easy for SMBs to implement, use, and maintain. It requires no hardware, no software, and all filtering takes place in the cloud. Not only does SpamTitan offer excellent protection against the full range of email-based threats, it is also one of the lowest cost solutions for SMBs to implement.
Give the TitanHQ team a call today for more information on SpamTitan and to find out about how you can also protect your business from web-based threats and meet your compliance requirements for email.