Despite the rising sophistication of cyber-attacks, it remains the case that email is the primary attack vector used by criminals to compromise businesses. In fact, recent research suggests that as many as one in every one hundred emails sent around the world has malicious intent.
Many organizations make use of firewalls and secure email gateways to restrict emails that contain unsuitable content, including malicious links and attachments. However, due to the evolving nature of threats, these systems cannot be relied upon to block everything.
It is necessary, then, to take further measures to ensure your business is able to mitigate the risk of email-borne attacks. Here are five key ways for your organization to enhance its email security.
Despite frequent warnings about the risks of poor password hygiene, many employees are still failing to set strong enough passwords. A recent analysis conducted by the National Cyber Security Centre found that ‘123456’ was the most widely-used password on accounts that suffered breaches. Essentially this shows that having a poor password makes it easier for your account to be compromised.
It’s essential, then, for organizations to enforce a strong password policy. Insist that employees use passwords that comprise at least eight characters, but the more the better. Additionally, make sure that staff are not using passwords that solely contain words in the dictionary – all passwords should be a mix of upper- and lower-case letters, numbers, and special characters.
If staff have to access many different systems and remembering passwords is becoming a challenge, then consider providing password management tools, which can help to keep track of all of your passwords and even generate new ones.
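The policy above can be enforced at the point where a password is set. The following is an added example (not code from the original article) that checks a candidate password against each of the rules described: minimum length, character classes, a blocklist of commonly breached passwords such as ‘123456’, and a dictionary check that strips digits and punctuation first so that a word with "1!" appended is still caught. The blocklist and dictionary here are small constructed stand-ins; a real deployment would use a full breached-password list and word list.

```python
import re
import string

# Constructed sample of commonly breached passwords (a stand-in for a real list).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "111111", "123456789"}

# Constructed mini dictionary standing in for a real word list.
DICTIONARY_WORDS = {"summer", "welcome", "dragon", "monkey", "football"}

MIN_LENGTH = 8


def password_problems(password: str) -> list[str]:
    """Return the policy rules the password breaks (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    # Strip digits and punctuation: a dictionary word with "1!" appended is still weak.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if letters_only in DICTIONARY_WORDS:
        problems.append("dictionary word with trivial substitutions")
    return problems


def is_acceptable(password: str) -> bool:
    """True only when every policy rule is satisfied."""
    return not password_problems(password)


if __name__ == "__main__":
    for candidate in ["123456", "Summer1!", "correct-Horse-Battery-7"]:
        print(candidate, "->", password_problems(candidate) or "OK")
```

Returning the full list of failed rules, rather than a bare yes/no, lets the enrolment form tell the user exactly what to fix.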
Multi-factor authentication (also known as two-factor authentication and two-step verification) is a security process for email accounts that requires users to provide two separate authentication factors – such as a password and a unique passcode generated by a mobile application. In the event that a cyber criminal is able to obtain a user’s password, MFA provides an additional layer of protection to prevent the attacker from being able to access the account.
A recent hack on containerization platform Docker resulted in the compromise of 190,000 accounts – but the whole thing could have been less severe had the business offered its users the option of multi-factor authentication. Multi-factor authentication is precisely the sort of security control that reduces the likelihood of accounts being compromised in the event that usernames and passwords are stolen.
It is essential that staff are trained to identify the tell-tale signs of email phishing attacks so that they know what to look out for and avoid opening unsafe links and attachments. Training sessions should be held regularly and be updated to ensure that the information provided is up-to-date and relevant to each organization.
To help improve awareness, it is worth considering scenario-based penetration testing assessments.
“Penetration testing (pentesting) is the process of assessing computer systems, networks, and applications to identify and address security vulnerabilities that could be exploited by cybercriminals.” - Redscan
During such engagements, cyber security specialists replicate the attack techniques used by criminals to evaluate how systems and employees respond to social engineering and other attacks.
Transport Layer Security (TLS) is a security protocol that is widely used to secure the data that travels between a web browser and a website via HTTPS.
TLS can also be used to encrypt the contents of emails to ensure they can’t be read by anyone other than the intended recipient. This makes it highly effective at preventing eavesdropping – the practice of hackers reading and/or tampering with communications. Of the various mechanisms available to encrypt communications between email servers, TLS is the easiest to set up.
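One practical caveat: TLS protects each server-to-server hop separately, so a message can still cross one relay in cleartext if that relay does not negotiate it. Each hop records itself in a `Received:` header, and RFC 5321 uses the protocol keyword `ESMTPS` (or `ESMTPSA` for an authenticated submission) when the hop was delivered over TLS, with many servers also noting the negotiated version. The following is an added example, not code from the original article, that walks the `Received:` chain of a message and reports any hop that was not delivered over TLS. The message is a constructed sample with three hops, the middle one plain SMTP.

```python
import email
import re

# Constructed sample message: three Received: headers, newest first as servers prepend them.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.5])
 by inbox.example.com with ESMTPS id abc123
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384); Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
 by mx.example.net with ESMTP id def456; Mon, 1 Jan 2024 10:00:02 +0000
Received: from sender-laptop (client.example.org [192.0.2.10])
 by relay.example.org with ESMTPSA id ghi789
 (version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Mon, 1 Jan 2024 10:00:01 +0000
From: alice@example.org
To: bob@example.com
Subject: Quarterly figures

Body text.
"""

# "from <host> ... by <host> ... with <protocol>" as laid out in RFC 5321 trace fields.
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>\S+)")
TLS_VER_RE = re.compile(r"version=(?P<ver>TLS[\w.]+)")


def audit_hops(raw_message: str) -> list[dict]:
    """Walk the Received: chain, oldest hop first, and record for each hop
    whether it was delivered over TLS and which version was negotiated."""
    msg = email.message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(str(header).split())      # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        proto = m.group("proto").upper()
        ver = TLS_VER_RE.search(flat)
        hops.append({
            "from": m.group("from"),
            "by": m.group("by"),
            "tls": proto in ("ESMTPS", "ESMTPSA"),
            "version": ver.group("ver") if ver else None,
        })
    return hops


def cleartext_hops(raw_message: str) -> list[str]:
    """Hops that carried the message without TLS, as 'from -> by' strings."""
    return [f"{h['from']} -> {h['by']}" for h in audit_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_MESSAGE):
        print(hop)
    print("cleartext hops:", cleartext_hops(SAMPLE_MESSAGE))
```

Running this over messages received from partner domains is a cheap way to find relays that have not yet enabled TLS.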
Email authentication technologies such as SPF and DMARC provide another layer of security protection by helping to prevent email spoofing – the practice of criminals impersonating an organization in order to send fake emails.
Sender Policy Framework (SPF) restricts who is able to send emails from your domains, while Domain-based Message Authentication, Reporting, and Conformance (DMARC) provides directions to the recipient organization on what to do if a message has not been properly authenticated – such as to reject or quarantine it.
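Both records are published as DNS TXT entries, and the receiving server combines them: SPF decides whether the connecting IP is permitted to send for the domain, and the DMARC `p=` tag says what to do when it is not. The following is an added example, not code from the original article, that evaluates a constructed SPF record against a sender IP and then applies a constructed DMARC policy. It deliberately covers only the `ip4`/`ip6` mechanisms and the final `all` qualifier; a real SPF evaluator also resolves `a`, `mx`, `include` and `redirect` through DNS, and DMARC additionally accepts an aligned DKIM signature, both of which are omitted here.

```python
import ipaddress

# Constructed DNS TXT records for a hypothetical domain; no DNS lookups are made.
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all"
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.org"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Simplified SPF check: ip4/ip6 mechanisms and the final 'all' only.
    Returns 'pass', 'fail', 'softfail' or 'neutral' (the SPF result names)."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qual, mech = "+", term                    # mechanisms default to '+'
        if term[0] in QUALIFIERS:
            qual, mech = term[0], term[1:]
        if mech.lower() == "all":
            return QUALIFIERS[qual]
        if mech.lower().startswith(("ip4:", "ip6:")):
            # A mismatched address family simply does not match the network.
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qual]
    return "neutral"                              # no mechanism matched, no 'all'


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict keyed by lower-case tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_disposition(dmarc: dict, spf_result: str, spf_aligned: bool) -> str:
    """What the receiver does with the message. DMARC passes when SPF passes and
    the SPF domain aligns with the From: domain (DKIM alignment omitted here);
    otherwise the published p= policy applies."""
    if spf_result == "pass" and spf_aligned:
        return "deliver"
    policy = dmarc.get("p", "none").lower()
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


if __name__ == "__main__":
    dmarc = parse_dmarc(DMARC_RECORD)
    for ip in ["203.0.113.25", "198.51.100.9", "2001:db8:1::5"]:
        result = evaluate_spf(SPF_RECORD, ip)
        print(ip, "SPF:", result, "->", dmarc_disposition(dmarc, result, spf_aligned=True))
```

Publishing `p=none` first and reading the aggregate reports sent to the `rua=` address is the usual way to find legitimate senders that are missing from the SPF record before moving to `quarantine` or `reject`.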
Email isn’t the only place where businesses should ensure they are checking their security. Download our free checklist Website Security Tips for Small Businesses and make sure your email and website are secure.