For cybercriminals, email scams and attacks, including phishing and malware attacks, are some of the oldest tricks in the book—and they are still extremely effective. In fact, eight out of ten successful hacks and data breaches start with phishing scams.
As with all of today’s cybercrime, the bad actors’ tactics have become extremely sophisticated and their attack emails are now composed by marketing teams working with advanced technologies. Fortunately, cybersecurity tools and procedures have also evolved. Here are some steps you can take to protect your organization right now.
1. Build a human firewall
It’s an unfortunate fact that most of the time when a cybercriminal manages to plant malware, steal information, or do some other damage, it’s because an untrained person let them in by opening a malicious email message. That’s why the first thing I’m going to suggest is that you teach your employees to recognize and avoid email threats.
It is a proven fact that employees who undergo regular security training make smarter security decisions. This is such a crucial element to real email security that cybersecurity awareness training is required by law in many industries. There are tools and services available that will help your employees effectively handle front-line cyberattacks and act as your first line of defense.
2. Be smart about passwords
You undoubtedly know that strong passwords are important. Unfortunately, this is something that everyone knows but not everyone does. I recommend that you set policies for your organization. Establish rules requiring that all passwords be at least 14 characters long and contain upper and lowercase letters, numbers, and special characters. Reset passwords with some frequency, and disallow their reuse.
3. Add multi-factor authentication
This may seem counterintuitive, but adding one extra step to the login process with two-factor authentication does not make your system twice as secure—it actually increases security exponentially. This is a situation where putting a little bit of friction in the workflow actually forces people to think twice and focus.
With two-factor authentication, whenever anyone tries to log in to a network, service, or app, a message is sent to a second device or location associated with that person. It sounds too simple, but it works. It’s important to be sure that whatever devices your employees are using—which can be vulnerable endpoints—are themselves secured. If your team members do not have access to company-issued mobile devices, there are numerous authenticator apps available on the market.
4. Subscribe to a managed Email Security service
Because email has become a portal for so much damage, IT service providers offers cloud-based data and search tools that provide deep visibility and protection. Multiple layers of protection and AI/machine learning are built-in and can accurately detect threats that helps you continually assess your email data in the cloud, or on-prem installation and determine whether to accept, reject, or quarantine specific email connections.
5. Deploy secure hardware and protect it
If your organization’s IT ecosystem contains any amount of sensitive information and you want to be vigilant about your email security, I recommend that all computers and devices be equipped with email-encryption functionality. I also recommend that you establish a policy that encourages your employees to lock their computers if they are not at their desk. Cyber criminals today are not beyond old-fashioned breaking and entering, and this is the only way to ensure that, in the event your physical security is compromised, your network will still be safe.
6. Create flexible policies
In many organizations, email security best-practices call for creating separate sets of rules for different global groups, which are often organized by department. You will want to create custom rules at the global, group, and user level. Each level will have its own set of acceptable-use policies. In order to do that, you need to develop a set of protocols and tools that give you a certain amount of flexibility. You also need to put measures in place to provide visibility in order to enforce these policies.
7. Leverage AI/Machine earning
Machine learning provides the most effective tool yet devised to detect spam and malicious email. This form of AI software is trained to recognize known bad emails and instantly deflect them. It can also go beyond that and create a predictive model based on attributes such as text in the body of the email, attachments, HTML, and MIME, and put these puzzle-pieces together to recognize patterns associated with bad actors. This technology has already gotten to the point where it is indispensable, and of course the best thing about it is that it continually learns as email threats evolve.
8. Consider a ‘Zero Trust’ approach
In some instances, it is prudent to adopt what is called the “Zero Trust” framework. In what is probably the most dependable foundation for email security, senders must prove, or have already proven, that they belong in your inbox before they are given access. This can be rather resource intensive and time-consuming, and it frequently adds friction to the workflow of people with whom you’re communicating, but, again, in some cases this is the only way to absolutely guarantee email security.
9: Leap into the future with biometric logins
Because human error in the form of weak passwords and imperfect judgement has been with us forever, “passwordless authentication” has been developing in the security industry for years. Many people already use facial recognition, fingerprint scanning, and other forms of bio-identification on their phones. It is quite possible that biometric authentication will be ubiquitous in the near future, and it is also possible that your organization is already there.
10: Be proactive about email security
The message I hope you take away from all of this is two-fold: the danger posed by an email system that isn’t hardened with advanced tools and protocols is vast and increasing; meanwhile, there are steps you can take right now to protect you and your organization from these threats. I invite you to take a hard look at your current situation with the help of a trusted security expert to find your best path forward
I hope you found this information helpful. As always, contact us anytime about your technology needs.
Until next time,
Tim
