Billions of emails traverse networks across the world daily. Email enables businesses to communicate effectively, but it also provides potential ways for cybercriminals and hackers to gain access to your data or intellectual property. Ensuring that the right processes and security measures are in place to protect your company’s data and keep email up and running is crucial. In this post I will share some important actions you can take to improve your company’s email security.
Fear the Spear
Phishing and spear phishing* continue to be top threats to organizations and are often linked to successful social engineering and malware attacks. Several measures can be implemented to protect against spear phishing; a few of them are listed below:
- Sender Policy Framework (SPF) is one of the first lines of defense for email security. It allows companies to designate which IP addresses/hostnames are authorized to send from a specific domain.
- DomainKeys Identified Mail (DKIM) records are the next layer that should be implemented in the fight against spear phishing. By signing messages with a public/private key pair, DKIM strengthens sender verification, making it harder for attackers to find a way into the organization.
- Rounding out the trusted trio is Domain-based Message Authentication, Reporting & Conformance (DMARC). Email spoofing is a common path that criminals use to get organizations to send Automated Clearing House (ACH) payments to them. DMARC is a free way that greatly helps protect against these attacks.
* Learn about the difference between phishing and spear phishing in this post on the blog.
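To make the SPF and DMARC layers above concrete, here is an added example (not code from the original post or from any vendor) that evaluates a sending IP against a domain's SPF record and classifies the domain's DMARC policy. The DNS TXT records are constructed samples for the hypothetical domains example.test and monitor-only.test, embedded so the script runs offline; a real deployment would fetch them with a DNS resolver. Only the ip4, ip6 and all mechanisms are implemented; include, a, mx and the other lookup mechanisms need live DNS and are reported as a permanent error here.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample TXT records (hypothetical domains; not real DNS data).
SAMPLE_TXT_RECORDS: Dict[str, List[str]] = {
    "example.test": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "_dmarc.example.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.test; pct=100"
    ],
    "monitor-only.test": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_dmarc.monitor-only.test": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.test"],
}

# SPF qualifier prefix -> result name (RFC 7208 section 4.6.2).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain: str, sender_ip: str, txt_records=SAMPLE_TXT_RECORDS) -> str:
    """Evaluate a subset of SPF for sender_ip against the domain's record.

    Supports ip4, ip6 and all with qualifiers. Any other mechanism or modifier
    (include, a, mx, exists, redirect) is returned as 'permerror' in this
    simplified example because it requires further DNS lookups.
    """
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        return "none"          # no SPF record published
    if len(spf) > 1:
        return "permerror"     # multiple SPF records are a permanent error
    ip = ipaddress.ip_address(sender_ip)
    for term in spf[0].split()[1:]:
        qualifier = "+"        # default qualifier is '+'
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"   # malformed network in the record
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
            continue
        return "permerror"     # lookup mechanisms are not implemented here
    return "neutral"           # no mechanism matched and no 'all' term present


def parse_dmarc(domain: str, txt_records=SAMPLE_TXT_RECORDS) -> Optional[Dict[str, str]]:
    """Return the tag/value pairs of the record at _dmarc.<domain>, or None."""
    records = [
        r for r in txt_records.get("_dmarc." + domain, [])
        if r.upper().startswith("V=DMARC1")
    ]
    if len(records) != 1:
        return None            # missing (or ambiguous) DMARC record
    tags: Dict[str, str] = {}
    for part in records[0].split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcement(domain: str, txt_records=SAMPLE_TXT_RECORDS) -> str:
    """Classify a domain's DMARC posture.

    'none'      - no record, so receivers apply no policy to spoofed mail
    'monitor'   - p=none: reports only, spoofed mail is still delivered
    'partial'   - quarantine/reject but pct below 100
    'enforcing' - quarantine/reject applied to all mail
    """
    tags = parse_dmarc(domain, txt_records)
    if tags is None:
        return "none"
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy in ("quarantine", "reject"):
        return "enforcing" if pct == 100 else "partial"
    return "monitor"


if __name__ == "__main__":
    for dom in ("example.test", "monitor-only.test"):
        print(dom, "spf(192.0.2.10) =", evaluate_spf(dom, "192.0.2.10"),
              "| dmarc =", dmarc_enforcement(dom))
```

The useful check for a defender is the combination: a domain whose SPF ends in `~all` and whose DMARC policy is `p=none` is reporting on spoofing but not stopping it, which is the posture the ACH fraud scenario above exploits.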
An Ounce of Prevention
- Multi-factor Authentication (MFA) adds an extra layer of protection beyond password protection. Email systems exposed to the internet are vulnerable to “password spray” attacks when MFA is not in use.
- Anti-Spam. Protection against spam isn’t an option in today’s world, it is an absolute requirement. In ZAG’s experience, a cloud-based solution is optimal as on-premise solutions add unnecessary maintenance overhead.
- Data Loss Prevention (DLP) is a method which allows clients to protect from accidental or malicious data loss by ensuring that data isn’t sent outside of the corporate network.
- Single Sign-On (SSO) provides a way for employees to authenticate to several systems in the organization using a single login ID and password. This not only simplifies the login process, but also limits the chances of employees storing login IDs and passwords in insecure locations (aka Post-It notes on their monitor).
- Advanced Threat Protection (ATP) is deployed to protect against malware coming in through email. Bad PDF and other attachments are a consistent way that viruses enter a network.
- ACH Fraud Protection. Ensuring that sufficient rules are in place to fight ACH fraud is crucial. ACH fraud, which normally comes through email spoofing, is a major way that criminals are stealing money. Accounting rules to verify ACH requests are needed to prevent this type of financial loss.
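MFA is the control that stops a password spray from succeeding, but the attempts still show up in authentication logs and are worth alerting on. The following is an added example (not from the original post or any product) of the detection logic: it flags a source IP that fails against many distinct accounts with only one or two attempts each inside a time window, which is the low-and-slow pattern that slips under per-account lockout. The log lines and their format are constructed for the example; map the regular expression to your own mail system's sign-in log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample sign-in log (hypothetical format, not from any real system).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z src=198.51.100.9 user=alice result=failure
2024-05-01T08:01:12Z src=198.51.100.9 user=bob result=failure
2024-05-01T08:02:30Z src=198.51.100.9 user=carol result=failure
2024-05-01T08:03:45Z src=198.51.100.9 user=dave result=failure
2024-05-01T08:05:02Z src=198.51.100.9 user=erin result=failure
2024-05-01T08:06:18Z src=198.51.100.9 user=frank result=failure
2024-05-01T08:00:05Z src=203.0.113.5 user=alice result=failure
2024-05-01T08:00:06Z src=203.0.113.5 user=alice result=failure
2024-05-01T08:00:07Z src=203.0.113.5 user=alice result=failure
2024-05-01T08:00:08Z src=203.0.113.5 user=alice result=failure
2024-05-01T08:00:09Z src=203.0.113.5 user=alice result=failure
2024-05-01T08:00:10Z src=203.0.113.5 user=alice result=failure
2024-05-01T08:10:00Z src=192.0.2.77 user=bob result=failure
2024-05-01T08:10:20Z src=192.0.2.77 user=bob result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

Event = Tuple[datetime, str, str, str]


def parse_events(log_text: str) -> List[Event]:
    """Parse log lines into (timestamp, source_ip, user, result); skip malformed lines."""
    events: List[Event] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_password_spray(
    events: List[Event],
    window: timedelta = timedelta(minutes=30),
    min_users: int = 5,
    max_per_user: int = 2,
) -> Dict[str, List[str]]:
    """Return {source_ip: [targeted users]} for sources matching the spray pattern.

    A source is flagged when, inside any sliding window, it has failures
    against at least `min_users` distinct accounts and no account received
    more than `max_per_user` attempts. Many attempts on one account is a
    brute force, not a spray, and is left to per-account lockout rules.
    """
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, user, result in events:
        if result == "failure":
            failures[src].append((ts, user))

    alerts: Dict[str, List[str]] = {}
    for src, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            per_user: Dict[str, int] = defaultdict(int)
            for ts, user in attempts[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[src] = sorted(per_user)
                break
    return alerts


if __name__ == "__main__":
    for src, users in detect_password_spray(parse_events(SAMPLE_LOG)).items():
        print(f"possible password spray from {src}: {len(users)} accounts {users}")
```

Tune `min_users` and `window` to the size of the tenant; a source that trips this rule is also a good candidate for the conditional-access or IP-block rules that sit alongside MFA.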
Education is Key!
Putting technical protections in place is a great start. However, educating employees about the types of risks they will encounter and how to avoid them is another key element in preventing security breaches. There are several educational tools out there, like KnowBe4, that have established and effective training plans.
KnowBe4 starts out with a baseline test to measure the company’s risk of getting hit by a phishing attempt. After the baseline is established, regular campaigns are sent out to test employees. If an employee is “caught” by one of the test emails, they are added to a “clickers” group and security trainings are assigned to them. As the company’s risk score decreases, the complexity of the campaigns escalates, raising the overall awareness of the types of tricks those with malicious intent use to worm their way into an organization.
This type of consistent “surprise” training can be extremely effective in raising overall email security awareness and reducing the company’s risk of being compromised.
Office Suite Maintenance and Tuning
Another important area to pay attention to is the support levels of the Office suite and fine tuning for performance.
- Office Client Software. Put a policy in place to ensure that the Microsoft Office suite software meets the minimum support requirements. Running an unsupported version not only increases the security risks but also makes troubleshooting and resolving any compatibility issues extremely difficult.
- Outlook Local Cache. Outlook clients should be configured to at least a 6-month cache setting. Keeping 6 months of cached email is usually sufficient for the typical user without overloading the hard drive with a large OST file.
Don’t Forget License Management
Last, but not least, ensuring that the proper licensing is in place for email and the deployed security products will keep things humming along. Here are some items to consider about licensing:
- License Plan/Type. Many vendors have complicated license structures. These should be reviewed on a regular basis to determine that the type of licenses owned are sufficient for the company’s requirements.
- Billing & Renewal. Billing and auto-renewal should be set to prevent any service outages.
- Unassigned Licenses. Make sure that inactive users’ licenses are removed regularly. Leaving licenses assigned to inactive users incurs unnecessary costs.
Email security settings, preventative actions, employee education, and maintenance are all essential areas to focus on to increase security. Paying attention to the above can be the difference between email being a powerful and productive company tool or a wide-open door for criminals to exploit. Take the time to put the proper measures in place to maintain email as an asset and prevent it from becoming a company liability.