In this time of pandemic and uncertainty, organizations’ network perimeters are being redefined and may actually disappear. This could lead to potential increases in certain types of security threats such as email phishing attacks. Phishing attacks are commonly used in times like these because they are highly effective in taking advantage of the fact people are more disconnected than they’ve ever been.
Now is a great time for a refresher on practicing basic email handling procedures. CBI recommends the following steps for individuals and organizations to increase email security.
A recent challenge with maintaining email security has been remote and more recently at-home users. The endpoints (laptops/desktops) being used by remote and at-home users may not have the same layers of protection as they do when they are connected to or working within the corporate network.
Users are bombarded with an increasing number of sophisticated phishing emails. Technology definitely plays a part in the email security program, but we find a well-educated user is the single best deterrent when thwarting a phishing email. Organizations should continue to develop and promote a security-minded culture. A major component when developing this culture is end-user security awareness training, specifically, how to identify a phishing attack. The content and structure of these phishing emails varies greatly, but they all have certain components that can be identified if you know what to look for.
Consider the Cloud
The organizational workforce continues to work remotely. Cloud-based email security offerings offer a distinct advantage to their legacy-based counterparts. Cloud-based solutions provide much less administrative overhead while continuing to provide a much-needed level of granular control and visibility for email security.
Cloud based solutions tend to be more stable, while providing a much higher limit on scalability. They also scale down to smaller and medium-sized businesses via their cost-effective pricing models.
Keep a Clean House
When employees leave the organization, you need to make sure to complete disable or ideally remove their user accounts as quickly as possible. These accounts pose an ongoing risk. Cybercriminals have ways to identify these accounts and launch highly effective email phishing campaigns.
Organizations should not share any personal information including email addresses on public facing websites. Don’t publish non-essential contact details on your website or on any public directories, including phone numbers or physical addresses. All of these are pieces of information that can help attackers engineer a more effective email-based attack.
Pre-Flag Incoming Email
Organizations can do themselves and their users a big favor by inserting a small sentence at the top of all incoming email. One way to ensure your email domain is kept secure is by adding an external tag line or message warning the recipient that the email originated from outside of the organization. If a user receives an email from an internal user and it has the external tag it should be an immediate red flag.
Implement SPF, DKIM and DMARC
Don’t let the technical names scare you. These are things all organizations should implement immediately. There are many technical solutions that can be purchased that enforce these critical email security components.
Some may say it isn’t a matter of “if” you or your organization will fall victim to an email phishing/malware attack, but “when.” In that case, you need to already be thinking about how you can protect your users and the organization’s sensitive data.
One of the most cost-effective ways to accomplish this is to implement a two-factor authentication (“2FA”) solution. Modern 2FA solutions can be rapidly deployed and have little impact on users.
2FA is already a part of our lives. Consider how you log into your own personal online bank account. Most banks and credit unions are using 2FA already. CBI recommends extending that same level of security to your organization. 2FA is most effective in stopping a cybercriminal from doing anything with your credentials. Consider the typical phishing attack. A user receives an email with short message asking them to click a link and provide their credentials. The user falls for the attack and unknowingly provides a cybercriminal with their credentials. With 2FA these credentials are useless.
Home and Public Wi-Fi
Recent times require all of us to work from less secure locations than we are used to. It is extremely important that you and your end users understand the risks associated with opening your local email client while connected to a remote Wi-Fi network.
Public networks (by design) are never secure, meaning cybercriminals have a variety of ways to steal information that passes through the network. It is far too easy for a cybercriminal to intercept the network traffic coming from and going to your remote endpoint. Users credentials can easily be obtained using what is known as a “man-in-the-middle” attack.
Fortunately, users and organizations have options to prevent this.
The Email Security Bottom Line
Ideally, for an effective email security solution, you are going to want to deliver on some or all of these above listed recommendations—in some capacity—in a highly scalable, flexible way—with minimal impact to end-users and administrators.