Ten top tips for improving your company’s email security
Chances are, your company uses email extensively on a daily basis to interact internally, externally, and simply to get things done. Email is one of the most enduring workplace services, and it's often taken for granted - yet despite its history, it continues to cause IT departments difficulties when it comes to security.
Because email has been in use for so long, users feel familiar with it and believe they understand its security. However, this can be a false sense of security based on outdated knowledge. Email may be a mature medium, but as attacks that use email as an entry point become more technically and creatively complex, so must the countermeasures.
Here are some things to look out for and our top 10 ideas for strengthening your organization's email security, starting with the most basic precautions and working up to more advanced solutions.
1. Employee education is the bare minimum of email security
For decades, the security community has worked to educate users on how to avoid risks, such as not opening emails from unknown senders, double-checking an email address to ensure it isn't a spoof, and exercising caution when opening files or clicking on links. Although this is old hat, employees are frequently under pressure, and junior staff are nervous when the CEO sends an urgent email - and it's remarkable how many of these tactics still work. With the advent of consumer services that demand an email login, the nature of the danger has also altered over time. In a study we did earlier this year, we discovered that 25% of UK employees had used their work email account to authorise access to other services such as games, productivity apps, or social media. While this may appear innocent, it means that employees are exposing their work credentials to third parties, where they could be stolen and used against the organisation.
2. Be aware of the CEO
Hackers are increasingly targeting the CEO, both as a possible victim of phishing and as bait for phishing others. Whaling is a phishing effort that targets CEOs or prominent people, and it's motivated by the high-value information these people have. CEO impersonation is also on the rise, with hackers using a lookalike domain (if they're clever) to deceive employees into releasing important information via simple plain text email messages. It's a deceptively simple attack because if the "boss" instructs an employee that financial information must be supplied promptly, the individual may not hesitate to comply. To combat the current email threat, good email security solutions are multi-layered, and they support email authentication standards such as SPF, DKIM and DMARC to reduce impersonation and spoofed communications.
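To make the SPF/DKIM/DMARC point concrete, here is an added example (not code from the article or from Censornet) that reads the `Authentication-Results` header a receiving mail server writes, parses the sending domain's published DMARC record, applies DMARC's alignment rules, and returns the disposition the domain owner asked for. The messages and the DMARC record are constructed sample data; the organisational-domain rule is simplified to "last two labels" (a real implementation consults the Public Suffix List). The third sample shows the caveat from the paragraph above: a lookalike domain the attacker controls passes DMARC for itself, so authentication standards stop spoofing of your domain but not impersonation from a nearby one.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages. Authentication-Results is what the receiving
# MTA records after checking SPF, DKIM and DMARC (RFC 8601 header format).
LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce.example.org; dkim=pass header.d=example.org
From: "Jane Doe" <jane.doe@example.org>
To: finance@example.com
Subject: Quarterly figures

Attached as discussed.
"""

SPOOFED = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=attacker.test; dkim=none
From: "Jane Doe" <jane.doe@example.org>
To: finance@example.com
Subject: Urgent wire transfer

Please process today.
"""

LOOKALIKE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.org; dkim=pass header.d=examp1e.org
From: "Jane Doe" <jane.doe@examp1e.org>
To: finance@example.com
Subject: Urgent wire transfer

Please process today.
"""

# Constructed DMARC record as example.org might publish it at _dmarc.example.org
EXAMPLE_ORG_DMARC = "v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc@example.org"


def parse_authentication_results(header):
    """Map each method ('spf', 'dkim', ...) to (result, {property: value})."""
    results = {}
    body = header.split(";", 1)[1] if ";" in header else header  # drop authserv-id
    for part in body.split(";"):
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = (result.lower(), props)
    return results


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=reject; aspf=r' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Simplified organisational domain (assumption): last two labels only.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(raw_message, dmarc_txt):
    """Return 'none' (deliver), 'quarantine' or 'reject' for the message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1]
    auth = parse_authentication_results(msg["Authentication-Results"])
    tags = parse_dmarc_record(dmarc_txt)
    spf_res, spf_props = auth.get("spf", ("none", {}))
    dkim_res, dkim_props = auth.get("dkim", ("none", {}))
    spf_domain = spf_props.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
    spf_ok = spf_res == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_res == "pass" and aligned(dkim_props.get("header.d", ""), from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "none"  # DMARC passes: at least one aligned, passing identifier
    return tags.get("p", "none")  # otherwise apply the published policy


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(label, "->", dmarc_disposition(raw, EXAMPLE_ORG_DMARC))
```

The lookalike case returns `none` even though it is the attack the paragraph describes, because `examp1e.org` is the attacker's own domain and its SPF and DKIM legitimately pass; catching it needs display-name and lookalike-domain checks on top of DMARC.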
3. Email link scanning
Link scanning software can protect you from attacks that rely on harmful links. These systems look for suspicious URLs in incoming emails, removing the danger of an employee missing the carefully constructed domain in the page address or clicking on a link to a completely legitimate site that has been temporarily compromised. Some link scanners check links both at the time of email delivery and at the moment of click, allowing you to safeguard your users based on real-time reputation and content analysis.
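The checks a delivery-time link scanner performs on an HTML message, as an added example that is not the article's or any vendor's code: it pulls every anchor out of the body with the standard-library HTML parser and flags the patterns the paragraph alludes to, namely visible link text that names one host while the `href` points at another, hosts that are bare IP literals, punycode (`xn--`) hosts that can render as lookalikes, and hosts on a reputation list. The HTML body and the bad-host list are constructed sample data, and `.test` domains are reserved names.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML body (not from a real message).
SAMPLE_HTML = """
<p>Please <a href="https://login.example.com/reset">reset your password</a>.</p>
<p>Or visit <a href="http://example.com.evil.test/login">https://example.com/login</a></p>
<p>Invoice: <a href="http://192.0.2.10/inv.pdf">your invoice</a></p>
<p><a href="https://xn--exmple-cua.com/">ex&auml;mple</a></p>
"""

# Constructed reputation list (assumption: fed from a threat-intel service).
BAD_HOSTS = frozenset({"example.com.evil.test"})


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def visible_host(text):
    """Host the user *thinks* they are clicking, if the anchor text looks like a URL or hostname."""
    if "://" in text:
        return host_of(text)
    if "." in text and " " not in text:
        return text.lower()
    return ""


def scan_links(html_body, bad_hosts=BAD_HOSTS):
    """Return [(href, [reasons])] for every link that trips at least one check."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        reasons = []
        if host in bad_hosts:
            reasons.append("known-bad host")
        if is_ip_literal(host):
            reasons.append("IP-literal host")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode host")
        shown = visible_host(text)
        if shown and shown != host:
            reasons.append("visible text host differs from link host")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in scan_links(SAMPLE_HTML):
        print(href, "->", ", ".join(reasons))
```

Time-of-click protection is the same logic run again when the user follows the link, usually behind a rewritten URL, so that a host whose reputation changed after delivery is still caught.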
4. Encryption has its place
Many businesses are unaware that the fundamental email protocol, Simple Mail Transfer Protocol (SMTP), has no encryption built in. Many individuals believe that email is safeguarded in transit because it is encrypted between the mail client (for example, Outlook) and the email server (for example, Exchange). In fact, email that leaves the server is in clear text and can be intercepted and read as it hops between servers, often in many places, before reaching the recipient's destination email server. Email security solutions can enforce encryption (using TLS) for specified domains or try to use TLS opportunistically, falling back to an unencrypted session if a secure connection can't be established. This is known as policy-based encryption. Email encryption from business to consumer is difficult because there is no single standard. To encrypt individual messages, several email security systems allow the user to tag an email (for example with SECURE) at the beginning of the subject line. Rather than receiving the message itself, which would be sent in the clear, the recipient receives a link to an HTTPS site where they can read it. This is also known as user-based encryption.
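The difference between enforced and opportunistic TLS is easiest to see in the sending side's decision logic. The following is an added example, not the article's or any product's code, written against Python's standard `smtplib` and `ssl` modules: a per-domain policy map (constructed values) decides whether a destination server that does not advertise STARTTLS gets a clear-text session (opportunistic `may`) or has the message deferred for retry (mandatory `encrypt` and `verify`). Only `decide_transport` and `policy_for` are exercised offline; `deliver` performs the real SMTP exchange and is shown for completeness.

```python
import smtplib
import ssl

# Constructed per-domain policy (assumption). "verify" also requires a
# certificate that chains to a trusted CA and matches the server name;
# "encrypt" only requires TLS on the wire; "may" is opportunistic.
TLS_POLICY = {
    "bank.example": "verify",
    "partner.example": "encrypt",
}
DEFAULT_POLICY = "may"


def policy_for(domain):
    return TLS_POLICY.get(domain.lower(), DEFAULT_POLICY)


def decide_transport(policy, starttls_offered):
    """Return 'tls', 'plaintext' or 'defer' for a policy and the server's EHLO capabilities."""
    if policy == "none":
        return "plaintext"
    if starttls_offered:
        return "tls"
    # No STARTTLS advertised: only the opportunistic policy may fall back to
    # clear text; mandatory policies defer so the queue retries instead of leaking.
    return "plaintext" if policy == "may" else "defer"


def deliver(host, port, mail_from, rcpt_to, data):
    """Deliver one message, choosing the transport from the recipient domain's policy."""
    policy = policy_for(rcpt_to.rsplit("@", 1)[-1])
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        action = decide_transport(policy, smtp.has_extn("STARTTLS"))
        if action == "defer":
            raise smtplib.SMTPException(
                f"policy '{policy}' requires TLS but {host} offers no STARTTLS")
        if action == "tls":
            ctx = ssl.create_default_context()
            if policy != "verify":
                # 'encrypt' wants confidentiality only; an unverified cert is
                # accepted. 'verify' keeps hostname and chain validation on.
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            smtp.starttls(context=ctx)
            smtp.ehlo()  # capabilities may change after the TLS upgrade
        smtp.sendmail(mail_from, rcpt_to, data)
        return action
```

The same idea in Postfix is the global `smtp_tls_security_level = may` for opportunistic TLS, overridden per destination through `smtp_tls_policy_maps` with `encrypt` or `secure` entries for the domains that must never be sent to in the clear.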
5. Backup, archiving, and continuity
Services that assure an organisation's ability to meet legislative and regulatory compliance obligations, or that sustain operations and user productivity during an email outage, are almost as vital as email security (email is, after all, a critical business application). Simple email backup services save copies of all inbound (and optionally outbound) messages for a set period of time (usually several years). With features like tamper-proof storage and support for ediscovery requests or warrants, email archiving solutions help regulated firms achieve compliance. Email continuity gives users access to an 'Emergency Inbox', normally accessed through a browser, containing Inbox and Sent messages from the previous 7 to 30 days. If the primary email provider (or server) fails, users can still read and respond to email until service is restored. These services aren't glamorous, but they provide peace of mind, especially when moving email off-premises.
6. Outbound email filtering
Whereas most of these measures focus on preventing bad actors from getting in, outbound email filtering focuses on preventing sensitive material from being sent out. By reviewing what is going out as well as what is coming in, companies can prevent data from being released by accident and identify employees who may be being exploited. Furthermore, if one employee's email account is compromised by malware, outbound filtering should prevent the malware from spreading to other accounts and damaging them.
7. Algorithms are king
When it comes to identifying and blocking threats, algorithms are one of the most effective techniques for protecting against modern email risks. Email security technologies have traditionally relied on pattern-based approaches, scanning messages for content previously seen in a live or earlier spam run. This strategy is still useful, if primitive, but as threats have developed, email security measures have had to evolve as well. A CEO impersonation attack, for example, gets around a pattern-based approach because a plain text email from one account to another appears harmless on the surface, especially if it is customised specifically for the victim. As a result, algorithmic analysis is critical for detecting advanced threats. Rather than focusing on the text of the email, algorithmic analysis dissects it into its fundamental traits and attributes, assigning each one a weighted score based on how suspicious it is. Organisations may go a long way toward stopping incoming threats by combining this significantly more complex analysis with pattern analysis, which still has its role.
8. Threat intelligence
In many facets of security, including email security, up-to-date threat intelligence is becoming increasingly relevant. If an attacker sends a simple plain text email from a legitimate server and domain that wasn't just registered, where the server matches the domain, from an IP address that isn't blacklisted, and with valid MX and SPF records, there may be nothing that identifies the email as malicious – algorithmically or otherwise. Threat intelligence can add an important layer of defence. If the registrant has a history of registering domains and using them to launch attacks or distribute malware, domain-based threat intelligence will assign the domain a high-risk rating.
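The weighted-attribute scoring of tip 7 and the domain threat intelligence of tip 8 fit together naturally, so here is one added example covering both (not the article's or Censornet's code): each message is broken into a handful of boolean traits, every trait carries a weight, and the sum is compared with a block threshold. Two of the traits come from a domain-intelligence lookup, which is what lets the third sample message, a polite text-only note with no urgency or financial ask, still be scored as dangerous. The executive list, the intelligence feed, the weights and the messages are all constructed sample data, and the feature set is deliberately small; a production engine would have hundreds of traits.

```python
from datetime import date
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john roe"}  # display names worth protecting (constructed)

# Constructed domain-intelligence feed (not real data): registration date and
# whether the registrant has previously been linked to malicious domains.
DOMAIN_INTEL = {
    "example-corp.test": {"registered": date(2021, 12, 1), "registrant_flagged": True},
    "example.com": {"registered": date(1995, 8, 14), "registrant_flagged": False},
}

URGENCY = ("urgent", "immediately", "asap", "today", "right away")
FINANCE = ("wire", "transfer", "invoice", "payment", "bank details", "gift card")

# Constructed weights: how suspicious each trait is on its own.
WEIGHTS = {
    "exec_name_external_domain": 4,
    "reply_to_mismatch": 3,
    "urgency_language": 1,
    "financial_request": 2,
    "newly_registered_domain": 3,
    "registrant_flagged": 4,
}
THRESHOLD = 6

IMPERSONATION = """\
From: "Jane Doe" <jane.doe@example-corp.test>
Reply-To: jane.ceo@mail.test
To: finance@example.com
Subject: Urgent: wire transfer today

Please send the payment to the new supplier before 3pm.
"""

BENIGN = """\
From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Subject: Q1 planning

Please send me the updated budget today.
"""

QUIET_PROBE = """\
From: "Jane Doe" <jane.doe@example-corp.test>
To: finance@example.com
Subject: Hello

Are you at your desk? Can you call me when you are free?
"""


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def extract_features(raw, today):
    """Dissect a message into boolean traits; 'today' is injected for reproducible ageing."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    intel = DOMAIN_INTEL.get(from_domain, {})
    age_days = (today - intel["registered"]).days if "registered" in intel else None
    return {
        "exec_name_external_domain": name.strip().lower() in EXECUTIVES and from_domain != CORPORATE_DOMAIN,
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "urgency_language": any(w in text for w in URGENCY),
        "financial_request": any(w in text for w in FINANCE),
        "newly_registered_domain": age_days is not None and age_days < 90,
        "registrant_flagged": bool(intel.get("registrant_flagged", False)),
    }


def score(features):
    return sum(WEIGHTS[name] for name, hit in features.items() if hit)


def classify(raw, today=None):
    """Return (verdict, score, [traits that fired])."""
    features = extract_features(raw, today or date.today())
    total = score(features)
    verdict = "block" if total >= THRESHOLD else "deliver"
    return verdict, total, [name for name, hit in features.items() if hit]


if __name__ == "__main__":
    for label, raw in (("impersonation", IMPERSONATION), ("benign", BENIGN), ("quiet probe", QUIET_PROBE)):
        print(label, classify(raw, today=date(2022, 1, 10)))
```

Pattern matching still has a place alongside this: a known-bad URL or attachment hash is a cheap, certain hit, whereas the scoring above is what catches the customised plain-text message no signature has seen before.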
9. Don’t keep email security in isolation
Email security is important, but it's only one route for hackers to gain access. Other sources of weakness in your organisation, such as the cloud applications you use and the websites your employees visit, are also being targeted by criminals. It's critical to use technologies that safeguard all of these channels at the same time, but they're frequently siloed. This means that the people in charge of protecting their employees' digital environments don't have complete visibility into what's going on. Look for a system that integrates effectively with your existing security controls.
10. Autonomous Security
To fully break down those silos, autonomous security is the way to go. A platform like Censornet, which brings together all of an organisation's essential security functions, can feed data from one service to the next. If a link in an email is suspected of being malicious, it is added to web security and blocked for all employees. This is how email security will work in the future.