As an IT professional, no doubt you’re familiar with the ongoing security risks with business email, but the remainder of your business might not be. Despite rumours to the contrary, email is still an incredibly popular form of corporate communication. But, with one in every 100 emails disguising a hacking attempt and the majority of workers unfamiliar with the security flaws of emails, organisations must be extra vigilant to the risks.
We’re seeing an influx of SAML-based SSO business collaboration tools like Slack, yet a huge amount of sensitive information is still shared via email. And, to the majority of your workforce, email is perceived as the most trusted, secure and reliable mode of communication. Despite this, when it comes to securing email communications, many organisations tend to rely on legacy, rule-based security platforms.
Here’s what your staff may not be on the lookout for, and how to keep your internal and external email services secure:
Does your whole workforce know what a phishing attempt is, and what to look for?
With phishing, the goal of the perpetrator is to fool the recipient into providing personal information. To you, the signs may be obvious, but this may not be the case for less technical staff members. Preying on the least vigilant, the hacker’s job is made far easier when the staff member is blind to the key signs of a ‘phishy’ email. And this could be anyone from members of the C-suite to your summer interns.
The simplest solution? Run regular (and thorough) phishing vigilance workshops to educate all your staff. If your business has a high staff turnover, once a year is probably not often enough.
In your training, provide multiple visual examples. Explain never to pass over sensitive usernames, passwords, internal information or credit card numbers. It’s worth also outlining that some phishing emails are incredibly realistic, trying to hoax users into believing that their business account, password, or credit card has been compromised, directing them to a fake site.
Ensure your staff know who to contact — and not what to do — if they suspect a phishing attempt.
Your staff may have heard of a Trojan, but do they know when and how they may be at risk?
Although ransomware, Trojans and worms can originate from a number of external sources, most malicious viruses can find the way into business systems through your workers’ email attachments and compromised links.
Most viruses are activated when your users open an attachment or clicks a link, but if your email client allows scripting, they can receive this virus by simply opening a message. But, how can your staff be aware of suspicious content before they’ve even opened their mail?
As you probably know, the safest way to view email messages is in plain text. Yet not all your staff will be prepared to change their view settings for security reasons. In that case, it’s essential that your email security software has next-generation firewalls and robust email filtering to catch such emails at the source. This should include antispam and antivirus services which examine your emails, searching for and removing viruses, Trojans and worms.
Sophisticated hacks can be incredibly tricky for your operational staff to spot, particularly if they’re expecting communication from a real businesses that’s used as a spoof.
In 2017, there was a huge surge in the number of email intercept fraud cases. In many cases, criminals hacked into real accounts and emailed their customers, masquerading as an employee from that business. As you know, these threats are evolving in sophistication and emerging every day.
“Email hacking due to increased use of web-based mail applications and a lack of basic security controls amongst SMEs will lead to a huge increase in social engineering scams. Cyber criminals will craft increasingly convincing emails to con unwitting recipients into transferring funds directly into the criminals’ bank accounts.”
– Graeme Newman, chief innovation officer at CFC Underwriting
So, what is the best solution from a technical position? Ensure your managed or internal security solution has a sandboxing feature.
There are dozens of new email threats that appear every single day, many not yet discovered by email filters. Whilst traditional inbound email filters scan for known malicious senders, URLs and file types, sandboxing ensures any email that passes the filter containing unknown components can be tested before they reach your network or mail server.
The sandbox must be a secure, virtual environment that accurately emulates the CPU of your production servers.
To your staff, it’s just an innocent typo. To your business, it could generate a mission-critical data breach.
According to IBM, 95% of all security incidents and data breaches involve some level of human error. This can be as simple as an address typing error, which then puts sensitive information directly in the hands of a perpetrator.
In fact, misaddressed email was one of the biggest forms of data loss, last year. Such data breaches — those that are a result of human error — are unhostile and unmalicious. But if anything, this makes them harder to prevent, and the consequences can be just as catastrophic as an external hack.
A misaddressed email can be blamed on any number of factors, including human laziness and email autocomplete gone awry. You can, firstly, impress upon your staff the importance of re-reading and confirming their send addresses. But on top of this, consider the strength of protection against accidental misuse in your security solution.
For example, Touch Secure, Intercity Technology’s managed, cloud-based Security as a Service (SECaaS), has layers of security between end users and the Internet, protecting against accidental misuse by external and internal agents.
The answer? Education and technology.
Despite the increased risks, email will continue as a popular form of business communication for many years to come. And it will continue to be trusted and relied upon by all your workforce.
So, ensure you have regular and thorough staff education. Advise your email users:
- Never to open anything that is attached to an email message, or send over critical information, unless they recognise the sender and the contents of the file.
- If they receive an attachment from a familiar email address, but were not expecting it, they should contact the sender before opening the attachment.
- If they receive a message from an unknown user with an attachment, they should just delete the message.
Secondly, it’s imperative to keep your email security services up-to-date and ensure they are up to the task. If your business is lacking a set of reliable internal security controls, why not work with a trusted a third-party security provider insead?
For example, Touch Secure is a managed, next-generation SECaaS which provides control over all your IT applications and email services. It includes sandboxing features, robust intrusion protection as well as traditional firewall features, and anti-spam filters.
So, as an IT professional, you may be fully-aware of the high-profile risks associated with emails, but don’t assume your staff are as up-to-speed. You may never entirely eliminate the risks of email security, but with internal education as well as cloud-based SECaaS, you will cover as many bases as possible.