These email data security best practices will help your employees and
company stay safe all year long
When we were kids, many of us were taught by family or
teachers not to talk to strangers. Yet, somehow, in the virtual world of the
Internet, people seem to have forgotten this essential lesson of “stranger
danger” and willingly engage with emails from senders they don’t know. This puts your customers, data,
and organization as a whole in danger. This is why implementing email security
best practices is so vital.
It seems like every day a new type of phishing attack or
malicious spam (“malspam”) attack is making itself known in the headlines. Most
recently, a new form of malware named GermanWiper
has been targeting primarily German businesses. Like most malware, it messes
with the victims’ files and demands payment for their safe return. However,
rather than encrypting the data like traditional ransomware, this
non-traditional form of ransomware re-writes a user’s files to zeros and ones,
ultimately destroying the data.
Despite leading cyber security companies shouting from
the rooftops about the importance of email data security and promoting the use
of employee awareness training and implementing other preventative measures, we
continually see reports about businesses that have fallen victim to various types
of phishing attacks and malicious spam email attacks. And the resulting
losses are anything but “chump change” — these attacks have been known to
result in tens of millions of dollars being lost to cybercriminals.
So, how can you help your company avoid the undesirable
title of being the next victim of a data breach due to phishing, malspam, and
other predatory tactics? By following email security best practices.
Let’s hash it out.
Email security best practices in 2019 that will strengthen your cyber
Cybersecurity, formerly AlienVault, reminds us that to be compliant,
enterprises are frequently required to host their own email servers rather than
relying on third-party email services. This is a great thing if you’ve taken
the time and invested the resources necessary to strengthen your defenses.
However, it can be a bad thing if you haven’t bothered with those things and
suddenly find your email under attack. Not only does this leave your data at
risk, it also leaves your organization open to noncompliance fines, penalties,
reputation loss, and lawsuits from customers whose data and information are affected.
As much as we’d like there to be, there’s no silver
bullet — no one-size-fits-all approach to securing email communications to
protect your company from those who attack via email. Unless, of course, you
count not opening emails as an effective solution… But in our modern
digital and connected world, that simply isn’t feasible.
This is why a multi-layered approach to cyber security is
imperative. Not all email-based cyberattacks are successful when you and your
employees follow set guidelines for secure use of email. This list of best
practices includes a combination of technologies that you should integrate as
well as behaviors that you and your employees should adopt.
Looking for some good business email security best
practices? Here are things you can do to protect your business from
employees engaging with phishing emails, malspam, and other malicious messages:
Email security best practices tip #1: Create a comprehensive cyber security
plan that includes email
Having a developed and comprehensive cyber security plan
can help your business avoid or be prepared to face many of the threats that
lurk online. No matter how big or small your organization is, if you don’t yet
have a cyber security plan, you need to get one. Now.
If you’re not sure where to start when creating a cyber
security plan, look at the Federal Trade Commission’s (FTC’s) Cyberplanner 2.0. Though it was
designed with small businesses in mind, this online resource was created with
the goal of helping organizations map out a customized cyber security planning
guide. Just keep in mind, however, that this is just a starting point and
shouldn’t be your final product. Your cyber security strategy should include
guidelines, policies, recommendations, and requirements regarding the
implementation and use of technology. This includes email communications.
Sadly, yes, we need to stipulate that because some people
(not you, of course) will just run with the content that’s provided by the
FTC’s cyberplanner tool. So be sure to really review, strategize, customize,
and make the plan your own to suit the specific needs of your organization.
Email security best practices tip #2: Regularly hold employee cyber awareness
Cyber security awareness training is vital for every
employee at every level within every organization. It doesn’t matter whether
you’re a Fortune 100 company or a small mom-and-pop operation — whether you’re
the CEO, a middle manager, or a staff assistant — you’re still a
potential target for cybercriminals. This means you need to be able to properly
react to email-based threats.
When one of your employees receives a phishing email with
some type of attachment, there are two main ways they can respond:
- The end user engages with the attachment,
enabling their computer or device to become infected with malware, potentially
resulting in a breach of your network or even a ransomware attack.
- They choose to flag the email as junk or spam —
perhaps even taking a moment to send an email to your company’s IT team to let
them know about what just occurred.
As the example above shows, effective cyber awareness
training can help your employees learn to identify and safely handle spam and
phishing emails. This includes training them to correctly flag spam and other
malicious emails. However, it’s essential to stress that this training is not a
one-off solution. It’s something that continually needs to take place because
email scam tactics have evolved past the conventional African prince scam we
all know and (don’t) love. In fact, some phishing emails are so convincing that
they can fool even experienced IT security experts
and c-suite executives.
How you choose to implement the training is up to you —
some companies prefer computer-based training. Others prefer face-to-face or an
integration of the two methods. Do whatever works best for your company and end
users. Just be sure to keep doing it and to periodically test your employees
with phishing simulations.
Cyber security awareness is like a muscle: The more you
work it and keep it engaged, the stronger and more honed it will become. If you
become complacent — the cyber security equivalent of a “couch potato” — you’ll
see your employees’ sense of cyber awareness get “out of shape” and become ineffectual,
leaving your organization defenseless against email-based cyber threats. I’d
say nobody wants that, but then I’d be lying — cybercriminals are hoping for
Email security best practices tip #3: Invest in quality antivirus measures
Many antivirus programs come equipped with a broad set of features
— and mail filters and scanning capabilities for files and websites may be
among them. If so, put these capabilities to work to your advantage. These can
help you identify some forms of malware and other threats to help prevent your
devices or network from becoming infected. If you can, set the antivirus
program to work with your mail proxy/relayer to scan emails to filter out
potentially malicious emails to keep them from being delivered to your (or your
Really take the time to familiarize yourself with all of
your antivirus program’s features. This way, you’re not paying for a system and
end up leaving some of its benefits unused.
Also make sure to include information about the antivirus program as
part of your employee cyber training — after all, what’s the good in having a
strong antivirus program if your end users are just going to ignore it?
Email security best practices tip #4: Create email blacklists and
If you aren’t already maintaining a current list of
banned email addresses (a blacklist), what are you waiting for? This list helps
to prevent known spammers or cyber threats from ever making it through to your
inbox. Whether you’re doing it in-house or are using a third-party blacklist
authority, just make sure that it’s being done at all. There are a few ways to
maintain the list — it can be maintained by domain, email address, and IP
Nearly as important is what’s referred to as a whitelist
— or the list of email addresses that are permitted through your filters and
server. This list also can be maintained through those same three components
(domain, email address, and IP address/range).
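As an added illustration (not code from the original post), here is a small Python filter that applies both lists by the three components named above: sender domain, full sender address, and connecting IP address/range. The list entries and sample message are constructed values; whitelist hits take precedence, and anything unmatched is passed on to normal spam filtering.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample lists, each keyed by the three components: domain,
# full address, and IP range (addresses and domains stored lowercase).
BLACKLIST = {
    "domains": {"spammer.example"},
    "addresses": {"phish@mail.example"},
    "networks": [ipaddress.ip_network("203.0.113.0/24")],
}
WHITELIST = {
    "domains": {"partner.example"},
    "addresses": {"trusted@mail.example"},
    "networks": [ipaddress.ip_network("198.51.100.10/32")],
}


def match_list(entries, sender, client_ip):
    """Return which component matched ('address', 'domain', 'ip') or None."""
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if sender in entries["addresses"]:
        return "address"
    if domain in entries["domains"]:
        return "domain"
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:  # malformed/unknown client IP: no range match possible
        return None
    if any(ip in net for net in entries["networks"]):
        return "ip"
    return None


def decide(sender, client_ip, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Whitelist beats blacklist; unmatched mail goes to normal filtering."""
    hit = match_list(whitelist, sender, client_ip)
    if hit:
        return ("accept", f"whitelisted by {hit}")
    hit = match_list(blacklist, sender, client_ip)
    if hit:
        return ("reject", f"blacklisted by {hit}")
    return ("filter", "no list match")


def decide_message(raw_message, client_ip):
    """Apply the lists to the From: header of a raw RFC 5322 message.
    parseaddr() ignores the display name, so a friendly-looking name in
    front of a blacklisted address does not bypass the check."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return decide(addr, client_ip)
```

Because the From: header is set by the sender, domain and address whitelists should be paired with sender authentication results in a production mail relay rather than trusted on their own.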
Email security best practices tip #5: Use strong, hard-to-guess passwords
Cyberattacks frequently involve credential compromise
because it provides the greatest access for the attacker. Wombat Security’s 2019 State of the
Phish report shows that credential compromise increased by more than 70%
since 2017. Research
from Verizon’s 2019 Data Breach Investigations Report (DBIR) shows a “98% rise
of compromise of web-based email accounts using stolen credentials – seen in
60% percent of attacks involving hacking a web application.”
These statistics underscore the importance of having a
complex, hard-to-guess password. After all, what’s the point in investing
thousands of dollars every year in IT security measures if you’re simply going
to hand a hacker the keys to your kingdom? A strong password is one that:
- Includes a combination of upper and lowercase
letters, numbers, and symbols.
- Avoids using words that can be found in the
- Does not include the names of your pets, family
members, favorite teams, or other information that can be found easily on your
social media profiles.
Password-guessing tools can submit hundreds or even
thousands of words per minute in brute force attacks. To make your password
more guess-resistant if you want to use words that are semi-easy to remember,
intersperse numbers or symbols in place of letters throughout them. For example,
instead of using kittycat or ilovecatssomuch as your password, use
something like [email protected]! or I<[email protected]#.
Email security best practices tip #6: Use the S/MIME protocol for data encryption
and email signing
What if there was a way that you could prove your
identity to your email’s recipient(s) while also helping to protect the
integrity of its data? Enter S/MIME, the secure/multipurpose internet mail
extensions protocol — an advanced email security best practice.
This term refers to an email signing protocol that
increases email security by:
- Creating a timestamped digital signature that
confirms the sender’s identity to the recipient;
- Encrypting and decrypting the contents of emails
to provide at-rest and in-transit data protection; and
- Facilitating the secure sharing of documents
By installing an S/MIME
certificate, you’re demonstrating your dedication to data security. Though
these certificates used to be tedious to install — requiring individual, manual
installation on every device — some modern certificate
management solutions now make the process simple by automating the process
from one single pane of glass.
Don’t let your company become a cyber security couch
potato. Read more about some of these and other email security best practices to
learn about basic and advanced methods you can implement to increase email data
security and keep your organization safe.
As always, leave any comments or questions below…
*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Casey Crane. Read the original post at: https://www.thesslstore.com/blog/6-email-security-best-practices-to-keep-your-business-safe-in-2019/