The rise of technology in the last 10 years has seen a parallel in the rapid increase in cybercrime. At one end of the scale, you have the so-called “script kiddies” infecting single computers for small profit. At the other end, there are the state actors that use ransomware and other malware to spy on or cripple government agencies.
Businesses find themselves in the middle of it all, attracting the most attackers. It’s alarming how easily criminals can steal confidential and sensitive data just by gaining access to email addresses and login credentials. Still, there are things you can do to combat these cybersecurity risks.
In this blog, we've compiled everything you need to know to help maintain a secure business email:
What is email security?
Related article: What is email security and why do you need it?
A harmful email can wreak havoc throughout your organization. At times, critical data will be stolen, tampered with, or even hijacked, often leading to significant losses such as regulatory fines, reputation damage, and operational paralysis.
Hackers are continuously developing sophisticated tools and techniques that bypass traditional email security solutions. Anti-malware solutions alone will no longer suffice. The growing challenge for any business is to ensure that it has the right combination of defenses to detect and stop these threats.
Enterprise email security today typically combines multiple layers of defense, using different solutions and techniques to keep inboxes safe. These include security awareness training for employees, strong passwords and password management, firewalls, anti-malware and antivirus solutions, spam filters, transport layer and end-to-end encryption, best practices for BYOD, multifactor authentication, mobile device management, and more.
Why is email still the number one target?
Related article: Why are emails still the number one target for cyberattacks
The FBI reported in 2019 that deliberate attacks on business email have cost organizations over $12 billion in the last five years. That’s a lot of profit for hackers. Here are some other reasons why email remains a focus for malicious activity.
- People are fallible. In spite of their education in email security best practices and red flags, they will make mistakes. In fact, human error and negligence were responsible for most of 2018's self-reported data breaches, according to this report.
- Using personal emails for business communications. Employees continue to use their personal inboxes on free consumer email services that have minimal security measures.
- It’s easy to fool people. Spoofing a name and an email address is enough to fool the average person into thinking that their boss sent them an email.
- Cybercriminals are smart. Hackers and spammers quickly alter their approaches as soon as the security industry develops a defense against their attacks. Underground marketplaces like the dark web are not only locations to buy and sell hacked data, but also to contract expert services dedicated to putting email at risk.
- Businesses don’t have enough protection. Many enterprise email inboxes are just sitting there defenseless due to a lack of expertise, an underestimated need for security, a lack of budget, or an overlooked vulnerability.
The impact of spam emails on your business
Related article: Spam Emails Are Far Costlier than You Realize
In its 2018 Internet Security Threat Report, Symantec revealed that the average user gets 16 malicious spam emails every month; that’s 192 spam emails a year for every employee. For a small company, that means receiving thousands of spam emails yearly, each with varying potential for harm.
Spam is costing businesses around the world billions of dollars in reduced productivity, security breaches, and other issues. For a single business, this cost will vary depending on the organization’s specific computing environment. The following figures should give you an idea.
According to one report, 92.4% of spam email messages contain malware attachments. Malware is constantly evolving as a threat, and defenses are left trying to keep up.
The infamous WannaCry ransomware of 2017 arrived in inboxes by way of spam. Cybersecurity was so unprepared that it disrupted 200,000 IT systems around the world, including those of large organizations.
According to Adam Sheehan, behavioral science lead at MWR Infosecurity, “Spam is becoming an increasingly successful attack vector.” Criminals are often using malware to do two things: gain access to a computer network and damage it. This leaves businesses to pay for compromised employee and customer data, legal fees to deal with disgruntled customers, forensic fees, regulatory fines, and cybersecurity costs to prevent future attacks.
Related article: Ways malware can disrupt your business
Phishing, or emails that seem to come from a legitimate source, is a very effective tactic (increasing the chance of a click on a link or email attachment by 12%) that dupes victims into giving away confidential information like payment details or login credentials.
The time your employees spend checking irrelevant messages and updating spam filters can cost you many thousands of dollars over the course of a year. That time could otherwise be spent on core business operations.
Important email security tools
Email encryption, also known as end-to-end email encryption, is a solution that changes the content of the sender’s email message into an unreadable form to protect potentially sensitive information from unauthorized individuals. Only the authorized recipient, who holds the decryption key, can change it back into a readable form.
With end-to-end encryption, the message can’t be read or modified by anyone while in transit. It becomes a valuable tool to protect messages as they travel from sender to receiver, since email is unsafe in public networks or can be intercepted by hackers on unsecured networks.
Related article: Why Every Business Needs Email Encryption
A personal email certificate is another encryption tool that places a digital signature on your messages. This lets recipients know if a message with your name or from your account is authentic. Spoofed messages and spam will not have your digital signature.
It is best to consistently encrypt all messages your organization sends as a standard practice. Encrypting only messages with sensitive data such as payment information will just paint a target on those messages for hackers.
At best, spam is a nuisance that lowers your productivity, and at worst, a serious threat to your business’s network security. One way to avoid spam and other email threats is to use email filtering for your entire organization.
Email filtering systems act as gatekeepers for an organization’s inbound and outbound email traffic. An inbound email filter scans incoming messages and classifies them into different categories, such as spam, bulk, virus, impostor, and others. Outbound email filtering, on the other hand, scans messages before any potentially harmful messages can be delivered to outside users and organizations.
Related article: How important is email filtering for your business?
Email filtering can be deployed as a cloud service or as an on-premises tool and uses a number of techniques: reputation-based email filtering, whitelisting, blacklisting, greylisting, anti-virus, and content analysis. It can protect your business in the following ways:
- Sort annoying spam out of your organization’s inboxes, optimize email communications, and highlight information vital to business operations
- Promote employee productivity by eliminating distractions such as social media, promotional messages, and other non-business emails in their inboxes
- Protect your organization from malware delivered via spam email, including ransomware, by scanning messages for malicious code and blocking suspicious mail from your inbox
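To make three of the techniques named above concrete (allowlisting, blocklisting and greylisting), here is an added example of the decision logic an inbound mail gateway applies per SMTP delivery attempt. It is illustration written for this article, not Spectrumwise's or any vendor's code; the domains, client addresses and timestamps are constructed for the demo, and the delay and expiry values are typical defaults, not figures from the article. Greylisting works because bulk spam tools usually do not retry a temporary failure while legitimate mail servers do.

```python
"""Toy inbound mail gateway: allowlist, blocklist and greylist decisions.
Added example, standard library only. All names below are constructed."""
import time
from dataclasses import dataclass, field

ACCEPT, REJECT, TEMPFAIL = "accept", "reject", "tempfail"

GREYLIST_DELAY = 300       # seconds an unknown sender must wait before retrying (assumed default)
GREYLIST_TTL = 36 * 3600   # forget a sender that never retries after this long (assumed default)


@dataclass
class Gateway:
    allow_domains: set                       # senders always accepted
    block_domains: set                       # senders always rejected (checked first)
    # greylist state: (client_ip, mail_from, rcpt_to) -> time the triple was first seen
    seen: dict = field(default_factory=dict)

    def decide(self, client_ip, mail_from, rcpt_to, now=None):
        """Return (decision, reason) for one delivery attempt.
        `now` is injectable so the logic can be tested without sleeping."""
        now = time.time() if now is None else now
        domain = mail_from.rsplit("@", 1)[-1].lower()

        # Static lists are cheapest, so they run before any stateful check.
        if domain in self.block_domains:
            return REJECT, "sender domain on blocklist"
        if domain in self.allow_domains:
            return ACCEPT, "sender domain on allowlist"

        # Greylisting: temporarily refuse the first attempt from an unseen
        # (client, sender, recipient) triple and accept a retry after the delay.
        triple = (client_ip, mail_from.lower(), rcpt_to.lower())
        first_seen = self.seen.get(triple)
        if first_seen is None or now - first_seen > GREYLIST_TTL:
            self.seen[triple] = now
            return TEMPFAIL, "greylisted: unknown sender, retry later"
        if now - first_seen < GREYLIST_DELAY:
            return TEMPFAIL, "greylisted: retry came too soon"
        return ACCEPT, "greylist passed: sender retried after the delay"


def run_demo():
    """Replay a constructed sequence of delivery attempts and return the decisions."""
    gw = Gateway(allow_domains={"partner.example"}, block_domains={"blocked.example"})
    attempts = [  # (client_ip, MAIL FROM, RCPT TO, seconds since start)
        ("203.0.113.5", "bulk@mailer.example", "alice@corp.example", 0),
        ("203.0.113.5", "bulk@mailer.example", "alice@corp.example", 60),
        ("203.0.113.5", "bulk@mailer.example", "alice@corp.example", 400),
        ("198.51.100.9", "news@blocked.example", "alice@corp.example", 5),
        ("192.0.2.1", "ceo@partner.example", "alice@corp.example", 10),
    ]
    return [gw.decide(ip, frm, to, now=t)[0] for ip, frm, to, t in attempts]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The blocklist is consulted before the allowlist on purpose: a compromised partner domain can then be cut off with one entry without editing the allowlist. Real deployments also apply reputation data and content analysis after this stage, which the toy omits.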
Multifactor authentication (MFA)
Rather than relying on passwords alone to access accounts and systems, enable MFA across the entire organization. MFA adds an additional layer of security. For example, after a user has entered the correct credentials (username and password), the system asks for additional login credentials, such as a numerical code sent to the authorized user’s smartphone. Similarly, when you use your credit or debit card to pay for something online, you might be asked to enter a secret passcode before you can confirm your purchase.
Related article: What Is Multifactor Authentication, and Why Is It So Important?
MFA uses at least two authentication methods, typically a combination of the following:
- Something you have, such as a bank card or mobile authenticator
- Something you know, such as a password or PIN code
- Something you are, such as a fingerprint or facial features
Some of the most secure systems, however, may incorporate a third or even a fourth authentication method.
The most obvious reason MFA is so important is that it greatly strengthens security. To successfully log in to an MFA-protected system, a hacker would need access not only to the password, but also the extra authentication method, such as your smartphone or fingerprint.
Protecting your business email
Related article: How to protect your business emails from low-tech breaches
Protecting email communications from scam-ridden spam starts with the right security policies and the right tools, paramount among them email filtering systems. The right email filtering system has advanced features such as spam detection protocols, strict anti-phishing rules, and user-based filter settings to eliminate spam before it lowers staff productivity and threatens network security.
But policies and tools aren’t enough. You also need to know how to respond correctly when your business email has been breached. First:
- Cut off access through the breached email address.
- Change your passwords or tweak other account settings.
- Implement MFA.
- Employ an IT expert to assess the damage, stop the breach, and secure your network.
- Identify what went wrong through a security assessment.
- Prevent damage and breaches from spreading.
Spotting a scam email
Related article: 10 Email Red Flags: Can you tell a scam email from the real one?
Employees should be your first line of defense, not your weakest link. Given the role that human error plays in most breaches and attacks, your employees must learn to distinguish between a harmful email and a safe one. Here are the red flags of an email threat.
#1 Don’t ignore Outlook warnings; email clients have built-in anti-spam and anti-malware protection.
#2 Be suspicious if banks or other financial institutions ask you to settle issues over email. Emails are usually for notification purposes only.
#3 Keep an eye out for grammar and spelling errors, signs of online translation services used by cybercriminals for email scams.
#4 Watch out for typosquatting, a phishing method that uses a subdomain to create a seemingly trustworthy domain.
#5 Don't click on any links in an email without checking whether it's safe.
#6 Don't trust any link that claims to be a known organization but uses link shortening services, such as bit.ly or goo.gl.
#7 Don’t download any attachments from unexpected emails from an organization, especially if they come with an exciting offer or a warning.
#8 Don’t fall for scare tactics like “...or face litigation” or “you will be charged a fine unless you act now.”
#9 Be wary of any email that claims you owe an organization money, even if it's the IRS.
#10 Treat with suspicion any email from a seemingly reputable organization that starts with “Dear customer” or another generic greeting.
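Several of the red flags above (#4 lookalike domains, #6 link shorteners, #8 scare tactics, #10 generic greetings, plus the display-name spoofing described earlier) can be checked mechanically before a message reaches a person. The following added example, written for this article and not Spectrumwise's code, parses a raw email with the Python standard library and reports those signals. The trusted-domain list, the shortener list beyond bit.ly and goo.gl, the phrase lists and both sample messages are constructed for the demo; a real filter would draw them from the organization's own data and use the Public Suffix List to find registrable domains.

```python
"""Red-flag scanner for an incoming email. Added example, standard library only.
Trusted domains, phrase lists and sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"examplebank.com", "corp.example"}                 # constructed
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co"}               # first two from the article
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued customer", "dear account holder")
SCARE_PHRASES = ("face litigation", "charged a fine", "act now", "account will be suspended")
URL_HOST_RE = re.compile(r"https?://([^/\s\"'>]+)", re.I)


def edit_distance(a, b):
    """Levenshtein distance; catches one- or two-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of a hostname (toy; real code uses the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike(host):
    """Return the trusted domain `host` imitates, or None if it is genuine or unrelated.
    Catches a trusted name buried as a subdomain (examplebank.com.login.example)
    and a registrable domain within edit distance 2 (examp1ebank.com)."""
    host = host.lower()
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            return trusted
        if edit_distance(reg, trusted) <= 2:
            return trusted
    return None


def scan(raw_message):
    """Parse one RFC 5322 message and return a list of human-readable red flags."""
    msg = message_from_string(raw_message)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1]
    imitated = lookalike(sender_host)
    if imitated:
        flags.append(f"sender domain {sender_host} imitates {imitated}")
    elif registrable(sender_host) not in TRUSTED_DOMAINS and any(
            t.split(".")[0] in name.lower() for t in TRUSTED_DOMAINS):
        flags.append(f"display name '{name}' claims a trusted brand but address is {addr}")

    body_parts, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename() or part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename() or "(unnamed)")
        elif part.get_content_type() in ("text/plain", "text/html"):
            body_parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    text = "\n".join(body_parts)
    low = text.lower()

    for host in URL_HOST_RE.findall(text):
        if registrable(host) in SHORTENERS:
            flags.append(f"shortened link via {host}")
        else:
            imitated = lookalike(host)
            if imitated:
                flags.append(f"link host {host} imitates {imitated}")
    if any(low.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    for phrase in SCARE_PHRASES:
        if phrase in low:
            flags.append(f"scare tactic: '{phrase}'")
    if attachments and registrable(sender_host) not in TRUSTED_DOMAINS:
        flags.append("attachment(s) from unknown sender: " + ", ".join(attachments))
    return flags


# Constructed sample messages: one phishing attempt, one genuine internal notice.
PHISH = """\
From: Example Bank Security <alerts@examplebank.com.secure-login.example>
To: alice@corp.example
Subject: Action required
Content-Type: text/plain; charset=utf-8

Dear customer,

Your account will be suspended unless you act now. Verify at
http://bit.ly/3xAmpl3 or face litigation.
"""

LEGIT = """\
From: IT Helpdesk <helpdesk@corp.example>
To: alice@corp.example
Subject: Updated password policy
Content-Type: text/plain; charset=utf-8

Hi Alice,

The new policy is posted at http://intranet.corp.example/policy.
"""

if __name__ == "__main__":
    for flag in scan(PHISH):
        print("PHISH:", flag)
    print("LEGIT:", scan(LEGIT))
```

The scanner is deliberately a scoring aid, not a verdict: a genuine vendor notice can contain "act now", and a short edit distance between two unrelated real domains is possible, so the flags belong in a quarantine or banner decision alongside the gateway's other signals rather than replacing the employee's judgement.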
As an MSP, Spectrumwise guides, assesses, and sets up email security for your organization. We can also identify opportunities to optimize your IT systems and business processes cost effectively. Talk to us today.