What are best practices for email security?
Every year, there are new security threats to your company. From denial of service to ransomware, your information is under potential attack at every hour of every day.
Like a hole in a wall, the number one point of entry to your data is your email system. This weakness, through which hundreds or thousands of pieces of information pass each day, can be the perfect entry point for malware, ransomware, and much more.
Unlike some business functions, email is necessary. Of course, every couple of years someone declares the death of email, but there’s no reason to think that’s true.
So, in 2018, email security is more important than it has ever been.
Below is a list of 7 email security best practices that we advise our clients to put in place.
Train users regularly – Nearly all email threats require some type of human activity. A person needs to download an attachment or follow a link to an outside website. The very first thing to do is train your staff. Comprehensive training will teach your staff to avoid risky behaviors that jeopardize your system:
- Don’t download documents from an unknown sender
- Don’t click any link from unknown senders
- Call and verify anything from a trustworthy source that asks for personal or business information
- Have a policy for handling sensitive data through email
- Have a policy in place to quickly react if your computer appears to be infected
As with any other crisis, like fire or earthquake, you should have a plan in place that will contain and eliminate an infection. Let your team know exactly whom to call and what to do if their screen tells them that their computer is infected.
Stop using an internal email server – There are a number of reasons to switch to a cloud-based email service.
- The first and most important is that the email service company will keep the hardware and software up to date on the latest threats. This alone can prevent many malicious attacks.
- There’s a lower risk of losing your email data. Since it’s all stored off-site and replicated between, a server crash won’t cause your emails to stop flowing.
- It’s scalable as you grow without jeopardizing your system or safety. If an on-site email system is stretched to capacity, there is higher likelihood of expensive downtime and hardware upgrades.
- Easier to add on features – with an on-site server, adding many features requires another device or an upgrade to the current hardware.
- Minimal management – if an on-site mail server goes down, it is up to the IT staff to get it fixed and all eyes are on them. In the case of Office365, for example, in the rare event they go down, it is their responsibility to fix the system.
Add an email disclaimer – One of the simplest ways to keep malicious software out of your system is to mark messages with a clear warning: “This email is from an external source.” Marking emails clearly as being from outside the company makes it easier for employees to know which emails should be opened and which ones shouldn’t. This is particularly effective for defeating spoofing, where someone sends an email pretending to be someone else. You can imagine how much damage could be caused if a company-wide email went out that seemed like it was from the CEO. Even if the name and message seem right, the system would tag it as being from the outside, which decreases the likelihood of anyone in the company following through on it.
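The tagging step described above, as an added Python sketch (not part of the original article or any product it names). The `example.com` domain, the `[EXTERNAL]` subject tag, the `tag_inbound` function and its `arrived_from_outside` flag are assumptions for illustration; the sample message is constructed.

```python
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organisation's own domains
BANNER = "This email is from an external source."

# Constructed sample: a message that claims to come from an internal address.
SAMPLE = (
    "From: Jane CEO <jane.ceo@example.com>\n"
    "To: staff@example.com\n"
    "Subject: Quick request\n"
    "\n"
    "Please handle this today.\n"
)

def from_domain(msg):
    """Domain of the From address, lower-cased ('' if it cannot be parsed)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()

def tag_inbound(raw, arrived_from_outside):
    """Tag a message that entered from outside; return (message, spoof_suspected).

    arrived_from_outside comes from the mail gateway (assumption): the From
    header is written by the sender, so it cannot decide this on its own.
    """
    msg = message_from_string(raw, policy=policy.default)
    if not arrived_from_outside:
        return msg, False
    # An outside sender using one of our own domains in From is the spoofing case.
    spoof = from_domain(msg) in INTERNAL_DOMAINS
    subject = str(msg.get("Subject", ""))
    if "[EXTERNAL]" not in subject:          # do not stack tags on replies
        del msg["Subject"]
        msg["Subject"] = "[EXTERNAL] " + subject
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        body.set_content(BANNER + "\n\n" + body.get_content())
    return msg, spoof
```

The tag is driven by where the message entered the system, so a look-alike "CEO" message still gets the banner even when its From line shows an internal name and address.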
Utilize an advanced, cloud-based email security service such as ContentCatcher (we recommend a 3rd party email security service even with Office365 filtering, as it is not very accurate and lacks features, granularity and fast support). You need to be scanning every email for ransomware, malware, phishing, spoofing, and much more. The best of these services utilize system emulation to scan unknown attachments and links.
With cloud-based email security, you benefit from big data, machine learning and the minute-to-minute updates gained from global visibility of threats.
Allow only the file types users need. Some file types such as .doc .docx .ppt .pptx .xls .xlsx are commonly used in malicious email, but they are also too commonly used in legitimate emails to be outright blocked. The extensions listed previously should be allowed but need to be scanned by your email security service; ContentCatcher attachment defense is the perfect solution. For the following, though, there are very few legitimate reasons they should ever be in an email: .adp, .app, .asp, .bas, .bat, .cer, .chm, .cmd, .cnt, .com, .cpl, .crt, .csh, .der, .exe, .fxp, .gadget, .hlp, .hpj, .hta, .inf, .ins, .isp, .its, .js, .jse, .ksh, .lnk, .mad, .maf, .mag, .mam, .maq, .mar, .mas, .mat, .mau, .mav, .maw, .mda, .mdb, .mde, .mdt, .mdw, .mdz, .msc, .msh, .msh1m, .msh2m, .mshxmlm, .msh1xml, .msh2xml, .msi, .msp, .mst, .ops, .osd, .pcd, .pif, .plg, .prf, .prg, .pst, .reg, .scf, .scr, .sct, .shb, .shs, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .tmp, .url, .vb, .vbe, .vbp, .vbs, .vsmacros, .vsw, .ws, .wsc, .wsf, .wsh, .ade, .cla, .class, .grp, .jar, .mcf, .ocx, .pl, .xbap
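One way to apply this file-type policy to a message's attachments, as an added Python example (not code from the article or from ContentCatcher). The `verdict` and `check_message` names, the shortened block list and the "quarantine" outcome for types on neither list are assumptions; the sample message is constructed.

```python
from email.message import EmailMessage

# Constructed subset of the block list above, kept short for the example.
BLOCKED = {".exe", ".js", ".vbs", ".scr", ".lnk", ".hta", ".bat", ".ps1", ".jar"}
# Office types the article says to allow but always scan.
SCAN_THEN_DELIVER = {".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx"}

def verdict(filename):
    """Return 'block', 'scan' or 'quarantine' for one attachment name."""
    # Windows drops trailing dots and spaces, so "a.exe." is still an .exe.
    name = (filename or "").strip().rstrip(". ").lower()
    # Only the last extension decides: "invoice.pdf.exe" is an .exe.
    ext = "." + name.rpartition(".")[2] if "." in name else ""
    if ext in BLOCKED:
        return "block"
    if ext in SCAN_THEN_DELIVER:
        return "scan"
    return "quarantine"   # assumption: types nobody asked for are held for review

def check_message(msg):
    """Map each attachment filename in an EmailMessage to its verdict."""
    return {part.get_filename(): verdict(part.get_filename())
            for part in msg.iter_attachments()}

def build_sample():
    """Constructed message with three attachments for the demonstration."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["Subject"] = "Documents"
    msg.set_content("See attached.")
    for name in ("Q3-report.XLSX", "invoice.pdf.exe", "notes.txt"):
        msg.add_attachment(b"constructed", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

if __name__ == "__main__":
    for name, result in check_message(build_sample()).items():
        print(f"{name}: {result}")
```

Matching on the normalised last extension catches mixed case, double extensions and trailing-dot names that a plain string comparison against the list would miss.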
Be suspicious even of internal business emails. There are several forms malicious internal emails can take.
1. Spoofed emails are the most common way that you will see malicious internal email.
2. Compromised internal email – it is not uncommon for someone’s Office365 or G-Suite account to be compromised and for targeted malicious emails to be sent out through it. These attacks are dangerous because they will bypass most security measures.
3. Internal users sending from personal email – bad actors will either gain access to a co-worker’s personal email and send targeted emails, or create one themselves in Gmail or Outlook and claim to be a superior.
These 6 ideas are important for keeping your network secure by controlling your email security. There are other measures that you should take, but these are the fundamentals that will likely save you and your company a great deal of pain and loss.
If you find yourself confused about what to do next, please give one of our email security experts a call. We’re happy to provide you with advice and guidance on the best ways to protect your server and your company.
Don’t use business email for anything but business – One of the best ways to prevent anyone from even attempting to send you malicious files is to never use one email address for everything. For example, if you use your business email address for shopping, subscribing to forums, and other activities, you are increasing the risk that you will be targeted. We recommend having a personal email, an email for online shopping and your business email.