6 Best Practices For Email Security (Or, How Not to Be the Source of a Ransomware Attack at Your Company)

Posted on December 4, 2019 - by Laird Wilton - in Building Your InfoSec Program

Your email accounts are where you are most vulnerable to becoming the victim of a cybercrime. Yet email security is often forgotten, even though a surprising number of attacks use phishing to infiltrate a company.

That matters because our inboxes are now connected to nearly all the critical systems used in business operations.

Cybercriminals are attacking email accounts on a daily basis with phishing scams. Ransomware attacks, many introduced to a company network through a malicious email, are on the rise. The numbers don’t lie. Between the first and second quarters of 2018, email attacks against businesses rose 36 percent. Industries like retail, healthcare, and government saw the highest volume of attacks. But phishing attacks have hit every industry at this point.

Regular employees accounted for 60% of targeted malware and phishing attacks, while executives received 29% of attacks. While the percentage for executive attacks may seem small, the fact that the number is growing shows that cybercriminals are becoming bolder in their attempts to steal sensitive information.

Employees are also receiving fraudulent emails sent under the stolen identities of their coworkers, requesting personal information such as social insurance numbers and banking details.

Besides starting a security awareness training program at your work, what can you do right now to increase your email security against these attacks?

1. Pick Strong Passwords 

We’ve been preaching this gospel of strong passwords for years, and we’re not stopping anytime soon. Strong passwords are the most basic requirement for email security. You can also write a requirement to use a password manager into your email security policy. A weak password is never going to protect your email and company data that is contained in your email account. A strong password should follow these guidelines:

  • Upper and lower case letters
  • Numbers and special characters
  • Avoid words that can be found in a dictionary
  • Avoid common letter/number substitutions
  • Use phrases rather than words
  • Do not include any information that someone could easily guess based on your identity:
    • Phone numbers
    • Dates of birth
    • Anniversaries
    • Children’s or pets’ names
    • Home addresses
  • Update passwords on a schedule
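The guidelines above can be turned into a check that a password manager or onboarding script could run before accepting a new password. The following is an added example written for this post, not code from Securicy; the minimum length of 12 characters is an assumption (the post does not state one), and the dictionary, the substitution table and the employee profile are small constructed stand-ins for a real wordlist and HR data. Note that the substitution table is applied in reverse before the dictionary check, so "P@ssw0rd" is still recognised as the dictionary word "password".

```python
import re
import string

# Constructed, deliberately tiny stand-in for a real dictionary/common-password list.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "football"}

# Common letter/number substitutions, undone before the dictionary check.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "!": "i",
})

MIN_LENGTH = 12  # assumption: the post gives no explicit length


def normalise(password):
    """Lower-case the password and reverse common substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def check_password(password, personal_info=()):
    """Return a list of guideline violations; an empty list means the password passes.

    personal_info is a sequence of strings such as a pet's name or a date of
    birth that must not appear in the password.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs a number")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a special character")

    norm = normalise(password)
    for word in sorted(DICTIONARY):
        if word in norm:
            problems.append(f"contains dictionary word '{word}' (substitutions undone)")

    lowered = password.lower()
    for item in personal_info:
        # Match the item as typed, and any run of 4+ digits in it (e.g. a birth year).
        candidates = {item.lower()} | set(re.findall(r"\d{4,}", item))
        if any(c in lowered or c in norm for c in candidates):
            problems.append(f"contains personal information '{item}'")
    return problems


if __name__ == "__main__":
    profile = ("Rex", "1984-03-12")  # constructed employee details
    for candidate in ("P@ssw0rd2019!", "Rex1984!Fluffy", "Blue-Kettle!Sings-42"):
        print(candidate, "->", check_password(candidate, profile) or "OK")
```

A passphrase such as "Blue-Kettle!Sings-42" passes every rule, while "P@ssw0rd2019!" satisfies the character-class rules but is rejected because the substitutions hide a dictionary word, and "Rex1984!Fluffy" is rejected for containing a pet's name and a birth year.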

2. Use Two-Factor Authentication

This step may sound difficult or like a hassle, but it is becoming common practice, and it is actually an easy way to boost your email security. Two-factor (or multi-factor) authentication creates another layer of security beyond your password. Typically two-factor is tied to your cell phone or to an app like Google Authenticator. After signing in with your password, you will be prompted to enter a code that has been sent to you via text message or generated by the app.

If a cybercriminal does crack or guess your password, they will now also need your cell phone or access to the authenticator app. You should not have the two-factor code sent to the same computer you sign in from, because if that device is stolen the code is delivered directly to the attacker.

3. Never open unexpected attachments

You can’t get through a day in the office without receiving an email with an attached file. It’s almost instinctive to immediately open a file when you see it. But you should pause, take a breath, and review the email before you click “open.”

Verify the email address itself; do not trust the display name, which can be spoofed. An email from a manager, coworker, or client that commonly sends you attachments is most likely safe to open. By default, many email applications have virus-scanning abilities and can filter common spam and known offenders. You can review these settings in your email client or have the IT department review them with you.

4. Never use company email for personal reasons

Your company should have a policy in place that clearly outlines the security and acceptable use of email. It will tell you what you can, and cannot, use company email for. Restricting email usage to business activities only reduces the number of places where your email address is exposed on the internet.

If you’re using your company email to shop online, sign up for subscription services, or email friends, you’re broadening your exposure to cybercriminals. Everyone, from the newest employee to the CEO, should have their email use restricted; nobody should use their company email for personal reasons. If upper management follows this email security policy, every worker in the company should as well.

5. Avoid Public Wifi (or Use a VPN)

Are you sometimes working from a coffee shop, sipping espresso and answering emails? More often than not, if you’re in this scenario you’re using public wi-fi. Anybody sitting in that same coffee shop could intercept your data over the public wi-fi connection. An attacker could be sniffing all the data that crosses the coffee shop’s wi-fi, including emails with company data. Installing and using a VPN (virtual private network) when working on untrusted networks is essential for security.

Not only does a VPN encrypt the data, it also allows you to work safely and securely in public. Your VPN encrypts the data in transit, offering you security and keeping your company data private. VPNs are not very difficult to implement, depending on your organization. You can use a VPN service, which is usually quick and easy to set up, or your IT department can run its own VPN depending on the structure of your network.

6. Be Careful What You Click

Many attempted attacks appear in your inbox looking like an email from a person or service that you trust. It could be PayPal or your bank. If it looks unusual, feels unexpected, has any typos, or it just seems “odd” then do not click any of the links.

One way to verify a link before you click it is to hover over the hyperlink in your inbox without clicking. When you hover over a hyperlink, you’ll see the target URL in the lower-left corner of your browser. However, this won’t help if it’s a redirected link – even a legitimate redirect through a marketing tool.
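The two manual checks described so far (compare the real sender address with the display name, and compare a link's visible text with where it actually points, remembering that a redirect hides the final destination) can be automated for a mail gateway or a security team's phishing-report inbox. The following is an added example for this post, not code from Securicy or any mail vendor. It uses only Python's standard library; the two messages are constructed samples, the ".example" domains are placeholders, and the "registrable domain" helper is a crude last-two-labels approximation rather than a real public-suffix lookup.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation: the last two labels (no public-suffix list)."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host or ""


def domain_in_text(text):
    """First thing that looks like a domain name in free text, or None."""
    m = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
    return m.group() if m else None


def embedded_url(url):
    """A URL carried in the query string, i.e. a redirect/tracking link, or None."""
    for values in parse_qs(urlparse(url).query).values():
        for v in values:
            if v.startswith(("http://", "https://")):
                return v
    return None


def phishing_indicators(raw_message):
    """Return human-readable indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    sender_domain = sender.addr_spec.rpartition("@")[2].lower()
    # Indicator 1: the display name names a domain the real address does not carry.
    claimed = domain_in_text(sender.display_name)
    if claimed and registrable_domain(claimed) != registrable_domain(sender_domain):
        findings.append(f"display name mentions {claimed} but sender is {sender_domain}")
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        target_host = urlparse(href).hostname
        # Indicator 2: link text shows one domain, the href points to another.
        shown = domain_in_text(text)
        if shown and registrable_domain(shown) != registrable_domain(target_host):
            findings.append(f"link text shows {shown} but points to {target_host}")
        # Indicator 3: a redirect, so hovering shows the tracker, not the destination.
        inner = embedded_url(href)
        if inner:
            findings.append(f"redirect: {target_host} forwards to {urlparse(inner).hostname}")
    return findings


# Constructed sample: spoofed display name, mismatched link text, tracking redirect.
SUSPICIOUS = """From: "security@paypal.example" <alerts@mail-paypa1.example>
To: employee@corp.example
Subject: Unusual sign-in detected
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review your account at
<a href="https://login.paypa1.example/verify">https://www.paypal.example/account</a>.</p>
<p>Or use our <a href="https://track.newsletter.example/r?u=https://login.paypa1.example/x">secure portal</a>.</p>
</body></html>
"""

# Constructed sample of an ordinary internal message with none of the indicators.
CLEAN = """From: "Accounts Team" <billing@corp.example>
To: employee@corp.example
Subject: Invoice 1042
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your <a href="https://portal.corp.example/inv/1042">invoice</a> is ready.</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, "->", phishing_indicators(raw) or "no indicators")
```

The third indicator is the one hovering cannot resolve: the status bar shows the tracking host, and only by unpacking the query string do you learn where the click really lands, which is why the post recommends a second channel (a phone call to a known number) when a link looks odd.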

If you can, call the person or business at a phone number you trust and ask them if the suspicious email is valid. This gives you a second method of communication to verify the email.

Tax season is especially rife with fraud targeting small businesses and individuals, like this story about a tax-season phishing scam. Let your employees know how they will be receiving tax documents and warn them to be watchful.

What if an email turns out to be phishing? Many businesses, especially financial institutions, have an inbox specifically designated for reporting scams and phishing. That way employees, vendors, or customers can notify the security team so it can respond quickly.

In the end, you should mark a suspicious email as spam and delete it. You don’t want it hanging around in your inbox the next time you search for an emailed receipt.

Don’t Overlook Your Email Security Policy

You also want to make sure that you’re not the only person at your business on the lookout. It’s important to make sure you have security policies in place, that everyone knows to follow them, and that you have a security awareness training program. If one person at your company clicks the wrong link, that could be an entry point to compromising your computer and every other device in the company network.

So start using these tips to secure your email now. Even simple actions can thwart a cyber attack. Keep your security high and risk exposure low.


About the author

Laird Wilton is a tech entrepreneur, Techstars alumni, board member, and the COO and Co-Founder of Securicy. Securicy’s SaaS offering guides businesses through creating, implementing, and managing their information security and privacy compliance program.

Laird lives in Cape Breton, Nova Scotia with his wife and young family. When not working, he spends his time traveling with his family, coaching minor football, playing hockey and volunteering at his community’s recreation center.