Posted on June 24, 2020 - by Laird Wilton - in Building Your InfoSec Program
The average work inbox is something of a minefield. According to Verizon’s annual data breach report, phishing ranked among the top causes of breaches in 2019. Then, during the early months of the coronavirus pandemic in 2020, researchers identified a 350 percent increase in phishing websites. Email is a convenient tool that accelerates communication, but organizations need an email security policy (like the one we have included in the Securicy platform) that reflects the modern threats which leverage it.
In 2019, we saw several shifts in how leaders in the information security sector approached security, and many of those shifts have since become accepted best practices. Now, with the sudden move to working from home, these and other security best practices for remote work matter even more. Read on to learn about the latest in email security policies and how best to secure email in your organization during 2020.
Good security balances accessibility and workflow optimization with restrictive access that protects the company’s assets. In 2020, operational efficiency is critical for companies that want to remain responsive and relevant to shifting markets. However, security also remains a top concern as cybercriminals grow emboldened by previous successes. This year protect your company email with a security policy that works using these six tips.
Most companies already use an email service like Gmail or Outlook, so this first one is easy. It’s a good first step, but telling a SOC 2 auditor “we use Gmail” does not count as an email security policy or procedure.
It’s simple to set up a work email on the internet, especially if you start with a reputable service. Many popular email service providers, like Google and Microsoft, provide all the tools that a company needs to host a business email. Likewise, a hosted Exchange server is another route that companies can take to create an organization email. Whichever route you choose, a modern email service is essential to maintaining a safe email environment. They include things like:
Modern email service providers already filter out a certain amount of mail before it ever reaches your inbox (or spam folder). However, that shouldn’t stop you from developing an effective set of spam filters of your own. Most providers allow you to adjust the spam filters on the account to further restrict what reaches your employees. Consider:
Check your built-in spam tools and see whether you need something to supplement them. These filters are critical for flagging suspicious emails before an employee gets tricked into clicking a malicious link.
Phishing is getting harder to spot. Although many people feel confident in recognizing a phishing email, 2019 saw a rise in highly personalized and targeted phishing attacks. Some of these fooled even the most astute recipients because they are so well put together and personalized. Check out this email sent to a Securicy employee, claiming to be from our CEO and asking them to complete a quick task. The next step would typically be social engineering by text or phone to get even more information or access.
A security awareness training program that focuses on spotting phishing emails can reduce the likelihood that an attempt will be successful. Make sure to talk about some of the latest innovations in phishing, such as the business email compromise attack.
Make these trainings routine. They’re not effective if they only happen annually. Aim for a refresher on email security every few months.
You can also help users avoid phishing emails by establishing clear policies on email communication. Lay out guidelines on:
Attachments and links are the most common ways that malware reaches a system. Make sure your email security policy addresses them.
Attachments can prove easy to overlook. In 2019, Trend Micro found that the most common file types containing malware were those that an office worker might expect to receive: PDFs, Excel spreadsheets, Word documents, and zipped folders. Additionally, many of these arrive disguised as invoices, database exports, or some other seemingly legitimate business document. Attackers can easily embed code in an attachment (a macro in an Office document, for example) that runs once the file is opened.
Links are also dangerous. They’re easy to spoof: the visible link text can say one thing while the underlying URL points somewhere else entirely, and the destination may be a legitimate-looking login page that collects credentials.
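The indicators discussed above (an executive’s display name on an outside address, a mismatched Reply-To, link text that disagrees with its target, and risky attachment names) can be checked mechanically as a supplement to the provider’s built-in filter. The script below is an added example, not code from the original post or from Securicy; the company domain, the executive list, the risky-extension list and both sample messages are constructed for illustration.

```python
"""Flag common phishing indicators in a raw RFC 822 message.

Added example, not part of the original post. The company domain,
executive roster, extension list and sample messages are assumptions
constructed for illustration.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # assumption
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumption: display name -> real address
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".zip", ".iso"}
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.[a-z]{2,4}$", re.I)   # e.g. invoice.pdf.exe
HREF_TEXT = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url):
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def analyze(raw: bytes):
    """Return a list of (indicator, detail) tuples; an empty list means nothing was flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Executive impersonation: known display name, but not the known address.
    name, addr = parseaddr(msg.get("From", ""))
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append(("executive-impersonation", f"{name!r} sent from {addr}"))

    # 2. Reply-To pointing at a different domain than the From address.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != domain_of(addr):
        findings.append(("reply-to-mismatch",
                         f"From {domain_of(addr)} but replies go to {domain_of(reply_addr)}"))

    # 3. Link spoofing: anchor text shows one host, href goes to another.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, text in HREF_TEXT.findall(html.get_content()):
            shown = re.sub(r"<[^>]+>", "", text).strip()
            if host_of(shown) and host_of(shown) != host_of(href):
                findings.append(("link-spoof", f"shows {shown} but goes to {href}"))

    # 4. Attachments with executable extensions or a disguised double extension.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        ext = "." + fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
        if ext in RISKY_EXTENSIONS or DOUBLE_EXT.search(fname):
            findings.append(("risky-attachment", fname))
    return findings


# Constructed sample: a CEO-fraud style message with every indicator present.
SUSPICIOUS = b"""From: Jane Doe <jane.doe@gmail-secure.net>
To: staff@example.com
Reply-To: ceo.urgent@outlook-mail.example
Subject: Quick task
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review <a href="http://login.evil.example/">https://portal.example.com/invoice</a> today.</p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed sample: an ordinary internal message that should not be flagged.
CLEAN = b"""From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Team lunch
Content-Type: text/plain; charset="utf-8"

Lunch is at noon on Friday.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, analyze(sample))
```

The checks are deliberately simple string and header comparisons so they can be run in a mail gateway rule or a triage script; they complement, rather than replace, the provider’s own filtering.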
Establish a policy against downloading attachments or clicking on links from unknown senders. Support this policy with:
For email accounts that only receive internal communications, it’s helpful to adopt a whitelisting strategy, where only approved contacts make it into the inbox. For accounts that receive email from external sources, that’s not practical. Therefore, train users to treat unsolicited correspondence with care, especially if it seems to be offering something. Some policies to adopt might be:
To arrive in an inbox, a hacker first needs the email address. Therefore, train users to treat email addresses as “need to know” information. In other words:
There are no shortcuts when it comes to email security. A policy built on best practices can help keep a company safe by preventing malware or phishing attacks from damaging the business. Keep your inbox the efficient, effective communication tool it should be by keeping spammers and hackers out.
Looking for new security tools to protect data at your company? Check out what we have inside the Securicy platform.