Despite the rise of collaboration tools such as Skype and Slack, email is still the most common tool for businesses to communicate and manage their day-to-day operations. However, email is also one of the easiest ways for cyber-criminals to target organisations, because it is easy to reach and exposed to human error.
As a result, business email services continue to be a great channel for cyber-criminals to spread spam, attempt phishing attacks, and send attachments and links that automatically install malware on the user’s device. According to Cofense’s Enterprise Phishing, Susceptibility and Resiliency Report, 91% of cyber-attacks begin with a phishing email. This is a clear warning of how much of a risk email can pose to cyber-security and how vulnerable companies are because of their email systems. Therefore, phishing attacks remain one of the largest security challenges for organisations.
While most large organisations have systems and processes in place to avoid cyber-criminals accessing their emails, it is mostly SME businesses who do not have the appropriate resources to dedicate enough time and money to their cyber-security, and who may not even have IT departments to manage their cyber-security.
Email security should be one of the most important factors of an organisation’s safety. There are many methods which IT managers in organisations should take into consideration to enhance their email security.
Email Security 101
Email security entails various methods for securing sensitive information in email communication and accounts against unauthorized access, data loss, or compromise. Email is a very common channel for spreading malware, spam, and phishing attacks. Hackers use sneaky messages to coax recipients into exposing sensitive information, opening attachments or clicking on hyperlinks that install malware on the victim’s device. Email is also a widely used entry point for hackers seeking to gain a foothold in an enterprise network and breach valuable company data.
One of the most popular threats that organisations face is the traditional hacking method where hackers use business e-mail compromise (BEC) through an individual’s corporate e-mail account. The password might have been stolen because someone looked over the victim’s shoulder in a coffee shop or in the office, or through various other methods.
Another common threat, which is regularly overlooked by organisations, is the misuse of admin platforms. Misuse of these platforms means anyone in the company can access and control sensitive data, from the company CEO to business partners, managers and executives. Hackers can impersonate almost anyone at any given time.
Given the scope of damage that these two common types of breaches can cause, not only to individuals but to entire organisations, it is crucial for businesses to protect their employees and the devices they use through comprehensive security measures that include threat protection of sensitive information and deploying e-mail security solutions to safeguard e-mail accounts.
For example, two-factor authentication and strong password policies should be enforced to protect individuals and make it harder for hackers to steal and use passwords.
Organisations can also deploy secure e-mail gateways, which protect e-mail by preventing data loss in outbound email communication and by enforcing spam filters that check incoming messages, scanning for e-mail threats such as phishing links and suspicious attachments and blocking them.
Email encryption should also be configured for each email account in the organisation to enforce data protection for all email communication both internally and externally.
While these tactics can offer protection to a certain extent, there are still various security issues and high costs related to the deployment of these technologies. Therefore, the key to a company’s defence strategy must be Detection, which in practice means that when an account is compromised, employees should be able to detect this immediately and take the appropriate action.
Most approaches to security focus on protecting the network infrastructure of an organisation, with little or no attention paid to staff and end-users. Although the security of the network and connected devices plays a major role in the overall security of an organisation, security awareness training for all users can play a crucial role in building robust cyber defences.
Employees should be provided with comprehensive security training to allow them to instantly identify real breaches when they occur. Once an account or application is accessed in an unusual way, the user knows best whether they are responsible for this behaviour change or if it’s an attacker who has breached the system.
In the event that a new user is added to an account, documents are shared with unauthorised accounts or outside the network, or rights are granted to other users, it is the account owner who is solely responsible for knowing whether these are legitimate actions. This information contains everything needed to understand if an account has been compromised.
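The user-centric detection described above, as an added example that is not part of the original article: audit-log events for the three actions the text names (a user added to an account, a document shared outside the organisation, rights granted to another user) are turned into per-owner review prompts, so the account owner can confirm or deny each one. The event field names, the sample log and the internal domain "example.com" are assumptions constructed for this illustration.

```python
# Added example (not from the article): turn audit-log events into per-owner review
# prompts for the actions the text names (user added, document shared externally,
# rights granted). The event fields and the domain "example.com" are assumptions.
import json
from collections import defaultdict

ORG_DOMAIN = "example.com"  # assumed internal domain; addresses elsewhere are external

# Constructed sample audit events as JSON lines, not real logs. Note the actor is the
# owner's own account throughout: after a compromise the log looks legitimate, so
# only the owner can say whether they really did this.
SAMPLE_LOG = """
{"ts": "2024-03-01T08:02:11Z", "type": "login", "account": "alice@example.com", "actor": "alice@example.com", "ip": "203.0.113.5"}
{"ts": "2024-03-01T08:05:40Z", "type": "user_added", "account": "alice@example.com", "actor": "alice@example.com", "target": "mallory@attacker.test"}
{"ts": "2024-03-01T08:06:02Z", "type": "doc_shared", "account": "alice@example.com", "actor": "alice@example.com", "target": "mallory@attacker.test", "doc": "Q1-forecast.xlsx"}
{"ts": "2024-03-01T08:07:30Z", "type": "doc_shared", "account": "bob@example.com", "actor": "bob@example.com", "target": "carol@example.com", "doc": "minutes.docx"}
{"ts": "2024-03-01T08:09:00Z", "type": "rights_granted", "account": "bob@example.com", "actor": "bob@example.com", "target": "carol@example.com", "role": "mailbox_delegate"}
"""

def is_external(address):
    return not address.lower().endswith("@" + ORG_DOMAIN)

def describe(event):
    """One-line, owner-readable description of a review-worthy event, or None."""
    t = event["type"]
    target = event.get("target", "")
    if t == "user_added":
        return f"user {target} was added to your account"
    if t == "doc_shared" and is_external(target):
        return f"document {event['doc']} was shared with external address {target}"
    if t == "rights_granted":
        return f"{event['role']} rights were granted to {target}"
    return None  # logins and internal shares are routine and not surfaced

def owner_review_prompts(log_text):
    """Group review-worthy events by account owner so each can confirm or deny them."""
    prompts = defaultdict(list)
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        text = describe(event)
        if text:
            prompts[event["account"]].append(f"{event['ts']}: {text} (by {event['actor']})")
    return dict(prompts)

if __name__ == "__main__":
    for owner, items in owner_review_prompts(SAMPLE_LOG).items():
        print(f"{owner}, please confirm you performed these actions:")
        for item in items:
            print("  -", item)
```

On the constructed log, alice receives two prompts (an external user added and a document shared externally) while bob receives one (a delegation right granted); the internal share and the login are not surfaced.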
Ongoing cyber-security awareness and training empower users to monitor their own accounts, devices and other company assets. A user-centric approach that builds on the intelligence of email users, rather than relying on an IT department alone, is the only way to speed up the identification of security breaches and ensure a quick response to resolve issues. It has been said for a while that data security is everyone’s responsibility. An approach where e-mail users play a vital role in detection makes this a reality.