Although email has become an essential means of business communication, the potential threats are often overlooked or underestimated. Employees go about their daily duties sending, receiving and opening emails and attachments with little, if any, thought given to security and the risk that unsecured email poses to the enterprise. This may be due to a combination of complacency and a lack of training regarding security and the risks involved.
All employees should be made aware of the security risks posed by unsecured emails. It is important that employees are educated to communicate via email in a secure manner, to ensure the safety of the enterprise, the employees, the customers/clients and also the valuable data that the enterprise processes, stores and communicates on a daily basis.
There are a few simple ways in which enterprises can better secure their email communications:
- Encryption and authentication are essential
Enterprises should not be communicating emails in clear text (unencrypted). If an enterprise were to follow only one of these five suggestions, this one should be it! Good encryption can be simple to achieve with little impact on enterprise operations, and it can be user friendly. All email communications should be encrypted end-to-end, from the sender right through to the recipient.
Proper authentication should be utilised as part of a comprehensive solution to ensure that emails uphold their integrity throughout the process. This is key to ensuring that emails remain unchanged and that the email sender is always legitimate. Encryption of communications should be made standard practice within enterprises, and every employee communicating via email should utilise it.
Without encryption, emails are susceptible to malicious attack. The reliability and confidentiality of unencrypted emails are also easily compromised, and since email is used to communicate sensitive and official documents in many forms, this is not an acceptable practice.
- Educate all employees
This cannot be emphasised enough! Education is key. People are unfortunately the weakest link in cybersecurity. Research has shown that errors caused by people account for the majority of all security incidents. These challenges must be addressed in order to improve the security posture. Contributing factors include lack of knowledge, personal devices, identity, insider threats, outsider threats and third-party threats, all of which are heavily reliant on people. The risks brought about by people continue to grow.
All employees, no matter the department or position they hold, should be knowledgeable of the dangers and potential security risks involved with email communication. Employees must be aware of the procedures to follow after a breach in order to contain the potential risks.
Far too often, only the IT department holds this knowledge and the rest of the enterprise remains oblivious. A proper security strategy can only succeed if employees at all levels are made knowledgeable and kept up to date with the security challenges and the preventative procedures and practices necessary.
Accidental human error is responsible for many major security breaches, and so this should be addressed on a human level. The first step can only be taken by bringing the entire enterprise on board and ensuring all employees are educated.
Suggested practices for organisations and/or employees are listed below:
- Refrain from leaving unlocked computers unattended. All devices should be password protected and secured in accordance with company policy.
- Ignore emails soliciting passwords and personal information.
- Ensure employees never follow links or download attachments in emails received from an unfamiliar sender.
- Ensure contacts are legitimate through an independent source.
- Educate all employees. Ensure that they know what scams entail, what to look out for, which precautionary processes to take and how to react. If they do unfortunately fall victim, they should know which measures to take (a plan of action should be documented and followed to help minimise the damage and to remain legally compliant).
- Ensure the organisation's network, computers and mobile devices are appropriately secured and their security is maintained.
- Install all updates for anti-virus and anti-spyware software.
- Encrypt all emails containing sensitive data.
- Refrain from using company email for personal messages.
- Be careful when exposing information on social media. Scammers utilise information that appears publicly available for spear-phishing/whaling scams. Consider the level of risk associated with the information you choose to make public and determine if the risk is tolerable to the organisation.
- Dispose of documents, data, devices, anything holding information, in a secure and appropriate manner to avoid the data getting into the wrong hands and being used fraudulently.
- Utilise encryption! For all communications, both in transit and in storage.
- Delete or archive all emails 60-90 days from sending/receiving.
- Only install trusted and enterprise approved applications.
- Do not overcomplicate your security, or employees will try to circumvent the security procedures in place. Get the balance right!
- Keep software up-to-date and systems patched
It is very important to ensure email software is kept up to date. To avoid security issues, always install the latest updates and patches. Sometimes this is seen as an arduous task, but it is essential that it is kept a priority and not disregarded.
- Follow password best practices
Each employee should have their own unique passwords for work computers and email accounts. Passwords should be created for strength, incorporating 12 or more characters that include numbers, symbols, lower-case letters and capital letters. Avoid common knowledge or personal details when creating passwords. Steer clear of using the same password for more than one account or site.
Passwords should be reset at specified intervals; every three months is good practice.
- Be vigilant of web-based emails
Web-based email can be particularly vulnerable to attacks and should be used with restraint. If you must utilise this form of email, always encrypt the connection.
Enterprises are challenged on many fronts in their efforts to protect themselves, their customers, partners and suppliers from cyber threats. Through constant innovation, cybercriminals are developing increasingly sophisticated means of attack. Advanced threats continue to evolve, and an abundance of resources ensures that the attacks carried out are more professional and successful. Email is widely utilised and serves as an efficient form of communication, but it is also an effective attack vector and a way of infiltrating an enterprise's network and systems to capture valuable data and undertake malicious activity.
Heeding these five integral recommendations should stand an organisation in good stead.