Email is a popular messaging method used by many, particularly in organisations. Dangerously, it is also an effective entry point for cybercriminals into your domain, with spoofing and phishing attacks via email becoming common.
In an organisation, it could only take one employee not being sufficiently vigilant about email security to compromise the safety and security of countless others, and even the whole enterprise.
In fact, your employees are the biggest vulnerability you have, so an email security plan really starts there. It will only be a matter of time before your organisation falls victim to an email hack attempt, but its impact doesn’t have to be devastating if you’ve got a ‘best practice’ in place and know exactly what to do.
So here are 18 tips your company can adopt to improve your Email Security:
1) Use stronger passwords
Believe it or not, one of the primary ways hackers get inside email accounts is by guessing usernames and passwords. If you can make your password so complex that it can’t be easily guessed – either by a person or by password-guessing software – then you stand a much smaller chance of being successfully attacked.
The more complex the password, the more time it takes for such software to work through the possibilities. Passwords that follow the best practices outlined below would take 200-500 years to break.
Here are the essentials for a strong password:
- Use upper and lower case letters
- Use numbers and special characters
- Use random numbers and letters rather than words
- Never use your birthday, hometown, school, university, or brand name
- Avoid common letter-number substitutions
- Think in terms of phrases or passphrases rather than words
Not only should passwords be complex, but you should use a different one for every account you have. If you find it difficult to memorize passwords, use a password manager, but never write passwords down or store them in plain files. Add an extra layer of security such as two-factor authentication (2FA). Organizations have started using SMS codes for employee logins as a second factor alongside passwords.
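To make the password advice concrete, here is a small estimator, added for this article and not a tool from eVantage or any vendor, that bounds the search space of a candidate password from its length and character classes and converts that into a worst-case cracking time. The alphabet sizes and the rate of ten billion guesses per second are assumptions chosen for the example. The model treats every character as random, so a dictionary word such as "password" or a predictable substitution such as "P@ssw0rd" is in reality far weaker than the figures suggest, which is exactly why the tips above steer you towards long random passphrases.

```python
import math

# Standard alphabet sizes used to bound the search space an attacker must cover.
# Conventional figures chosen for this example, not numbers from the article.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet containing every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in password):  # punctuation, symbols, spaces
        size += CLASS_SIZES["special"]
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on entropy: assumes each character was chosen uniformly at random.
    A dictionary word or a birthday has far less real entropy than this reports."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case years for an attacker to try every string of the same length and
    alphabet. The guess rate is an assumed figure for offline hash cracking."""
    combos = charset_size(password) ** len(password)
    return combos / guesses_per_second / (365 * 24 * 3600)


def report(password: str) -> dict:
    """Summarise how the tips above change the numbers for one candidate password."""
    return {
        "length": len(password),
        "charset": charset_size(password),
        "entropy_bits": round(entropy_bits(password), 1),
        "years_to_exhaust": years_to_exhaust(password),
    }


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd", "correct horse battery staple"):
        print(candidate, report(candidate))
```

Running it shows the 28-character passphrase dwarfing both eight-character variants, even though it uses only lowercase letters and spaces: length beats cleverness.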
2) Use two-tier authentication
It might sound technical, but using two-tier authentication is quite straightforward. Moreover, it is guaranteed to add an extra layer of protection to your emails. There are often options within your email client that will enable you to add that service. You can also download specialized software or use a different cloud email provider if you cannot add two-tier authentication with the system you use at the moment.
The concept is simple, but it is an excellent data loss prevention practice because it makes life much more difficult for hackers and for anyone waiting to sneak a peek at your emails.
Even if a criminal manages to guess or retrieve the passwords to your account, two-tier authentication will mean that the individual will still require a code to get your messages and cause issues. That code is usually sent to your phone via a text message. Do not make the mistake of sending it to your computer because you never know who is watching.
Two-tier authentication is one of the best ways to protect social media or a web application from a data breach. It also works with virtually any cloud storage service you might be using.
3) Use SSL (Secure Sockets Layer) or TLS (Transport Layer Security)
Transport Layer Security (TLS) is a security protocol that is widely used to secure the data that travels between a web browser and a website via HTTPS.
TLS can also be used to encrypt emails while they are in transit, so that they can’t be read along the way by anyone other than the intended recipient. This makes it highly effective at preventing eavesdropping – hackers reading and/or tampering with communications in transit. Of the various mechanisms available to encrypt communications between email servers, TLS is the easiest to set up.
SSL and TLS are very similar. When used for sending emails, both result in your emails being sent securely between your computer and your SMTP service. Your SMTP service should also properly encrypt emails (using the latest version of TLS) between itself and the recipient’s mail server. This step in the email delivery process requires the recipient’s mail server to support SSL/TLS. SMTP2GO always encrypts emails wherever technically possible.
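One way to check whether a message really travelled over TLS is to read the Received headers that each mail server prepends as it accepts the message: a hop logged as ESMTPS (often with a `version=TLS...` tag) used STARTTLS, while plain ESMTP did not. The script below is an added example for this article, not code from SMTP2GO or any other provider. The message it inspects is constructed for illustration, and the header wording it expects follows the common Postfix/Sendmail style, which individual servers vary.

```python
import re
from email import message_from_string

# Constructed sample message for this example (not a real capture). The newest
# Received header is at the top; each relay prepends its own as the mail passes through.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
    by mail.example.com with ESMTPS id abc123
    (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
    Mon, 1 Jan 2024 10:00:02 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
    by mx.example.net with ESMTP id def456;
    Mon, 1 Jan 2024 10:00:01 +0000
From: alice@example.org
To: bob@example.com
Subject: Quarterly figures

Body text.
"""


def audit_hops(raw_message: str) -> list:
    """One record per Received header: which server accepted the mail, the protocol
    keyword it logged, any TLS version, and whether the hop was encrypted.
    ESMTPS / ESMTPSA / SMTPS denote STARTTLS or implicit TLS; plain ESMTP / SMTP do not."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", value)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", value)
        tls = re.search(r"version=([A-Za-z0-9_.]+)", value)
        proto_name = proto.group(1).upper() if proto else ""
        hops.append({
            "by": by.group(1) if by else "?",
            "protocol": proto_name,
            "tls": tls.group(1) if tls else None,
            "encrypted": proto_name.endswith(("S", "SA")) or tls is not None,
        })
    return hops


def unencrypted_hops(raw_message: str) -> list:
    """Names of servers that received this message over an unencrypted connection."""
    return [h["by"] for h in audit_hops(raw_message) if not h["encrypted"]]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_MESSAGE):
        print(hop)
    print("unencrypted hops:", unencrypted_hops(SAMPLE_MESSAGE))
```

In the sample, the final hop into mail.example.com used TLS 1.3 but the earlier hop into mx.example.net did not, which is the situation the paragraph above warns about: your own server encrypting is not enough if a relay along the path accepts plain SMTP.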
4) Be extremely careful about opening attachments or links
If you ever see an unknown link in an email – especially from a sender you don’t recognize – do not click on it. Hackers like to use malicious links to compromise a recipient’s computer system and will disguise them as something else. The same goes for attachments. If you don’t recognize an attachment or aren’t sure why one was sent, ask for confirmation before downloading it.
If possible, scan any email with an attachment before you open it, especially if it is from someone you don’t know. Nine out of ten viruses or malware infections get onto computers via attachments.
5) Don’t reply to spam or phishing schemes
Replying to spam just notifies the spammer they’ve “got a live one”. Don’t do it. Besides, more than 3% of spam carries malware. If that sounds like a paltry percentage, go look in your “bulk” email folder, aka your spam folder. You’ve probably got a couple hundred spam messages in there right now. That translates into six or more malware emails, just sitting there, waiting for you to click them.
Now what is phishing you may ask?
Phishing is a straightforward technique many hackers use to steal email and account details by tricking individuals into handing them over.
The process usually works like this:
- The hacker sends emails that contain a link to a site you know.
- The victim clicks the link and finds themselves looking at a familiar website. That is often their bank or something similar, but the site is fake.
- The victim then enters their email address and password to log into their account.
- The fake phishing site steals the email and password before passing it back to the hacker.
When someone at a company falls victim to advanced malware attacks and phishing emails, it can become a disastrous situation.
That is especially the case in instances where the business uses the same passwords for everyone in their office. Hopefully, that should help to highlight how important it can be that you develop strong and unique passwords for all your workers.
However, phishing attacks are no longer as obvious as they used to be. Hackers are becoming increasingly sophisticated, making attacks harder to identify unless you pay attention to the details.
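Much of the phishing described in tips 4 and 5 relies on the gap between what a link says and where it goes. Below is an added example, written for this article and not tooling from eVantage, that parses the anchors in an HTML email body and flags the classic tells: display text naming one domain while the href points at another, a bare IP address as the host, or a login link over plain http. The sample HTML and host names are constructed; the registered-domain comparison is deliberately crude, and a real filter would use a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body for this example; the hosts are reserved example/test names.
SAMPLE_HTML = """
<p>Dear customer, please <a href="http://203.0.113.45/login">verify your account</a>.</p>
<p>Or visit <a href="https://secure-examplebank.com.evil.test/">https://www.examplebank.com/</a></p>
<p>Manage preferences <a href="https://www.examplebank.com/prefs">here</a>.</p>
"""

DOMAIN_IN_TEXT = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collects (visible text, href) for each anchor in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host: str) -> str:
    """Crude: the last two labels. A public-suffix list would handle co.uk etc. properly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html: str) -> list:
    """Flag anchors whose target contradicts what the reader sees, or that point at
    a bare IP address or a plain-http page."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        if parsed.scheme == "http":
            reasons.append("plain-http")
        if IPV4_HOST.match(host):
            reasons.append("ip-address-host")
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            reasons.append("display-domain-mismatch")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_HTML):
        print(finding)
```

The same check is what a careful reader does by hovering over a link before clicking; running it over inbound mail simply does it for everyone at once.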
6) Never click the “unsubscribe” link in spam emails
Let us presume for a moment that an email managed to get through your spam filter and antivirus programs. You open the message and then discover that it looks like a phishing scam or something similar. There is an unsubscribe link at the bottom of the page, and you wonder if it is sensible to click that to prevent further emails from the unwanted source. Whatever happens, make sure you never click that unsubscribe link. Hackers will often place them in emails in an attempt to fool you.
If you decide to click the unsubscribe link or do it by mistake, there is a reasonable chance you will land on a phishing site that will attempt to steal any information it can gather. The link could also provide hackers with a backdoor into your system, and that is why you must never click it. Just mark the message as spam, so your spam filter picks it up next time around, and hit delete.
7) Consider not showing your email address in public places where it can be scraped
If you have to include a working email address on a public document (like a press release), consider using a secondary email account. Using an email address tied to an account that you could do without will keep things neater later on, should that email account become compromised.
This tactic won’t work for everyone, but it should at least serve as a reminder: Keep your email address as private as possible and you’ll avoid many potential problems. An ounce of prevention is still worth a pound of cure.
It’s a good idea to Google your email address every so often, to see if it is listed on any page in the results. If your email address does show up in the results, see about getting it removed from those pages.
If you have your own domain name, consider using a private WHOIS service to hide your email address. Or, use a different email address (e.g. beginning with domain@), so you at least know where a spammer harvested your email address. If you receive spam at a domain@ email address, it gives clear evidence the person emailing you harvested your email address from your WHOIS record, and is therefore spamming you. You can then complain to the spammer’s ISP (see point 10 for how to report spam).
8) Don’t include sensitive information in your email messages
If you need to communicate important information to others, try to do so without sending it over email. Go see that person on the fifth floor instead of sending them a message, or try to set up a meeting with somebody outside the organisation if you can. Obviously this isn’t always feasible, but when possible try to share sensitive information face to face. If you do have to send important information, consider breaking it up somehow. This can be done by sending multiple messages to and from different email accounts.
Security experts call this “data leakage”, and email is one of its primary sources. If you have to give someone sensitive information, consider calling them. If you have to send a sensitive document, perhaps snail mail is worth the wait.
9) Consider encryption for sensitive emails
You absolutely have to use some sort of encryption service in today’s cyber security landscape. There are multiple kinds of encryption, but data-centric seems to be less risky than point-to-point encryption and the variety of other types you’ll find.
“If you use data-centric encryption for email security, you no longer depend on a bunch of random servers to protect you. Even if a hacker intercepts it, they won’t be able to read it. This doesn’t make breaches impossible — a hacker could use malware to spy on the data while the recipient is accessing it, for example — but it greatly reduces the odds of a successful attack.”
Unencrypted emails remain vulnerable to phishing attacks and can lead to serious data breaches. Instruct employees to use an encrypted ZIP file and share the password with the recipient separately whenever they send sensitive information via email. This gives an additional layer of protection to email correspondence and stops online intruders from gaining unauthorized access to email content. Remember, effective encryption starts, once again, with choosing a complex password for the archive.
If encryption is not an option, break sensitive information into two or more parts, then send each part in a separate email. That at least makes it harder for unscrupulous people to get the information they need to do damage.
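Splitting sensitive information across separate emails, as tips 8 and 9 suggest, can be done so that no single part reveals anything at all: XOR the secret with random bytes and send the random bytes and the result through different accounts or channels. The following is an added example for this article, not a method eVantage prescribes, and it goes beyond cutting a string in half, which leaks half the secret to whoever intercepts one message. The account number it protects is a made-up sample.

```python
import base64
import secrets


def split_secret(data: bytes, parts: int = 2) -> list:
    """Split `data` into `parts` shares that must ALL be combined to recover it.
    Every share but the last is uniformly random, and the last is data XOR'd with
    all the others, so any subset missing even one share is indistinguishable from
    noise. Unlike cutting a string in half, no share leaks any portion of the secret."""
    if parts < 2:
        raise ValueError("need at least two parts")
    shares = [secrets.token_bytes(len(data)) for _ in range(parts - 1)]
    last = bytes(data)
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    shares.append(last)
    return shares


def combine_shares(shares: list) -> bytes:
    """XOR all shares back together. A wrong or missing share yields garbage, not a partial secret."""
    if len({len(s) for s in shares}) != 1:
        raise ValueError("shares must all be the same length")
    out = bytes(len(shares[0]))
    for share in shares:
        out = bytes(a ^ b for a, b in zip(out, share))
    return out


def share_to_text(share: bytes) -> str:
    """Encode a share so it can be pasted into an email body or sent over another channel."""
    return base64.b64encode(share).decode("ascii")


def share_from_text(text: str) -> bytes:
    return base64.b64decode(text)


if __name__ == "__main__":
    secret = b"Account 12-3456-789, one-time PIN 4321"  # constructed sample, not real data
    shares = split_secret(secret, parts=3)
    for i, share in enumerate(shares, 1):
        print(f"part {i} (send via a separate account or channel): {share_to_text(share)}")
    print("recombined:", combine_shares(shares))
```

Each part must travel by a different route (different account, or one by email and one by phone); if all three land in the same compromised inbox, the split has bought nothing.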
10) Use updated Email systems and Antivirus software
This recommendation will certainly help your email security, and also the security of everything else on your computer.
Hackers use sophisticated methods to obtain unauthorized access to sensitive information. Keep your email systems patched and use updated anti-virus software that scans both incoming and outgoing emails to prevent viruses, malware, trojans, and any other potential threats. Make sure it’s updated continuously with the latest virus definitions to defend against newly discovered vulnerabilities.
11) Scan all emails for viruses and malware
Some of the top virus screening solutions on the market will also scan all incoming emails and check them for threats as they arrive in your inbox. The software will present you with an alert if there is any reason for concern. You can usually quarantine the affected email before it has enough time to cause any damage.
However, it is also your responsibility to check your security settings and enable the relevant options. Sometimes you have to pay for that service as an extra feature, so verify your account now and make sure your provider scans all emails with an antivirus solution.
If you do not have protection, now is the best time to add it.
12) Use a robust spam filter
One of the best things about cloud-based email services these days is that they tend to come with excellent spam filters.
Make sure you turn your spam filter on or look for a provider who offers better security solutions than those you have right now. Spam filters are an email specialist’s way of attempting to sort the wheat from the chaff and ensure you are not bothered by hundreds of marketing messages and “do you want to lose weight” emails every week.
You can often change the settings on your spam filter to block out any emails that contain specific words or phrases. That can come in handy if you know about some scams going around at the moment because you can block most of the keywords. That should help you to prevent any of your employees from opening a spam email that contains dodgy links or malware by accident.
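Keyword blocking of the kind described above is easy to add to a mail pipeline, but spammers pad, misspell and use look-alike characters to dodge a naive substring match. The example below, added for this article rather than taken from any spam filter product, normalises the text first (Unicode compatibility folding, lowercasing, stripping punctuation and collapsing whitespace) before checking for blocked phrases. The phrase list and the sample messages are constructed.

```python
import re
import unicodedata

# Phrases an administrator might block; chosen for this example, not from the article.
BLOCKED_PHRASES = [
    "do you want to lose weight",
    "verify your account immediately",
    "urgent wire transfer",
]

# Constructed sample messages: plain spam, the same pitch dressed up with full-width
# characters and odd spacing to slip past a naive match, and one legitimate message.
SAMPLE_MESSAGES = [
    {"subject": "Do you want to lose weight?", "body": "Click here for the offer."},
    {"subject": "Ｄｏ  you WANT to\nlose   weight!!", "body": "Limited time."},
    {"subject": "Weights for the gym order", "body": "Please confirm the quote by Friday."},
]


def normalise(text: str) -> str:
    """Fold look-alike characters (NFKC), lowercase, and collapse punctuation and
    whitespace so cosmetic tricks do not break phrase matching."""
    text = unicodedata.normalize("NFKC", text).lower()
    text = re.sub(r"[^a-z0-9\s]", " ", text)
    return re.sub(r"\s+", " ", text).strip()


def matched_phrases(message: dict, blocked=BLOCKED_PHRASES) -> list:
    """Blocked phrases that appear in the normalised subject plus body."""
    haystack = normalise(message["subject"] + " " + message["body"])
    return [p for p in blocked if normalise(p) in haystack]


def classify(message: dict, blocked=BLOCKED_PHRASES) -> str:
    """'quarantine' if any blocked phrase appears, otherwise 'deliver'."""
    return "quarantine" if matched_phrases(message, blocked) else "deliver"


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(classify(msg), "-", msg["subject"].replace("\n", " "), matched_phrases(msg))
```

Phrase lists age quickly, so treat this as a stopgap for a scam doing the rounds this week, as the paragraph above suggests, rather than as the whole filter.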
13) If you have many different people sending emails in your business, create a different SMTP username for each sender
SMTP, or Simple Mail Transfer Protocol, is a protocol for sending e-mail messages between servers. Most e-mail systems that send mail over the Internet use SMTP to send messages from one server to another; the messages can then be retrieved with an e-mail client using either POP or IMAP.
That way, if someone’s computer gets hacked and that computer starts sending spam, then it’s easy to disable that one SMTP username without affecting any other users.
Of course, we also recommend you change the password on that infected computer and SMTP account immediately.
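Giving each sender their own SMTP username also gives you a per-user signal to detect the compromise described above: a desktop that starts spamming pushes its own credential far above its normal recipient count. Here is an added example for this article, not code from any mail server, that counts recipients per SMTP username in a sliding window over constructed submission-log lines, names the account that crossed the threshold, and disables just that one credential. The log format and the threshold are invented for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed submission-log lines in a simplified "<timestamp> user=<smtp-username> rcpt=<count>"
# format for this example; real mail servers log differently and need their own parser.
SAMPLE_LOG = """\
2024-01-01T09:00:01 user=alice rcpt=1
2024-01-01T09:00:40 user=bob rcpt=2
2024-01-01T09:00:41 user=bob rcpt=50
2024-01-01T09:00:42 user=bob rcpt=50
2024-01-01T09:00:43 user=bob rcpt=50
2024-01-01T09:05:00 user=alice rcpt=1
2024-01-01T09:20:00 user=bob rcpt=1
"""


def parse_log(text: str) -> list:
    """Return (timestamp, smtp_username, recipient_count) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user_kv, rcpt_kv = line.split()
        events.append((datetime.fromisoformat(ts),
                       user_kv.split("=", 1)[1],
                       int(rcpt_kv.split("=", 1)[1])))
    return events


def flag_compromised_senders(events: list, window: timedelta = timedelta(minutes=10),
                             max_recipients: int = 100) -> dict:
    """Sliding-window recipient count per SMTP username. Returns {username: ISO time}
    for each account that exceeded `max_recipients` within any `window`, i.e. the
    moment a compromised machine started pumping spam through its own credential."""
    recent = defaultdict(deque)   # username -> (timestamp, rcpt) pairs inside the window
    totals = defaultdict(int)     # username -> recipients currently inside the window
    flagged = {}
    for ts, user, rcpt in sorted(events):
        q = recent[user]
        q.append((ts, rcpt))
        totals[user] += rcpt
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            totals[user] -= old
        if totals[user] > max_recipients and user not in flagged:
            flagged[user] = ts.isoformat()
    return flagged


def disable_user(credentials: dict, user: str) -> dict:
    """Copy of the credential table with one SMTP username disabled and the rest untouched."""
    updated = dict(credentials)
    updated[user] = {**updated[user], "enabled": False}
    return updated


if __name__ == "__main__":
    hits = flag_compromised_senders(parse_log(SAMPLE_LOG))
    creds = {"alice": {"enabled": True}, "bob": {"enabled": True}}
    for user in hits:
        creds = disable_user(creds, user)
    print("flagged:", hits)
    print("credentials after response:", creds)
```

Because every sender has a separate username, the response is surgical: bob's credential is disabled the moment the burst crosses the threshold, and alice keeps sending mail as normal while the infected machine is cleaned and both passwords are changed.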
14) Consider multiple email accounts
Think of your email account like the first domino in a long line of hundreds of other dominos. If that first domino gets knocked over (compromised), then the rest of them are also going to fall. In order to reduce the risk of having hundreds of dominos fall over when an email account is hacked, it’s wise to use separate accounts for different purposes.
For example, you should have one email account for all of your social media notifications and website accounts, another email account for financial information, and another email for sales and networking. This might make things slightly more complicated on your end, but it significantly reduces the likelihood of a negative chain of events.
There’s wisdom in this. It’s called not putting all your eggs in one basket. Don’t put all your emails in one inbox, either, because if that inbox gets compromised, you’re in trouble. Besides, many email services will request you submit a backup email address, just in case there’s trouble with your account.
But of course, having more than one email account both helps and hurts email security. On the good side, it lets you hedge your bets, in case one account goes down. But it also creates another account, and thus another access point for trouble.
15) Be careful about public Wi-Fi
I know, I know: you have to check your email for work. And so you have to use the MRT station’s public Wi-Fi, or a café’s public Wi-Fi. We all understand. But also understand that public Wi-Fi is a fantastic opportunity for hackers, and for people who aren’t even crafty enough to deserve to be called hackers. Public Wi-Fi is never secure, and there are many ways in which hackers can steal all the information that passes through a network.
If you just have to use that Wi-Fi network, at least verify you’re on the actual free network, not the “free” network a hacker set up to look like the café’s or MRT station’s network. Next, make sure there’s “https:” at the beginning of the URL where you log in. If you don’t see the “s” in “https”, or if you get a warning that there’s a problem with the security certificate, don’t use that network.
What’s more, criminals only require a laptop and basic software to break into public Wi-Fi networks and then monitor all the traffic. If you or anyone at your company accesses email via a service of that nature, you make it easy for anyone with the will to steal your passwords and view your sensitive data. That could result in a targeted attack further down the line.
If people need to access their messages outside of the office, there are a couple of options on the table that should not make your operation vulnerable to data theft.
- Firstly, if they are unable to connect to a secure Wi-Fi network, your employees could use their smartphone and mobile data. That is much more secure than any public Wi-Fi service, and the move should protect your cloud data and your interests.
- Secondly, you might consider paying for mobile internet dongles that workers can use with their laptops outside of the office. Both of those options tend to work well, and they should help to protect all your company emails.
16) Enforce an Email Policy
Organizations should create and maintain a documented policy for email usage and instruct employees to adhere to it. Employees must be aware of emailing procedures that satisfy data safety requirements, such as what kind of data can and can’t be sent via email, who is authorized to send company-sensitive information, and what kind of files should not be downloaded.
17) Security Awareness Training
Despite using email every day in both their personal and professional lives, some people might be unaware of the dangers lurking within it. In fact, according to a recent survey, 90% of all successful cyber attacks are caused by human error, and 70% of employees do not understand cyber security!
Therefore, it is crucial that organizations invest in security training sessions that prepare employees to manage information security risks. An employer needs to be certain that their staff know how to handle the sensitive data on their devices and understand the risks associated with information security. Critical information might fall into hackers’ hands if the organization fails to give its staff effective cybersecurity awareness and capabilities.
So, hire a training room and teach your team about what to do and what not to do when it comes to email security. Discuss the tips found in this blog and tackle any questions or concerns your team might have about email in general and your organisation’s chosen provider.
18) Just be Smart
The final tip is to just be smart. Don’t do anything that seems fishy or dumb. Make sure you’re the only one who knows your password. Always log out of your accounts when they’re not being used. Don’t click on links from people you don’t know. Common sense is typically the best defense.
Want to find out more about eVantage’s Cyber Security Awareness Training? Click the green button to contact us today!
eVantage Technology is a professional and trusted IT solutions provider, dedicated to providing exceptional service to companies in Singapore and across Asia.