Unfortunately for today’s businesses, email continues to be the hacker’s favored attack vector, primarily because users–even those who have undergone training and should know better–continue to click on innocent- or official-looking, but highly dangerous, links and attachments. Right now, about 85% of all malicious emails have a .DOC, .XLS, .PDF, .ZIP, or .7Z attached, according to Finnish security provider F-Secure, with 92% of all malware attacks occurring through email. All that to say this: locking down secure email practices (and locking out cybercrooks) remains one of the most important and effective defensive strategies you can employ.
For most companies, securing email begins with defining and enforcing password-hygiene best practices, and training employees to spot and report suspicious-looking messages. While this is a great start, more proactive business leaders will take it a step further–several steps, in fact–by asking their in-house IT pro or IT Managed Service Provider (MSP) whether (and which) other proven preventive measures should be included in their mix. These examples, covered by security experts at WeLiveSecurity.com, might help you begin the conversation:
1) Email authorization and authentication. When core email protocols lack proper authentication techniques, email ‘spoofing’ (or faking) is trivially easy for crooks to pull off. Spoofing occurs when hackers forge or fake a sender’s address and/or identity, and pose as someone else to look legitimate. Their goal is to trick recipients into doing or divulging something that grants them access to your networks. The big question for your team is whether you’re doing enough in this area (and in those that follow).
2) Account protection. If it is not already in use at your company, it makes sense to understand the pros and cons of multifactor authentication (MFA). Rather than relying on a single ‘factor,’ such as a username and password, to grant system access, MFA requires a second factor as well, oftentimes a one-time ‘key’ that is sent to the requesting user by text or email. MFA can tie directly to the email app’s login process or to the network login, depending on your particular risk profile. Your MSP or security pro can help with all of this.
3) Validating and securing content. Identifying the best approach in this area will center on what level of protection and encryption (if any) best suits your company’s needs. It’s also a good idea for your team to understand how much ‘filtering’ is being applied to your company email, and whether current attachment-type restrictions provide adequate protection.
4) Software updates. Regular patching and updating are basic best practices for any and all applications, including your operating system, browser and browser extensions, and the email program itself. This one step alone can reduce your security exposure significantly. While you’re discussing general email practices with your provider or team, it wouldn’t hurt to assess your practices in this area, too.
If you’re not certain about the strength or resilience of your company’s email security, contact the security experts at TeamLogic IT today.
A strong password policy is essential. But in today’s environment, it’s only a small piece of a much bigger picture.