
Email Security Best Practices for Small Businesses

The importance of email makes it a prime target for cybercriminal activity – like social engineering – and the main reason employees need to use email security best practices. In fact, it’s estimated that over 90 percent of all cyber attacks begin with a malicious email sent to an unsuspecting victim. And cybercriminals don’t discriminate.

They target organizations of any size.

To protect your small or medium-sized business against email-based threats, you need to strengthen your defenses proactively. Start by implementing these email security best practices.

7 Email Security Best Practices

1. Enforce Strong Authentication

NordPass revealed that exceptionally weak email passwords are still being used worldwide – despite growing cybersecurity awareness. Many people still protect their email accounts (and others) with passwords like “12345,” “qwerty,” or “password,” making it easy for cybercriminals to brute force their way in.

To address this problem, businesses should enforce strong passwords and combine them with multi-factor authentication. On its own, a strong password like “42sjg31of@#5r” protects against brute force attacks.

However, it doesn’t protect against password theft – which is where the requirement to present at least one additional piece of evidence during authentication in the form of a one-time password or SMS code comes in.

2. Enable Spoofing Protection

Phishing scams are so widespread and costly because small and midsize businesses often make it too easy for cybercriminals to spoof their domain names. So, they can craft malicious messages that appear as if a legitimate sender sent them.

How exactly do they make it easy? By not authenticating messages with SPF, DKIM, and DMARC. These three acronyms stand for:

  1. SPF: Sender Policy Framework
  2. DKIM: DomainKeys Identified Mail
  3. DMARC: Domain-based Message Authentication, Reporting and Conformance

Together, they authenticate and digitally sign messages so that receiving servers can detect and reject mail that forges the “From” address. When configured correctly, they also increase deliverability, so messages won’t end up in the recipient’s spam folders.
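“Configured correctly” is the important part: an SPF record ending in “~all” or a DMARC record with “p=none” only monitors forged mail and still lets it through. The following checker is an added example, not code from the article or from any vendor; it parses SPF and DMARC TXT records (the sample records for example.com below are constructed, in practice you would fetch them with a DNS lookup of the domain and _dmarc.<domain>) and reports the weak settings next to the corrected ones.

```python
import re
from typing import List

# Constructed sample DNS TXT records for a hypothetical domain (example.com).
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"


def spf_findings(record: str) -> List[str]:
    """Return the weaknesses found in an SPF record (empty list = acceptable)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    # The final term decides what happens to senders not listed in the record:
    # -all = fail, ~all = softfail (usually still delivered), +all/?all = anything goes.
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        findings.append("'%s' lets any host send as this domain" % last)
    elif last == "~all":
        findings.append("'~all' only softfails forged mail; use '-all'")
    elif last != "-all":
        findings.append("no terminal 'all' mechanism; defaults to neutral")
    # RFC 7208 allows at most 10 DNS-querying terms; more yields a permerror.
    lookup_re = r"^[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)"
    if sum(1 for t in terms if re.match(lookup_re, t, re.I)) > 10:
        findings.append("more than 10 DNS lookups; receivers will return permerror")
    return findings


def dmarc_findings(record: str) -> List[str]:
    """Return the weaknesses found in a DMARC record (empty list = acceptable)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; forged mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports to review")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append("pct=%s applies the policy to only part of the mail" % pct)
    return findings
```

Run both functions against your own domain's records; an empty list from each is the state to aim for, and DKIM still needs to be verified separately by inspecting the selector records your mail provider publishes.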

3. Use Email Encryption

Electronic messages travel across the public internet, hopping from server to server until they reach their destinations. Unless encrypted, they can be intercepted along the way and tampered with. Fortunately, nearly all reputable business email providers encrypt messages by default when they are in transit using cryptographic protocols like Transport Layer Security (TLS).

To go a step further, businesses can encrypt messages at rest using technologies like S/MIME encryption and Microsoft 365 Message Encryption (available to Microsoft 365 subscribers).

At-rest encryption converts the text of an email message and all its metadata into ciphertext that can only be deciphered with the correct decryption key. As a result, even if an attacker gains direct access to the inbox, they cannot read the message.

4. Create an Email Policy

It’s fairly common for small and midsize businesses to see no need to set out expectations on acceptable use of email at work in a comprehensive email policy. However, that’s a mistake, and its consequences can be far-reaching.

At the very least, all businesses should prohibit employees from using their work email for personal purposes – such as online shopping and communication with friends.

Additionally, employees should not be allowed to open their inboxes on devices that have not been approved by the IT team, because such devices may not be secure and may already be infected with malware. Mobile devices (especially those running the Android operating system) are no exception in this regard.

5. Scan Messages for Threats

Effective email security strategies always include multiple layers of defense. One of them should be active scanning of incoming messages to protect against malicious links leading to credential-stealing websites and attachments containing dangerous malware.

Microsoft, for example, protects Office 365 users by automatically performing anti-spam and anti-malware scans of inbound email messages. They also provide features like Safe Attachments and Safe Links to give you extra protection against malicious attachments and links, respectively.

6. Practice Granular Email Retention

Email retention periods required by various regulations for different message types can range anywhere from a few months to multiple years. To make things easier, many businesses keep all messages for the maximum retention period – even though they technically don’t have to.

Unfortunately, there are two major problems with this approach:

  1. It greatly increases the total size of stored messages.
  2. It makes potential data breaches more damaging.

Instead of using one retention setting for all messages, it’s much better to implement granular email retention policies by type of content. Yes, their initial setup does take some extra time and effort, but they seldom need to be updated once they’re up and running.

7. Invest in Email Security Training

Employees who are not aware of the existence of phishing scams, malware disguised as legitimate attachments, and other common email threats are easy prey for today’s cybercriminals. Since the strength of the cybersecurity defense chain is always determined by the strength of its weakest link, it’s a good idea for businesses of all sizes to invest in email security training.

Instead of boring employees with stale PowerPoint presentations, it’s usually possible to achieve better results by giving them access to a self-paced online course that’s split into bite-sized lessons. The course can be complemented by phishing simulations designed to put employees’ newly acquired email security knowledge to the test.

Update Outdated Email Practices

Electronic mail may be more than half a century old, but email security is still a hot topic because of how ubiquitous email has become as a business communication tool. Small and midsize businesses that are still relying on outdated email security practices should update them as soon as possible because most cyber attacks these days begin with a malicious message.

Discover how a managed service provider, like Teal, can help your business enhance your cybersecurity and help you grow.
