Whether you like it or not, email is commonplace in the business world. With the ubiquity of email comes a horde of attacks aimed at gaining access to confidential information. According to the Center for Strategic and International Studies, cyber-attacks on organizations with 250 or fewer employees cost, on average, $188,000 per successful attack.
The attack on Sony Pictures in 2014 is a prime example of this. It is widely suspected that email was the entry point of the hackers. It is believed that the attackers had access to the Sony Pictures network for over a year and extracted over 100 TB of data, including personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, and copies of then-unreleased Sony Pictures films. Sony Pictures set aside $15 million to deal with ongoing damages from the attacks as well as to improve the organization’s security posture.
With a mixture of training, policies, and security products, you can help increase the security posture of your organization as well as help reduce the odds that your organization is a victim of cyber crime.
Cybercrime is not just about going after large targets – small businesses are just as vulnerable. 50% of SMBs have been breached in the course of a year.
The most prevalent attacks against small organizations originate on the web, with phishing and social engineering being dominant methods.
Do not be a victim of cybercrime. Below are six actionable items to get you started on email security for your business.
1. Create and maintain proper passwords
Did you know that 59% of SMBs have no visibility into employee password practices? Each employee should have their own unique and complex passwords, for both their work computer and their email account. These passwords should be different from each other to ensure that if one is compromised, the attackers gain access to only that one system and not the other. Passwords should also be changed regularly, ideally every three months.
Strong passwords should also be used. A strong password is at least eight characters long and combines numbers, symbols, lowercase and capital letters. The password should not be easily guessable – birthdays, addresses, phone numbers, etc. should not be used when creating a password. An example of a poor password choice would be “password” or “123456.”
Unique passwords should be used for different accounts: use a different password for your work computer, email account, websites, and social media accounts. If an individual has a lot of passwords to manage, consider using a password management tool rather than a pad and paper.
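As an added illustration of the password rules above (this is example code written for this article, not a tool the article recommends), the following Python function checks a candidate password against those rules: minimum length, character classes, a small constructed list of common passwords, long digit runs that look like dates or phone numbers, and personal facts the user supplies. A second helper spots the same password reused across accounts. The common-password list here is a short constructed sample; a real deployment would check against a large breached-password list.

```python
import re

# Constructed sample of common passwords; a deployment would use a full breach list.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein", "welcome"}

MIN_LENGTH = 8  # the article's minimum


def password_problems(password, personal_facts=()):
    """Return the list of policy rules the password violates (empty list means it passes).

    personal_facts: strings the user should not embed, e.g. a birth year or phone number.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    # Six or more consecutive digits usually means a date or phone number was pasted in.
    if re.search(r"\d{6,}", password):
        problems.append("contains a long digit sequence (date or phone number?)")
    for fact in personal_facts:
        if fact and fact.lower() in password.lower():
            problems.append(f"contains personal information ({fact!r})")
    return problems


def is_strong(password, personal_facts=()):
    """True when the password violates none of the rules above."""
    return not password_problems(password, personal_facts)


def reused_accounts(account_passwords):
    """Given {account_name: password}, return groups of accounts that share one password."""
    by_password = {}
    for account, pw in account_passwords.items():
        by_password.setdefault(pw, []).append(account)
    return [sorted(accounts) for accounts in by_password.values() if len(accounts) > 1]


if __name__ == "__main__":
    for candidate in ("password", "123456", "Summer1985!", "Tr0ub4dor&3"):
        print(candidate, "->", password_problems(candidate, ["1985"]) or "OK")
    # Constructed example of one password reused on two systems, which the article warns against.
    print(reused_accounts({"workstation": "Abc!2345xyz", "email": "Abc!2345xyz", "crm": "Zz9$quiet"}))
```

The checker is meant to run when a password is set or changed, never to store anything; a password manager, as the article suggests, is still the right place to keep the resulting passwords.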
2. Encrypt Email
If sensitive data is sent via email, such as Personally Identifiable Information (PII), Electronic Protected Health Information (ePHI), or passwords, the organization may want to consider using an email encryption solution. An email encryption solution helps protect emails containing sensitive information from hackers by permitting only the intended recipients to view them.
Users can encrypt emails by either using a paid email encryption service or installing a PGP (Pretty Good Privacy) key in their mail client, such as Outlook. The method used depends on the level of security and convenience required by the organization.
3. Develop and implement a cybersecurity plan
65% of SMBs that have a password policy do not strictly enforce it. Policy enforcement is one of the essential steps every organization and individual must understand and live by. The organization’s cyber security plan should not be limited to email security; it should include measures for how the organization keeps all IT-related items safe, such as servers, websites, payment information, and sensitive data. This should be a living document that adapts as the organization changes. The Federal Communications Commission created the Small Biz Cyber Planner 2.0 tool to assist an organization in creating a customized security plan.
4. Train your employees
The one thing that any technology or cyber security plan cannot control is the mouse click of an employee. Ultimately, organization members play a key role in email security. Employees should be trained on email best practices as well as how to spot and avoid suspicious emails or attachments.
An employee training program should include the following:
- Do not open links or attachments from unknown senders.
- Do not open attachments with .exe extensions.
- Never respond to emails that request a password change or require you to submit personal or company information.
- If available, always encrypt any emails containing sensitive data before sending, such as PII, ePHI, or passwords.
- Do not use your company email address to send and receive personal emails.
- Do not forward company emails to a third-party email system.
- If an official email looks suspicious, do not respond, but rather call the sender to confirm if the request is legitimate.
Many organizations also use software that tests employees with simulated phishing campaigns, spear-phishing emails, and other cybersecurity threats to check their knowledge against real-world scenarios.
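Several items on the training checklist above can also be checked by software before a message ever reaches an employee. The Python script below is an added example written for this article (not a product the article mentions): it parses a raw email with the standard library and flags the traits the checklist warns about, namely an external sender, a .exe attachment, a request to change or verify a password, and links that point outside the organization. The trusted domain `example.com`, the phrase list and both sample messages are constructed for the example.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Assumed: the organization's own domain(s). Mail from anywhere else is "unknown sender".
TRUSTED_DOMAINS = {"example.com"}
# The article names .exe; a deployment would extend this set.
BLOCKED_EXTENSIONS = {".exe"}
# Constructed phrases typical of emails that ask for credentials.
CREDENTIAL_PHRASES = (
    "change your password",
    "verify your password",
    "confirm your account",
    "enter your credentials",
)


def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if none)."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def link_hosts(text):
    """Hostnames of every http(s) URL found in the body text."""
    return {urlparse(u).hostname or "" for u in re.findall(r"https?://[^\s<>\"]+", text)}


def is_trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage(raw_message):
    """Return a list of checklist warnings for one raw RFC 822 message (empty = nothing flagged)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    domain = sender_domain(msg)
    if domain not in TRUSTED_DOMAINS:
        flags.append(f"external sender ({domain})")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS):
            flags.append(f"executable attachment ({name})")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    if any(phrase in body.lower() for phrase in CREDENTIAL_PHRASES):
        flags.append("asks for a password or account confirmation")
    for host in sorted(link_hosts(body)):
        if host and not is_trusted_host(host):
            flags.append(f"link to external site ({host})")
    return flags


# Constructed sample: a credential-phishing style message with an .exe attachment.
SUSPICIOUS = """\
From: IT Helpdesk <helpdesk@example-support.net>
To: alice@example.com
Subject: Action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please verify your password at http://login.example-support.net/reset within 24 hours.

--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

QUJDREVGRw==
--b1--
"""

# Constructed sample: an ordinary internal message.
BENIGN = """\
From: Bob <bob@example.com>
To: alice@example.com
Subject: Lunch
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, "->", triage(raw) or "no flags")
```

A filter like this is a prompt for the employee, not a replacement for the training: a message that trips none of these checks can still be malicious, which is why the checklist ends with calling the sender to confirm.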
5. Secure the organization’s email server
Complex email passwords, user training, and cyber security planning will only go so far if the email server is not secured. An internal email server should be patched with the latest updates, configured not to act as an open relay, and set to use TLS encryption to send and receive email. Antivirus and anti-spam software should be installed on the mail server, and a hardware firewall should be placed in front of the mail server to protect against cyber-attacks.
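As an added example of what "not a relay" and "use TLS" look like in practice, the following is a fragment of a Postfix `main.cf` written for this article (it is not a configuration from the article or from any particular product deployment). Each weak setting is shown as a commented-out line next to its corrected form; the hostname `mail.example.com` and the certificate paths are assumptions.

```ini
# --- Relaying ---
# WEAK: accepts mail for any destination from anyone (an open relay).
# smtpd_relay_restrictions = permit
# Corrected: relay only for our own network or authenticated users; refuse the rest.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
mynetworks = 127.0.0.0/8, [::1]/128

# --- TLS when other servers and clients deliver to us ---
# WEAK: STARTTLS never offered, so every incoming session is plaintext.
# smtpd_tls_security_level = none
# Corrected: offer STARTTLS with our certificate (assumed paths).
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.com.key

# --- TLS when we send outbound mail ---
# WEAK: never uses TLS even when the remote server offers it.
# smtp_tls_security_level = none
# Corrected: use TLS whenever the remote server supports it.
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
```

After editing, `postfix reload` applies the change; Postfix's own relay test is to connect from an outside address and confirm that mail for a foreign domain is refused rather than queued.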
6. Use a hosted email solution
Ideally, an organization should look to outsource the hosting of its email services. This ensures that the mail server is hosted in a secure, compliant data center with dedicated staff working to address any vulnerability. Additionally, hosted solutions typically come with an SLA indicating an uptime of nearly 100%.
7. Implement and enforce an organization-wide mobile device usage policy
Email is mobile, and controlling where employees access email can be a challenge. A combination of a mobile device policy and mobile device management software should be used to ensure every mobile device is secured. Whether the mobile device is company-owned or personal, employees should encrypt its data, ensure the device is password protected, and install company-approved security apps.
Lastly, mobile device management software should be installed on all mobile devices to allow the organization to enforce company-wide mobile device policies as well as perform actions such as locating a device or wiping it remotely.
Ultimately, all computers should have the same level of protection. This includes antivirus software, firewalls, password policies, etc. If even one computer lacks protection, it can act as an entry point for an attacker. By being purposeful when creating policies involving your small business’s email, you will head off a lot of issues before they even come to pass. Get employees on board and reward them for helping to build an environment where information is secure. Together, it’s possible to keep employee, customer, and business data safe – one email at a time.