We live in an email-centric world. Whether it be an invoice from a vendor or a memo from the CEO, email is typically the preferred means of communication within an organization. Email’s ubiquity – and inherent vulnerability to cyberattacks – makes email security best practices more important than ever.
The Verizon Data Breach Investigations Report, a collaborative study done by Verizon and several major security entities, found that 94% of malware was delivered via email and 32% of data breaches involved phishing email attacks.
By following the email security best practices and tips in this list, you can improve corporate email security and keep your company from falling victim to one of the largest attack vectors in existence.
Good email security requires the participation of all internal stakeholders in an organization, though the strategies are different.
Most employees are not responsible for major IT decision-making, such as updating outdated email clients, protecting email servers, or creating security-focused policies. These responsibilities rest with the employer.
While these employer-level decisions will likely be the most impactful, employees and other end users have their own set of protection strategies at their disposal.
Email Security Best Practices for Employees
In order to maintain proper corporate email security, your business should follow these four email security best practices:
- Use strong passwords
- Use multi-factor authentication
- Exercise prudence when dealing with email attachments, links, or unrecognized senders
- Know how to identify phishing emails
Using strong passwords can help protect your email account from being compromised. Your password should be a minimum of 10 characters long and include mixed capitalization as well as special characters (example: &, #, $, @).
As part of the best practices for email security, you should also avoid using personal information in your password. Much of this information is available via social media, so including it increases the chance of an attacker guessing your password or successfully executing a dictionary attack.
Reusing passwords is also bad practice. If your email account and Facebook account use the same password, an attacker who obtains that one password can access both accounts and pilfer your personal information.
Password managers are the solution to this problem. They allow you to securely store multiple passwords so you don’t have to remember them.
Doing so enables you to use unique passwords for each account, which aligns with email safety best practices. Many password managers on the market will even auto-generate a complex password for you.
Use Multi-Factor Authentication
Multi-factor authentication is another layer of authentication that can protect your email account. Authentication credentials fall into one of three categories:
- Something you know (password or PIN)
- Something you have (smart card, security token, etc.)
- Something you are (face, fingerprint, iris)
Multi-factor authentication combines two or more of these categories to enhance security.
Most modern email providers support multi-factor authentication using your password (something you know) together with a one-time password generated on your smartphone (something you have).
This one-time password can come via text message or authenticator applications, though authenticator applications are widely regarded as more secure.
Some popular authenticator applications include Google Authenticator, Microsoft Authenticator, and Authy.
Exercise Prudence When Dealing With Email Attachments, Links, or Unrecognized Senders
Email attachments can contain malicious executable code. Attachments with .exe, .msi, or .jar file extensions should be approached with caution.
Malicious code can even be embedded in Word, Excel, and other Microsoft Office application files in the form of macros. Be cautious with any email communications that direct you to enable macros before downloading Word or Excel files.
In order to follow email attachment security best practices, attachments must not be opened unless you know the sender and the attachment was expected.
Links should be approached with just as much caution. They are used to steal personal information, login credentials, and financial information.
They can also install malware onto your device. Phishing emails contain a lure that pressures you into clicking the link. This could be fear-inducing, like a notice for an overdue bill, or a deal you cannot refuse, like a complimentary gift card.
These links will likely bring you to a spoofed website. For example, if the email was regarding issues with your Bank of America account, the website would look just like Bank of America’s site. The goal is for you to input your credentials on this fake site so that the attacker can steal them.
For links associated with malware, it is the site the link takes you to, not the link itself, that downloads the malware.
If you do accidentally click a malicious link or download a malicious file, immediately disconnect your device from the internet to contain the infection. Scan your device using antivirus or antimalware software and remain disconnected during the scan.
Awareness training for phishing also exists. Companies like KnowBe4 offer simulated phishing campaigns to test employee reactions to phishing emails in a safe environment.
This is a good way to improve employee understanding of corporate email security. Teaching your staff how to identify phishing as part of email safety best practices could protect your company in the future.
Identify Phishing Emails
There are a few ways to identify phishing emails. If the message is from a public domain, that is suspicious.
Real organizations will never use an @gmail.com address to send an email, not even Google. You can find an organization's legitimate domain name by running its name through a search engine.
Many phishing emails abuse the "display name," which can mask the actual email address the spam originates from.
The email will appear as “Bank of America Customer Service” instead of firstname.lastname@example.org (the actual sender) to gain your trust. Look at the actual email address to determine the true source.
There are a few more suspicious indicators that can help to identify phishing attacks. For example, phishing emails are known for being poorly written. If you see an email that is full of spelling and grammar mistakes, it warrants suspicion.
Phishing, as previously discussed, utilizes a sense of urgency to trick you into clicking malicious links or downloading malicious files that could install malware. If you have time to think over the email, you may realize that something is suspicious.
Be dubious of emails that require an urgent response. This could be a phishing attempt.
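The indicators above (a public webmail sending domain, a display name that claims a brand the address does not match, urgency language) and the risky attachment types discussed earlier can be checked mechanically on a raw message. The following is an added example, not code from the original article or from any vendor named in it: it parses a constructed phishing message with Python's standard email library and returns the findings as a list. The public-domain list, the urgency keyword list, the brand-to-domain mapping, and the inclusion of macro-enabled Office extensions (.docm, .xlsm) alongside .exe, .msi and .jar are assumptions of this example.

```python
import email
import os
from email import policy
from email.utils import parseaddr
from typing import Dict, List

# Free webmail domains a legitimate organization would not send from (constructed, not exhaustive).
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
# Executable types the article calls out, plus macro-enabled Office formats (assumption).
RISKY_EXTENSIONS = {".exe", ".msi", ".jar", ".docm", ".xlsm"}
# Pressure phrases typical of the "act now" lure (constructed list).
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours")


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: bytes, expected_brands: Dict[str, str]) -> List[str]:
    """Return a list of phishing indicators found in a raw RFC 5322 message.

    expected_brands maps a brand name that may appear in the display name
    to the domain that brand really sends from.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = sender_domain(addr)
    findings: List[str] = []

    # 1. Public webmail domain: real organizations do not send from these.
    if domain in PUBLIC_DOMAINS:
        findings.append(f"sender uses public webmail domain {domain}")

    # 2. Display name claims a brand but the actual address is not that brand's domain.
    for brand, real_domain in expected_brands.items():
        claims_brand = brand.lower() in display.lower()
        domain_matches = domain == real_domain or domain.endswith("." + real_domain)
        if claims_brand and not domain_matches:
            findings.append(f"display name claims {brand!r} but address is {addr}")

    # 3. Risky attachment types, judged by the final extension (catches invoice.pdf.exe too).
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {name} ({ext})")

    # 4. Urgency language in subject or plain-text body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample phishing message (no real addresses or payload; attachment is the text 'hello').
SAMPLE_PHISH = b"""From: "Bank of America Customer Service" <bofa.alerts@gmail.com>
To: victim@example.org
Subject: URGENT: your account will be suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your account is suspended. Open the attached statement immediately.
--b1
Content-Type: application/octet-stream; name="statement.exe"
Content-Disposition: attachment; filename="statement.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_CLEAN = b"""From: Alice <alice@example.org>
To: bob@example.org
Subject: Lunch next week?

Are you free on Tuesday?
"""

BRANDS = {"Bank of America": "bankofamerica.com"}  # assumed mapping for the example

if __name__ == "__main__":
    for finding in check_message(SAMPLE_PHISH, BRANDS):
        print("PHISH:", finding)
    print("CLEAN:", check_message(SAMPLE_CLEAN, BRANDS))
```

None of these checks is proof on its own (a real vendor can write an urgent subject, and a legitimate contractor may use a webmail address), which is why the article's advice is to pause and verify the actual address and the expected-ness of the attachment rather than to trust any single signal.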
Other Helpful Tips
Spam emails, while not inherently malicious, are unwanted noise in your inbox. While it may be tempting to click the "unsubscribe" button found in many of these emails, avoid it.
These buttons can be used against you by spammers. Clicking tells them that your email account is active and could result in even more spam. In some cases, the unsubscribe button redirects you to a malicious website that could install malware.
As part of email security best practices, the safest way to cut spam emails is to mark them as spam. If that does not do the trick, use filters across your email client and email servers to cut down on the noise.
Enhance Your Corporate Email Security
Using these four email security tips to improve your email security practices will not only protect your company from a potential data breach but also ensure its sensitive data and personal information stay out of harm's way.
While educating your employees about phishing emails, strong passwords, and security best practices is crucial, so is receiving real-time information that alerts you to potential phishing attacks and other suspicious activity that could impact your network.
Partner with Quadrant to take advantage of the Sagan Solution, our all-in-one security offering. Enjoy continuous network monitoring, accurate reporting, malware detonation and more from certified engineers based at our Security Operations Center (SOC).
Get complete peace of mind with a fully-featured solution that has no upfront costs. For more information on Sagan and how you can benefit from a free trial, please contact us today.