An employee at an Omaha-based commodities trading firm received a fake email, which claimed to be from the CEO. In it, the sender asked for money to be wired to a recently acquired business based in China. Since it appeared to come from the CEO and referenced a real scenario, the employee transferred the money. Even after the FBI got involved, the firm was not able to retrieve the money as the account had been closed and the money had been transferred elsewhere. Unfortunately, this situation is all too common among businesses today.
Email is one of the easiest ways for hackers and nefarious actors to gain access to your business. One source reports that 90 percent of attacks originate via email. And all it takes is one incident or bad email to bring your operations to a halt. It’s a concern not just among business leaders, but also among tech experts themselves. In Southeast Asia, nearly half of IT professionals said email security was a top priority for the year. Even if you operate a small start-up, your inbox is still at risk – the number of attacks against firms with 250 or fewer people doubled last year. Further, the cost to the U.S. economy is not small. Combined, attacks like these carry an annual price tag of $100 billion.
Email intrusion is a real and present threat. And yet today, many firms continue to follow highly insecure email practices. The good news is, there are effective and affordable strategies that you can implement to secure your inbox, and, by extension, your business. Here, we share our top tips for keeping your organization's email secure and your data safe.
Email Security Tips
1) Has anyone seen my keys? Encrypt your Email
Our first tip to secure your inbox is to protect the content of your emails from being read by unintended recipients. This process is called email encryption. Essentially, email encryption applies a code or scheme to your content which scrambles the message into an unreadable format while it is being transmitted.
There’s a range of encryption approaches and options available depending on the level of security or convenience you require, your budget and resources, or how much peace-of-mind you and your team seek. For example, there are plug-ins available for existing email clients such as SafeGmail, a free extension for Google Chrome, or third-party email services, such as Office 365 Message Encryption from Microsoft. You can also install email certificates for your team; each person then shares a “key” with anyone they communicate with, which is used to encrypt and decrypt email content.
We suggest that you research whatever email client you use to understand its protections and limitations. Google’s Gmail, for example, will automatically encrypt all of your emails, “if it can”. However, if the recipient doesn’t have the same platform or level of encryption, your email might not be secure.
2) It’s OK to pass the buck. To a good password manager.
If email encryption is your first line of defense, you can think of password management as your first level of protection. Unfortunately, online email clients like Google and Yahoo are prime targets for data breaches. At the same time, we’re not that good at creating strong passwords, or changing them as frequently as they should be changed (many sources suggest a reset every three months).
A password manager is a tool to help you and your team create strong, unique passwords for each of your online accounts and exponentially increase your security. Password management, in general, refers to the ability to centrally manage and store passwords within an online “password vault”. This vault also helps you and your IT team remember all of those strong passwords. There are many options to choose from, such as MyGlue, which also tracks who is accessing and changing information and retains version history. For more, please see this earlier post we wrote on the four benefits of using a password manager.
3) Reduce Anxiety with Two-Factor Authentication
If password management is the first level of protection for your firm, then two-factor authentication (2FA) offers the next level. 2FA can help prevent hackers from accessing your account, even if they’re able to crack your password.
2FA supplements the traditional username-plus-password approach to email. It uses a code that is unique to a specific individual, and asks people to prove who they say they are through both a password and a unique code. An Android Central article summarizes it well: “Two-factor authentication means that you need to present two different things from two different sources that prove who you are.” Nefarious actors would need access to both a physical device and a virtual password, making intrusion more challenging.
Often, these 2FA codes are delivered to a user’s device via a voice call, an SMS text message, or a secure email, or are generated locally through an app. Google Authenticator, for example, provides another layer of security for phones and Google accounts by generating and asking for a second code verification to sign in.
As with encryption and password management tools, there’s a wide range of options available depending on your unique business needs.
4) Secure your Devices and your WiFi
At your office or place of business, it’s good practice to set up two distinct WiFi networks – one for staff and one for guests. This will help reduce the number of unknown devices accessing your network.
Today, many firms work with remote employees or consultants who will use both company-issued and personal laptops or mobile devices for work purposes. If these people are on a shared or unsecured WiFi network, it’s possible that hackers could access their devices and their contents. One solution is to adopt and use actual physical devices with enhanced security options for greater control. Microsoft, for example, suggests devices that offer conditional access, device management, and selective data wiping of sensitive information, in the event a device is lost or stolen.
Another recommendation is to set up WPA2 encryption on your network, and to provide employees with a VPN so they can securely access the network remotely. If this is starting to sound a bit like alphabet soup, don’t worry! We can walk you through each and every recommended measure to secure your devices and your network.
5) Equip your Front Line (Your People)
One of the most important tips we can offer is all about your employees. After all, your technology is only as secure as your people are. Arm your staff as your front line of defense with up-to-date training and resources. For example, you might want to put together a basic curriculum on topics such as the landscape of threats that exist today, examples of common phishing attacks, best practices to prevent email intrusion, and what to do should something go wrong. For more, please see this earlier post on employee cybersecurity training tips, including:
When it comes to protecting your operations, cybersecurity is everyone's responsibility.
Train early and often.
Make training holistic and impactful.
Make the training fun and enjoyable.
Another idea comes to us from Microsoft. It suggests testing your employees with email threats like phishing campaigns and spear-phishing emails, and recognizing or rewarding people when they pass the tests. However, if you do this, make sure you provide the proper education first so people know what to look for and avoid.
We hope this post helps you understand why email security should be a top priority for your business and a key component of a robust cybersecurity plan. Email intrusion will remain a threat to your business because everyone uses email. On average, people have just under two email accounts each.
At N8 solutions, we’re experts in all things email security. We can walk you through the above tips and share other effective strategies to keep your inbox secure. We’re also available to discuss some of the different tools we presented, from implementing the perfect password manager to developing a fun and effective training course for your team – it’s a custom, affordable, and effective way to safeguard your business. Please get in touch with us today to start feeling better about your email tomorrow!