An IT Director’s Best Practices for E-Mail Security
By Brian Downey | September 8th, 2016
E-Mail is one of the most commonly used applications in the world. It provides organizations with a quick and cost-effective means to communicate and, from inception, it quickly became a necessity most businesses could not live without. However, hackers are keenly aware of this fact as well and continuously devise new, creative ways to exploit any possible vulnerabilities for profit. At TSI, we strive to provide our clients with the knowledge and tools they need to mitigate this ever-present threat. We have outlined some key areas for developing a comprehensive E-Mail Security implementation.
Spam Filtering: Spam filters are appliances that can be deployed on-premises or in the cloud and are the first line of defense against E-Mail attacks. Not only can they drastically reduce the amount of junk mail users receive, they can also block E-Mail from blacklisted unsafe senders, remove messages with harmful verbiage and/or attachments as well as warn users if the sender of a message is impersonating someone else.
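The impersonation warning described above can be illustrated with a short header check. This is an added example, not code from TSI or from any particular spam filter; the organization domain, the staff directory, the 0.85 similarity threshold and the sample messages are all constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                         # assumed organization domain
DIRECTORY = {"jane doe": "jane.doe@example.com"}   # assumed staff directory

# Constructed sample messages (headers only matter here).
SPOOFED = ('From: "Jane Doe" <jane.doe@examp1e.com>\n'
           'Reply-To: payments@mail.example.net\n'
           'Subject: Urgent wire transfer\n\nPlease process today.\n')
GENUINE = 'From: "Jane Doe" <jane.doe@example.com>\nSubject: Agenda\n\nSee attached.\n'
VENDOR = 'From: "Newsletter" <news@vendor.example.org>\nSubject: Updates\n\nHello.\n'


def _domain(addr):
    """Lower-cased domain part of an e-mail address."""
    return addr.rpartition("@")[2].lower()


def impersonation_warnings(raw, org_domain=ORG_DOMAIN, directory=DIRECTORY):
    """Return the warning labels a filter could attach to one message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    dom = _domain(addr)
    warnings = []
    # A staff member's display name on an address that is not theirs.
    known = directory.get(" ".join(name.lower().split()))
    if known and addr.lower() != known:
        warnings.append("display-name-mismatch")
    # Sender domain that is close to, but not, the organization's domain.
    if dom != org_domain and SequenceMatcher(None, dom, org_domain).ratio() >= 0.85:
        warnings.append("lookalike-domain")
    # Replies silently redirected to a different domain than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != dom:
        warnings.append("reply-to-mismatch")
    return warnings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("vendor", VENDOR)):
        print(label, impersonation_warnings(raw))
```

These header heuristics only produce a warning banner or a quarantine decision; they complement, rather than replace, the sender blacklists and attachment checks the filter already applies.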
Firewall: Most SMBs know what a firewall is, but many are unaware of its full capabilities. Modern firewalls have the ability to detect anomalies in network traffic in real-time and discard/quarantine anything deemed unreliable before it ever reaches the intended recipient. Firewalls also have built-in content filters capable of preventing users from browsing to potentially harmful websites through malicious URLs embedded in E-Mail messages. They can also be configured to only allow E-Mail traffic that has been routed through an organization’s spam filter before delivery.
Antivirus & Antimalware: Antivirus and Antimalware applications are a small but significant component of an E-Mail security strategy. They can remove dangerous attachments from E-Mail messages and prevent users from unknowingly navigating to a suspicious link. However, in order for these applications to be effective, it is imperative that they be maintained and kept up to date. IT Security is only as strong as its weakest link and missing a single maintenance window has the potential to wreak havoc on a network. A vigilant, consistent approach to AV/Antimalware maintenance should be a crucial part of your IT Security policy.
Password Management: Password management is often overlooked by many SMBs today, but it is a huge factor in a properly designed security strategy. 30% of investigated data breaches last year were found to be caused by the use of weak passwords, yet surveys indicate that 49% of passwords are still considered to be weak. Insecure passwords can be exploited by hackers to gain access to your E-Mail. Once access is obtained, attackers will then use your E-Mail account to attempt a number of malicious attacks such as Phishing campaigns and wire transfer scams. They will also have access to any sensitive information that may be stored in the account.
The problems that arise from the use of weak passwords are compounded by the fact that 70% of people admit to using the same password for multiple systems and that 51% are opposed to having to remember yet another complicated alphanumeric password. A proper password policy should follow the guidelines in the infamous “Underwear Analogy” which states:
Passwords should be treated like underwear.
You should not be able to guess what they look like.
They should be changed frequently.
They shouldn’t be left out in the open for everyone to see.
They should not be shared with anyone.
Password management applications ensure all of these guidelines are met, while increasing the productivity of employees. They ensure complex passwords are used and regularly changed, and they eliminate the need to memorize them. They allow a user to log into a system with a single click of a mouse. Further, passwords are stored in the application using military grade encryption, which satisfies password compliance requirements from regulatory agencies such as HIPAA, PCI-DSS and SOX.
User Education: End User Education is by far the most critical component of an E-Mail Security strategy. There is no such thing as a bulletproof security policy; threats will inevitably find their way to an organization’s user base. The sooner this realization is accepted, the sooner it can be properly mitigated.
The most devastating breaches are rarely the result of a sophisticated attack. Rather, they are the consequence of employees who unknowingly provide hackers the keys to the kingdom. It is imperative that a healthy degree of paranoia is instilled in end users so that it becomes second nature to think twice before clicking on links or attachments in E-Mail messages, even those that appear to come from legitimate sources within the organization.
One of the most effective ways to develop this awareness is to conduct routine Phishing Drills in which regular, targeted E-Mail messages containing suspicious attachments and links are sent to all employees. The results are then analyzed and detailed reports are generated that indicate which employees may need to refresh their training on E-Mail security best practices.
Users should also undergo regular training on the proper use of E-Mail. Messages containing sensitive information such as social security numbers, employee tax or salary information, credit card numbers, etc. should be avoided. If sensitive information must be sent via E-Mail, use an application capable of encrypting the contents of the message, both at rest and in transit.
Business E-Mail should be kept separate from personal E-Mail at all times. All of the E-Mail security tools in the world cannot help a company whose employees regularly conduct business with their own personal E-Mail accounts, outside of company control. Consider monitoring and/or blocking access to personal email accounts from company resources and forcing remote users to connect to a corporate VPN before using company E-Mail.
Final Thought: Although E-Mail security risks have increased dramatically in recent years, there are a number of tools and strategies that can be implemented to mitigate these risks. Work proactively with your IT Team and/or Managed Services Provider to identify and remediate potential threats as well as ensure company employees are educated in security best practices. Work with a security professional to develop a WISP (Written Information Security Policy) specific to your organization, and review the document regularly to ensure that the policy is being followed and enforced.
Unfortunately, there is no way to prevent all E-Mail attacks from reaching a user. The good news is most hackers are lazy and rely on automated processes to do their dirty work for them. An organization that implements E-Mail Security practices is far less likely to be a victim of a breach, and will likely be passed over by a potential attacker. To learn more on how TSI can help you with E-Mail Security, Contact Us today!