The importance of email
In 2023, an average of 350 billion emails are sent every single day. By comparison, only 23 billion texts are sent and 13.5 billion phone calls are made per day. Something that was once thought to be a fad is now the most popular method of communication across the world by far.
Criminals use email a lot too. Last year, 39% of UK businesses experienced a cyber attack, with the most common vector being phishing attempts (83%), where staff receive fraudulent emails or are directed to illegitimate websites where they are prompted to enter their data. Successful attacks of this type cost UK businesses billions of pounds a year, and so the importance of adequate email security cannot be overstated.
The multiple layers of email security
Email appears simple, but in fact the mechanics of email, and how we interact with it, are quite complex. That provides lots of opportunities for defrauding us of our money. So, we need layers of protection; each layer reduces our risk a little more.
The first thing that comes to mind when you think about malicious emails might be a poorly structured and badly written message with incorrect grammar, received from a random Gmail or Hotmail address.
But the reality is that scams are becoming more and more sophisticated and we cannot rely solely on users to determine what is and isn’t a legitimate email. Whilst user knowledge and older tech are still useful in protecting against known threats, the landscape is constantly evolving with new threats emerging all the time, hence the need for multiple layers of security.
Layer 1: Restrict attackers from reaching users via email
Your email system needs to be implemented in the best possible way with essential protocols to ensure that genuine emails are properly sent and received, and any emails that might be considered harmful are filtered or blocked.
DNS records, SPF, DKIM, DMARC. You may have heard these acronyms before or they may be complete gibberish – what’s important is not what they mean, but what they do for you and your business. These controls verify your legitimacy as an email sender, restrict other entities from impersonating you, and tell your system what to do if it thinks it’s received a harmful message.
It is important for all businesses to setup these controls to prove legitimacy, as you don’t want emails to your clients ending up in their spam folder or being completely blocked.
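The acronyms above refer to TXT records in your domain's DNS: SPF lists the servers allowed to send mail for your domain, DKIM lets receivers verify a signature on each message, and DMARC (published at _dmarc.yourdomain) tells receivers what to do when those checks fail and where to send reports. As an added illustration that is not part of the original article or of The Final Step's tooling, the Python below checks constructed SPF and DMARC records and reports the settings that leave a domain open to impersonation (a soft-fail "~all", a monitoring-only "p=none") beside the hardened versions. The example.invalid domain and the record contents are constructed; in practice you would fetch the live records, for instance with "dig TXT _dmarc.yourdomain".

```python
import re

# Constructed example records. example.invalid is a placeholder domain, not a real one.
WEAK_RECORDS = {
    "spf":   "v=spf1 include:_spf.mailer.example.invalid ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
}
HARDENED_RECORDS = {
    "spf":   "v=spf1 include:_spf.mailer.example.invalid -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid; adkim=s; aspf=s; pct=100",
}

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(record):
    """Return a list of findings for an SPF TXT record (empty list means no weakness found)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must start with v=spf1"]
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism, so mail from unlisted servers is neither failed nor soft-failed")
    else:
        # The qualifier is the leading +, -, ~ or ?; a bare 'all' means '+all'.
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorises every sender on the internet; use '-all'")
        elif qualifier in "~?":
            findings.append(f"SPF: '{all_terms[-1]}' only soft-fails spoofed mail; move to '-all' "
                            "once DMARC reports show every legitimate source is listed")
    lookups = 0
    for t in terms[1:]:
        mech = re.split(r"[:/=]", t.lstrip("+-~?").lower(), maxsplit=1)[0]
        if mech in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceeds the RFC 7208 limit of 10; receivers return permerror")
    return findings


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of findings for a DMARC TXT record."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: missing or invalid v=DMARC1 tag"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail that fails SPF/DKIM is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: p tag missing or invalid")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so you receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of your mail")
    return findings


def assess(records):
    """Combine SPF and DMARC findings for one domain's records."""
    return check_spf(records["spf"]) + check_dmarc(records["dmarc"])


if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(f"{label}: {assess(recs) or ['no weaknesses found']}")
```

The usual path from the weak records to the hardened ones is to publish p=none with a rua address first, read the aggregate reports for a few weeks to find every system that legitimately sends as your domain, add those sources to SPF and sign them with DKIM, and only then move to "-all" and p=reject so that impersonation attempts are actually refused.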
You need controls in place to determine what can get through to your inbox and what should be filtered out. Filtering also promotes productivity, as users will spend less of their own time deleting emails or marking them as junk.
Whilst there are options for built-in filtering systems from most email providers, we would recommend a third-party provider, so that if your email provider has a blip, your filtering system will still remain solid. A third-party provider will also allow for greater control with more customisable options.
Progressive filtering systems such as Advanced Threat Protection (ATP), which we use at The Final Step, take suspicious emails and open them securely inside a sandbox to check whether there is a threat. The same tool can also be used to restrict more advanced spoofing techniques, keeping users safe from impersonation attempts.
Layer 2: User training and reporting
Whilst the aim of anti-spoofing and filtering controls is to restrict as many malicious emails as possible, it will always be the case that some emails will slip through the net. As such, not only is the tech behind email important, but also the human that’s operating it.
Phishing emails can be notoriously hard to spot, but knowing the basics as well as encouraging users to report incidents is crucial. We recommend that users receive regular security awareness training given the ever-changing nature of email attacks.
Steps that we would take to train users can be anything from how to create a strong, unique password and where to store it, to on-site security awareness training and simulated phishing emails to determine which users might need further guidance.
An open culture of reporting
At The Final Step we talk about building a security-first mindset: being personally responsible and sacrificing some convenience for the sake of better security. There is a balance to be struck, so that you know not to overwhelm your IT department with constant reports and yet do not persist in dangerous activity. These days, that means regular, bite-sized testing and training in security awareness, as well as an open culture in which you feel comfortable reporting incidents, including ones you may have caused yourself.
Users struggling with training should be reassured that it’s not an easy task, and encouraged to always seek extra help if they are unsure. If users are punished when they fail to recognise phishing emails in training, they are less likely to report incidents in a timely manner, if at all, when it comes to the real thing.
Credit to National Cyber Security Centre, Guidance on Phishing
Layer 3: Damage mitigation
Whilst we hope that anything that slips through the filtering system is reported by users, it’s only a matter of time until somebody clicks on a malicious link or enters their details somewhere they shouldn’t. Thus, it’s important to implement security measures elsewhere in your infrastructure.
Protect against viruses and malware
Anti-virus solutions are a standard implementation nowadays. If you click on a link that attempts to install malware on your device, a good anti-virus solution can stop criminals dead in their tracks. A similar solution should be used to stop users visiting malicious or insecure websites.
You should also keep all devices up to date to stop any attackers exploiting vulnerabilities in older software versions.
Protect your accounts
This starts by having a strong, unique password for each of your accounts, and then adding further layers of protection. Make sure that you never write down your passwords and you only store them in a dedicated password manager, such as Keeper.
You should then add Multi-Factor Authentication (MFA) to all of your accounts. MFA requires an extra step to verify the legitimacy of any login attempt, ideally via a dedicated app like Microsoft Authenticator. Whilst MFA adds another level of security, you may encounter MFA fatigue attacks, where hackers spam your phone with approval requests hoping that you approve one of them out of frustration or the belief that it is genuine. It should be noted that adequately securing the phone which contains your Authenticator app is of equal importance.
To further protect against fatigue attacks, we would recommend the latest MFA technology, ‘number matching’. This adds a third step to any login attempt, whereby the user will be prompted to enter a two-digit code in the authentication device. This means MFA works in both directions to ensure login attempts are legitimate, rather than relying solely on a user tapping accept.
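To make the "both directions" point concrete, here is an added example, written for this page and not taken from Microsoft Authenticator or any other product, that models the server side of push MFA in Python. With number matching switched off, any tap on "approve" completes the sign-in, which is exactly what a fatigue attack relies on. With it switched on, the approval must carry the two-digit number displayed on the sign-in screen, and a user who did not start that sign-in has no screen to read it from. The IdentityProvider class, its method names and the request identifiers are assumptions made for the illustration.

```python
import secrets


class IdentityProvider:
    """Constructed model of an identity provider issuing push MFA prompts.

    number_matching=False: a bare 'approve' completes the login (plain push).
    number_matching=True:  the approval must carry the number shown on the
                           sign-in screen, so the approver must be the person
                           who is actually looking at that screen.
    """

    def __init__(self, number_matching=True):
        self.number_matching = number_matching
        self.pending = {}  # request_id -> number displayed on the sign-in screen

    def start_login(self, username, password_ok):
        """After the first factor passes, issue a push request and a challenge number."""
        if not password_ok:
            return None
        request_id = f"{username}-{secrets.token_hex(4)}"  # assumed id format
        number = secrets.randbelow(100)  # two-digit challenge, 00 to 99
        self.pending[request_id] = number
        return request_id, number

    def complete_login(self, request_id, approved, number_from_app=None):
        """Consume the pending request and decide whether the sign-in succeeds."""
        expected = self.pending.pop(request_id, None)
        if expected is None or not approved:
            return False
        if not self.number_matching:
            return True  # plain push: any approval is enough, which is the weakness
        return number_from_app == expected


def legitimate_login(idp, username):
    """The user signs in, reads the number off their own screen and types it into the app."""
    request_id, number_on_screen = idp.start_login(username, password_ok=True)
    return idp.complete_login(request_id, approved=True, number_from_app=number_on_screen)


def blind_approval(idp, username):
    """The fatigue scenario from the article: someone else holds the password and
    triggers a prompt; the user taps approve to make it stop. They have no sign-in
    screen in front of them, so they cannot supply the number."""
    request_id, _number_they_never_saw = idp.start_login(username, password_ok=True)
    return idp.complete_login(request_id, approved=True, number_from_app=None)


if __name__ == "__main__":
    for mode in (False, True):
        idp = IdentityProvider(number_matching=mode)
        print(f"number matching {'on ' if mode else 'off'}: "
              f"legitimate={legitimate_login(idp, 'alice')} "
              f"blind approval={blind_approval(idp, 'alice')}")
```

The model also shows why the phone itself needs protecting: the number check only helps if the device that receives the prompt is in the hands of the person whose screen shows the number.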
Conditional access allows a company to set policies and requirements that determine which devices can or cannot access data on their systems. For example, I cannot log in to my work email from my personal computer, as the machine is not recognised as part of the company’s infrastructure. The same is true of my mobile device, as my personal phone is not a part of the company’s Mobile Device Management solution. Conditional access can help thwart criminal attacks and also stop users from accessing company data from devices outside of your environment, keeping your data secure.
Layer 4: Recovery plan
If the worst happens and an attacker gets into your system and is causing havoc, you need to be able to detect and respond to the attack quickly. This requires a recovery plan which must be planned in advance so that you can execute all of the required steps as efficiently as possible. Most organisations will experience a breach at some point, so implement the steps in this layer to put you in the best stead to recover your data.
Install a security logging system that detects and reports issues. Having a logging system in place will help determine when the breach took place and how, so you know to which point you should recover. Users that notice suspicious activity or anything out of the ordinary should also report it immediately.
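What "detects and reports issues" looks like in practice is a rule running over the sign-in logs. As an added example that is not part of the original article or of any particular logging product, the Python below runs one such rule over a few constructed sign-in log lines: a burst of MFA prompts that a user denied or ignored within ten minutes is reported as a possible MFA fatigue attempt, and the report records the first timestamp (the "when" you would recover to) and whether an approval followed the burst. The log format, field names, window and threshold are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log lines in an assumed "timestamp key=value ..." format.
LOG_LINES = """\
2024-05-01T09:00:12Z user=alice event=mfa_push result=approved device=managed-laptop-01
2024-05-01T22:14:03Z user=bob event=mfa_push result=denied device=unknown
2024-05-01T22:14:41Z user=bob event=mfa_push result=timeout device=unknown
2024-05-01T22:15:20Z user=bob event=mfa_push result=denied device=unknown
2024-05-01T22:16:05Z user=bob event=mfa_push result=timeout device=unknown
2024-05-01T22:17:30Z user=bob event=mfa_push result=approved device=unknown
2024-05-02T08:30:00Z user=carol event=mfa_push result=denied device=managed-laptop-07
2024-05-02T08:30:45Z user=carol event=password_login result=success device=managed-laptop-07
""".splitlines()

WINDOW = timedelta(minutes=10)   # assumed detection window
THRESHOLD = 4                    # assumed number of unanswered prompts that triggers an alert


def parse_line(line):
    """Turn one log line into a dict; keeps the raw timestamp for reporting."""
    raw_ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(raw_ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["raw_ts"] = raw_ts
    return fields


def detect_mfa_fatigue(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per user whose unanswered MFA prompts reach the threshold inside the window."""
    pushes = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if event.get("event") == "mfa_push":
            pushes[event["user"]].append(event)

    alerts = []
    for user, events in pushes.items():
        events.sort(key=lambda e: e["ts"])
        unanswered = [e for e in events if e["result"] != "approved"]
        for i, first in enumerate(unanswered):
            burst = [e for e in unanswered[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            window_end = first["ts"] + window
            # An approval inside the window means the user may have given in: treat the
            # account as compromised, reset the password and revoke its sessions.
            approved_after = any(e["result"] == "approved" and first["ts"] <= e["ts"] <= window_end
                                 for e in events)
            alerts.append({"user": user, "first_seen": first["raw_ts"],
                           "prompts": len(burst), "approved_after": approved_after})
            break  # one alert per user per burst is enough here
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(LOG_LINES):
        print("possible MFA fatigue:", alert)
```

A real logging system holds many rules like this one, but the shape is always the same: keep the events, run the rule continuously, and make the alert carry the timestamp and the account so that the recovery plan can start from a known point.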
Having a backup will allow you to recover to a certain point in time after a breach, and it can also help to recover documents if a user deletes them by accident. This is often done without malice and without external threat, but if an important document is deleted by mistake it could lead to a security issue.
Incident response plan
This will be developed alongside your colleagues and should include every step of the recovery process, including who will do what and when. This will include things like forcing password resets, removing viruses, recovering to a backup and more.
Crucially, this response plan must be practised in a simulation exercise, and not trialled for the first time after a breach occurs where working quickly is imperative.
The proactive or reactive approach
Email is inherently an insecure system. A considerable proportion of the 350 billion emails sent per day will be spam, junk or malicious attempts to compromise your email accounts by phishing or malware for example. To put you in the best possible position to fight off attacks, you need to add multiple layers of email security.
As you navigate an evolving landscape of email-related cyber crime, spammers and attackers are constantly finding new ways to exploit weaknesses in your system. It’s important to keep your team informed about industry standards and your user training up to date so you know how to identify and respond to malicious emails.
Where to start? If you are proactive, do a risk assessment that identifies gaps in your security and helps you decide what are the most cost-effective options to reduce your risk. If you are reactive, you will fix a gap once a problem occurs and is costing you time, money and embarrassment.
Our email security service prevents, detects, responds to and recovers from email attacks to ensure your peace of mind. If you’re not speaking to somebody about email security already, come and speak to us for no strings attached advice on how you can ensure the security of your business.