The single biggest threat to your business’s online security is malicious email. We have seen organizations lose vital client data in recent cyber breaches and receive a lot of bad press that severely damaged their brand. Most of these breaches happen because of poor email security practices. The latest Data Breach Investigations Report (DBIR) suggests that 66% of malware installed on breached networks comes through email attachments. Even the best email security solution cannot catch every malicious email. Phishing email attacks remain the most common and devastating attack. According to Symantec in 2016, “One in 131 emails sent were malicious”. In this article, we will discuss how implementing email security best practices can minimize your organization’s vulnerability.
- Use a strong password that is unique and be careful with your credentials. Weak passwords are easy to crack using special password-guessing software. Do not share your credentials with anyone. You should be the only one logging into your email. If someone else needs access to your email, your IT department can set that up. Sloppy password management creates an open door for hackers. According to The Forrester Wave: Privileged Identity Management, Q3 2016, 80% of security breaches involve privileged credentials.
Essentials for a strong password:
- Use complex passwords. Many sites and applications will require you to use upper/lower-case, numbers, or special symbols. If a site limits the number of characters, like “Passwords must be 8-20 characters”, aim for the upper end of that range.
- Never use your birthday, hometown, school, university, or brand name.
- Avoid common letter-number substitutions – password-cracking software will guess “p@55w0rd” almost as quickly as it will guess “password”
- If a site allows long passwords, think in terms of phrases rather than words – “My granddad grew up on Chocolate Bayou!” actually contains more complexity than hard-to-remember random strings like “ccUhxi7vQ20w2PwIqVk4”
- Never re-use your password on multiple sites. If your Facebook account gets compromised, you don’t want the hacker to be able to get into your email account, too.
- Don’t trust emails, even if they appear to be from inside your organization. Hackers can easily “spoof” email addresses so that a message looks like it came from someone you know. You can validate the sender by hovering your mouse over the “from” name field, which will show you the actual email address of the sender. If the two email addresses don’t match, the email is likely fraudulent and should be marked as spam and deleted. Mimecast research found that business email compromise (BEC) tactics get through enterprise email security solutions seven times more than email-borne malware. Phishing attacks are usually not perfect. Often they come from a strange address like firstname.lastname@example.org, the formatting is off, or there are a lot of typos.
Here’s an example of what can happen with a phishing email:
- The hacker sends an email that contains a link to a site you know
- You click the link and end up on a website you may normally go to, like your bank, but the site is actually a fake mock-up of the real banking site
- You then enter your username and password
- The phishing site then steals your username and password and sends it to the hacker who can now use those credentials to log into the REAL banking site
- Beware of links and attachments. Don’t click on links or attachments without verifying the source and establishing the legitimacy of the link or attachment. This is one of the easiest ways for a security breach to occur within your organization. Attachments can contain malware like ransomware or spyware, which can cause a security breach. Don’t open attachments that end with .exe, .scr, .bat, .com or any other executable extensions. Make sure that the attachment doesn’t have a double extension. A file named “mail.txt” is safe, whereas a file named “mail.txt.exe” isn’t. If the URL looks fishy then it probably is.
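The attachment rule above can also be enforced automatically at the mail gateway instead of relying on each reader. The following Python sketch is an added example, not part of the original article: it parses a raw message and flags attachments by filename, using the four extensions listed above. The function names, verdict strings and sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Executable extensions named in the article; extend the set for your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".com"}


def classify_filename(name):
    """Return 'allow', 'block-executable' or 'block-double-extension'."""
    # Windows strips trailing dots and spaces from file names, so remove them first.
    cleaned = name.strip().rstrip(". ").lower()
    stem, dot, ext = cleaned.rpartition(".")
    if not dot or "." + ext not in EXECUTABLE_EXTS:
        return "allow"  # the name passed this check; content is not inspected
    # Assumption: "double extension" means a decoy suffix before the real one,
    # as in the article's "mail.txt.exe".
    return "block-double-extension" if "." in stem else "block-executable"


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and classify each attachment by filename."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    return [
        (part.get_filename(), classify_filename(part.get_filename() or ""))
        for part in msg.iter_attachments()
    ]


def build_sample():
    """Constructed sample message with four attachments (not real mail)."""
    msg = EmailMessage()
    msg["From"] = "Billing <billing@example.com>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    for fname in ("mail.txt", "mail.txt.exe", "Setup.SCR", "notes.tar.gz"):
        msg.add_attachment(b"constructed sample bytes",
                           maintype="application", subtype="octet-stream",
                           filename=fname)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, verdict in scan_message(build_sample()):
        print(f"{verdict:24} {filename}")
```

The check is case-insensitive and only looks at the final extension, so legitimate multi-dot names such as “notes.tar.gz” are not flagged.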