Today’s attack methods are broad, ranging from malware spam and “phishing” attempts to unsafe public Wi-Fi — and hackers’ tricks are only getting more devious and sophisticated. Not only can hacked emails expose sensitive-data-bearing messages, but malware and mal-URLs may also provide cybercriminals an access route into IT systems to infect and compromise other accounts and systems across your business.
Fortunately, there are steps that companies can take to help prevent these attacks from succeeding: a mix of policy and procedure, security products, and employee involvement. Here’s a quick cautionary look at some of the new ways your email is being threatened — and what companies and employees can do to keep using email safely:
CONSIDER ENCRYPTED EMAIL
If your company wants secure email, it can be done. Setting up email that’s encrypted, using PGP or some other encryption toolkit, will take some IT work. But once it’s set up, all an employee should have to do is click the “encrypt me” icon in the mail client.
Note: there’s currently technical debate whether webmail MUAs (Mail User Agents) provide end-to-end encrypted email reliably — so until the kinks are worked out, do not use webmail to do encrypted email.
LOCK DOWN DATA ASSETS
On TV and in films, heroes and villains alike seem to always be surreptitiously copying data onto flash drives, or emailing it out. To avoid data leaving your network without authorization, look into DLP (Data Loss Protection), which — often combined with “digital fingerprinting” of data assets — monitors ports and outbound traffic, logging and ideally, blocking.
USE ONLY SECURE MAIL CLIENTS AND SYSTEMS
Keep your operating system, Web browser(s) and browser plugins up to date and configured for high security. (And define and publicize the list of approved email clients and Web browsers among your employees.)
Make sure all Web email account access is secured (“HTTPS” or “SHTTP” should be in the URL). For webmail, use a provider like Gmail that encrypts the entire session, not just the initial login/password exchange.
HAVE ANTI-VIRUS, ANTI-MALWARE & URL/CONTENT FILTERING
This should be done both at the network gateway and on each client machine. Use policy management, e.g., Mobile Device Management (MDM), for mobile devices, to ensure all employee machines are running the required securityware and that all tools and databases are up to date. If your company allows/encourages BYOD, make sure these devices are also in MDM’s control.
STRENGTHEN USER LOGINS
If you’re just using plain old passwords, it’s time to double down and go to two-factor authentication, like an RSA token, or SMS-ing one-time codes to smartphones, etc. And make passwords be stronger (longer and less guessable).
MANDATE MOBILE/OUT-OF-OFFICE SECURITY
When employees are out of the office (away from the company network), consider the following:
- Promote BYOAD — Bring Your Own Approved Device — with devices and services that have Wi-Fi supporting Hotspot 2.0 and Passpoint. And use them, to make authenticating and encrypting more reliable and automatic. For example, the Boingo Wi-Fi hotspot connection service does this, assuming your device supports these technologies, putting you securely online automatically.
- Require employees to use VPNs to connect to company email and other resources. If you’re seriously concerned, have them use VPN for all Internet activity. And of course, provision them with VPN clients and accounts, and make sure they know how to use them — ideally, make VPN the default.
EDUCATE YOUR EMPLOYEES
Write up a reasonably short, concise, clear list of email do’s and don’ts that addresses company policy (e.g. what work email can and can’t be used for) and security concerns. Don’t forget to include policies about accessing personal email through company machines and networks. Review and update this document annually; require employees to read and sign each update.
And, as always, make sure employees are reminded:
- Don’t respond to suspicious-looking or unexpected messages, even from sources you know.
- Don’t open unexpected or suspicious attachments.
- Don’t click on URLs or attachments in email to perform password resets.
- If your email has been hacked — or even if you suspect it but aren’t sure — alert IT immediately, and stop using email until any problem has been resolved.
FINAL THOUGHTS: IF NOT EMAIL, THEN WHAT?
Is it time for companies to stop using email?
Answer: whatever other communication mechanisms you try using instead will have the potential security risks — in particular, everything is vulnerable to user errors.
Plus, the rest of the world uses email. While you might be able to migrate some activity elsewhere, like Twitter, LinkedIn, Facebook, or whatever, you’ve still got to swap messages, including URLs and documents. Create security policies for this, and provide security tools, reporting, audit trails, compliance and more. That way, until some more secure messaging ecosystem comes along, you can work to cover your bases and keep your company’s email secure.
Feeling secure? Take steps now to beef up your information security.