Email Security Best Practices Guide
Updated October 2018
We have broken down some of the most important factors and best practices that we believe good Email Security consists of.
These are (in no particular order):
- 2 Factor Authentication
- Phishing Training
- Outbound Filtering
This rough guide will hopefully give both IT Administrators and Commercial Leaders the confidence and insight into what should really be in place to protect the number 1 attack vector for all businesses today.
Passwords – the oldest trick in the book
Passwords are one of the most important factors in keeping your email information safe. A good strong password is the first level of defence against a security breach.
Don’t use generic passwords. Things like CompanyName123 and FirstLastname! aren’t secure – especially when it comes to admin level accounts. Here’s a nice little comic that we reference to make strong passwords for ourselves.
Platform – Hosted Exchange Services or On-prem?
Many companies still have email hosted in on-premises environments, and whilst there is no “one-size-fits-all” approach, we generally recommend hosted environments such as Microsoft Office 365 for many of our customers: they remove the maintenance overhead associated with running your own environment and are typically more secure by design.
Factor in the benefits of having Microsoft’s weight behind the service-level support, and an email service that doesn’t rely on your connectivity or infrastructure and is redundant across multiple EU datacentres, and Hosted Exchange services typically become very compelling to consider.
Here are some of the top benefits of moving your clients to a Hosted Exchange service.
With a service like Office 365, Microsoft support the service layer, and as such issues are resolved relatively quickly, reducing costs on labour and maintenance for your Internal IT team or MSP.
Disasters can have a significant financial impact on small businesses, and most simply will not spend out on redundant connections. When their system goes down, they rely on either their Internal IT Team or their MSP to bring them back online. A Hosted Exchange service can continue to provide email services no matter what is impacting your client: they can use their smartphone or take their laptop to the nearest Wi-Fi hotspot and carry on with their business.
Storage and Archiving
Additionally, Hosted Exchange Services come with large mailboxes, archiving and even Legal Hold facilities for professional service providers such as Lawyers and Accountants.
While user counts are predictable, storage requirements can grow exponentially, and email systems are always attempting to meet an ever-increasing demand. Network storage space is costly, and backups must be provided to restore all the data. Hosted Exchange service providers offer hosted archiving for a small additional charge, without you having to worry about storage capacity or additional servers to handle the growing email archive.
2 Factor Authentication – what, how and why?
Critical email accounts should ideally always be protected by 2 factor authentication. Most modern online services take your security extremely seriously and have taken the necessary measures to make sure your information stays protected using 2 factor authentication. If you bank online, you will already have used an equivalent.
For a hosted exchange environment like Office 365, Microsoft allow users to configure 2FA for specific accounts.
In the best-case scenario, protect all accounts. When this isn’t feasible, we suggest ensuring that any accounts that deal with finance, billing, HR and other sensitive data, and of course directors’ accounts, have this in place as a minimum.
You can set 2FA up with Microsoft Authenticator or if you are using a platform like G-Suite, then Google Authenticator will be the best option.
However, for these online security protocols to be 100% effective, it’s crucial that you’ve taken your
Encryption – Use Encryption to protect sensitive emails
With the introduction of GDPR back in May 2018, email encryption has been a hot topic for organisations that are thinking about how to best protect the data they are sending both internally and externally.
Most people think of the process of encrypting emails with a very simple metaphor – a secret agent writing a message in code, perhaps. This is accurate, but only paints part of the picture. Most enterprise grade email encryption solutions actually work on three distinct levels. The first one is actually encrypting the message itself – the spy writing in code, in our example.
Then, the solution must encrypt the connection between your computer and the server actually sending the mail. This ensures that the mail actually gets to the mail server, and then to the final recipient you intended it for, instead of being hijacked and passed along to an intruder. Using the spy metaphor, you can compare this to having a secret and secure location to exchange information with your sources.
Finally, the encryption solution needs to make sure that the copy stored locally on your computer or in your cloud mailbox is also encrypted and secure. This is like making sure you keep your spy orders in a locked briefcase at all times. An encryption solution that does just one or two of these three things leaves you with a massive vulnerability, and can actually be more dangerous than no encryption at all, since it can lead to a false sense of security.
If you’ve decided that email encryption may be right for your company, the next step is to choose the type of encryption and encryption method you’ll be using. Keeping your email encrypted between your computer and the email server is fairly straightforward – most email providers now do so for you. To verify, check your URL bar (if you use webmail) for the “https” prefix in the address.
If you use Outlook or a similar program, you often have the option of choosing to use TLS/SSL when communicating with the server. This is a secure protocol that makes sure your messages aren’t tampered with en-route to their destination. If you’ve decided that email encryption is a must-have feature, but your current mail service provider doesn’t support “https” in webmail or SSL/TLS, consider switching mail providers.
The next step is to secure the message itself. This is where things start to get a little bit complicated. The first thing you will need is a security certificate. This certificate, given out by a company or organisation that is trusted as a source of identity verification, is like your digital fingerprint. It tells everyone who sees it that you are, in fact, you. To do so, though, the people you are communicating with need your public key. This is like your ID card that can be matched up to your fingerprints to verify your identity.
The downside of this process is that you have to make sure that everyone you message has a copy of your public key ahead of time so that they can verify your identity and decrypt the message. The alternative is to use one of the many available software solutions that automate much of the process. That also comes with downsides, though – you have to put your trust in a third party, and many of these software solutions still require some extra action on the part of the recipient (such as verifying their identity, signing up for a membership, or other such actions).
Finally, you have to make sure that your archived messages are adequately protected. If you use a webmail client, you are stuck with whatever protection the mail service provider gives you. Fortunately, this is usually quite good. Mail service providers have long ago learned that getting caught being hacked is very bad for business. If you have a self-hosted server or you use an email client like Outlook, though, you have some options. The simplest is to encrypt your entire hard drive.
This method is simple and reliable. However, you have to make a trade-off between security and usability – the stronger the encryption methods and protocols, the slower data access (and your computer) becomes. The better option is to encrypt just the location of the stored/archived email. This gives you the best compromise between strong security and functionality. And don’t forget, encrypting your laptop does little good if you have all your emails also stored on your un-encrypted mobile phone.
Attachments – Trust issues & Scanning for threats
Always make sure to scan all attachments with a good antivirus program before opening them, and be especially wary of zipped attachments, unusual file types, and Office documents with macros. Scammers use all of these tactics to install malicious software on your machine.
We typically recommend solutions that scan emails at both the Service Level (e.g. Hosted Exchange) and then at the Client Level (e.g. Outlook).
Any modern Antivirus software will take care of this from the Client Side, and many Hosted Services have some form of Antivirus Scanning capability, but all too often we see a company with a system that is simply insecure, or that lacks even these basic functions.
Whilst services such as Office 365 offer native protection, most businesses would benefit from the enhanced security offered by specialist products such as Edge Email Security, which is deployed easily and works seamlessly with all major email platforms.
Training – Anti-phishing & Email Security Training for employees
Phishing, also known as “brand spoofing” or “carding”, is a term used to describe various scams that use (primarily) fraudulent e-mail messages, sent by criminals, to trick you into divulging personal information.
Criminals use this information to steal your identity, rob your bank account, or take over your computer or even email account, sending fake invoices on your organisation’s behalf!
Counterfeit web sites, using “hijacked” company brands and logos, are created to lure you into revealing information you would not want to be public knowledge. These digital thugs are “phishing” for any data they can obtain to prey on people and further their criminal activities.
Even the most experienced internet user can be duped into entering information based on a targeted phishing email. Often phishing emails are sent to a small number of users in order to avoid detection. This is why protection at click-time is so important in today’s “email to web” communication world, and it is offered by high-level email security products.
However even the best cloud-based email security solution can’t catch every malicious email missive. It’s important to educate your staff as to the fundamental signs that an email may not be entirely legitimate.
Even if you use a secure email provider, users need to protect their privileged credentials. “Weak and recycled passwords are common, something that inherently makes everything less secure,” notes Lee Munson, a security researcher at Comparitech.com in West Kingsdown, UK.
Don’t allow sharing passwords among team members – what this practice gains in convenience it certainly loses in security. Two-factor authentication (2FA) is a baseline defence, as we mentioned earlier in this post. Make it so your staff can’t give away their credentials! Business Impact: Sloppy password management creates an open door for hackers: 80% of security breaches involve privileged credentials, according to The Forrester Wave: Privileged Identity Management, Q3 2016.
Don’t trust emails, even if they’re from inside. Research found that business email compromise (BEC) tactics get through enterprise email security solutions 7 times more than email-borne malware. But threats can also come from inside: a bad actor within your organisation may use internal phishing to spread an attack. Business Impact: During a three-month period in late 2016, the FBI’s Internet Crime Complaint Center recorded 40,203 BEC incidents globally, costing affected organisations $5.3 billion. Mimecast research shows that 90 percent of global IT security decision makers rank threats on the inside as a major challenge to their organisations’ security, and almost half (45 percent) feel ill-equipped to cope with them.
Check URLs “on-click/every click”. We don’t look at – much less closely examine – URLs, which makes us prone to malicious URL phishing. Skillful cyber thugs capitalise on this weakness with typo-squatting (URLs that look correct at a glance) and other sneaky techniques. Your best defence is automated real-time, on-click/every click URL scanning. Business Impact: Cybercriminals are increasing their use of malicious URLs to trick you into giving up credentials or installing malware, which can cost even small companies large amounts of money in recovery costs and downtime.
Solutions from providers like Proofpoint include URL Defence mechanisms that can scan the link at the time of entry and again when the user clicks on it. This helps mitigate spear-phishing attacks: sophisticated attacks involving initially “clean” links. Speak to your current provider to see if
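To make the “on-click/every click” URL check concrete, here is an added example (not the guide’s or any vendor’s code) of the kind of lookalike-link analysis a gateway performs before allowing a click through. The trusted-domain list, the two-label “registrable domain” shortcut and the edit-distance threshold are all assumptions chosen for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation trusts; a real gateway would
# load this (and a proper public-suffix list) from configuration.
TRUSTED_DOMAINS = {"office.com", "microsoft.com", "google.com"}

def registrable(host: str) -> str:
    """Last two labels of a hostname. Simplification: ignores suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(display_text: str, href: str) -> list:
    """Reasons to warn on or block a link at click time; an empty list means no finding."""
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return ["href has no hostname"]
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return []  # a trusted domain or one of its subdomains
    findings = []
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised (punycode) hostname")
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        # e.g. office.com.example-login.net: a trusted brand as a subdomain of something else
        if re.search(rf"(^|[.-]){re.escape(brand)}([.-]|$)", host):
            findings.append(f"trusted brand '{brand}' used under untrusted domain {reg}")
        if edit_distance(reg, trusted) <= 2:
            findings.append(f"{reg} is within 2 edits of {trusted}")
    # Visible link text that names a different domain from the real destination
    shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", display_text.lower())
    if shown and registrable(shown.group(0)) != reg:
        findings.append(f"link text shows {shown.group(0)} but href goes to {reg}")
    return findings
```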
All these tactics may seem overwhelming, but you need a lot of email protection to safeguard against savvy cybercriminals that are after your money and data. Learn more about what could be getting through in your employees’ email.
Outbound Filtering – Do you really have visibility?
The general focus of email security in the media today is on inbound email threats: phishing, ransomware attacks and of course spoofing. Email administrators often overlook the significance of outbound email misuse and the trouble it can cause an organisation.
To give you an example, let’s assume your environment was compromised a few months ago when an employee entered their details into a phishing email. The “bad actor” now has complete access to that employee’s mailbox and uses it to send one of your clients an email. The email is sent from your company email address and it’s loaded with viruses. Would you have visibility of this? How would you discover it? Is there anything in place that could stop such an attack?
Good email security solutions offer outbound content analysis that is designed to protect your business against exactly this type of attack and to safeguard its reputation. They can scan all outbound messages and attachments, including those from whitelisted senders, and then trigger a notification to the sender when an outbound message is blocked by attachment content filtering.
You should look for solutions that fully integrate with G-Suite, Office 365 or any on-premise mail server to add vital outbound data loss prevention and reputation analysis.
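As an added example (not the guide’s or any product’s code) covering both the attachment advice above and this outbound content filtering, the following Python inspects every attachment of a message, looks one level inside zip archives, flags macro-enabled Office files and executables hiding behind a harmless extension, and builds the sender notification for a held outbound message. The blocked-type lists and the sample message are constructed for the example.

```python
import io, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed policy: the attachment types the text singles out as high risk.
BLOCKED_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".ps1", ".hta"}
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm"}

def inspect_payload(name: str, data: bytes, depth: int = 0) -> list:
    """Reasons to block one attachment; looks one level into zip archives, no deeper."""
    name = name or "(unnamed)"
    ext = name.lower()[name.rfind("."):] if "." in name else ""
    reasons = []
    if ext in BLOCKED_EXT:
        reasons.append(f"{name}: blocked file type {ext}")
    elif data[:2] == b"MZ":  # PE header behind a harmless-looking extension
        reasons.append(f"{name}: Windows executable disguised as '{ext}'")
    if ext in MACRO_EXT:
        reasons.append(f"{name}: macro-enabled Office document")
    if depth == 0 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    inner = inspect_payload(info.filename, zf.read(info), depth + 1)
                    reasons += [f"{name} -> {r}" for r in inner]
    return reasons

def hold_outbound(raw: bytes):
    """Inspect every attachment of a raw outbound message (allow-listed senders included);
    return the notification for the sender if the message must be held, else None."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = [r for part in msg.iter_attachments()
               for r in inspect_payload(part.get_filename(), part.get_payload(decode=True) or b"")]
    if not reasons:
        return None
    notice = EmailMessage()
    notice["To"], notice["Subject"] = str(msg["From"]), f"Held: {msg['Subject']}"
    notice.set_content("Your message was not delivered. Reasons:\n" + "\n".join(reasons))
    return notice

def build_sample() -> bytes:
    """Constructed outbound message: an 'invoice' zip hiding an executable plus a fake PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 30)
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "finance@example.com", "client@example.net", "Invoice 1042"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="application", subtype="pdf", filename="statement.pdf")
    return bytes(msg)
```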
Continuity – What happens if it all goes down?
So, all your data is backed up, but what happens if that Exchange Server goes down, or indeed the Hosted Exchange Service that you so heavily rely upon has an outage (and it does happen!). Then what?
Most small and medium-sized businesses simply must wait for services to be restored by the provider or IT Team that is administering the server. For many companies this is not a big cost or issue and is perfectly acceptable; for others, however, it is considered extremely costly from a time, resources, lost revenue and reputational damage perspective.
If you are prepared to accept up to a day’s down-time, then a service like Office 365 should hold up well. But if this is deemed unacceptable then email continuity should be high on your Disaster Recovery Plan and priority list.
Again, there are several good solutions that can be put in place to protect against email downtime. It’s important to assess the business impact of downtime against both existing and future projects. Restoration times, failover and monitoring should also all be evaluated in line with the considerations above.