Best practices for enterprise email security

With 90% of cyberattacks now carried out by email it’s never been more important to make sure your email security strategy is fit for purpose

phishing threat
Thinkstock

Last year, 44% of IT professionals in Southeast Asia said email security was their top priority for the coming year.

In a world where 66% of malware is installed by malicious email attachments and a ransomware attack is carried out every 40 seconds, it’s never been more important to ensure your business is up to date with its email security practices.

As the threat landscape continues to expand, allocating the security budget is becoming an increasingly difficult task. Organisations tend to spend big bucks on endpoint and network security solutions but end up neglecting email security, despite the fact 90% of cyberattacks are perpetrated via email.

Phishing continues to be one of the biggest threats facing the enterprise and a successful attack can have dire consequences – remember when hackers used a phishing attack to gain access to emails relating to Hilary Clinton’s Presidential run by getting her campaign chair to hand over his Gmail password?

It can only take one incident of lax email security to bring your organisation to its knees. With that in mind, here are a number of best practices for enterprise email security to help protect your organisation.

Make sure you’re getting the basics right

Like a lot of things in life, email security can be complicated. However, if you’re getting the fundamentals right then the rest of your strategy won’t end up being a headache.

Ultimately, a good email encryption solution needs to be easy for both senders and recipients to use while keeping any personal information that isn’t already in the public domain secure.

Without an effective spam filter, attachment scanning or email encryption, your email security strategy will be a non-starter. It doesn’t matter how much advanced technology you deploy to keep your organisation secure, without these basic tenets you’ll always be vulnerable to email-based cyberattacks.

Identify your weaknesses

Every organisation has blind spots. No matter how big your budget and how many security solutions you invest in, it’s near-impossible to protect every attack vector at all times. Therefore, it’s important you identify these weaknesses and how they could potentially lead to a breach.

Underestimating how vulnerable you are is a sure-fire way to make yourself a target. While buying the latest and greatest security offering isn’t always a viable option, making your employees aware of how your organisation could potentially be breached and what they can do to ensure they don’t let that happen is a much cheaper – and sometimes a more effective – way of keeping your company secure.

Which brings us nicely on to our next point…

Educate your employees

As a CIO, you know the importance of email security. You understand how valuable data is and the consequences of someone outside your organisation getting their hands on it. But do your employees share those values?

Are those working in your HR department aware that they shouldn’t open attachments from email addresses they don’t recognise? Do your finance employees understand the importance of updating their passwords regularly with a unique and complex password that contains upper and lowercase letters, numbers and symbols? Does your sales team know what a phishing scam is and how to spot one?

Because if not, your organisation could be in trouble. The unfortunate reality is that vast most email enabled attacks are a result of human error however, while your employees might be the weak link they are also your first line of defence.

Providing regular and comprehensive security training to your employees will help to minimise threats and stop silly and preventable mistakes that could see you become the victim of a serious data breach.

Don’t forget about mobile

BYOD (Bring Your Own Device) is a practice that has exploded over recent years however, while it might save a company costs, it brings with it a whole host of security problems.

Even when employees have company issued devices they can still be easily compromised. Mobile malware infection rates are dramatically on the rise; with a 250% increase in mobile ransomware attacks reported in 2017.

It’s also a lot easier to lose your mobile device or have it stolen, incidents which could both result in a serious security breach. It’s therefore important that any security strategy your organisation implements takes BYOD policies into accounts and makes safeguarding provisions for mobile devices.

Know your protocol

If the worst should happen and an employee’s email account does become compromised, it’s important that you and your employees know who to notify about any potential breach.

If your company handles personal data relating to citizens inside the European Union, GDPR now means there are very specific steps you need to follow in order to remain compliant with the regulation.

Under GDPR, you have 72 hours to inform the Information Commissioner's Office and contact any customers or third-parties potentially affected.

Internally, you need to let your system administrator aware of what has happened and put a temporary block on all incoming emails in case the malicious email has been sent to multiple employees at your organisation.

It’s then important to look at what went wrong; was the problem a result of employee behaviour or is the email provider your using unable to meet the security requirements of your organisations? Go back over your email security strategy and make sure there’s no gaps that could be making you vulnerable.

It’s important to make sure your email usage policy treads the line between being comprehensive and user-friendly.

There’s no point putting a strategy in place that none of your employees can follow. Once you’ve updated your policy, let your entire organisation know and, if necessary, offer additional training to stop a similar incident happening again in the future.