What employees should and should not do to avoid targeted email attacks
Even the best cloud-based email security solution can’t catch every malicious email missive. Here’s a list of do’s and don’ts for employees to augment your email security and improve your cyber resilience for email.
- Do be careful with passwords and credentials. Even if you use a secure email provider, users need to protect their privileged credentials. “Weak and recycled passwords are common, something that inherently makes everything less secure,” notes Lee Munson, a security researcher at Comparitech.com in West Kingsdown, UK. Ditto sharing passwords among team members – what this practice gains in convenience it certainly loses in security. Two-factor authentication is a baseline defense. Make it so your staff can’t give away their credentials! Business Impact: Sloppy password management creates an open door for hackers: 80% of security breaches involve privileged credentials, according to The Forrester Wave: Privileged Identity Management, Q3 2016.
- Don’t trust emails, even if they’re from inside. Mimecast research found that business email compromise (BEC) tactics get through enterprise email security solutions seven times more often than email-borne malware. But threats can also come from inside: a bad actor within your organization may use internal phishing to spread an attack. Business Impact: During a three-month period in late 2016, the FBI’s Internet Crime Complaint Center recorded 40,203 BEC incidents globally, costing affected organizations $5.3 billion. Mimecast research shows that 90 percent of global IT security decision makers rank threats on the inside as a major challenge to their organizations’ security, and almost half (45 percent) feel ill-equipped to cope with them.
- Do check URLs “on-click/every click”. We don’t look at – much less closely examine – URLs, which makes us prone to malicious URL phishing. Skillful cyber thugs capitalize on this weakness with typo-squatting (URLs that look correct at a glance) and other sneaky techniques. Your best defense is automated real-time, on-click/every click URL scanning. Business Impact: Cybercriminals are increasing their use of malicious URLs to trick you into giving up credentials or installing malware, which can cost even small companies large amounts of money in recovery costs and downtime.
- Don’t trust attachments. “Clients typically call or email our support desk indicating they were in a hurry and clicked on something they shouldn't have,” says Curtis Partridge, senior systems engineer for Orlando-based Lotus Management Services, Inc. By then, of course, it’s probably too late. That pesky malware or ransomware is already having its way on your network. Remind end-users not to open attachments they’re not sure about. And, of course, use an email security system that applies sophisticated techniques to detect email-borne malware. Business Impact: Data from Verizon’s Data Breach Investigations Report for 2017 shows that two-thirds of cybersecurity breaches result from malicious email attachments.
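As an added illustration of the URL-check point above (example code, not from the original post or from Mimecast), here is the kind of lookalike-domain test an on-click URL check applies: it resolves the domain a link really points to, undoes common homoglyph substitutions, and treats a single typo or letter swap against an allowlisted domain as a lookalike. The allowlist, the homoglyph table and the sample links are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist: domains this organization treats as legitimate (assumption).
TRUSTED_DOMAINS = {"example.com", "example-corp.com"}

# Visual substitutions that make a hostname look correct at a glance.
SINGLE_GLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
MULTI_GLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))

def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplified; a real check consults the public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def normalize(domain: str) -> str:
    """Undo common homoglyph substitutions so 'examp1e.com' compares as 'example.com'."""
    out = domain.translate(SINGLE_GLYPHS)
    for seq, glyph in MULTI_GLYPHS:
        out = out.replace(seq, glyph)
    return out

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance that counts an adjacent transposition ('exmaple') as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain a link really points to."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    if brands & set(host.split(".")):  # trusted brand name used as a label under another domain
        return "lookalike"
    norm = normalize(domain)
    if any(edit_distance(norm, t) <= 1 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"
```

A "lookalike" verdict is a reason to block or warn on the click, not proof of malice; the distance threshold and homoglyph table are deliberately small so false positives stay reviewable.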
One more thing: Annual email safety training doesn’t cut it. Given the volume of emails and types of email-borne attacks end-users encounter, regular training and reminders are required to supplement your security solutions.
All these tactics may seem overwhelming, but you need a lot of email protection to safeguard against savvy cybercriminals who are after your money and data. Learn more about what could be getting through in your employees’ email.