According to Verizon’s 2019 Data Breach Intelligence Report 94% of malware was delivered via email. There are approximately 306.4 billion emails sent every day in 2020. Email remains one of the most commonly used methods of communication, particularly for businesses.
When incorrectly managed, however, email often serves as the primary entry point for malicious attachments and phishing attempts. Without the appropriate email cybersecurity measures implemented, your business email accounts can be a source of massive vulnerability, giving malicious individuals a potential gateway into your systems and your data.
To help prevent this, this guide will outline six critical email cybersecurity best practices to adopt. These practices will help establish an extra layer of protection and ensure business email continuity in the event of a disaster.
What is email spoofing in cybersecurity?
Email spoofing is a tactic cybercriminals use that involves fabricating an email header to trick a recipient into believing the email originated from a trusted or reputable source. Because basic email protocols do not have a built-in way to authenticate the sender, email spoofing is popularly utilized in spam and phishing campaigns.
By duping the recipient into trusting the origin of the message, individuals are far more likely to open the email without proper consideration. The end goal of email spoofing is to get the victim to open (and sometimes respond to) an email, which may request personal information or include links that automatically install malware on the recipient’s computer.
While most spoofed emails are easily detected and require little else beyond deletion, more malicious email spoofing varieties can lead to serious security risks and issues. As an example, a spoofed email might pretend to be from a popular shopping website, asking the recipient to provide confidential details related to a recent purchase. This might include their password or credit card number. If the spoofing is convincing, these details can then be used to hack the victim’s account or steal money.
One type of spear-phishing attack often used in an attempt to compromise a business email account involves deceiving company employees into believing they have received an email from someone prominent within their company, such as the CEO or CFO. Such emails will usually request a wire transfer or internal system-access credentials.
6 Business email cybersecurity tips
The following tips will help your MSP protect its business email accounts from the threat of email spoofing and other email-borne cyberattacks.
1. IMPLEMENT AN EMAIL SECURITY SOLUTION
If you want to increase the security of your email for your customers and your own business, mail protection and enterprise malware protection tools are a great place to start. Enterprise-grade mail protection solutions reduce the likelihood of human error compromising your business email and can also help protect and detect targeted threats.
When choosing an email security solution, ensure that SPF, DKIM, and DMARC are supported. When used in combination, these three email security protocols make a significant difference in combatting spoofing. It is also important that your mail protection tool allows you to customize filtering rules. The ability to whitelist and blacklist senders can give you peace of mind and helps prevent email-borne threats.
A blacklist helps prevent known spammers or cyberthreats from ever making it into your inbox. With the right tool, your MSP will have the option of creating your own custom blacklist in-house or using a third-party blacklist authority. Lists can be maintained by email address, domain, and IP address/range. A whitelist, on the other hand, is a list of email addresses that are considered to be safe.
2. TRAIN YOUR EMPLOYEES TO INCREASE EMAIL CYBERSECURITY AWARENESS
Cybersecurity awareness training is crucial for every employee at every level of an organization. Whether you’re a small business or a global enterprise, a CEO or a staff assistant, you remain a potential target for cybercrime. As such, it is key that you have an understanding of email-based threats and how to best respond when you believe you have received a malicious email.
If one of your staff members receives a phishing email, they can respond in one of two ways. Either they can engage with the attachment, enabling their device to become infected with malware and potentially resulting in a network breach or ransomware attack—or, they flag the email as junk and send it on to the IT department to keep them informed of potential threats.
As this example demonstrates, effective cybersecurity awareness can be the difference between a breach and an appropriately managed threat. Training should teach employees how to recognize and flag malicious emails to avoid them from bringing harm to your organization. It is important to remember, however, that this training shouldn’t be a one-off. Email scam tactics are evolving every year, so it is crucial that cybersecurity awareness training is regularly updated.
During your training sessions, you should also emphasize the importance of keeping personal and business emails separate, and encourage employees to avoid using their business email accounts for personal purposes (i.e., signing up for online subscriptions). Another email security risk to make your employees aware of is checking business emails from mobile devices. Mobile devices make it challenging to check the headers and where links direct to, which increases the likelihood of a malicious email flying under the radar.
How you choose to deliver email security awareness training is entirely your choice. While some companies prefer face-to-face training, others use computer-based training. Whichever way you decide to train your staff, ensure that training is conducted periodically according to a carefully considered schedule.
3. USE A PASSWORD MANAGEMENT SOLUTION
A password management solution will help you ensure all your passwords are unique, hard to guess, and sufficiently complex. Password management tools are able to generate complex passwords for you and store them securely in an encrypted vault. Vaults are often protected by multi-factor authentication or role-based permissions.
Using strong passwords is a crucial part of protecting your business email accounts. By utilizing complex and unique passwords, you can help ensure only authorized individuals have access to business email. With a password management tool, you can set specific requirements for password complexity, such as the need to combine both upper and lowercase letters, or guidance to avoid using names of family members, pets, or other information that can be easily found on users’ social media profiles.
4. DEVELOP A CYBERSECURITY PLAN
A well-developed, comprehensive cybersecurity plan can help your business avoid—or be prepared to face—many of the risks and threats that lurk online. When creating your cybersecurity plan, ensure email-based threats are included and accounted for. Your plan should include guidelines, policies, recommendations, and requirements regarding the implementation and use of technology, including email communications.
5. USE AN ANTIVIRUS SOLUTION
Antivirus tools can come equipped with a range of features, which often include mail filters and scanning capabilities for websites and files. These utilities make it possible for you to identify many forms of email-based malware and other threats, helping you prevent your network and devices from becoming infected. If possible, set up your antivirus solution to work with your mail proxy/relayer. This will allow your antivirus tool to scan emails and filter out potentially malicious communications, keeping them from being delivered to your employees’ inboxes altogether.
6. PRACTICE CYBERATTACK DRILLS
While having a cybersecurity plan in place is a good starting point, practice makes perfect. In a real-world incident, a strategy is only able to succeed if it can be implemented quickly. It is highly recommended that businesses conduct organization-wide incident-response training. This entails running disaster response drills designed to reduce response time and test the protocols outlined in your cybersecurity plan. For email-based threats, this might include replicating spoofed emails and asking your employees to identify legitimate threats.
Choosing the right mail protection tool
As this guide has demonstrated, one of the best ways to protect your business email from cyberrisks and threats is to implement an enterprise-grade email security solution. SolarWinds® Mail Assure is a cloud-based email security tool designed to help your customers stay in control while providing email protection for both inbound and outbound email.
Mail Assure processes email data from over two million domains, with a 99.999% filtering accuracy to help safeguard users against emerging threats. This tool also offers real-time threat pattern recognition, leveraging a range of filtering technology to include anti-phishing and impersonation protection. Mail Assure offers support for SPF, DKIM, and DMARC email protocols, so you can take every possible measure to prevent email phishing attempts and spoofing emails.
Mail Assure also makes use of enterprise-grade encrypted email archiving to allow you to retrieve an old email when necessary—meaning your customers can avoid data loss. With an unlimited retention period, you can store email for as long as you need.
With its Intelligent Protection & Filtering Engine and machine-learning technology, Mail Assure delivers a highly sophisticated solution that can help you protect users against even the newest emerging email-borne threats. To try it free for 30-days.