1. First and foremost, provide professional training for the company’s workforce
According to IBM’s Cost of Data Breach Report 2020, the cost of breaches caused by human error stands at an average of $3.8 million.
So, one slip-up is costly when it comes to email security.
No matter what threats the organization is up against, relying on just tools won’t protect assets 100% of the time. You will still have gaps in your security system. And when the system fails, capable employees are the only thing standing between the attacker and your assets, whether it’s sensitive data or funds.
Be absolutely sure the last barrier of defense is performing just as well as other parts of the system by training your workforce.
Security awareness training for your team should be mandatory. Training programs that update workers on email attacks and how to handle them are a priority you need to put on your calendar. Regular simulations and training programs ensure that front-facing users are aware of the ever-evolving cyber threats against the company’s data. They also make sure that employees apply what they’re learning and keep an eye out for malicious emails that land in their inboxes.
2. Use strong, unique passwords
A workforce that uses predictable passwords, like ‘password’ or ‘123456’, is the easiest way to hand over your accounts to attackers. Other predictable passwords, like the names of spouses or birthdays, also aren’t good enough when every piece of our personal lives is easily accessible through social media.
According to Verizon’s 2019 Data Breach Investigation Report (DBIR), 80% of hacking-related breaches are still connected to passwords.
Encourage team members to change their passwords (preferably every 6 months) and to use unique passwords that no attacker can guess. A password that mixes lowercase letters, uppercase letters, numbers, and symbols does the trick most of the time.
You can also use password management software, such as 1Password or LastPass. These platforms automatically generate a random password for each account and store it, so employees only have to remember (and regularly change) one master password.
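The password rules above can be enforced at the point where an account is created or a password is changed. The following is an added example (not code from the original article or from any password manager named in it) of a policy check that rejects short passwords, passwords from a small constructed deny list standing in for a real breached-password corpus, passwords containing personal terms such as a username or spouse’s name, and passwords that use fewer than three character classes.

```python
import re

# Constructed stand-in for a breached-password list; a real deployment
# would check against a large corpus such as a "Have I Been Pwned" export.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# The four character classes the policy asks for.
CHARACTER_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def password_problems(password, personal_terms=(), min_length=12, min_classes=3):
    """Return a list of policy violations; an empty list means the password is acceptable.

    personal_terms is a constructed list of words tied to the user (username,
    spouse's name, birth year) that must not appear inside the password.
    """
    problems = []
    lowered = password.lower()

    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)

    if lowered in COMMON_PASSWORDS:
        problems.append("appears in common-password list")

    for term in personal_terms:
        # Ignore very short terms so that initials do not cause false rejections.
        if len(term) >= 3 and term.lower() in lowered:
            problems.append("contains personal term '%s'" % term)

    present = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
    if present < min_classes:
        problems.append(
            "uses fewer than %d of: lowercase, uppercase, digits, symbols" % min_classes
        )

    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["123456", "Password1!", "alice2024!!Q", "Correct-Horse-Battery-7"]:
        print(candidate, "->", password_problems(candidate, personal_terms=["alice"]) or "OK")
```

The function reports every violation at once rather than stopping at the first, which lets a sign-up form explain to the employee exactly what to change.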
3. Enable two-factor authentication
When strong passwords fail, it’s time to add another layer of security.
By implementing two-factor authentication for all of your end-users, especially for the ones with authorization over your funds and important data, you’re ensuring that every login is intended by someone on your side.
Two-factor authentication comes in two main forms. One sends an OTP (one-time password) to the user’s phone or another messaging service. The other asks the user to confirm the login attempt by answering a prompt on a registered device.
The bottom line is this: Attackers can’t access emails unless they also have the phone or mobile device.
Two-factor authentication ensures that even if a password is compromised, attackers won’t be able to log in since they need proof from two different devices.
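The OTP form described above is usually the time-based one-time password of RFC 6238, built on the HMAC-based OTP of RFC 4226: the server and the authenticator app share a secret, and the code is an HMAC of the current 30-second time step truncated to six digits. The following is an added example (not code from the original article) that implements both functions with the Python standard library and verifies a submitted code while tolerating one time step of clock drift on either side. The shared secret used here is the RFC 4226/6238 test-vector secret, chosen so that the outputs can be checked against the published vectors; a real deployment would generate a random secret per user and store it encrypted.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 of the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, unix_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the number of `step`-second periods since the epoch."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time=None, step=30, window=1):
    """Accept `submitted` if it matches the current step or one within +/- `window` steps.

    The comparison is constant-time so that a network attacker cannot learn
    digits of the expected code from response timing.
    """
    if unix_time is None:
        unix_time = time.time()
    current = int(unix_time) // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, current + delta)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"), used
# only so the results are checkable; never reuse a published secret in production.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(TEST_SECRET, 0))   # 755224 per RFC 4226
    print("TOTP at t=59: ", totp(TEST_SECRET, 59))   # 287082 (counter 1)
    print("verify 287082 at t=59:", verify_totp(TEST_SECRET, "287082", unix_time=59))
    print("verify 000000 at t=59:", verify_totp(TEST_SECRET, "000000", unix_time=59))
```

The verification window is what makes a code that the user typed a few seconds before the step rolled over still valid; keep it small, because every extra step a server accepts is another code an attacker could guess.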
4. Be aware of phishing emails
Phishing emails are emails sent by scammers to mislead employees.
Commonly, attackers use impersonation to trick an employee into downloading malware, filling in sensitive login information on a false website, or even wiring funds to their bank account.
Prepare employees to spot and handle phishing attempts with customized training programs. Training is effective for a while, but recognizing a phishing email in a classroom exercise is different from recognizing one in a busy inbox.
Employees also need to get used to advanced phishing techniques like spear phishing. Sometimes, a phishing email is so convincing that workers still fall for it when scrolling through inboxes.
In addition to security awareness training, you can also do regular phishing simulations to keep employees alert and aware of emails with signs of phishing scams.
5. Do not open unexpected or untrusted email attachments
Email attachments are a common way for malware to infiltrate.
Before opening an attachment, educate employees to ask:
- Am I expecting this attachment?
- Is the sender someone within my organization or someone I can trust?
- Does the format look right for this type of attachment?
- Does the email itself mention anything about an attachment?
When in doubt, do not open an attachment. It’s best to confirm the content of the attachment with the sender, just to make sure that it doesn’t contain anything malicious that can break into the system and leak data.
Better yet, protect your workforce’s inbox by using endpoint email security solutions. These solutions usually include an antivirus to make sure malicious links and attachments have little impact on the company system.
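Two of the questions in the checklist above, whether the format looks right and whether the attachment is the kind of file you expect, can also be answered mechanically at the gateway. The following is an added example (not code from the original article or from any email security product) that parses a message with Python’s standard email module and flags attachments with script or executable extensions, double extensions such as invoice.pdf.exe, and files whose leading bytes do not match their claimed extension (a "PDF" that starts with the Windows executable header MZ). The sample message and its attachments are constructed inline.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions that should never arrive as plain attachments from outside the company.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk", ".iso"}

# Leading bytes ("magic numbers") expected for common document types.
MAGIC = {
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
}


def check_attachment(filename, data):
    """Return a list of findings for one attachment; empty means nothing suspicious."""
    findings = []
    name = filename.lower()
    root, ext = os.path.splitext(name)

    if ext in BLOCKED_EXTENSIONS:
        findings.append("%s: executable/script attachment type %s" % (filename, ext))

    # Double extension such as invoice.pdf.exe: the inner extension is the lure.
    inner_ext = os.path.splitext(root)[1]
    if inner_ext and inner_ext != ext:
        findings.append("%s: double extension (%s%s)" % (filename, inner_ext, ext))

    # Claimed document type whose bytes do not look like that type.
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        findings.append("%s: content does not match %s signature" % (filename, ext))

    # A Windows executable hiding behind a harmless-looking extension.
    if data.startswith(b"MZ") and ext not in BLOCKED_EXTENSIONS:
        findings.append("%s: Windows executable header behind %s extension" % (filename, ext or "no"))

    return findings


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and check every attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        findings.extend(check_attachment(filename, data))
    return findings


def build_sample_message():
    """Constructed sample: one genuine PDF, one executable renamed .pdf, one double extension."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00 sample", maintype="application", subtype="pdf", filename="statement.pdf")
    msg.add_attachment(b"MZ\x90\x00 sample", maintype="application", subtype="octet-stream", filename="report.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
```

On the constructed message the genuine invoice passes, while the other two attachments produce two findings each. Checking the first bytes is a cheap test, not a substitute for the antivirus scanning the article recommends, but it catches the common trick of renaming an executable to look like a document.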
6. Do not allow employees to use company email for personal reasons
Minimize the opportunity for cybercriminals to get into the company system by making sure that business accounts (and networks) are only used for business.
Allowing employees to use their business email account for personal reasons, such as sending a personal email, shopping online, or signing up for services, opens the organization up to more risks.
Likewise, prevent employees from sending business emails through a personal account. The company data is at risk if someone hacks a personal email account.
You might get some questions from employees here, since mixing email accounts is so convenient. Explain why the rule is in place through regular cybersecurity awareness training so that this rule makes sense to your employees.
7. Use a spam filter
Spam filters usually come built into your email service provider, such as Gmail or Outlook, and your secure email gateway. They keep spam out of the inbox so that only emails relevant to the business are seen.
Spammers may also send malware, ransomware, or suspicious links, so it’s best to weed them out before users see them. According to Statista, roughly 306.4 billion emails were sent per day in 2020, and in September 2020 almost half of all email traffic (43%, to be exact) was spam.
Spam filters make inboxes less overwhelming. Without a landslide of spam to face, employees will also be more focused when navigating inboxes and more alert to suspicious activities.
Note: If you do open a spam email, do not click the unsubscribe link in it. That link is often just another way for the sender to get into your inbox.
8. Periodically review and update your security and privacy settings
Cybersecurity is a field that’s continuously evolving. New cyberattacks keep rolling out and new security measures are developed to solve them.
It’s important to keep the organization’s system, policies, and employees updated on the threats, vulnerabilities, and risks.
Create a regular schedule to make sure that there are no suspicious activities on employees’ accounts, such as unauthorized logins. Update settings to tailor the configuration to the current threats to your organization.
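The periodic review of accounts for unauthorized logins can be scripted against the sign-in audit log most email providers export. The following is an added example (not code from the original article) that runs two simple checks over constructed sample log lines: a successful login from a source address the account has never used before, and a success that follows a burst of failures from the same address, which is the pattern a guessed or sprayed password leaves behind. The log format and the per-user baseline of known source addresses are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample audit lines in an assumed format: timestamp user source_ip result
SAMPLE_LOG = """\
2024-05-01T08:02:11Z alice 203.0.113.5 SUCCESS
2024-05-01T08:40:30Z bob 198.51.100.7 SUCCESS
2024-05-02T03:12:01Z alice 192.0.2.44 FAILURE
2024-05-02T03:12:09Z alice 192.0.2.44 FAILURE
2024-05-02T03:12:20Z alice 192.0.2.44 FAILURE
2024-05-02T03:12:31Z alice 192.0.2.44 SUCCESS
2024-05-02T09:00:00Z bob 198.51.100.7 SUCCESS
"""

# Constructed baseline: source addresses each account has logged in from before.
KNOWN_SOURCES = {
    "alice": {"203.0.113.5"},
    "bob": {"198.51.100.7"},
}


def parse_line(line):
    """Split one audit line into its fields."""
    timestamp, user, ip, result = line.split()
    return {"ts": timestamp, "user": user, "ip": ip, "result": result}


def review_logins(log_text, known_sources, failure_threshold=3):
    """Return alert strings for successes from unseen sources or after repeated failures."""
    alerts = []
    # Consecutive failures per (user, source) since the last success from that pair.
    recent_failures = defaultdict(int)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        key = (event["user"], event["ip"])

        if event["result"] == "FAILURE":
            recent_failures[key] += 1
            continue

        # A success: compare against the baseline and the failure counter.
        if event["ip"] not in known_sources.get(event["user"], set()):
            alerts.append("%s %s: success from unseen source %s" % (event["ts"], event["user"], event["ip"]))
        if recent_failures[key] >= failure_threshold:
            alerts.append(
                "%s %s: success after %d failures from %s"
                % (event["ts"], event["user"], recent_failures[key], event["ip"])
            )
        recent_failures[key] = 0

    return alerts


if __name__ == "__main__":
    for alert in review_logins(SAMPLE_LOG, KNOWN_SOURCES):
        print(alert)
```

On the sample log only alice’s 03:12:31 login is flagged, once for the new source address and once for the three failures before it. Such a review is what turns the "regular schedule" above into something concrete: run it, ask the user about any flagged login, and add confirmed-legitimate addresses to the baseline.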