Email protection is one of the most important security issues facing businesses today. Here is a guest post by one of our Senior Engineers, Andrew Young. Andrew works every day to build out top-notch security for our clients. This article is a long read, but your security is worth the investment.
Email has become one of the most important applications for nearly every business on the planet. Companies spend enormous resources every year maintaining, and training staff on, their critical line-of-business applications, but they often neglect email, viewing it as just another communication tool. Yet few things frustrate and annoy users as much as a flood of email spam and attacks. This whitepaper explores some ways to keep your email safe and secure.
Spam and Virus Filtering
When someone mentions email security, the first thing most people think of is spam. Spam has been around nearly as long as email itself, and it is unthinkable for a company to lack basic spam protection in 2017. Blocking spam is no longer enough, though. Scammers have moved on from trying to sell you a fake Rolex; what they really want is your personal information, your passwords, or a foothold inside your network. These malicious emails are convincing, and it can take a user some time to pick them out from a sea of benign messages.
Combating this growing landscape of malicious email requires more sophisticated spam and virus filtering, such as that offered by Mimecast. Such a system must not only block obvious bulk spam but also keep up with the newest techniques used to evade spam detection. It should block attachment types that can execute code outright, scan the remaining attachments for malware, and detonate suspicious ones in a sandbox to confirm they are harmless. The best email filtering systems also protect against phishing, which makes up a growing share of all malicious email.
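As an added example of the attachment checks described above (not code from the original article or from Mimecast), the following Python applies an extension deny-list and content sniffing to a constructed inbound message. The extension list, the magic-byte table and the sample message are assumptions made for the example.

```python
"""Attachment policy for inbound mail (added example, not Mimecast's code).

Two checks a filtering gateway applies to every attachment:
  1. a deny-list of extensions that run as code on a typical Windows
     desktop, applied to every extension in the name so that
     "invoice.pdf.exe" and "notes.txt.js" are both caught;
  2. content sniffing: the file's leading bytes are compared with what the
     name claims, so an executable renamed to ".pdf" is still refused.
The lists are a constructed subset; production gateways use far longer ones.
"""
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "wsh", "hta", "msi", "ps1", "lnk", "jar",
}

# Leading-byte signatures for content sniffing (constructed subset).
MAGIC = {
    b"MZ": "exe",                 # Windows PE executable
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",         # also docx/xlsx/pptx, which are zip containers
    b"\xd0\xcf\x11\xe0": "ole",   # legacy .doc/.xls, may carry macros
}


def sniff(data: bytes) -> str:
    """Classify data by its leading bytes; 'unknown' when no signature matches."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def check_attachment(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (allowed, reason) for one attachment."""
    exts = filename.lower().split(".")[1:]
    for ext in exts:                      # every extension, not just the last
        if ext in BLOCKED_EXTENSIONS:
            return False, f"blocked extension .{ext} in {filename!r}"
    declared = exts[-1] if exts else ""
    actual = sniff(data)
    if actual == "exe":
        return False, f"{filename!r} starts with an MZ header: it is a Windows executable"
    if declared == "pdf" and actual != "pdf":
        return False, f"{filename!r} claims to be a PDF but its content is {actual}"
    return True, "ok"


def scan_message(raw: bytes) -> list[tuple[str, bool, str]]:
    """Parse a raw message and apply the policy to each attachment, in order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        allowed, reason = check_attachment(name, data)
        results.append((name, allowed, reason))
    return results


def build_sample() -> bytes:
    """Constructed inbound message: a real PDF stub, a renamed executable, a script."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4\n%constructed stub\n",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00constructed stub",
                       maintype="application", subtype="pdf", filename="statement.pdf")
    msg.add_attachment("WScript.Echo 1", filename="notes.txt.js")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, allowed, reason in scan_message(build_sample()):
        print("ALLOW" if allowed else "BLOCK", name, reason)
```

Running the block allows `invoice.pdf`, blocks `statement.pdf` because its bytes are a Windows executable whatever the name says, and blocks `notes.txt.js` on its final extension. A real gateway layers an antivirus scan and sandbox detonation on top of these cheap structural checks; they are the first filter, not the only one.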
Phishing is the practice of sending emails that purport to come from a reputable company in order to convince the recipient to reveal personal information such as passwords and credit card numbers. A phishing email works like a con man: he does not make it obvious that he is trying to swindle you. He just wants you to hand over some useful information that he can use later to steal from you. Phishing emails often look harmless on the surface, but there is usually a sinister plot underneath.
In recent years, more targeted forms of phishing have appeared. Spear phishing is phishing in which the email appears to come from a known or trusted sender. For example, you receive an email from someone you occasionally work with at another company, asking for some account information about a mutual client. The email is really from a scammer who happened to know that your companies work together and that you share that customer; your own website may well make that relationship public. He is after any information that helps him compromise one or more of the companies involved, and these attacks usually end in fraud, theft, or even blackmail.
Another variant is whale phishing, or whaling, which targets or impersonates high-value individuals, often the owners or CEOs of companies. A common form is for the company's accountant to receive an email, apparently from the boss, asking for an immediate wire transfer. The initial email names no payee, and often no amount either. What the scammer wants is for the recipient to reply asking for further direction; at that point the victim has been "hooked". A few emails back and forth are often all it takes for the scammer either to receive the money or to learn enough to adjust the attack and try it elsewhere. The reliable countermeasure is procedural: any request to move money or change payment details is confirmed by phone on a number already on file, never by replying to the email.
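The impersonation tricks behind the spear phishing and whaling scenarios above can be turned into concrete checks. As an added example, not the original article's or any vendor's code, the following Python scores a message for a borrowed display name, a Reply-To the attacker controls, a lookalike sending domain, and urgent money-movement language. The directory of known senders, the trusted domains and the two sample messages are constructed for the example.

```python
"""Sender-impersonation heuristics for spear phishing and CEO fraud.

Added example, not Mimecast's or any vendor's logic. Each check maps to one
trick described in the text: a borrowed display name, a reply address the
scammer controls, a lookalike domain, and an urgent request to move money.
The directory and trusted domains are constructed for the example.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed directory of people whose names an attacker would borrow.
KNOWN_SENDERS = {
    "Pat Morgan": "pat.morgan@example.com",          # the CEO
    "Chris Lee": "chris.lee@partner-example.com",    # contact at a partner firm
}
TRUSTED_DOMAINS = {"example.com", "partner-example.com"}

# Money-movement vocabulary followed by urgency, anywhere in the body.
URGENT_WIRE = re.compile(
    r"\b(wire|transfer|payment)\b.*\b(today|asap|immediately|urgent)\b", re.I | re.S)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is the usual lookalike budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: bytes) -> list:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(addr)
    findings = []

    # 1. Display name of a known person paired with a different address.
    expected = KNOWN_SENDERS.get(name.strip())
    if expected and expected.lower() != addr.lower():
        findings.append(f"display name {name!r} belongs to {expected}, not {addr}")

    # 2. Replies would go to a domain other than the apparent sender's.
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}")

    # 3. Sending domain is one or two edits away from a domain we trust.
    if from_dom not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if 0 < edit_distance(from_dom, trusted) <= 2:
                findings.append(f"From domain {from_dom} is a lookalike of {trusted}")

    # 4. The classic opening move of CEO fraud: urgent, vague, about money.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if URGENT_WIRE.search(text):
        findings.append("urgent request to move money in body")
    return findings


# Constructed samples: one CEO-fraud attempt and one ordinary partner email.
CEO_FRAUD = b"""From: Pat Morgan <pat.morgan@examp1e.com>
Reply-To: Pat Morgan <pm.office@mail-example.org>
To: accounts@example.com
Subject: Quick favour
Content-Type: text/plain; charset=utf-8

Are you at your desk? I need a wire transfer sent today. Reply and I will send the details.
"""

LEGIT = b"""From: Chris Lee <chris.lee@partner-example.com>
To: pat.morgan@example.com
Subject: Revised quote
Content-Type: text/plain; charset=utf-8

Attached is the revised quote we discussed for next quarter.
"""

if __name__ == "__main__":
    for label, raw in (("CEO fraud", CEO_FRAUD), ("legitimate", LEGIT)):
        print(label, score_message(raw))
```

The fraud sample trips all four indicators before anyone has typed a payee or an amount, which is the point: the tell-tale signs are in the headers and the phrasing of the opening email, not in the transaction. No single indicator is conclusive (a legitimate sender can use a different Reply-To), so a gateway would weight these rather than block on any one of them.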
Training and Policies
Even the most sophisticated email and virus filtering systems are not foolproof; it takes them at least some time to adapt to each new kind of malicious email. The last line of defense is therefore the user. The best way to empower users is to train them to identify fraudulent emails and to understand the important role they play in your company's email security. Such training should be part of new employee onboarding, with regular refresher sessions afterwards. In the past this meant a classroom full of disinterested people, but there are now many on-demand video training services that let users learn at their own pace, which also avoids the scheduling difficulties of group training.
Email security training should be part of an overall company security policy that includes guidelines on the use of company email, reviewed regularly with all employees. It is also becoming more common for companies to block access to personal email from the corporate network. This keeps users from opening emails that never passed through your corporate spam and email filtering.
Even without such a policy, train users to avoid accessing their personal email at work. Chances are good that their personal email is nowhere near as well protected as your corporate email.
So far we have only covered precautions for email you receive. Companies also need to be careful about the email that leaves their organization. Sometimes the goal is simply to keep the contents confidential, so that an unauthorized party cannot intercept and read them; the usual answer is to encrypt the email. Other times the goal is to prevent certain content from ever leaving the organization at all. This is called Data Loss Prevention, or DLP.
Encryption
Encryption has become a household word in recent years. An encryption scheme transforms a message with an algorithm (the cipher) and a secret key, so that only someone holding the right key can turn the ciphertext back into the original message. The security rests on the key, not on the cipher being secret: the algorithms in everyday use are published and widely studied, and a product whose safety depends on hiding its method is a warning sign. For email there are two layers to think about. Transport encryption (TLS between mail servers) protects a message only while it travels between two servers; message encryption such as S/MIME or PGP protects the content itself, so it stays unreadable on any server or in any mailbox that lacks the recipient's key. Many companies today offer email encryption as a service, including Mimecast.
Data Loss Prevention
Data Loss Prevention is a strategy (or a service) for making sure that users do not send sensitive information outside your network. Sensitive data includes PII (Personally Identifiable Information), financial information, and trade secrets. DLP products monitor, detect, and block sensitive data in use, in motion, and at rest; for email, that means inspecting messages at the perimeter of the network and stopping the ones that violate rules or policies the company defines. For example, a company may wish to block Social Security Numbers from being emailed, so it enables a policy in its DLP service that blocks anything that looks like an SSN. That way, if a user inadvertently sends an email containing one, it is stopped before it leaves the network. Because a bare pattern also matches invoice and part numbers, a usable policy validates each match rather than blocking blindly; otherwise users learn to work around it.
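The SSN policy above, as an added example rather than any DLP product's implementation: the following Python validates each match against the Social Security Administration's structural rules before deciding, and then applies a constructed policy that goes slightly beyond the text's block-everything rule, letting SSNs stay internal, travel encrypted to a named partner domain, and go nowhere else. The domains and the sample message body are assumptions made for the example.

```python
r"""Outbound DLP rule for US Social Security Numbers (added example, not a
vendor's implementation).

A bare pattern such as \d{3}-\d{2}-\d{4} also matches part and ticket
numbers. The SSA never issues numbers whose area is 000, 666 or 900-999,
whose group is 00 or whose serial is 0000, so a match that fails those
rules is dropped instead of blocking the email. The internal and partner
domains are constructed for the example.
"""
import re
from dataclasses import dataclass, field

# Three groups with optional dash or space separators, not embedded in a
# longer run of digits or dashes (so 123-45-67890 is not a hit).
SSN_CANDIDATE = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")

INTERNAL_DOMAIN = "example.com"                 # constructed
PARTNER_DOMAINS = {"partner-example.com"}       # may receive PII, but only encrypted


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules the SSA applies when issuing numbers."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def find_ssns(text: str) -> list:
    """Return every SSN-looking string in text that passes structural validation."""
    return [m.group(0) for m in SSN_CANDIDATE.finditer(text) if is_valid_ssn(*m.groups())]


@dataclass
class Verdict:
    action: str                                   # "allow", "encrypt" or "block"
    findings: list = field(default_factory=list)  # the matches that drove the decision


def evaluate_outbound(recipients: list, body: str) -> Verdict:
    """Policy: SSNs may stay internal, go encrypted to partners, and never elsewhere."""
    ssns = find_ssns(body)
    if not ssns:
        return Verdict("allow")
    domains = {r.rsplit("@", 1)[-1].lower() for r in recipients}
    external = domains - {INTERNAL_DOMAIN}
    if external - PARTNER_DOMAINS:        # any recipient outside company and partners
        return Verdict("block", ssns)
    if external:                          # partner only: deliver, but encrypted
        return Verdict("encrypt", ssns)
    return Verdict("allow", ssns)


# Constructed outbound body: one structurally valid SSN plus two look-alikes
# that the validation rules reject.
BODY = """Hi Chris,
The new hire's SSN for the benefits form is 078-05-1120.
Unrelated: part number 900-12-3456 and ticket 000-11-2222.
Thanks"""

if __name__ == "__main__":
    for rcpt in ("hr@example.com", "chris.lee@partner-example.com", "someone@webmail-example.net"):
        verdict = evaluate_outbound([rcpt], BODY)
        print(rcpt, verdict.action, verdict.findings)
```

The same body is allowed to HR, sent encrypted to the partner contact, and blocked to an outside mailbox, and only the one genuine-looking number counts as a finding; the two invalid patterns never reach the decision. Tightening the policy to "block all" is a one-line change, but the validation step is what keeps the rule from firing on every invoice.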
P.S. Entrust has been protecting San Antonio companies and supporting their IT needs for 25 years. We have helped hundreds of organizations make IT work, make IT better, and make IT safe. What can we do for you?
Learn more at: www.entrust.us.com
Contact us at: [email protected]
Call us at: 866-863-4738