Email Security Best Practices

Rising incidents of email scams, phishing attempts, ransomware, and compromised accounts have made it more important than ever to protect your email against ongoing and newly emerging threats.

Almost every business relies on email to some degree. From communication with employees and clients to marketing and billing, email is one of the most important tools businesses use and has also become a prime target for cyber-criminals.

So how do we keep our email communications safe from these threats? We will go over (4) email security best practices that will help strengthen your defenses against malicious actors looking to take advantage of your business.

Password Specifics

Having a good password is one of the best defenses against unauthorized usage. By implementing strong password guidelines and policies, it will help set a standard in your business and prevent accounts from being compromised by brute force attacks and other means.

Some general password guidelines include:

• Create strong passwords. The NIST has recently updated their password guidelines with new recommendations.
• Don’t reuse passwords across accounts.
• Don’t share passwords with other employees.
• Don’t write down passwords. Use password managers instead.

Multi-factor Authentication

Another way to secure your email is to have Multi-Factor Authentication enabled. Multi-Factor Authentication, or MFA, is a technology that requires the user to verify their identity with their password in other ways. For example, a user that signs in with their password would also be instructed to put in a number they received via text or an authenticator app on their phone or PC.

MFA is a great way to secure your email. Even if a malicious actor has your email password, it will require them to have the number only you would have access to. Some examples of these MFA tools include the Microsoft Authenticator App, Google Authenticator App, Duo Security, and Authy. There are many different authenticators available and ultimately, the decision is up to the individual or IT department.

Spam Filtering / Gateway Defense

Every business should be utilizing spam filtering or perimeter/gateway defense. An email gateway will act as your first line of defense against threats and stops most before they ever reach your inbox. They scan incoming and outgoing emails for threats including viruses, phishing attempts, and spoofing.

Other advantages of email scanning include stopping spam before it reaches your employees inboxes. This helps save your employees time from being wasted going through hundreds of spam emails and allowing them to focus on other tasks at work.

Some gateway defenses will also provide a 24×7 emergency inbox to users when the normal email environment is unavailable. If your business hasn’t experienced an email outage yet (looking at you Microsoft 365), it’s only a matter of time before you do.

End-User Training

Unfortunately end users are one of the weakest links when it comes to email security. But with proper training, you can teach your employees how to spot, avoid, and report real-world attacks from phishing attempts to impersonation and other social engineering attacks.

Security-awareness training should include courses that end-users can understand and are not boring or hard to get through. Some courses can be overly time-consuming and poorly conceived making it harder for the end user to properly digest the material. Interactive materials can help with this.

Phishing simulation training should also be conducted. By sending out realistic phishing emails to employees, you can gauge their awareness of attacks and what to do with the emails when they receive them. This helps identify users that may need additional training and works well with the security-awareness training on teaching employees how to identify, avoid, and report email threats.