It’s time to rethink our e-mail security strategy

E-mail is an important part of your company’s IT strategy and external communications. When was the last time you reviewed your e-mail security? Are you aware of how e-mail is being used in your business?

Up to 91% of cyber-attacks start with e-mail. It’s the weakest link in the cyber security chain and the one most open to exploitation through targeted and sophisticated methods.

What is phishing?

Phishing is socially engineered to trick a human victim into paying money, revealing private information (which could lead to a very costly data breach), or launching malware that is then used to extort the victim (ransomware).

The focal part of the dictionary definition of phishing should be the word “human”. Humans are emotional: we can override our best judgement, and we can be manipulated by convincing tactics or a bit of creative graphic design. It’s called human error for a reason. The soft-bodied bit of our IT estate accounted for a whopping 90% of cyber data breaches in 2019.


The susceptibility of human nature

E-mail security software is amazing, but it can’t catch every maliciously intended e-mail. The few that make it through the filters then depend on a human decision. Artificial Intelligence (AI) and machine learning are constantly evolving to keep pace with the e-mail threat landscape.

However, there’s not an algorithm on the planet that can replicate the emotional reasoning that goes on inside the head of Melanie in Accounts when she’s baited into clicking that button. This is why e-mail security processes can never depend entirely on a piece of software or an algorithm. They must extend into HR processes and a widely adopted, company-wide culture of security awareness.

It’s no surprise that most phishing attacks are conducted via e-mail. More than half of UK businesses have been targeted by ransomware cyber-attacks in the last twelve months. It’s easy to see why criminals favour e-mail as the best way to exploit people. Worldwide, there are over 3 billion spoofed e-mails (from fake e-mail accounts) sent every day.

The rise of phishing attacks in 2020

The COVID-19 pandemic gave cybercriminals all the time and incentive they needed to redouble their efforts to launch more sophisticated phishing attacks. Quarter four of 2020 saw a 100% increase in e-mail attacks vs 2019.

E-mail-based cyber security threats are rife. Despite this, most businesses have not changed the way they use e-mail or reviewed their e-mail security policies. As IT experts, we keep our finger on the pulse of some alarming e-mail statistics within the technology industry.

At ITVET, we recently conducted a robust review of our e-mail usage and policies. The strategy and process that went into this exercise tell us unequivocally that we should do everything we can to combat this serious threat to all businesses.

Some of the things e-mail users can be tricked into

  • Sharing business or personal data
  • Wiring money or making other fraudulent monetary transactions
  • Visiting malicious websites
  • Downloading malware-laden attachments or clicking links that deliver malware

The outcomes above could be so serious as to put a company out of business. It all starts with just one simple click. So, let’s explore the options open to your company to mitigate your risk and make e-mail more secure.

E-mail usage in the workplace

End-user training

A vast number of successful e-mail attacks rely on your people simply clicking links in e-mails. Given the risks, it seems unbelievable that most businesses don’t provide employees with any e-mail training on security policies.

Providing end-users with e-mail security training should be an essential part of your business’ IT and cyber security policy. Remember that no matter how good the e-mail security systems you have in place, there will always be malicious e-mails that evade them and land in a user’s inbox. Given the complexity, ingenuity, and technical capabilities of these highly skilled criminals, such e-mails are very hard to detect. Fines from a data breach can run to the millions. Losing all your company data to a ransomware attack could destroy your reputation and force you to cease trading.

The use case of e-mail

All companies and end-users use e-mail differently, and sometimes quite inappropriately, which can cause issues with security. It’s important to clarify the who, how, what, and why of e-mail use in your business.

Who?

You may think that all employees need to use e-mail, but these days that’s often not the case. During the COVID-19 pandemic, Teams usage doubled worldwide. With the adoption of Teams and similar internal messaging systems, there’s been a significant reduction in the use of e-mail internally. There are many articles in the tech community heralding the “death of e-mail” as a platform, and the statistics certainly back this up as workplace behaviours shift to faster, more collaborative ways of working.

Reducing e-mail usage is an instant security improvement. On reviewing your team’s usage of e-mail, you may find that one central e-mail account is sufficient to capture inbound e-mail; this also overcomes the challenge of what happens to e-mails when people are on holiday. Your team members will most likely still need an e-mail account, but without the ability to send externally. Reducing access to e-mail is the first line of defence in mitigating your risks.


How?

Many e-mail users click links inadvertently, which is a huge risk. The majority of phishing e-mails are sent from spoofed e-mail addresses, so they may look completely genuine to an innocent recipient. The display name may be that of a known contact, but upon closer inspection the actual e-mail address is slightly different. Could your employees spot the difference? Training employees on how to use e-mail safely and securely is an essential part of reducing the risk of a targeted attack via your company’s e-mail.
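To show the comparison an employee (or a mail filter) is being asked to make here, the following added example, which is not code from the original post, parses a From: header and flags a display name that does not belong to the address that actually sent the mail. The contact directory and sample headers are constructed for illustration.

```python
# Added example, not code from the original post: a check for the display-name
# spoofing described above. The contact directory and headers are constructed.
from email.utils import parseaddr
import re

# Constructed directory of known contacts: normalised display name -> address.
KNOWN_CONTACTS = {
    "jane smith": "jane.smith@example-supplier.co.uk",
    "melanie jones": "melanie.jones@example-company.co.uk",
}

def _normalise(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  SMITH' equals 'jane smith'."""
    return re.sub(r"\s+", " ", name).strip().lower()

def check_from_header(from_header: str) -> tuple:
    """Classify a raw From: header value as 'ok', 'suspicious' or 'unknown'.

    Returns (verdict, reason). 'suspicious' means the friendly display name
    does not belong to the address that actually sent the mail.
    """
    display, address = parseaddr(from_header)
    display_n, address_n = _normalise(display), address.lower()
    if not address_n:
        return "suspicious", "header has no parseable sender address"
    # Trick 1: the display name is itself an e-mail address, but not the real sender.
    if "@" in display_n and display_n != address_n:
        return "suspicious", f"display name {display_n} but sender is {address_n}"
    expected = KNOWN_CONTACTS.get(display_n)
    if expected is None:
        return "unknown", f"{display_n or address_n} is not in the contact directory"
    if expected == address_n:
        return "ok", f"{display_n} matches {address_n}"
    # Trick 2: a trusted name over a slightly different (lookalike or free-mail) address.
    return "suspicious", f"{display_n} is expected from {expected}, got {address_n}"

# Constructed sample headers: one genuine, two spoofed in the ways described.
SAMPLE_HEADERS = [
    "Jane Smith <jane.smith@example-supplier.co.uk>",
    "Jane Smith <jane.smith@example-suppl1er.co.uk>",
    '"melanie.jones@example-company.co.uk" <invoices@example-freemail.test>',
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        verdict, reason = check_from_header(header)
        print(f"{verdict:10} {reason}")
```

A mail gateway would run the same comparison against a real address book; here the second header differs from the genuine one by a single character in the domain, which is exactly the difference an employee is expected to spot.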

What?

Understand what your business needs from your e-mail system and determine what is appropriate to send or receive.

  • Employees distributing and sharing files or links internally should be avoided if there is an internal messaging system like Teams.
  • Sending or receiving e-mails with content that isn’t relevant or appropriate is more common than you might think.
  • It’s possible to control and regulate e-mail content using an e-mail security system such as Trend Micro’s Email Security product. However, the e-mail security system must be tailored to your company’s requirements.

Why?

The number of e-mails sent globally is increasing, mainly due to the vast amount of spam and fraudulent e-mail being sent. In contrast, business use of e-mail has declined steadily. Many companies have also come to understand that e-mail is an insecure form of communication. So, as well as adopting Teams and similar platforms, many companies have adopted secure cloud-based platforms such as SharePoint to share files and data.

Although e-mail security systems can greatly reduce the volume of unwanted or dangerous e-mails, large amounts of spam are still accepted. This is often caused by employees not opting out correctly when registering for a service. Why accept these e-mails into your company’s e-mail system at all?

Want to find out how you can improve your e-mail security? Get in touch with our expert team at ITVET and transform your e-mail security strategy.