It’s time to rethink our e-mail security strategy

E-mail is an important part of your company’s IT strategy and external communications. When was the last time you reviewed your e-mail security? Are you aware of how e-mail is being used in your business?

Up to 91% of cyber-attacks start with email. It’s the weakest link in the cyber security chain and the one that’s the most open to exploitation through targeted and sophisticated methods.

What is phishing?

Phishing is a social-engineering attack designed to trick a human victim into paying money, revealing private information (which could lead to a very costly data breach), or launching malware intended to extort the victim (ransomware).

The focal part of the dictionary definition of phishing should be the word “human”. Humans are emotional. We can override our best judgement, and we can be manipulated by convincing tactics or a bit of creative graphic design. It’s called human error for a reason. The soft-bodied bit of our IT estate accounted for a whopping 90% of cyber data breaches in 2019.

The susceptibility of human nature

E-mail security software is amazing, but it can’t catch every maliciously intended e-mail. For the few that make it through firewalls, the outcome depends on a human decision-making process. Artificial Intelligence (AI) and machine learning processes are continually evolving to keep pace with the e-mail security threat landscape.

However, there’s not an algorithm on the planet that can replicate the emotional reasoning process that goes on inside the brain of Melanie in Accounts when she’s baited into clicking that button. This is why e-mail security can never depend fully on a piece of software or an algorithm. It must extend into HR processes and a widely adopted, company-wide culture of security awareness.

It’s no surprise that most phishing attacks are conducted via e-mail. More than half of UK businesses have been targeted by ransomware cyber-attacks in the last twelve months. It’s easy to see why criminals favour e-mail as the best way to exploit people. Worldwide, there are over 3 billion spoofed e-mails (from fake e-mail accounts) sent every day.

The rise of phishing attacks in 2020

The COVID-19 pandemic gave cybercriminals all the time and incentive they needed to redouble their efforts to launch more sophisticated phishing attacks. Quarter four of 2020 saw a 100% increase in e-mail attacks vs 2019.

E-mail-based cyber security threats are rife. Despite this, most businesses have not changed the way they use e-mail or reviewed their e-mail security policies. As IT experts, we keep our finger on the pulse of some alarming e-mail statistics within the technology industry.

At ITVET, we recently conducted a robust review of our e-mail usage and policies. The strategy and process that went into this exercise tell us unequivocally that we should do everything we can to combat this serious threat to all businesses.

Some of the things e-mail users can be tricked into

  • Sharing business or personal data
  • Wiring money or making other fraudulent monetary transactions
  • Visiting malicious websites
  • Clicking links or downloading attachments that contain malware

The outcomes above could be so serious as to put a company out of business. It all starts with just one simple click. So, let’s explore the options open to your company to mitigate your risk and make e-mail more secure.

Email usage in the workplace

End-user training

A vast number of successful e-mail attacks rely on your people simply clicking links in e-mails. Given the risks, it seems unbelievable that most businesses don’t provide employees with any e-mail training on security policies.

Providing end-users with e-mail security training should be an essential part of your business’ IT and cyber security policy. Remember that no matter how good the e-mail security systems you have in place, there are always compromised e-mails that can evade them to land in a user’s inbox. Given the complexity, ingenuity, and technical capabilities of these highly skilled criminals, compromised e-mails are very hard to detect. Fines from a data breach can run to the millions. Losing all your company data to a ransomware attack could destroy your reputation and force you to cease trading.

The use case of e-mail

All companies and end-users use e-mail differently, and sometimes quite inappropriately, which can cause issues with security. It’s important to clarify the who, how, what, and why of e-mail use in your business.

Who?

You may think that all employees need to use e-mail, but these days that’s often not the case. During the COVID-19 pandemic, Teams usage doubled worldwide. With the adoption of Teams and similar internal messaging systems, there’s been a significant reduction in the use of e-mail internally. There are many articles in the tech community heralding the “death of e-mail” as a platform. Statistics certainly back this up as workplace behaviours shift to faster, more collaborative ways of working. Reducing e-mail usage is an instant security improvement.

On reviewing your team’s usage of e-mail, you may find that one central e-mail account is sufficient to capture inbound e-mail, which also overcomes the challenge of what happens to e-mails when people are on holiday. Your team members will most likely still need an e-mail account, but without the ability to send externally. Reducing access to e-mail is the first line of defence in mitigating your risks.

How?

Many e-mail users click links inadvertently, which is a huge risk. The majority of phishing e-mails are sent from spoofed e-mail addresses, so they may look completely genuine to an innocent recipient. The display name in the From field may be that of a known contact but, on closer inspection, the actual e-mail address is slightly different. Could your employees spot the difference? Training employees to use e-mail safely and securely is an essential part of reducing the risk of a targeted attack via your company’s e-mail.
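The check a trained user performs by eye can also be automated. The following is an added example, not part of the original article: it compares the display name of a From header with the address behind it and flags near-miss domains. The contact directory, names, addresses and the 0.85 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Hypothetical contact directory (constructed): display name -> real address.
KNOWN_CONTACTS = {
    "melanie hughes": "melanie.hughes@example.com",
    "accounts payable": "accounts@example.com",
}
TRUSTED_DOMAINS = {a.rpartition("@")[2] for a in KNOWN_CONTACTS.values()}


def lookalike_of(domain, threshold=0.85):
    """Return the trusted domain that `domain` closely resembles, else None."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and SequenceMatcher(None, domain, trusted).ratio() >= threshold:
            return trusted
    return None


def check_from_header(value):
    """Classify a raw From header value; returns a short verdict string."""
    name, addr = parseaddr(value)
    name, addr = " ".join(name.lower().split()), addr.lower()
    if "@" not in addr:
        return "unparseable"
    expected = KNOWN_CONTACTS.get(name)
    if expected and addr != expected:
        # Familiar name, but not the address that contact really uses.
        return f"display-name mismatch (expected {expected})"
    if "@" in name and name != addr:
        # The display name itself is an address, hiding the real sender.
        return "display name shows a different address"
    imitated = lookalike_of(addr.rpartition("@")[2])
    if imitated:
        return f"lookalike domain (resembles {imitated})"
    return "ok" if expected else "unknown sender"


# Constructed sample headers, not taken from real mail.
SAMPLES = [
    "Melanie Hughes <melanie.hughes@example.com>",
    "Melanie Hughes <melanie.hughes@examp1e.com>",
    '"accounts@example.com" <billing@mail.test>',
    "Invoices <billing@exarnple.com>",
    "Newsletter <news@vendor.test>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_from_header(header):55} {header}")
```

A verdict of "unknown sender" is not a pass; it only means the header matched none of the patterns checked here.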

What?

Understand what your business needs from your e-mail system and determine what is appropriate to send or receive.

  • Employees distributing and sharing files or links internally should be avoided if there is an internal messaging system like Teams.
  • Sending or receiving e-mails with content that isn’t relevant or appropriate is more common than you might think.
  • It’s possible to control and regulate e-mail content using an e-mail security system such as Trend Micro’s e-mail Security System. However, the e-mail security system must be tailored to your company’s requirements.

Why?

The number of e-mails sent globally is increasing, mainly due to the vast amount of spam and fraudulent e-mail being sent. In contrast, e-mail usage for businesses has declined steadily. Many companies have also come to understand that e-mail is an insecure form of communication. So, as well as adopting Teams and similar platforms, many companies have also adopted secure cloud-based platforms like SharePoint to share files and data.

Although e-mail security systems can greatly reduce the number of unwanted or dangerous e-mails, large amounts of spam are still accepted. This is often caused by employees not opting out correctly when registering for a service. Why accept these e-mails into your company’s e-mail system?

Want to find out how you can improve your email security? Get in touch with our expert team at ITVET and transform your email security strategy.


UltraHR Infection Control Feature Release

Press Release: Returning to a ‘New Normal’ at Work: UltraHR Adds New Infection Control Feature to HR Software to help fight COVID-19

Businesses across the United Kingdom have been adversely affected by the outbreak of Coronavirus and the introduction of strict lockdown measures in March 2020. With non-essential business premises now being encouraged by the Government to open their doors and resume trading from 15th June, owners and HR Managers are facing growing concerns about how they can keep their workforce safe.

The good news is: UltraHR has got it covered. With a brand-new Infection Control and Alerting feature, you can use your UltraHR software to screen employees across the whole company.

So how does it work?

Gone are the days of calling up your boss to report sick. UltraHR is a mobile-enabled sickness app that records symptoms, absence and lateness and alerts management automatically.

The advanced tracking features of this HR software make it easy for Managing Directors to quickly identify symptoms of Coronavirus in the workplace and reduce the risk of spreading the disease further. If an employee displays symptoms of COVID-19, for example, they are told by their app to self-isolate and seek medical advice. Meanwhile, Management can instantly notify colleagues via text and email of any contamination at their place of work, ensuring the safety and wellbeing of the wider team.

The alerting system uses prompts to assess an individual’s suitability to return to work. For instance, the software will trigger them to answer questions about their health and any symptoms they might have experienced during the last 48 hours. According to their responses, the app will either ask the person to stay at home or will notify them that a member of staff will be in contact to discuss their return. As well as ‘Yes’ and ‘No’ answers, the software also enables employees to provide more detailed information about the nature of their illness.

As we begin to return to this ‘new normal’, we must also find ways to effectively manage time and resources. At just the touch of a button, employees using the UltraHR software package can alert their managers that they are running late using their mobile device. Captured data can then be used to produce powerful insights into individuals’ attendance patterns as well as assess a team or department as a whole. Lateness frequency, common reasons for absence and the amount of work time lost are among some of the statistics that may be logged and used to identify ways to maximise staff efficiency.

“UltraHR is simple to use and provides us with an overview of personnel status at the touch of a button. We are able to oversee our staff from one dashboard and keep on top of everything we need to, streamlining our HR management.” – Leitz (UltraHR client)

For more information, visit uhr.org or get in touch with the lovely UltraHR team on 01279 464470.


Is Your Shopping Centre IT & Data Compliant?

There are a variety of different IT systems and services installed at every shopping centre, including the Car Park, CCTV, BMS and Footfall, to name but a few. It would be easy to think that the respective providers of these systems would manage and maintain the networks they are installed on to make sure they are secure from hackers and other online threats. Unfortunately, this is often not the case: many third-party providers will only accept liability for their own equipment, and not for the data network it is installed on or the Internet connection used to access it remotely. This leaves a huge black hole in the IT security at each centre and could potentially lead to catastrophic failures and expensive outages if the systems go down. We have already seen several shopping centres’ car park systems unable to take payment for several days, costing the landlord thousands of pounds in lost income. Aside from this, there is the data security aspect, for which the potential fines for non-compliance are huge.

It is worth pointing out that many of these third-party systems such as the Car Park or BMS may have been installed several years ago, with the data cabling and infrastructure being even older. We have seen some cable installations dating back as far as 20 years! In many cases, they have not been maintained or checked for quality or security and are simply left untouched from the day of installation. Unlike electrical installations, which require certificated installers and regular maintenance, data networks are not afforded the same regulatory checks.

Hackers and online scammers are becoming more and more sophisticated, and we are seeing an increase in third-party systems being hacked into as these criminals broaden their target area. One of the highest profile cases was the hacking of the display screens in Cardiff Town Centre, where inappropriate political messages were displayed on them. Sadly, this was not an isolated incident, as there are far more hacks like this that happen but do not get publicised.

So, what can be done, firstly to protect your centre’s IT systems, but also to make sure they are compliant? In the first instance, we advise contacting the third-party provider and checking whether the system is installed on a data network and, if it is, whether they support and maintain it. If the answer is no, then the next step would be to contact your IT support provider and ask them to carry out an audit of the various third-party systems. They will most likely need to liaise directly with the system provider, so that they have all of the information they require to access the system.

ITVET have been providing managed IT and communication services to the shopping centre industry for over 10 years. If you would like us to carry out an in-depth IT audit of your centre, please contact our network security team on 01279 464470.