Why email security matters
Email security breaches are expensive. Industry reports estimated that cybercrime would cost the world more than $6 trillion annually by 2021, up from $3 trillion in 2015.
Password security: Set a strong password, change it regularly
The key is to set a strong, unique password and to change it promptly whenever it may have been exposed. (Current NIST guidance, SP 800-63B, no longer calls for routine rotation on its own, because forced changes tend to produce predictable variants such as Summer2023 becoming Summer2024; rotation matters most when a breach or a phishing attempt is suspected.)
“Strong passwords should contain three out of four things: lower-case letters, upper-case letters, numbers, and symbols.”
They also shouldn’t contain obvious personal information (like names of your pets or family, hometown, alma mater, or your favorite sports teams), the word “password,” or common letter/number substitutions (such as I/1, S/5, etc.). Typically a strong password should be at least eight characters, but when possible go long, such as 16–30 characters.
Random password generator tools (most password managers have one built in) can create a strong password for you. Or, instead of a password, use a passphrase. Where a strong random password is a hard-to-remember jumble of characters, a passphrase strings together several words chosen at random (not a quotation or a song lyric, which cracking tools already know) and can be both harder to crack and easier to remember.
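The following added example, which is not part of the original article, puts numbers on the password-versus-passphrase comparison. It generates both from a cryptographically secure random source, computes the entropy each one carries, and implements the article’s own three-of-four policy rule. The sixteen-word list is a constructed stand-in for a real Diceware-style list; the entropy figures use the 7776-word size of the EFF large list, which is an assumption stated in the code rather than something the article gives.

```python
import math
import secrets
import string

# Constructed mini word list for the demo. Assumption: a real list such as the
# EFF large wordlist has 7776 words; the entropy function takes the list size
# as a parameter so the numbers reflect the real list, not this toy one.
WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor",
         "iris", "juniper", "kestrel", "lantern", "meadow", "nickel", "orchid", "pebble"]
EFF_LARGE_LIST_SIZE = 7776
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` independent, uniform picks from `pool_size` options."""
    return length * math.log2(pool_size)


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password drawn from a CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int = 5, words=WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: every word chosen uniformly and independently."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def meets_policy(password: str, min_length: int = 8) -> bool:
    """The article's rule: at least min_length characters, three of the four
    character classes, and the word 'password' nowhere inside it."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return (len(password) >= min_length
            and sum(classes) >= 3
            and "password" not in password.lower())


if __name__ == "__main__":
    print("8 random printable chars:", round(entropy_bits(94, 8), 1), "bits")
    print("4 random EFF words:      ", round(entropy_bits(EFF_LARGE_LIST_SIZE, 4), 1), "bits")
    print("5 random EFF words:      ", round(entropy_bits(EFF_LARGE_LIST_SIZE, 5), 1), "bits")
    print("password:  ", random_password(16))
    print("passphrase:", random_passphrase(5))
```

Four random words from a 7776-word list carry about 51.7 bits, roughly the same as eight random printable characters (52.4 bits), and five words (64.6 bits) beat it comfortably while staying memorable. Note that a lowercase passphrase fails `meets_policy`, which is the known weakness of composition rules: they reject strong passphrases and accept weak-but-compliant strings.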
Regularly hold employee cyber awareness training
Because human behavior is cited as the biggest challenge in email security, it’s imperative that businesses prioritize education and training.
One estimate attributes 2 out of 3 email compromises to employee or contractor negligence, at an average cost of $280,000 per incident.
Surveys consistently find the same weakness: one found that 52% of people reuse passwords across multiple sites or choose simple, guessable ones, which leaves every account that shares the password exposed as soon as one site is breached.
Given stats like these, investment in staff training is one of the cheapest ways to cut a company’s exposure to email-driven breaches.
Don’t log in via links sent in email.
If you receive an email that says you need to log in to service X, and you do have an account with X, ignore any login links in the email itself. Find your own way to the login page (for example, bookmark it yourself), even if you think the email is genuine. That way you won’t fall for bogus links by mistake, and a genuine notice loses nothing by being checked from the real site.
Consider a password manager
Password managers not only pick strong and random passwords automatically, but also associate each password with a specific URL. That makes it much harder to put the right password into the wrong site, because the password manager simply won’t know which account to use when faced with an unknown phishing site.
Tools like LastPass ask the user for a single strong master password that unlocks a password vault. The manager generates a unique random password for each account when it is created and fills it in only on the matching site, which is a step up from the browser’s traditional auto-fill, which carries risks of its own. No master password is unhackable; it is simply the one password you have to make long and keep private.
The vault itself is encrypted with AES-256, and the master password is stretched into the encryption key with a key derivation function (PBKDF2 with HMAC-SHA-256 in LastPass’s case). SHA-256 on its own is a hash, not encryption; the iteration count in the key derivation is what slows an attacker down if a copy of the encrypted vault is stolen. A password manager is the most practical way to keep a unique, strong password for every site.
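The added example below, which is not code from LastPass or any other product, models the two behaviours described above: the master password is stretched with PBKDF2-HMAC-SHA256 into a vault key, and stored credentials are bound to a site’s registrable domain so that a look-alike or phishing host gets nothing. The two-entry suffix set is a stand-in for the real Public Suffix List, the class and method names are invented for illustration, and the sample URLs are constructed.

```python
import hashlib
import secrets
import string
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Assumption: a real manager consults the full Public Suffix List; two entries stand in for it.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(url: str) -> str:
    """'https://www.paypal.com/signin' -> 'paypal.com'
       'https://mail.example.co.uk/inbox' -> 'example.co.uk'
       'https://paypal.com.evil.example/login' -> 'evil.example'"""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class Vault:
    """Minimal model of a password-manager vault (illustrative, not any product's code)."""

    ALPHABET = string.ascii_letters + string.digits + string.punctuation

    def __init__(self, master_password: str, salt: Optional[bytes] = None,
                 iterations: int = 600_000):
        self.salt = salt or secrets.token_bytes(16)
        # PBKDF2-HMAC-SHA256 stretches the master password into the vault key.
        # SHA-256 by itself is a fast hash, not a password hash and not encryption;
        # the iteration count is what makes offline guessing expensive.
        self.key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                       self.salt, iterations)
        self._entries = {}  # registrable domain -> (username, password)

    def generate_password(self, length: int = 20) -> str:
        return "".join(secrets.choice(self.ALPHABET) for _ in range(length))

    def add(self, url: str, username: str, password: Optional[str] = None) -> str:
        """Store a credential bound to the site's registrable domain; generate it if absent."""
        password = password or self.generate_password()
        self._entries[registrable_domain(url)] = (username, password)
        return password

    def credentials_for(self, url: str) -> Optional[Tuple[str, str]]:
        """Autofill decision: fill only over https and only for a domain we already know.
        An unknown phishing host simply gets None."""
        if urlsplit(url).scheme != "https":
            return None
        return self._entries.get(registrable_domain(url))


if __name__ == "__main__":
    vault = Vault("example master passphrase, not a real one")
    pw = vault.add("https://www.paypal.com/signin", "alice")
    print(vault.credentials_for("https://paypal.com/login"))               # ('alice', pw)
    print(vault.credentials_for("https://paypal.com.evil.example/login"))  # None
    print(vault.credentials_for("https://www.paypa1.com/signin"))          # None
```

The `scheme != "https"` check matters as much as the domain match: a plaintext page on the right domain is exactly where a network attacker would inject a fake login form.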
Familiarize Yourself with Common Phishing Schemes
Phishing is a common and sneaky scam: the sender poses as a well-known company and asks recipients for private information, usually credentials or payment details.
Since these emails appear to come from reputable sources, such as PayPal, banks and other large companies, they are often effective. Many people don’t think twice before entering their information in order to keep a subscription active or collect a prize or payment.
Poor spelling, improper grammar and a stilted, robot-like writing style are classic telltale signs of a phishing email. The reverse is not true: well-written phishing is common, so a polished message proves nothing, and the sender address and link destinations deserve a look regardless.
There are a few major phishing practices that you should look out for so that you can avoid jeopardizing your email security.
5 Common Phishing Practices
- Deceptive Phishing: Deceptive phishing is when a scammer sends a bulk email under the guise of a reliable company.
- Spear Phishing: Spear phishing uses information about the specific target (name, role, colleagues, recent activity) to build trust and increase the chances of the scam working.
- Whaling: This type of phishing targets senior executives such as the CEO or CFO, typically to authorize fraudulent payments or to gain a foothold at the top of the company.
- Pharming: Pharming redirects traffic for a legitimate domain name to an attacker’s server by corrupting name resolution (a poisoned DNS cache or a modified hosts file), so even a correctly typed address can land on a fake site.
- Google Drive/Dropbox Phishing: This type of phishing is among the most difficult to detect. It clones the login page of a cloud storage service and requests your login info. Once scammers have those credentials, they usually gain access to a plethora of sensitive documents.
Don’t click unsubscribe or reply to suspicious emails
If the email looks like it’s from a brand that you have an account with, delete the email, go to your browser, type in the URL for the site (or hit the link from your bookmarks), and log in directly. Unless you are expecting an email with a link (a mailing list you know and trust, a confirmation for something you just registered for or ordered online, etc.), don’t click the links in emails. Don’t copy and paste links either.
Leaving links alone also extends to any innocent-looking “unsubscribe” links in that suspicious email. Clicking one only confirms to the attacker or spammer that your email address is live and read, so they’ll send you more malicious junk. The same applies to replying, so don’t reply to suspicious emails either.
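As an added example (not part of the original article), the script below inspects the links in an HTML message body the way the advice under “Don’t log in via links sent in email”, the phishing list, and the two paragraphs above suggest: it flags anchors whose visible text names one domain while the `href` goes to another, links that hide the real host behind a `user@host` prefix, raw IP addresses, and punycode look-alike hosts. The sample email and every host in it are constructed for the demo; the parser and function names are invented for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of an HTML phishing email; none of these hosts is real.
SAMPLE_HTML = """
<p>Dear customer, your account is limited.</p>
<p><a href="https://paypal.com.account-verify.example/login">https://www.paypal.com/signin</a></p>
<p><a href="https://paypal.com@198.51.100.7/update">Update your details</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
<p><a href="https://mailer.example/unsubscribe?id=42">Unsubscribe</a></p>
"""

# A domain-looking token in the visible link text, e.g. "www.paypal.com".
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_reasons(href: str, text: str) -> list:
    """Signals that a link is not what it appears to be; an empty list means none found."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        reasons.append("unusual scheme %r" % parts.scheme)
    if parts.username is not None:
        # https://paypal.com@evil.example/ -> the browser goes to evil.example
        reasons.append("userinfo trick: '%s@' is not the host, %s is" % (parts.username, host))
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) host, possible look-alike domain")
    match = DOMAIN_IN_TEXT.search(text.lower())
    if match:
        shown = match.group(1)
        # host must equal the shown domain or be a subdomain of it; a *prefix* match
        # (paypal.com.evil.example) is exactly the trick we want to catch
        if not (host == shown or host.endswith("." + shown)):
            reasons.append("text shows %s but the link goes to %s" % (shown, host))
    return reasons


def find_suspicious_links(html: str) -> list:
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        reasons = link_reasons(href, text)
        if reasons:
            results.append({"href": href, "text": text, "reasons": reasons})
    return results


if __name__ == "__main__":
    for hit in find_suspicious_links(SAMPLE_HTML):
        print(hit["href"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

The “Unsubscribe” link passes every check here, which is the point of the paragraph above: it is not technically deceptive, it simply confirms a live mailbox to whoever sent it, so the decision not to click has to come from context, not from URL analysis.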
Only open attachments from trusted contacts—and still check those first
Attachments are one of the top ways attackers install malware, steal information, and compromise systems. If you are wary of attachments, even from trusted contacts, you have a much lower chance of having your email compromised.
For starters, attachments should never be a surprise—and large files are a giant, flaming, screaming red flag. When an attachment comes through, it should be something that you knew would be on the way. If you have any doubt at all, don’t open the attachment. Instead, via a call, text, email, or quick face-to-face, verify whether or not the email and attachment are legit. After all, even trusted contacts can be hacked—and if that happens, some attacks use that compromised email account to send out malware, phishing attacks, ransomware attacks, and more.
If the attachment has a .exe extension, send the email to spam and notify IT. If opened, a .exe file will execute a program, and the outcome will be somewhere between bad and catastrophic. Note that Windows hides known file extensions by default, so a file named invoice.pdf.exe is displayed as invoice.pdf; turn that setting off so the real extension is visible.
Files such as Word and Excel documents can also carry malicious software, especially via macros, and the macro-enabled formats (.docm, .xlsm) deserve particular suspicion. Only consider opening these files if you knew they were coming. Even image files and PDFs can carry embedded scripts or exploits, or turn out to be renamed executables.
If an unsolicited attachment comes from someone you don’t know, just delete it.
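An added example, not from the original article, of the checks described above applied to an attachment before anyone opens it: it looks past the displayed name for executable and double extensions, sniffs the file’s magic bytes so a renamed executable is caught regardless of extension, and opens Office OOXML containers to see whether a VBA project is inside. The extension lists are illustrative rather than exhaustive, the sample files are constructed in memory, and the function names are invented for the demo.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: illustrative lists, not exhaustive; a mail gateway policy would be longer.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".ps1"}
MACRO_ENABLED_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
LEGACY_OFFICE_EXTS = {".doc", ".xls", ".ppt"}  # OLE2 containers, macros live inside

# File signatures ("magic bytes") checked in order.
MAGIC = [
    (b"MZ", "pe"),                                   # Windows executable / DLL
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                          # zip, and Office .docx/.xlsx/.docm
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls/.ppt
]


def sniff(data: bytes) -> str:
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def ooxml_has_macros(data: bytes) -> bool:
    """An Office OOXML file is a zip; a VBA project is stored as .../vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(filename: str, data: bytes):
    """Return (verdict, reasons) where verdict is 'block', 'review' or 'allow'."""
    findings = []  # (severity, reason)
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    ext = suffixes[-1] if suffixes else ""
    kind = sniff(data)
    if ext in EXECUTABLE_EXTS:
        note = "executable extension %s" % ext
        if len(suffixes) > 1:
            note += " hidden behind a double extension (Windows hides known extensions by default)"
        findings.append(("block", note))
    elif kind == "pe":
        findings.append(("block", "content is a Windows executable despite extension %s" % (ext or "(none)")))
    if ext in MACRO_ENABLED_EXTS:
        findings.append(("review", "macro-enabled Office format %s" % ext))
    if kind == "zip" and ooxml_has_macros(data):
        findings.append(("review", "Office document contains a VBA project (vbaProject.bin)"))
    if ext in LEGACY_OFFICE_EXTS or kind == "ole2":
        findings.append(("review", "legacy binary Office format; may carry macros"))
    if any(sev == "block" for sev, _ in findings):
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return verdict, [reason for _, reason in findings]


def build_docx(with_macros: bool) -> bytes:
    """Constructed stand-in for an OOXML document (real files carry many more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # constructed PE header stub, not a real binary
    for name, blob in [("Invoice.pdf.exe", fake_pe), ("photo.jpg", fake_pe),
                       ("quarterly.docx", build_docx(True)), ("quarterly.docx", build_docx(False)),
                       ("notes.pdf", b"%PDF-1.7\n")]:
        print(name, triage(name, blob))
```

The second `quarterly.docx` case is the instructive one: the extension says “no macros”, but the container holds a VBA project, so the verdict comes from the content, not the name.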
Implement two-factor authentication (2FA)
2FA is short for two-factor authentication, typically based on one-time codes that are sent to your phone by SMS or generated by an authenticator app. 2FA makes your password alone much less useful to the crooks, just in case you ever do give it away by mistake. Codes delivered by SMS can be intercepted or phished along with the password, so an authenticator app is the better choice, and a FIDO2 security key, which only responds to the genuine site, defeats a phishing page outright.
Never access emails from public WiFi
Public WiFi should be treated as untrusted: you do not control the access point, and anyone running or sniffing the network can observe which servers you talk to. TLS protects the contents of a properly configured mail connection, but not a client that will fall back to plaintext or accept a bad certificate, and not a user who types a password into a fake login page.
Indeed, criminals need only a laptop and freely available software to stand up a rogue hotspot with a familiar name or to capture traffic on an open network. If you or anyone at your company accesses email over a service of that nature, you make it easy for anyone with the will to harvest passwords and read sensitive data, and that could feed a targeted attack further down the line.
If people need to access their messages outside of the office, there are a couple of options on the table that should not make your operation vulnerable to data theft.
Firstly, if unable to connect to a secure WiFi, your employees could use their smartphone and mobile internet.
That is much more secure than any public WiFi service, and the move should protect your cloud data and your interests.
Secondly, you might consider paying for mobile internet dongles that workers can use with their laptops outside of the office. Both of those options tend to work well, and they should help to protect all your company emails.
Implement regular data backups to the Cloud
There’s no question that malware and ransomware attacks, most of which still arrive by email, are a big deal for email security. Backing up data limits the damage if the worst were to happen.
Whether your business outsources backups to a managed security provider or runs them in-house against a cloud service, regular data backups should be standard practice.
Keeping a copy off-site in the cloud adds a layer of protection, particularly if data is encrypted in transit to the provider and at rest there. One caveat: a synced cloud folder is not a backup against ransomware, because the encrypted files sync over and replace the good ones. Use a backup service with version history or immutable snapshots, keep at least one copy that is offline or otherwise unreachable from the workstation, and test a restore before you need one.
Look for an anti-virus with live web filtering
Products such as Sophos Home (free for Windows and Mac) not only block malware from reaching your computer but also prevent web connections going out to risky sites in the first place, even if those sites themselves don’t actually host malware. That second layer is what catches the phishing link that a user clicks despite the advice above.