Almost every business relies on email as a modern way of communicating. However, despite the vast number of us using email, many of us are unaware of the cyber security threats that email poses.
Did you know emails can contain malware, such as ransomware and viruses? For example, an email you receive could contain malicious code which is designed to run when you open the email. However, malware is most commonly found within email attachments or behind links within the email itself.
Another major issue is the rise of phishing emails, which claim to be from reputable businesses and financial institutions. These emails are carefully designed to mimic emails which the user would expect to receive, so recipients are enticed to visit fake websites and enter confidential information. These websites could ask for personal details and bank account information, which is then sold to criminals via the dark web.
The most sinister email threats are designed to gain access to companies’ email systems by contacting the employee who is responsible for making payments. The attacker will pose as a senior executive and ask that employee to send a substantial sum to the attacker’s bank account. They may even pose as another company and inform an employee that the payment details have changed, so future payments are sent to the attacker’s bank instead.
These are examples of monetary losses; however, attackers may focus on stealing data, reducing productivity and even alienating customers. As you can see from these examples, email security should be a top priority for all businesses.
The majority of email security threats occur when an email enters a company’s email system. This means companies are able to detect these emails when they enter the system and also when they are delivered to the recipient. To increase the chances of these emails being detected at one of these points, it is possible to install an email security gateway.
A gateway is often a type of software which companies can install on their email server or via a gateway appliance. However, there are also some email server products which already include email security software. There are a variety of functions which email security will provide, including:
1) Filtering spam - The majority of malicious emails are sent out in vast numbers, in the hope of infiltrating as many systems as possible. However, up-to-date spam filters will spot these emails and prevent them from being delivered.
2) Attachment scanning - Effective gateways are designed to connect to networks which detect threats. These detection networks recognise millions of malicious attachments around the world. This means that if a malicious attachment is sent, the gateway will block the email before it is even able to enter a company email network.
3) Scanning links - These scanners are designed to check the links contained within emails as they are received at the email gateway. The scanners will check what happens when the link is clicked to find out whether it is malicious before it enters a company network.
4) Protection against data loss - There are some email gateways which are designed to check the data within emails sent by companies themselves. This is designed to prevent the sending of emails which contain sensitive information. The software may even encrypt the data within the emails, as part of GDPR compliance.
5) Blacklisting - This is designed to block all emails which are received from known malicious domains or email addresses. It is even possible to block emails received from specific countries.
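The checks listed above can be sketched in a few lines. This is an added example, not code from any gateway product: the blocked domain, the extension list, the card-number pattern and the sample message are all constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed policy data for illustration; a real gateway pulls these from threat feeds.
BLOCKED_DOMAINS = {"bad-sender.example"}
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".vbs", ".iso")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # crude card-number shape

def host(url):
    """Hostname of a URL, or of bare link text such as 'www.bank.example'."""
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

def inspect_inbound(msg):
    """Return the reasons a gateway might quarantine this inbound message."""
    reasons = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain in BLOCKED_DOMAINS:
        reasons.append("blocklisted sender domain")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append("risky attachment: " + name)
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            for href, text in ANCHOR_RE.findall(html):
                shown = re.sub(r"<[^>]+>", "", text).strip()
                # Link text that looks like a hostname but points somewhere else.
                if "." in shown and " " not in shown and host(shown) != host(href):
                    reasons.append("link shows %s but opens %s" % (shown, host(href)))
    return reasons

def outbound_has_card_number(body):
    """Data-loss check: does outgoing text contain something shaped like a card number?"""
    return bool(CARD_RE.search(body))

def sample_message():
    """Constructed test message: blocklisted sender, deceptive link, .exe attachment."""
    m = EmailMessage()
    m["From"] = "Accounts <billing@bad-sender.example>"
    m["Subject"] = "Invoice"
    m.set_content("Please see the attached invoice.")
    m.add_alternative('<p><a href="http://login.payments.example.net/">'
                      "www.mybank.example</a></p>", subtype="html")
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                     filename="invoice.pdf.exe")
    return m
```

Calling `inspect_inbound(sample_message())` returns three reasons, one for each of the blocklist, link and attachment checks.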
There are many email security gateway providers available, including Mimecast, Proofpoint, Barracuda Networks, Cisco, Email Laundry and Fortinet.
Email security gateways can provide some protection to organisations; however, they are unable to protect against threats which are delivered straight to an employee’s computer, for example when an employee accesses their own personal email account via their work computer. This means all businesses should run protection software on individual computers, to protect against malicious software, viruses and ransomware.
Despite email security software being very effective, it is never 100% effective. However, by training employees to spot email threats, it is possible to add another layer of protection. There are some simple rules which all employees should be aware of:
1) Never click links from unknown sources
2) Never open an email attachment from an unknown source
3) Never follow any links within emails pointing to financial institutions
4) Always consult another senior executive or manager before transferring funds
5) Never use a public WiFi spot to connect to a business’s email system
As part of employee training, it is possible to send simulated phishing emails, which will help employees learn to spot them.
Email systems were never designed with security in mind, so message contents, usernames and passwords are sent without encryption. This means it is possible for attackers to access a mailbox and read all messages.
To prevent eavesdropping, employees should never use a public WiFi connection to access work emails. If the internet connection is protected using WPA-based encryption, the email login details should be protected. However, this encryption only protects the email credentials, so emails are still vulnerable.
It is possible to encrypt emails which are sent or received via email servers via an SSL/TLS connection. If this type of connection is not supported, an encrypted VPN connection can be used instead. The only person who can decrypt the email is the intended recipient. Most systems are designed to use symmetric encryption which sends an encrypted email with a private key, to ensure it is only opened by the matching recipient.
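Whether the server-to-server connections mentioned above actually used SSL/TLS can be checked from a delivered message's Received headers. The following is an added example, not part of the original article: the sample message and its hostnames are constructed, and the check relies on the standard "with" keywords (such as ESMTPS) that mail servers record for TLS-protected transfers.

```python
import re
from email import message_from_string

# "with" keywords that mean the hop used TLS (RFC 3848 and RFC 6531 transmission types).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample message; hostnames and addresses are documentation values.
SAMPLE = """\
Received: from mx.partner.example (mx.partner.example [203.0.113.7])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby gateway.company.example (Postfix) with ESMTPS id 4ABC123
\tfor <user@company.example>; Mon, 6 Jan 2025 09:15:02 +0000 (UTC)
Received: from laptop.partner.example (unknown [198.51.100.23])
\tby mx.partner.example with ESMTP id 9DEF456;
\tMon, 6 Jan 2025 09:15:00 +0000
From: sender@partner.example
To: user@company.example
Subject: Quarterly figures

Body text.
"""

def strip_comments(text):
    """Remove (possibly nested) parenthesised comments, which may contain 'with'."""
    previous = None
    while previous != text:
        previous, text = text, re.sub(r"\([^()]*\)", "", text)
    return text

def field(keyword, clause):
    """First token after 'from', 'by' or 'with' in a Received clause."""
    match = re.search(r"\b%s\s+(\S+)" % keyword, clause, re.I)
    return match.group(1) if match else "unknown"

def audit_hops(raw):
    """Return (from, by, protocol, used_tls) for each hop, oldest hop first."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        clause = strip_comments(" ".join(value.split())).split(";")[0]
        protocol = field("with", clause).upper()
        hops.append((field("from", clause), field("by", clause),
                     protocol, protocol in TLS_PROTOCOLS))
    return hops

def cleartext_hops(raw):
    """Hops whose Received header does not record a TLS-protected transfer."""
    return [hop for hop in audit_hops(raw) if not hop[3]]
```

Received headers written before a message reached your own servers can be forged, so only the hops recorded by your own infrastructure are reliable evidence.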
Many email providers will handle private keys and encryption automatically. For example, within Outlook both parties can send encrypted emails by digitally signing their emails. However, some organisations will install additional encryption gateway software, which will ensure employees comply with security policies.