Email security risks
Every business, large or small, relies heavily on email to communicate. It’s convenient, simple, easy to use, and instantly delivered, making it ideal for business communications, whether they’re business to business or business to customer. And with more people working from home than ever, email can be vital for keeping remote workers in touch with their colleagues.
However, cybercriminals are always looking for weaknesses to exploit, and email is one of the most common ways in. Email systems are attacked for many reasons, including financial gain, data theft and conscripting business computers into botnets used for denial of service attacks.
“Threat actors distribute malware via email approximately 92% of the time.” - from 2021 Cyber Security Statistics: The Ultimate List Of Stats, Data & Trends.
What are the main email security risks?
There are many ways a criminal can attack your company’s email systems and below you can find the main tactics they use:
1) Phishing
From Guardian Digital, “Over 90% of all cyber-attacks begin with a phishing email.”
Attackers send an email that appears to come from a trusted company or someone you know, containing a link (or attachment) that looks important enough to click. The link typically leads either to a page that installs malware or to a fake login or payment form that harvests sensitive information such as passwords or credit card details.
One variant that appeared during the coronavirus pandemic is emails claiming to come from the CDC or the World Health Organisation. In a crisis it's all too easy to click one of these links and enter information you should never give out.
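The tell-tale signs of a phishing link described above (visible text that disagrees with the real destination, lookalike domains such as "examp1e-bank.com", links to a bare IP address or a punycode host) can be checked mechanically. The following is an added example, not code from the original article: it parses an HTML body with the standard library and reports each suspicious anchor. The trusted-domain list, the confusable-character table and SAMPLE_HTML are constructed for illustration.

```python
"""Flag deceptive links in an HTML email body (phishing triage heuristic).

Added example, not from the original article. Standard library only; the
trusted-domain list, the confusable-character table and SAMPLE_HTML are
constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains that links in mail to this organisation are expected to point at (assumption).
TRUSTED_DOMAINS = {"example-bank.com", "who.int", "cdc.gov"}

# Character swaps attackers use to build lookalike domains (assumption, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain guess: the last two labels (good enough for this example)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def normalise(domain):
    """Undo common confusable substitutions so 'examp1e' compares equal to 'example'."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def looks_like_url(text):
    return re.match(r"^(https?://|www\.)", text, re.I) is not None


def analyze_links(html):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    parser = LinkExtractor()
    parser.feed(html)
    normalised_trusted = {normalise(d) for d in TRUSTED_DOMAINS}
    findings = []
    for href, text in parser.links:
        if not href:
            continue
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if url.scheme not in ("http", "https"):
            findings.append(f"non-web link scheme {url.scheme!r}: {href}")
            continue
        if host.replace(".", "").isdigit():
            findings.append(f"link to a bare IP address: {href}")
        if "xn--" in host:
            findings.append(f"punycode host (possible homograph): {host}")
        # Visible text that is itself a URL must agree with where the link really goes.
        if looks_like_url(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if shown.lower() != host:
                findings.append(f"text shows {shown} but link goes to {host}")
        # Host is not a trusted domain but becomes one after undoing confusable swaps.
        reg = registrable(host)
        if reg not in TRUSTED_DOMAINS and normalise(reg) in normalised_trusted:
            findings.append(f"lookalike of a trusted domain: {host}")
    return findings


# Constructed phishing body: a lookalike domain, a bare-IP download and one genuine link.
SAMPLE_HTML = """
<p>Your account has been locked. Verify now:</p>
<a href="http://secure-login.examp1e-bank.com/reset">https://example-bank.com/reset</a><br>
<a href="http://192.0.2.10/update.exe">Download the security update</a><br>
<a href="https://example-bank.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_HTML):
        print("SUSPICIOUS:", finding)
```

Run against SAMPLE_HTML it reports three findings (the text/destination mismatch and the lookalike domain on the first link, the bare IP on the second) and nothing for the genuine help-centre link. The registrable-domain guess and confusable table are deliberately simple; a production filter would use the public suffix list and a full Unicode confusables table.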
2) Spam
Having your email account filled with spam is exceptionally annoying, but it's more than just frustrating. Large volumes of spam consume storage and bandwidth, bury legitimate mail and create work for your IT department.
Spam is also a common carrier of malware: attachments containing trojans, viruses and ransomware, or links to infected sites, which can wreak havoc on business systems if unwary users open them.
Malware can perform a range of unpleasant tasks, including stealing your data, harvesting login credentials for later attacks, encrypting your data and demanding a ransom to get it back, and in some cases leaving systems unusable.
3) Scams and Social Engineering
Most of us have had the ubiquitous email from a Nigerian Prince offering us millions if we can only pay a small fee to transfer the whole amount into our bank account. Also known as 419 fraud, this scam, in different forms, has been around since before there was internet or email.
Surprisingly, it still works. Like phishing, it relies on social engineering: criminals use a variety of strategies to manipulate people into paying money or handing over private information, which can then be used in further attacks.
Another variant is the CEO scam or business email compromise (BEC). In a BEC attack, scammers target an employee with access to company finances while pretending to be the CEO or a director, typically writing from a lookalike domain, a spoofed address or a genuinely compromised mailbox. They then instruct the employee to pay an invoice immediately, and the money lands in the scammer's account. A further variant is vendor email compromise (VEC), where the scammer spoofs or takes over a supplier's email account, sends an invoice with the bank details changed, and gets paid.
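A mail gateway or SOC rule can catch much of this before a finance employee ever sees the message, because BEC mail tends to share a few header and wording traits: an executive's display name on an outside address, a Reply-To pointing somewhere other than the From domain, a sender domain one typo away from your own, and urgent payment language. The following is an added example, not code from the original article; COMPANY_DOMAIN, EXECUTIVES, the keyword lists and the two raw messages are constructed for illustration.

```python
"""Header and wording heuristics for CEO-fraud / business email compromise (BEC).

Added example, not from the original article. COMPANY_DOMAIN, EXECUTIVES, the
keyword lists and the two raw messages are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "acme-widgets.com"                       # assumption
EXECUTIVES = {"jane doe": "jane.doe@acme-widgets.com"}    # assumption: display name -> real address
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
URGENCY_WORDS = ("urgent", "immediately", "asap", "today", "confidential")
PAYMENT_WORDS = ("invoice", "wire", "transfer", "bank details", "payment", "gift card")


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # extra character in a
        elif len(b) > len(a):
            j += 1          # missing character in a
        else:
            i += 1          # substitution
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def is_lookalike(domain, target):
    """Different from target, but equal after confusable swaps or within one edit of it."""
    if domain == target:
        return False
    swapped = domain
    for bad, good in CONFUSABLES:
        swapped = swapped.replace(bad, good)
    return swapped == target or within_one_edit(domain, target)


def body_text(msg):
    """Concatenate the text/plain parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze_message(raw):
    """Return a list of findings for one RFC 5322 message; an empty list means nothing matched."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)

    # 1. An executive's display name on an address that is not theirs.
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr.lower() != real:
        findings.append(f"display name '{from_name}' impersonates {real} (sent from {from_addr})")
    # 2. Replies silently redirected to another domain.
    if reply_addr and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 3. A domain one typo or confusable swap away from our own.
    for dom in {from_dom, reply_dom} - {""}:
        if is_lookalike(dom, COMPANY_DOMAIN):
            findings.append(f"lookalike of {COMPANY_DOMAIN}: {dom}")
    # 4. Pressure plus money: the classic BEC pattern.
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        findings.append("urgent payment language in subject/body")
    return findings


# Constructed messages: one textbook CEO-fraud attempt and one genuine internal note.
SUSPECT = """From: Jane Doe <jane.doe@acme-widget.com>
Reply-To: jane.doe.ceo@gmail.com
To: accounts@acme-widgets.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset=utf-8

I am in a meeting and cannot talk. Please process the attached invoice
immediately and send the payment today. Keep this confidential.
"""

LEGITIMATE = """From: Jane Doe <jane.doe@acme-widgets.com>
To: accounts@acme-widgets.com
Subject: Lunch on Friday
Content-Type: text/plain; charset=utf-8

Are we still on for the team lunch on Friday?
"""

if __name__ == "__main__":
    for name, raw in (("SUSPECT", SUSPECT), ("LEGITIMATE", LEGITIMATE)):
        print(name, analyze_message(raw) or ["no findings"])
```

The SUSPECT message trips all four checks; the LEGITIMATE one trips none. In practice rules like these feed a score or a quarantine decision rather than a hard block, since a genuine executive will sometimes mail from a personal address, and the wording check alone is noisy.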
How can I protect my business against email risks?
If you combine technical controls that your IT department can deploy on your email systems with regular cyber security training for your staff, your business will be in a much better position to prevent email attacks.
1) Email policy
Create a firm email policy covering acceptable use, when users shouldn’t use email, how users can access email, what content is not allowed, and whether email use is monitored. You can also include information on company style and tone here.
The policy should also educate your employees on handling confidential information and that an email can be considered contractually binding.
Finally, there should be information on email security, and your email policy should be enforced by HR, company owners and managers.
2) Staff training
Back up your email policy with thorough staff training on what cyberattacks are, how attacks can come via emails, what phishing scams are, and everything they need to know to protect themselves as much as possible.
Also, ensure that your employees know what to do if they've clicked a link in a spam email or opened a suspicious attachment: report it to IT immediately rather than hoping nothing happened, since the first minutes after a click are when an incident is cheapest to contain.
3) Enforce strong passwords
It might seem unbelievable, but ‘password’ and ‘password1’ are still often used, even today.
Cybercriminals guess those in seconds, so your IT department should have a strong-password policy. Current guidance (NIST SP 800-63B) favours length over complexity: require long passwords or passphrases, screen new passwords against lists of known-breached passwords, and require a different password for every application or system. Forced periodic changes are no longer recommended; instead, change a password promptly whenever there is any indication it has been exposed.
Staff can use a password manager, such as LastPass, to generate long, random passwords and remember site logins, which is what makes a unique password per system practical.
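As an added example (not code from the original article), here is what a length-first policy check and a random password generator look like in practice. BREACHED is a tiny constructed stand-in for a real breached-password corpus and the policy minimum is an assumption; the entropy calculation shows why length matters more than sprinkling in symbols.

```python
"""Password policy check and generation, length-first (in the spirit of NIST SP 800-63B).

Added example, not from the original article. BREACHED is a tiny constructed
stand-in for a real breached-password corpus; the policy values are assumptions.
"""
import math
import secrets
import string

MIN_LENGTH = 12                                   # assumption: policy minimum
# Constructed stand-in for a breached-password list (a real deployment would
# query a corpus, e.g. via a k-anonymity range API, rather than a literal set).
BREACHED = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}
ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols


def check_password(password, username=""):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BREACHED:
        problems.append("appears in a known-breached password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) <= 2:
        problems.append("too few distinct characters")
    return problems


def generate_password(length=16):
    """Cryptographically random password drawn uniformly from the full printable alphabet."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(check_password("password1", "jsmith"))
    pw = generate_password()
    print(pw, check_password(pw, "jsmith"), f"{entropy_bits(len(pw)):.1f} bits")
    # Length beats composition rules: 8 random characters from 94 symbols is about
    # 52 bits, 16 is about 105 bits, and every extra character adds about 6.6 bits.
```

Note what the check does not do: it has no rule about "at least one digit and one symbol", because such rules push people towards predictable patterns like "Password1!" while adding almost nothing to a random password's strength.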
Other measures to take include: regular email backups, multi-factor authentication on every mailbox (preferably a phishing-resistant method such as a hardware security key), up-to-date antivirus or endpoint protection, and publishing SPF, DKIM and DMARC records for your domain so that mail spoofing your address is rejected by recipients.