Even though there is now a huge range of ways to communicate, email is still very much the default option in most situations. Email does have a whole lot of benefits. It does not, however, offer a lot of in-built security. Fortunately, you can take steps to rectify this. Here are some tips.
Make sure your own network is secure
All business-related cybersecurity starts with a secure network. No matter how big or small you are, security should be “baked in” to the design of your network. If it isn’t, then it’s time for an update. This may require an investment you’d rather not make when money is tight. It is, however, vital that you find the budget. The survival of your business could depend on it.
If you’re using remote workers, then make sure that they only ever connect to the company servers over a VPN (Virtual Private Network). This ensures that your data is secure, even if their connection isn’t.
Keep end-user devices secure
Insecure end-user devices, of all descriptions, are basically open targets for cybersecurity attacks. Your first step in keeping your emails safe is to ensure that all your employees are using suitable equipment.
There is a general expectation that employers will provide their employees with any equipment which is necessary for their job. It is usually to the employer’s advantage to do this as it means that you have full control over this equipment. For example, in the case of IT equipment, employers can choose the operating system and software and keep both updated.
You can also set more specific rules on how the equipment is to be used. In particular, you can restrict access to certain websites. You can also block certain peripherals from being used with the main devices. For example, you can prevent employees from using non-approved storage devices.
When employees are using their own devices, then the situation can be a bit more complicated. As their employer, you can set rules about what they can and can’t do in their work time. You can also set rules about access to your corporate network and the resources it contains. You are, however, unlikely to be able to set rules about how they can use their own equipment.
If money is tight and/or you are unsure how long remote working is going to last, you might want to look at leasing equipment. This gives you all the advantages of owning (and controlling) your employees’ equipment without the upfront expense of having to buy it.
Use a reputable email provider
If you’re using a free webmail service for your business, then stop now. Firstly, these free services typically have little to nothing in the way of security. Secondly, you are unlikely to have much, if any, recourse if there is a breach. One of the reasons for this is that these free services tend to have terms and conditions which say that they are for private use only.
If you need a web-based solution, then you could consider the paid versions of Gmail and Outlook.com. These are both reputable and reliable. They’re also mainstream enough that many staff will be at least somewhat familiar with them. There are other secure webmail vendors, but the learning curve for staff may be steeper.
If you’re running your own email server, then there is a wide range of options with excellent security credentials. There are, however, two key points to note. Firstly, you need to ensure that your client is configured to reflect your needs. For example, encryption may not be turned on by default, so you may need to enable it yourself.
Secondly, you will be responsible for applying updates promptly. It is impossible to overstate how important this is for security. If you want a case study in why it matters, try searching on “WannaCry Attack 2017”.
Have strong authentication policies
Firstly, you need to put a stop to employees using weak passwords. This includes passwords which ought to be strong but have been reused so often they have become compromised. In the real world, there are only so many unique, strong passwords a person can remember by themselves. This means that you need to use a reputable password manager.
It’s true that password managers do create a single point of failure. It’s also true that they are open to compromise themselves. Overall, however, at this point in time, the advantages of password managers generally outweigh their weaknesses.
Secondly, you need to implement two-factor authentication. In practical terms, the best way to do this is by using an authenticator app. This is more economical than using RSA tokens (even before accounting for tokens being lost). It’s also vastly more secure than using SMS-based authentication.
One of the many advantages of two-factor authentication is that it provides a lot of protection against your password being compromised. This counters the only serious argument against using password managers.
Implement robust email scanning
Countless attacks are made against email every second, let alone every day. Fortunately, the vast majority of them are unsophisticated and can be easily detected by automated monitoring systems. In principle, they should be easily detectable by humans too. In practice, if email were let through unfiltered, there would be so much of it that the average employee simply couldn’t monitor it properly.
Keep in mind that any automated monitoring system is only as good as the people managing it. These days, it’s unlikely that many SMEs will have the resources to recruit and retain in-house cybersecurity staff. This means that you need to find a managed IT security company you can rely on.
Do your research thoroughly before you sign a contract. A reputable vendor of any description should be happy to explain their offering in plain English. They should also be willing to answer any questions you may have. Managed IT security vendors should be no exception to this. If you get any hint that a vendor is trying to “blind you with science”, or any bad feeling at all, then it’s time to look elsewhere.
Educate your employees
With the bulk of the security-checking handed over to computers, your employees should have more time to check the emails they do receive. You will, however, need to train them to spot the red flags which can identify malicious emails.
Luke Watts, director, RoundWorks IT