Since slightly after the dawn of the internet, many companies have transitioned to using an email client for sending regular communications in-house. This transition has opened up a world of productive conversations that have optimized the time of organizations large and small. Unfortunately, it has also opened them all up to increased risk.
Given that 92.4% of malware is delivered via email and that the average cost of a cyber-attack is nearly $3 million, it is clear that considerably more time and resources need to be spent on keeping these cyber-attacks at bay. Using your organization’s cyber resources wisely to combat these threats means implementing the series of strategies outlined in the rest of this article. Let’s walk through the workplace email guidelines that employees can use to help ensure the safety and security of their company’s data.
Business Email Compromise Attacks are Growing in Severity
Businesses of all sizes are constantly bombarded with email compromise attacks. According to the FBI, business email compromise attacks accounted for just 6% of attacks, but they have caused more than $12.5 billion in losses in the past 5 years. It is because of these crippling attacks that businesses must take the appropriate preventative measures to ensure that their company data stays secure and their brand’s reputation remains intact.
One of the most notorious business email compromise schemes that hackers employ is the phishing scam. A phishing scam can take the form of a simple email that asks the user to reset their account or password, so that the hacker can gain access to the wealth of sensitive information that the company stores on its server. By focusing on all of these types of authentication compromise, organizations can approach email security as a whole and develop a clear, preventive game plan.
In most business email compromise attacks, hackers mimic an employee within the organization using their stolen login credentials. These attackers then use this information to steal sensitive financial and personal information related either to that employee, an executive with administrative access, or the customers and clients that the organization serves. More than 1,000 unique email domains are used to launch business email compromise attacks, but just 10 top domains are used in 62% of all attacks.
It’s important to note that hackers spend a great deal of time and energy researching an organization and its employees before they even launch their attack. They impersonate an executive or another employee in an email, requesting a wire transfer or personally identifiable information (PII) from finance department employees and others with access to sensitive information. Once the money has been transferred to a fraudulent account, it’s nearly impossible to get back.
Understanding What Business Email Compromise Attacks Look Like
Many business email compromise messages contain no malicious links or attachments, and so they often bypass traditional email security measures (spam filters, etc.). A common business email compromise involves fraudulent wire transfer instructions that appear to come from the company’s CEO or another C-suite executive, instructing the recipient to immediately process payment for a new vendor.
These emails are specifically sent to finance and accounting employees. If these employees do not follow company email security policies, the result can be compromised finances and the loss of company accounts.
Another example is the W-2 scheme, in which a hacker impersonates a C-suite officer and directs an employee in payroll to send copies of W-2 tax forms to them via email. This W-2 information helps the attacker obtain refunds from fraudulent electronic tax returns and rack up a plethora of fees that the individual can’t afford to pay.
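As an added illustration that is not part of the original article, the following Python script scores a raw message for the indicators that characterize the wire-transfer and W-2 requests described above, which carry no link or attachment for a conventional filter to catch. The company domain, executive directory, keyword lists and both sample messages are constructed for this example.

```python
import difflib
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed, hypothetical values: the company's mail domain and its executive directory.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox
PAYMENT_TERMS = ("wire transfer", "new vendor", "w-2", "payment", "invoice")
URGENCY_TERMS = ("immediately", "urgent", "asap", "right away")

def bec_indicators(raw: str) -> list[str]:
    """Return the BEC indicators present in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    found = []
    # A known executive's display name on a mailbox that is not theirs.
    if name.lower() in EXECUTIVES and addr.lower() != EXECUTIVES[name.lower()]:
        found.append("display-name impersonation")
    if domain != COMPANY_DOMAIN:
        found.append("external sender")
        # Lookalike domain: near-identical spelling of the real company domain.
        if difflib.SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio() >= 0.8:
            found.append("lookalike domain")
    if reply_to and reply_to.lower() != addr.lower():
        found.append("reply-to mismatch")  # replies diverted to another mailbox
    if any(t in text for t in PAYMENT_TERMS):
        found.append("payment or tax-form request")
    if any(t in text for t in URGENCY_TERMS):
        found.append("urgency language")
    return found

def is_likely_bec(raw: str, threshold: int = 3) -> bool:
    """Flag a message for out-of-band verification once enough indicators stack up."""
    return len(bec_indicators(raw)) >= threshold

# Constructed sample: CEO impersonation from a lookalike domain, no link, no attachment.
BEC_SAMPLE = (
    "From: Jane Doe <jane.doe@examp1e.com>\nReply-To: ceo.jane.doe@mail-provider.invalid\n"
    "To: accounts@example.com\nSubject: Payment for new vendor\n\n"
    "Please process a wire transfer for our new vendor immediately, I am in a meeting.\n"
)
# Constructed sample: a routine message from the executive's real mailbox.
LEGIT_SAMPLE = (
    "From: Jane Doe <jane.doe@example.com>\nTo: accounts@example.com\nSubject: Q3 budget\n\n"
    "Attached is the Q3 budget summary for review.\n"
)
```

A flagged message is a prompt for the phone call described later in this article, not an automatic block, since a legitimate executive travelling with a personal mailbox can trip some of the same checks.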
The Importance of Email Security Awareness
Often, these highly personalized email attacks do not contain malicious links or attachments, making them very difficult to detect with traditional email security. This is why it’s imperative that businesses teach their employees the importance of email security awareness to keep their data safe.
Emails require robust protection on several levels, be it the authentication process, the content, the sender’s identity or the functionality of the setup itself. Despite the many tools and strategies available online that can give businesses a leg up against these types of email attacks, reports of businesses falling victim to phishing attacks and malicious spam campaigns are still commonplace. Losses from these attacks have reached tens of millions of dollars, which can be a veritable death sentence for many small businesses.
By creating a comprehensive cybersecurity plan that includes email, businesses can be prepared to face many of the threats that lurk online today. No matter the size of the organization, a cybersecurity plan is important. If you don’t have one constructed and in play currently, now is the time to get one.
Cybersecurity awareness is vital for every employee at every level of any organization, because everyone in an organization is a target for a cybercriminal. Training your organization from the top down to react properly to email-based threats can help you defend against cyber threats of all sizes.
Email Security Tips for Employees
Cybersecurity is no longer just a technical problem. It’s a people problem. Ensuring that the people in your organization have the know-how to defend themselves and their organization against threats is a critical component of a robust cybersecurity program.
According to a recent 2018 survey, the average cost of insider-caused incidents is $8.76 million. That’s more than twice the $3.86 million global average cost of all breaches in the same year. A 2019 report also highlights that 34% of data breaches involved internal employees. This is the type of eye-opening data that business leaders need to focus on to ensure that their email communications do not serve as a type of backdoor for hackers.
A recent report outlined a massive 250% increase in phishing attacks from the year prior, making phishing the most frequent attack vector that hackers use to penetrate a business’s network infrastructure. Teaching employees to recognize these malicious attacks and apply fundamental email security measures is what will keep your business soaring in the future. Let’s look at some of the top email security guidelines that businesses should instill in their employees to increase the effectiveness of their cybersecurity plans.
Using Strong Passwords is Important
Strong email passwords that are changed on a regular basis are key to ensuring robust protection against cyber threats. Using a mix of alphabet letters in lowercase and uppercase that also includes numbers and special characters is extremely important. If your employees find that their complex passwords are difficult to memorize, then it might be a good idea to use a password manager that ensures that passwords are never written down or stored on the company server.
By implementing a password management system that includes two-factor authentication (2FA), companies get an extra layer of security that is important to their long-term success. With mobile devices becoming more prevalent in organizations, due in part to BYOD policies that allow for increased productivity, it’s also important to configure secure SMS codes for employee logins as a second factor alongside their strong passwords.
Although taking this type of approach to their email passwords does not entirely overcome poor practices on the part of the organization, it will help defend against attackers seeking to target weak passwords. If your organization gets in the habit of reusing passwords across different systems, that could cause those systems to be exploited if an attacker gains access to passwords on any of those systems.
However, no matter how well employees follow an organization’s email security measures, those measures can still be undermined by a poorly-protected infrastructure. Attackers know that trying a re-used password associated with a person’s account on a breached system will often unlock other accounts. Of course, the benefits of changing passwords quarterly or monthly must be balanced against users’ tendency to pick weaker passwords that are easier to remember, and thus easier for attackers to exploit.
Investing in Email Security Training
Consistent email security training sessions are a great tool to ensure that employees are prepared to manage all types of information security risks. Companies from all over the world are addressing email security through email awareness training that is tailored to emphasize the types of threats facing employees and industries at large.
Employers need to be certain that their staff understand how to handle sensitive data on their devices (whether mobile or desktop) and the risks associated with information security in general. Employees can use the email security training they receive to improve their ability to identify problematic messages and learn how to avoid clicking on the wrong links or opening the wrong attachments. Don’t forget, though, that email security training can also be used to inform employees about the types of security tactics used in the organization.
Enforcing an Email Policy
While training is the cornerstone of a solid email security plan, the only true way to ensure that email attacks are put to rest is if email and cybersecurity policies are built around the needs of the users. Email security providers can build software that automatically detects suspicious emails, but oftentimes, these emails slip through the cracks.
It only takes one email to create a massive data breach, which is one of the many reasons why enforcing an internal email policy is important to keep your employees constantly vigilant in the face of these attacks. By documenting a policy for email usage and instructing employees to adhere to that policy, employees will be much more adept at working autonomously to identify and handle these malicious emails on the spot.
These policies must ensure that employees are aware of emailing procedures that satisfy data safety requirements. These requirements can focus on what kind of data can and can’t be sent via emails, who would be authorized to send company sensitive information, and what kind of files should not be downloaded. By talking to your employees and understanding the specifics of their jobs, you can build a plan to ensure that these email security policies are balanced and allow them to do their jobs reasonably, but safely and securely.
The Human Factor of Email Security
Of course, when it comes down to it, technology and processes can only do so much, because the predominant driver of most company interactions rests in the hands of humans. Even the most skilled IT experts cannot do much to decrease the likelihood of attacks that are driven by employee negligence. Providing email security tips for employees gives them a better understanding of IT literacy and the security habits that should be cultivated.
If the human side of the equation is not figured out quickly by an organization, then it is most likely that critical information might fall into hackers’ hands. Giving employees the tools and training they need to master crisis management scenarios will keep your organization afloat long after a breach occurs.
The Effectiveness of Email Security Awareness
Approaching your company’s email security plans requires the awareness of the specific business email compromise scenarios that were outlined in this article. Take the time to measure the impact of your training at various intervals throughout each calendar year to ensure you can measure the effectiveness of your email awareness training and policies.
Create an internal-only communication channel for members of your key financial and data teams to discuss sensitive information that you don’t want to fall into the wrong hands. You can also set up a dedicated email address or an internal chat application where they can safely and securely share this information and keep everyone in the loop at all times.
If all else fails, a simple phone call to IT to clarify emails regarding payment can eliminate a lot of risk and data breach headaches down the line. If at any time you think that an email doesn’t sound like something the sender would request, calling the individual directly to verify that their request is valid can shut down a malicious attack on the spot.
Contact RSI Security to get help on developing an email security program for your organization today.