June 13, 2016

Email Security for Small Businesses

Laurent Slutzky

Author

In December 2015, more than half of the phishing attacks executed were against small and medium businesses. If you think that your business is immune to the risks associated with email attacks, think again. Learn how businesses are at risk of email attack, and how to protect your employees.

The Risk to Small Businesses

Email is attractive to hackers because it’s easy to use, and it’s easy to target a lot of businesses at once. Businesses everywhere have and use email, and most have general accounts that can be guessed by adding a prefix like "help desk" or "sales" to the company’s domain.

From a hacker’s perspective, all that’s needed to mount an attack is a false email address and a phishing or spear phishing email. These emails may at first appear legitimate, but contain a nasty file, link, or other hidden surprise. Simply by reading the email on their office computer or their smartphone and clicking a malicious link, staff introduce the threat to your network.

Hackers often target small businesses because many do not have stringent cyber security measures in place. If your small firm contracts with large businesses, you could be seen as an attractive "back door" to big firms. If the attacker can gain access to your organization, they can then target the big firm you contract with.

Typical email threats facing small businesses include:

  • Ransomware – In a typical ransomware incident, malware delivered via email encrypts enterprise data. For a fee, the attackers purport to deliver the encryption key. 
  • CEO fraud – Upon illegally gaining access to high-level accounts, an attacker can impersonate the high-level employee and authorize a payment, thereby defrauding your business. 
  • Data theft – After gaining access to employee credentials, hackers can steal enterprise data. Product data, customer information, financial information, and other business critical information could be at risk.

When speaking about the email risks to small businesses, you must think about the potential for human error. It is a generally accepted concept that people are the weakest link in the cyber security chain. All it takes is one accidental click to open a phishing email or one download of a corrupted file to put your enterprise data at risk.

Humans can also purposefully introduce a cyber threat. While you may hate to think about it, a rogue employee denied a promotion or a former staff member whose credentials were not revoked could attack from within.

According to the Cisco 2015 Midyear Security Report, it takes businesses an average of 100 to 200 days to detect malicious activity. That’s as much as half a year’s access to your enterprise data, your client’s data, and your intellectual property. If you think that you’ll know immediately should a hacker infiltrate the network, think again.

The best defense against these email threats is a good offense, and partnership with organizations that can implement best in breed cyber security solutions to protect your business.

If your business does suffer a cyber attack, the average business costs run over $188,000. The ramifications to your business reputation may be steep. If you have been holding off on investing in cyber security due to the cost of paying for threat detection, know that you face much steeper fees when you are attacked. For it is no longer a question if your business will face a cyber threat, but when.

Education Best Practices for Email Security

Safeguarding staff email begins with education. Many employees are unaware of the risks associated with certain behaviors.

InfoSight studies show that 50 percent of businesses spend less than 1 percent of their security budget on employee education around cyber security risks. Yet 85 percent of these same businesses have found viruses, and 64 percent have suffered financial loss due to cyber attacks. Clearly, education is an underfunded and critical area of cyber protection.

To mitigate your risks, educate staff on how to spot and avoid phishing emails as a first line of defense. Phishing emails usually incorporate a legitimate business, down to using the business logo. Yet these emails usually promote something that seems too good to be true, or ask for sensitive information.

Your bank will never ask you to confirm account numbers or provide a user password over email, for example. While your bank may email you regarding your account if you have opted into email communication, they will use postal mail or telephone to transmit sensitive information.

If an employee opens an email that seems suspicious, they should do two things. First, they may call the institution directly to ask whether the recent email was legitimate. Second, they may type in the URL mentioned in the email. Staff must never click on links in emails that seem suspicious as this will introduce the threat to your network. Staff can also check in with the IT department if they feel unsure about a recent email.

Many businesses are already informing staff about the risk. Yet too many firms think it is their responsibility to only educate staff on cyber security one time. By regularly bringing up cyber security issues with staff, you can keep email security at the top of employee minds. This subtly encourages good behavior and helps staff remain vigilant to phishing threats.

Along with education, set a policy regarding safe email usage in the workplace. Your email policy should be part of your overall cyber security plan, which focuses on ways to protect enterprise data from attack via email, website, payment system, network, or other access point. If you allow staff to use personal devices for work, your policy must cover smartphones and tablets. To protect these devices, mandate the use of device passwords and prohibit connection to unsecured wireless networks.

Weak passwords allow attackers to gain easy access to an employee’s credentials – and your system. Many staff select easy-to-remember, easy-to-guess passwords. Worst offenders include "password" or "12345678." Enforce strong passwords for computer logon and email account to limit your risk. Strong passwords consist of letters (upper and lower cases), symbols, and numbers. As a best practice, have staff change their passwords seasonally. Insert any password rules into your email policies, so that staff are aware of the importance of strong passwords to cyber security.

Email policies may prohibit email attachments that exceed a certain size, curtail personal emails sent over the network, or bar staff from transmitting confidential or sensitive business data via email. If you plan to monitor staff email for cyber security, your policy should mention this. Finally, a policy should outline any consequences of policy violation, such as a write-up or termination.

By educating staff and maintaining a policy around email use, you create a culture of awareness. This can greatly reduce the potential for human error regarding cyber security.

Software Solutions for Email Security

Threat monitoring software analyzes incoming email, seeking to identify threats before they access your network. Threat monitoring can keep you safe from phishing, ransom attacks, and data loss by identifying suspicious senders or suspicious attachments, and quarantining email before employees view it.

Encryption software seeks to protect outgoing emails by encrypting data prior to transmission. Since encrypted emails cannot be read without a decryption key, an attacker who intercepts the email cannot harvest its data to harm your company.

Along with specific email threat protection, you need a strong security suite that checks for malware and viruses.

It’s also a good idea to invest in an internal firewall. Too many organizations only patrol the perimeter. Unfortunately, this falsely assumes that all threats will be turned away. By placing internal firewalls at the access point to sensitive business data, you can safeguard against internal threats and attackers who have gained access.

If your organization uses Office365, it comes with several built-in security protections, including management for mobile devices, data loss prevention tools, and email encryption.

It’s recommended to work with a managed services provider to implement email security tools. If your head is spinning after reading about the different protective measures to implement, a managed service provider can explain in plain language what you need and why. They can answer any questions you have, so you feel fully informed about the threats and confident in taking action to protect your business. A managed services provider can recommend the best combination of software tools for your business, put these protective tools in place for you, and subsequently monitor your network for faster response to threats.

Cyber security is not a "one and done" affair. After you implement email security tools and educate staff on how to avoid the risks, review your controls. If you bypass the review phase, then you will only know that you have a vulnerability when a hacker exploits it. Together with a managed services provider, stay informed on the latest threats and always revisit the protective measures you have in place. Through a cycle of continuous assessment and improvement, you can stay ahead of the threats and safeguard your hard-earned business reputation.