Cyber security threats hiding in plain sight
Sometimes the best hiding place is the one in plain sight. That’s exactly where the greatest vulnerability of your office environment is hiding. It’s the gateway of communication to your organisation…and, if you haven’t already guessed it, it’s your email platform.
Email is the weakest point in most security strategies. It’s a direct route into your environment for security threats like ransomware, scams, phishing and other malware. This isn’t the only way for hackers to compromise security, there are other more creative ways to do this, but email remains the easiest.
Everyone is at risk of being a target for hackers, so email security should be a priority across the whole business. If you haven’t ever received a phishing scam, consider yourself lucky, it’s a lot more common than you might think.
What email cyber security threats are out there?
The threats to your business are varied. There has been a rise of ransomware-as-a-service (Raas) which is designed to make cybercrime accessible to anyone1 through hacker forums and the dark web. The ability to use ransomware for your own agenda, irrelevant of your skills, is a scary thought.
Old cyber threats like Cryptowall and Locky, target individuals and usually demand small amounts of ransom money to recover files2. New versions such as Cryptolocker which affected more than 500,000 people in 2015, and WannaCry which cost NHS Trusts £92m in direct costs and output in 20173 have all caused havoc and considerable financial damage.
Currently one of the most common methods of ransomware entering your environment is through spear phishing. This is an email with malicious files attaced4. If you click an embedded link or open an attachment, your computer can be infected, so you must be careful.
Innovative risk management could protect you from ever evolving forms of ransomware5. To protect your business from the threat of improper email use, you should create an email security risk management strategy.
When preparing your strategy you should consider these 3 things:
1. Raising awareness of email security issues
The human element is critical in email-related breaches. User awareness is key in keeping your business safe and not allowing breaches through email. Educating your staff on phishing and general email security will reduce the risk of a breach. And will prevent staff clicking an unsafe link, opening a malicious attachment or giving away sensitive information.
Your training on email security should match the different types of risks that apply to different roles in the organisation. This will help staff to know exactly what to watch out for in their specific role.
You should test how your training is received by staff. This will ensure that it’s understood. Phishing email tests are a good way to see how staff react. They can help you assess the risk and whether you need to re-visit any previous training. Cyber threats are constantly evolving, so scheduling regular sessions can go a long way towards maintaining a secure environment.
2. Preventing malicious email attachments from reaching your environment
As mentioned, disguised documents are a popular and effective way for criminals to enter your company’s environment. Reducing this type of breach is an important part of your staff training, but it’s not the only thing you can do.
There are a variety of email security solutions such as Mimecast, which allow attachments to be scanned for malware. They can also recognise new forms of malware, even those that are unknown.
If you use Microsoft Office 365 or Exchange Online you’re able to set up mail flow or transport rules that quarantine emails with attachments. These can then be inspected by your IT team before they reach the rest of your staff.
As a general rule it’s a good idea to reduce the amount of attachments in emails. By moving to a collaborative digital environment using file sharing, you’re minimising the risks of a breach. And, as an added bonus you won’t get as many large files that clog up your inbox!
3. Using a robust email security gateway
A robust email gateway should be an essential part of your email security strategy. Your gateway will provide necessary protection against email threats. All inbound emails are scanned for malicious content or programs. Having a gateway can reveal hidden programs that otherwise could go unnoticed.
Signature-based scanners can also be useful. They stop threats by looking at a database of signatures for malicious threats, but the issue here is the signatures must be added to the database first. So this method becomes useless against unknown or new security threats
Your email security strategy should be part of your wider risk management program. It plays a vital role in protecting your business from cyber threats. But it will never be prefect. It’s important to re-evaluate your companies risk profile regularly as things can change quickly, especially in the world of cyber security.