5 Commonly Overlooked Security Threats

The Internet is a vast place that brings amazing information to our fingertips in a matter of seconds. While this is a wonderful attribute, it can also be dangerous to your personal information or your business’s data. That’s because there are hackers out there just itching to access your information, and email is still a common way they accomplish this feat. And as we’ve seen through several recent examples—including the 2015 Pentagon and 2014 Sony email hacks—simply having a “strong” email password isn’t enough to keep your data from being compromised.

While some may jokingly (or not-so-jokingly) call for less email usage and more frequent use of the phone to communicate important information, it’s not always possible in our highly digital world. So in addition to being cautious about what is communicated in your emails, it’s important to understand how to protect those emails in the first place. To ensure secure email on your personal and work devices, you first have to recognize threats to your email system—including the less common ones.

Overlooked security threats

Here are five often overlooked threats to your email security:

  1. Social engineering schemes that use your mobile number—Did you know that attackers only need your mobile number to trick you into giving access to your email? Essentially, they’ll send you a text posing as your email provider (e.g., Outlook) and tell you you’re about to receive a code to ensure your email account is secure. This text will then ask you to reply with the code to confirm. Then they’ll trigger the password reset process, and you’ll receive a real message with the unlock code. If you unknowingly send that code to the attackers, they’ll use it to reset your password without your knowledge.
  2. Sharing your access credentials with others—It’s common for some employees to share their credentials—including their password—with a fellow employee or manager when they’ll be out of the office, whether on vacation or during short-term or long-term disability. If organizations don’t have defined security policies for these situations, a lack of accountability could lead to compromised email security.
  3. Loss of a phone with pertinent information—Password management applications are wonderful tools that help you keep track of all the passwords for all of the email accounts you undoubtedly have. But if this application is installed on a phone that is lost or stolen, that can be a problem. Of course, it’s important that your phone is also password-protected, but organizations should take security one step further when it comes to work or personal devices that carry business data or information. Specifically, a business should standardize acceptable use policies regarding the local storage of files, remote wipe capability and network connectivity.
  4. Lack of email encryption—Just because data is passed via a secure email server doesn’t mean it’s 100 percent safe. To add an extra layer of protection, companies should invest in an encrypted email service, which seals email messages and ensures only those with a decryption key can read and access sensitive information.
  5. Crypto-ransomware—Ransomware is nothing new, but it’s a nasty way for hackers to operate. They essentially take the files on your computer or devices hostage until you pay a ransom to have them released. Crypto-ransomware is even nastier, as the hackers encrypt your computer’s files and will only surrender decryption keys upon payment. How is this related to email? These attacks are typically triggered through the opening of some sort of email attachment (e.g., an invoice, energy bill, image, etc.) and they often look legitimate. According to Symantec’s 2015 Internet Security Threat Report, attacks of this nature are highly profitable (bringing in approximately $34,000 per month for one group alone) and growing in popularity.

Whether through phishing schemes or direct malware attacks, email security threats are prevalent—and as we’ve seen, even the mighty can fall prey to them. That’s why it’s more important than ever for organizations to invest in a secure email service that will help them keep their data safe. In addition, employee education is a large part of maintaining a secure email environment. When people know what to expect, they’re better equipped to protect themselves and their companies from liability.


Blog credit to Microsoft: https://blogs.office.com/2016/01/28/overlooked-email-security-threats/

The Small Business’s Guide to Secure Email

It probably comes as no surprise to most business owners that email is a primary way hackers can gain access to sensitive company data and information. But it may alarm you to know that small businesses are particularly vulnerable. Specifically, overall cyber-attacks on companies with 250 or fewer employees doubled in the first six months of last year—and the loss per attack was more than $188,000 on average. Across the American economy as a whole, cyber-attacks cost $100 billion annually, according to the Center for Strategic and International Studies.

That’s one reason the great Sony email hack of 2014 was such a big deal—it left every business wondering how they could avoid the same fate. It stands to reason that if such a large company, with multiple layers of security, can be hacked, small businesses with fewer resources have no hope, right?

Maybe not. There are many ways to ensure your business is protected through secure email. Since your business’s security is only as strong as your weakest link, the secret is to get employees involved and invested in the success of your security. Here are seven tips to get you started.

  1. Make it a top priority to create and implement a cybersecurity plan.

Of course, this involves more than simply considering how to ensure secure email service—it should also include strategies for keeping your website, payment information, and other information safe—but addressing email security should be a main part of your plan. The Federal Communications Commission created a handy tool, the Small Biz Cyber Planner 2.0, to assist you in creating a customized plan.

  2. Consider email encryption.

Email encryption helps to protect personal information from hackers by only permitting certain users to access and read your emails. There are several methods of email encryption depending on the level of security—and convenience—you require. For example, you could download or purchase extra software that plugs into Microsoft Outlook. Gpg4win is one such free email privacy package for Windows. Or, you could install an email certificate like PGP (Pretty Good Privacy), which allows your employees to share a public key with anyone who wants to send them an email and use a private key to decrypt any emails they receive. Another simple solution is to use a third-party encrypted email service.

  3. Ensure passwords are secure.

All employees should have their own password for their work computer and email system. These passwords should be reset every three months; also consider requiring multifactor authentication when employees change their passwords. The strongest passwords consist of at least 12 characters and a combination of numbers, symbols, lower-case letters, and capital letters. Passwords should not be something obvious (e.g., birthdays, children’s names, etc.) but should be memorable. In other words, employees should steer clear of the two most common—and worst—passwords of 2014: “password” and “123456.”

Also, employees should not use the same password for multiple accounts or websites. Consider allowing the use of a password manager or single sign-on function. Some great solutions for small businesses looking for tools to store codes, bank accounts, email accounts, PINs, and other account information in one place include CommonKey, LastPass, and Password Genie.
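
One way to check a proposed password against the rules in this tip, shown as an added example that is not part of the original article. The function names, the short deny-list and the sample passwords are constructed for illustration, and the trailing-digit comparison goes slightly beyond the text so that near-reuse across accounts is also caught.

```python
import re
from datetime import date

# Constructed sample deny-list; the article names only "password" and "123456".
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

CHARACTER_CLASSES = {
    "number": r"[0-9]",
    "symbol": r"[^A-Za-z0-9\s]",
    "lower-case letter": r"[a-z]",
    "capital letter": r"[A-Z]",
}

def date_variants(d):
    """Digit strings a birthday commonly takes inside a password."""
    formats = ("%Y", "%m%d", "%d%m", "%m%d%Y", "%d%m%Y", "%m%d%y", "%d%m%y")
    return {d.strftime(f) for f in formats}

def stem(password):
    """Lower-case and drop trailing digits/symbols, so 'Spring2015!' ~ 'Spring2016'."""
    return re.sub(r"[\d\W_]+$", "", password.lower())

def check_password(candidate, personal_words=(), personal_dates=(), other_passwords=()):
    """Return the rules from the article that `candidate` breaks (empty list = passes)."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    for name, pattern in CHARACTER_CLASSES.items():
        if not re.search(pattern, candidate):
            problems.append(f"missing a {name}")
    if any(common in lowered for common in COMMON_PASSWORDS):
        problems.append("contains a common password")
    for word in personal_words:  # e.g. children's names
        if len(word) >= 3 and word.lower() in lowered:
            problems.append(f"contains personal word '{word}'")
    digits = re.sub(r"\D", "", candidate)  # ignore separators such as 04-12
    for d in personal_dates:  # e.g. birthdays
        if any(v in digits for v in date_variants(d)):
            problems.append(f"contains the date {d.isoformat()}")
    s = stem(candidate)
    if s and any(s == stem(other) for other in other_passwords):
        problems.append("reuses another account's password or a trivial variant")
    return problems

if __name__ == "__main__":
    print(check_password("Emily0412!Soccer", ["Emily"], [date(2009, 4, 12)]))
    print(check_password("Plum-Kettle9-drift") or "OK")
```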

How do you know whether your password has been compromised? Sign up for watchdog services like PwnedList or Breach Alarm, which monitor leaked passwords and will report automatically to you if any of your email addresses are vulnerable.

  4. Develop an email retention policy that makes sense.

With the cost of storage today, there’s no point in keeping old emails that are no longer useful. Ask employees to purge emails that do not support business efforts and implement a policy to ensure compliance. Many companies institute a 60-90-day standard, with steps toward automatic archiving and permanent removal after a set time period. Remembering to delete emails that don’t comply with this standard can be difficult for some employees, so frequent reminders may be necessary.

  5. Train employees in email security.

Employees play a crucial role in keeping data secure through email. They should be trained on what types of behaviors to refrain from and what types of emails to avoid. Unfortunately, according to InfoSight, nearly half of all companies spend less than 1 percent of their security budget on programs that train employees on how to be aware of security threats. Yet 64 percent of organizations experienced some level of financial loss due to computer breaches and 85 percent detected computer viruses. Wouldn’t it be worth the low cost of training to mitigate the potentially large cost of a hack?

Specifically, employees should be trained to comply with the following rules:

  • Never open links or attachments from unknown persons.
  • Don’t respond to emails that request a password change and require you to divulge personal information—no matter how official the source appears.
  • Ensure antivirus and anti-spyware software are updated on your computer.
  • Encrypt any emails containing sensitive data before sending.
  • Don’t use your company email address to send and receive personal emails.
  • Don’t automatically forward company emails to a third-party email system.

In addition, some companies have found success in instituting programs that test employees with phishing campaigns, spear-phishing emails, and other cybersecurity threats and then reward them when they pass these tests.

  6. Maintain strict standards for company-related mobile device usage.

Employees who use a company-issued mobile device, or a personal mobile device on which they send and receive company emails, should encrypt data, keep the device password-protected, and install approved security apps so hackers cannot access devices via shared WiFi networks.

  7. Avoid common pitfalls when securing email.

Besides all of the things we’ve already discussed, email can remain unsecured in other ways as well. Be sure to consider the following:

  • All computers—not just a few—should use email encryption. There’s no point in encrypting emails unless the same standard is applied across the board.
  • Unlocked computers should never be left unattended. Make it company policy for employees to lock their computers (which should be password-protected at login) before getting up from their desks.
  • Store emails in a secure location behind a firewall. Do not allow employees to store copies of emails in their personal cloud or any other such location.

By being purposeful when creating policies involving your small business’s emails, you will head off a lot of issues before they even come to pass. Get employees on board and reward them for assisting in developing an environment where information is secure. Together, it’s possible to keep employee, customer, and business data safe—one email at a time.

Reference: Microsoft Office Blog: http://blogs.office.com/2015/05/12/the-small-businesss-guide-to-secure-email/