Make cybersecure emails your resolution for 2023
Let the information in, not the cyber attacks
Email lets information flow freely. It’s why email has become the main communications tool for business – and why it’s by far the most common vector for cyberattacks. It’s essentially the front door of your digital fortress.
Business leaders know the risks in theory but are still surprised by the impact when something goes wrong – business, at every level, grinds to a halt. Here are seven critical steps for defending your email, while keeping information coming in and out.
1. Understand what you have
To improve your email setup, you need to get to know it. Identify the users or mailboxes especially at risk of phishing and other attacks, and check that none of them are published on public sites. Clearly document any compliance obligations, the policies you have in place and any that you’re not quite meeting.
Next, describe how your workflow uses email and take a good look at the general architecture. If it’s on-premises, note down the versions and support information. Check on your email provider – are they meeting all your requirements?
2. Un-pick the complexity
If your organisation is like most, your email security will be a Frankenstein’s monster, with bits bolted on over the years. It probably has obsolete rules, or caters for non-existent domains or user groups. This is inefficient for you and makes it much easier for attackers to find a way in. Tangled setups can also be intimidating for support staff, who might be unwilling or unable to properly support your email environment. Unpicking this complexity can be time consuming, but it is worth it – aggregate your sending sources as much as possible, remove MX records from domains where no email is received and trim obsolete rules.
3. Put new controls in place
While your organisation’s policies – and the controls you put in – will be unique to you, they should also:
- Clearly report and describe what they’re doing in your admin console or security ops manual.
- Manage staff in groups and integrate Active Directory (AD) to help ensure you’re correctly capturing and classifying data.
- Keep staff informed and upskilled in security awareness. You need them to know how to spot potential attacks and what to do if something goes wrong.
4. Take control of your domain and email reputation
You might be paying attention to what emails are coming into your organisation, but do you know what’s being sent from your domain? DMARC, DKIM and SPF allow owners to control who can send emails from their domains, preventing bad actors from sending emails that look like they’re from you. This protects against domain reputation damage, which can mean your emails get rejected, blocked or junked. A first priority should be rolling out DMARC, and DPS from SMX makes that simple. Combining a proven process with expert people and best-of-breed technology, we can implement DMARC in as little as five weeks. You’ll also then get ongoing monitoring to keep DMARC working as it should.
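The records that step 4 refers to are plain DNS TXT records, and the weak settings that leave a domain spoofable (an SPF record ending in `~all` or `+all`, a DMARC policy of `p=none`, no reporting address) are easy to check mechanically. The script below is an added example, not SMX’s code or part of the DPS service: it parses SPF and DMARC records and lists the gaps. The domains `weak.example`, `strong.example` and `parked.example` and their records are constructed sample data so it runs offline; in practice the same checks run over the TXT records fetched for `yourdomain` and `_dmarc.yourdomain`.

```python
"""Added example (not SMX's code): parse SPF and DMARC TXT records and flag
settings that leave a domain open to spoofing.

SAMPLE_TXT is constructed data keyed by DNS name, standing in for a TXT lookup.
"""
import re

# Constructed DNS TXT records for hypothetical domains.
SAMPLE_TXT = {
    "weak.example":          ["v=spf1 include:_spf.mailhost.example ~all"],
    "_dmarc.weak.example":   ["v=DMARC1; p=none"],
    "strong.example":        ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100"],
    "parked.example":        ["v=spf1 -all"],   # non-sending domain: SPF only, no DMARC
}

# SPF terms that cost one of the ten permitted DNS lookups (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "exists", "redirect"}


def find_record(txt_records, prefix):
    """Return the single record starting with prefix; None if absent or duplicated
    (two SPF or two DMARC records at one name is itself an error receivers treat as invalid)."""
    matches = [r for r in txt_records if r.lower().startswith(prefix.lower())]
    return matches[0] if len(matches) == 1 else None


def parse_spf(record):
    """Split an SPF record into its mechanisms and the qualifier on the final 'all'."""
    mechanisms, all_qual = [], None
    for term in record.split()[1:]:            # skip the 'v=spf1' version tag
        if re.fullmatch(r"[+\-~?]?all", term):
            all_qual = term[0] if term[0] in "+-~?" else "+"   # bare 'all' means '+all'
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qual}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, txt=SAMPLE_TXT):
    """Return a list of human-readable findings about the domain's SPF/DMARC posture."""
    findings = []

    spf = find_record(txt.get(domain, []), "v=spf1")
    if spf is None:
        findings.append("SPF: no single valid record published")
    else:
        parsed = parse_spf(spf)
        if parsed["all"] in (None, "+", "?"):
            findings.append(f"SPF: 'all' qualifier is {parsed['all'] or 'missing'}; unlisted senders are not rejected")
        elif parsed["all"] == "~":
            findings.append("SPF: softfail (~all); receivers may still accept spoofed mail")
        lookups = sum(1 for m in parsed["mechanisms"]
                      if re.split(r"[:=]", m)[0].lstrip("+-~?") in LOOKUP_TERMS)
        if lookups > 10:
            findings.append(f"SPF: {lookups} lookup mechanisms exceed the limit of 10 (permerror)")

    dmarc = find_record(txt.get(f"_dmarc.{domain}", []), "v=DMARC1")
    if dmarc is None:
        findings.append("DMARC: no record published; spoofed mail is not policed")
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p", "")
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: policy p={policy or 'missing'} does not enforce")
        if "rua" not in tags:
            findings.append("DMARC: no rua address, so no aggregate reports will arrive")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    return findings


if __name__ == "__main__":
    for name in ("weak.example", "strong.example", "parked.example"):
        print(name, assess_domain(name) or ["no findings"])
```

The `parked.example` entry shows the step-2 case of a domain that sends no mail: an SPF record of `v=spf1 -all` tells receivers that nothing legitimately originates there, and the script still reports the missing DMARC record, since a parked domain with no DMARC policy can be spoofed just as easily as an active one.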
5. Use SSO and 2FA
Email is a relative dinosaur – the first ever internet service – so it’s often operated without the modern security mechanisms designed to sidestep human error. It’s fast and easy to deploy single sign-on (SSO) and two-factor authentication (2FA) on your domain. This reduces the chance of stolen credentials, fraud, data loss and identity theft.
While both are easy to use, SSO is particularly useful. It improves security while also making it easier for users to sign in.
6. Outsource to specialists
Outsourcing your email security management to a specialist cloud provider isn’t just a good idea – it’s best practice, according to The Radicati Group.
That’s because email is complex, specialised and, for most businesses, mission critical. You can’t afford downtime. Outsourcing to specialists is nearly always more cost effective than hiring trained engineers to look after on-premises servers and appliances.
Outsourcing also speeds up updates, so you stay ahead of any new attacks and techniques.
It’s a good idea to choose a provider in your region who has a great track record of protecting organisations your size or larger. They’ll know how to support you, be better at helping you meet compliance requirements and will have their eye on local threats. But whoever you hire, remember you’re still liable for any issues. Make sure you keep an eye on your provider, with a third-party audit or internal validation.
7. Keep looking for gaps in your email security
There is no such thing as a watertight email security system. You need to keep looking for gaps, so you find them before the hackers do. This requires getting the right information to the right people, something most providers can deliver, with scheduled reports to feed into your SIEM systems.
Some providers will also offer extra reporting relevant to different stakeholders, and DMARC reporting and conformance tools show information sent back by the recipients of email from your domain. This shows you where your domains might be unprotected, and other gaps in your email security.
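The DMARC reporting that step 7 describes arrives as aggregate (`rua`) reports: XML documents that each receiving provider sends back, listing every source IP that sent mail claiming to be from your domain and whether it passed SPF and DKIM. The script below is an added example, not SMX’s code or part of any SMX product: it reads one such report and separates fully authenticated sources, sources that pass only one check, and sources that fail outright. The report is a constructed sample in the RFC 7489 aggregate-report layout, with hypothetical IPs and the domain `strong.example`; real reports arrive as gzip or zip attachments, one per receiver per day, so a production version would unpack those first.

```python
"""Added example (not SMX's code): triage a DMARC aggregate (rua) report.

SAMPLE_REPORT is a constructed XML document in the RFC 7489 aggregate format.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>strong.example</domain>
    <p>reject</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>strong.example</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>strong.example</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.44</source_ip>
      <count>300</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>strong.example</header_from></identifiers>
  </record>
</feedback>
"""


def summarise_report(xml_text):
    """Parse one aggregate report into the published policy plus a list of per-record results."""
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "records": [],
    }
    for rec in root.findall("record"):
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        summary["records"].append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "dkim": dkim,
            "spf": spf,
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            # DMARC passes when either aligned identifier passes (RFC 7489 section 4.2).
            "aligned": dkim == "pass" or spf == "pass",
        })
    return summary


def gaps(summary):
    """Sources whose mail failed DMARC, as (ip, total messages) sorted largest first.
    These are either spoofers or legitimate senders not yet added to SPF/DKIM."""
    totals = defaultdict(int)
    for r in summary["records"]:
        if not r["aligned"]:
            totals[r["source_ip"]] += r["count"]
    return sorted(totals.items(), key=lambda kv: -kv[1])


def partially_authenticated(summary):
    """Sources passing only one of SPF/DKIM: they pass today, but break as soon as the
    remaining mechanism fails (for example SPF on forwarded mail), so fix them early."""
    ips = {r["source_ip"] for r in summary["records"]
           if r["aligned"] and not (r["dkim"] == "pass" and r["spf"] == "pass")}
    return sorted(ips)


if __name__ == "__main__":
    s = summarise_report(SAMPLE_REPORT)
    print(f"{s['reporter']} report for {s['domain']} (p={s['policy']})")
    print("failing sources:", gaps(s))
    print("pass on one check only:", partially_authenticated(s))
```

Fed a day's worth of reports from every receiver, the `gaps()` output is the list to reconcile against the sending sources you aggregated in step 2: anything legitimate gets added to SPF or signed with DKIM, and whatever remains is traffic you want the published policy to reject.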
Derisk your 2023
Securing your email is arguably the most critical part of protecting your people, business and brand. Achieving this can take a bit of upfront work – and ongoing attention – but minimising the risks to your business will make it worth the effort. Start the year by assessing and documenting your current email setup, then set about tidying up any complexity. Once your email house is in order, put new policies in place, make sure your staff know how to spot and deal with an email attack, and make use of simple, effective tech like SSO, 2FA and DMARC. Part of this can be taken care of by an outsourced specialist, who can also ensure you’re continuing to check for and fill any gaps in your security.
For more advice on how you can work towards better email security, get in touch with the team at SMX.