Whenever we hear of a new security threat or a major attack, such as the recent WannaCry ransomware attack that effectively crippled hundreds of thousands of computers around the globe, there are calls for stronger, more powerful security measures. Security teams begin looking at vulnerabilities and shoring up defenses, often forgetting that the greatest threat to any business’s security is one that employees use every day, and probably couldn’t work without: Email.
Now, you’re probably wondering how email could be such a threat. After all, don’t we all know by now that we shouldn’t respond to the Nigerian “prince” or click on links in emails from people we don’t know? Not to mention, spam filters and email security programs have come a long way, meaning that a lot of bad stuff never even lands in the inbox at all. Even so, because email continues to dominate corporate communications, it remains the preferred method for many hackers, who are constantly finding new ways to deliver their malware via email. So while most people might not fall for the old e-card scams or open emails from strangers anymore, it’s very possible to fall for other clever schemes.
Phishing isn’t necessarily a new tactic, but it’s still effective. By impersonating a legitimate business or person, hackers can trick people into divulging sensitive information, including usernames and passwords. While the majority of phishing attacks are still crimes of opportunity – in which hackers send out spam emails en masse just to see what they can catch – businesses need to be cautious of spear-phishing attacks, which are not only more effective but also more dangerous.
For example, a hacker may use your online employee directory to gather employee names and roles, and then impersonate an executive and send an email to an administrative assistant asking him or her to review an attached file. Nothing appears amiss with the email – it even comes from the executive’s email address – so the assistant downloads the file, which unfortunately contains malware that will now compromise the entire network. Spear-phishing attacks are usually designed to deliver malware, but they’ve also been used to request payments, intellectual property, or access to secure databases.
Because these attacks are so sophisticated, it’s important to take steps to protect against them. Antivirus protection, firewalls, and intrusion detection and protection can all help stop known malware from taking hold, but the best protection comes in the form of education and training. Employees should be taught to recognize the signs of phishing emails (often, they contain misspellings, grammatical errors, or subtle differences from a legitimate address or email) and to question any requests that are out of the ordinary. Consider offering a secure sandbox for opening attachments or links, to ensure that any infected emails do not deliver their malware to the network.
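The address-level signs described above can also be checked automatically before a message reaches an employee. The following Python sketch is an added example, not part of the original article; the domain `example.com`, the executive name and the sample messages are constructed assumptions, and the three heuristics are illustrative rather than a complete filter.

```python
import email
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"   # assumption: the company's real mail domain
EXECUTIVES = {"jane doe"}        # assumption: display names worth impersonating

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def phishing_signs(raw_message):
    """Return the warning labels raised by one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    signs = []
    # Subtle difference from the legitimate address: a near-miss domain.
    if domain != TRUSTED_DOMAIN and edit_distance(domain, TRUSTED_DOMAIN) <= 2:
        signs.append("lookalike-domain")
    # An executive's display name on an address outside the company domain.
    if name.lower() in EXECUTIVES and domain != TRUSTED_DOMAIN:
        signs.append("executive-name-external-address")
    # From looks right, but replies are steered to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        signs.append("reply-to-mismatch")
    return signs

# Constructed sample messages (not real mail).
SAMPLE_LOOKALIKE = ("From: Jane Doe <jane.doe@examp1e.com>\n"
                    "Subject: Please review\n\nSee the attached file.\n")
SAMPLE_REPLY_TO = ("From: Jane Doe <jane.doe@example.com>\n"
                   "Reply-To: jane.doe@mail.test\n"
                   "Subject: Please review\n\nSee the attached file.\n")
SAMPLE_CLEAN = ("From: Jane Doe <jane.doe@example.com>\n"
                "Subject: Agenda\n\nMeeting at 10.\n")

if __name__ == "__main__":
    for sample in (SAMPLE_LOOKALIKE, SAMPLE_REPLY_TO, SAMPLE_CLEAN):
        print(phishing_signs(sample))
```

A message flagged this way is a candidate for quarantine or a warning banner; a message that raises no labels is not thereby proven legitimate.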
In addition, you can prevent social engineering attacks by limiting the information that is publicly available online. Many companies have stopped publishing employee directories on their websites, and limit how much information is shared on social media that could be used to launch an attack.
Hackers are often looking for information that they can use to launch bigger, more profitable attacks. One way they get this information is via man-in-the-middle attacks, in which they spy on emails being sent to and from your company. Email encryption can stop this from happening, as can a policy that prevents employees from using any personal or unsecured/unencrypted accounts to send work-related messages.
Allowing employees the flexibility to work anywhere is a sought-after perk, but it can also lead to security risks. Again, employees should not use personal emails for work, and should only access company emails on secure networks. Using unsecured networks – like those in most coffee shops, airports, etc. – can allow hackers to see everything that an individual is sending and receiving, putting your company’s network and data at risk. Offering a VPN that employees can use when they aren’t in the office reduces the chances of prying eyes gathering information from emails.
Email is an important means of communication for businesses, and it’s not going anywhere any time soon. However, it does present some security risks, so paying close attention to what is coming in and out of the mailbox is an important part of preventing a data breach.