How to keep your email secure has become a popular topic recently, as many workers are still working from home due to the outbreak of COVID-19.
Therefore, some organisations are trying their best to protect their employees from falling for email scams. The advice here on how to keep your email secure is not unique to a pandemic; organisations can implement these measures to support a wider cybersecurity strategy.
"Now is not the time to reduce cybersecurity budgets." This may not seem practical when some businesses have been squeezed to their absolute limits, but that doesn't mean IT leaders and C-suite executives can't get creative with budgets to ensure that special attention and the right resources are given to email security.
Of course, the UK has been easing lockdown measures, but it's expected that many organisations and institutions will encourage employees who can continue to work from home to do so. That being said, there will be a mixture of on-site and remote employees going forward, so organisations will have a more complex environment in which to keep their email systems secure.
In this article, we'll be looking at the top 6 tips that you can leverage to keep your email secure.
Tip 1. All staff need user accounts and access to corporate networks
Whether you’re a large organisation managing these things with Active Directory or you’re a small company managing access to each SaaS service individually, staying on top of access rights and user management is a key component to ensuring successful cybersecurity programs.
Here are some rules for access management:
- Employees must only access what they need to do their jobs.
- Access must be revoked when they leave the organisation.
- Access rights must be managed and maintained by a central admin user.
- Admin users must have stricter access requiring multi-factor authentication and stronger passwords.
- Admin access in the organisation should be kept to a minimum and only be granted to trusted employees.
- Good password management tips and training should be given to employees.
- Multi-factor authentication should be required for the most sensitive access (e.g. to the CRM or financial databases).
So how do these measures help keep your email secure?
If an employee falls for a phishing email that downloads a keylogger, for example, an attacker can capture the usernames and passwords that employees enter on a daily basis.
By ensuring users only have access to what they need, putting extra barriers around more sensitive data and minimising the number of admins, you reduce the likelihood that such an attack can lead to a data leak.
Of course, you don't want to get to the point where an employee's email is hacked, but it's always better to be prepared for the inevitable.
Tip 2. Encrypt your emails
There are many different ways you can encrypt email; below are options to consider:
- S/MIME – using S/MIME certificates to identify senders and encrypt emails.
- PGP – using PGP to encrypt and verify emails.
- TLS – to encrypt the connection between servers.
- PDF Encryption – to protect attached documents from being read or altered.
Usually, a mixture of these elements will be required. It's not enough to simply encrypt the connection, because TLS only protects the message while it is in transit between servers and the connection itself can be compromised. It's also not enough to encrypt the message alone, because you still cannot be certain the recipient will receive the email in the way that you delivered it.
The difficulty that SMEs will have in delivering a fully encrypted email solution is deploying and integrating the right technology for the job.
Gmail and Microsoft do not cover all of these bases at the basic licence level, and it can get very expensive to purchase business or enterprise licences for every employee. Thus, it is inevitable that SMEs will have to get creative and look for solutions that they can trust to fill the gap within their budget.
Check out zsah's encrypted email solution, designed specifically for SMEs, here.
Tip 3. All outgoing and incoming emails to be scanned for viruses and phishing
Many email tools struggle to scan encrypted emails: a decryption key is needed to inspect the content, and the message has to be encrypted again before it is sent on if security is to be maintained.
Email scanning should be able to check links and URLs, look for keywords in the header and content that are frequently used in phishing, and quarantine or flag emails that it deems dangerous so that employees can see them.
This makes it easy for employees to keep their emails secure: they can see which emails have been flagged and delete them, or mark an email as safe so that the tool does not flag emails from that sender again.
Tip 4. Use data loss prevention tools
Another important feature for protecting work emails is data loss prevention (DLP). DLP tools scan outbound emails for keywords, recipient addresses, data patterns and URLs that trigger a configured response from the email tool.
For example, from the admin level, encryption can be forced on emails that include the word "password", because you might assume that there will be sensitive information in those emails. You will be able to action emails that match your configured rules in the following ways:
- Warn - send an email containing a warning. Depending on the DLP settings, the warning email will be sent to the sender of the email and/or to the DLP managers.
- Encrypt - flag the email for mandatory encryption. If a flagged email cannot be encrypted, it will not be sent and the sender will be notified.
- Quarantine - put the email into quarantine. Depending on the DLP settings, the sender of the email and/or the DLP managers will be notified.
- Block - drop the email, i.e., the email will not be delivered. The sender of the email will be notified.
It's important to note that quarantined emails are not delivered to the recipient's inbox, greatly reducing the risk that they will be opened on the end-user's (employee's) device and potentially spread a virus or malware.
There is some work involved for admins when it comes to creating DLP rules that best secure the organisation, but the great news is that employees don't have to do anything at all. This helps employees keep their emails secure without the burden of new processes and tools they have to learn how to use, especially at a time when there is already so much to worry about.
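As an added example that is not part of the original article or any zsah product, the following Python sketch shows how a small DLP rule engine of the kind described above could pick one of the four responses (warn, encrypt, quarantine, block) for an outbound message, including the case where encryption is mandated but not every recipient can receive encrypted mail. The organisation domain, rule names, keyword list and card-number pattern are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed message type for this example; field names are not any product's API.
@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str

# The four DLP responses described in the text plus "allow", ranked so the most severe match wins.
SEVERITY = {"allow": 0, "warn": 1, "encrypt": 2, "quarantine": 3, "block": 4}
OUTCOME = {"allow": "sent", "warn": "sent:warn-sender",
           "quarantine": "quarantined:notify", "block": "dropped:notify-sender"}

INTERNAL_DOMAIN = "example.org"                      # hypothetical organisation domain
KEYWORD_RE = re.compile(r"\b(password|passphrase)\b", re.I)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")     # crude payment-card-number shape

def has_external_recipient(m):
    return any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in m.recipients)

# Hypothetical rule table: (rule name, predicate, action). Keyword, recipient and data-pattern
# checks are all plain predicates, so an admin can extend the table without touching evaluate().
RULES = [
    ("password-keyword", lambda m: bool(KEYWORD_RE.search(m.subject + " " + m.body)), "encrypt"),
    ("card-number-internal", lambda m: bool(CARD_RE.search(m.body)), "encrypt"),
    ("card-number-external", lambda m: bool(CARD_RE.search(m.body)) and has_external_recipient(m), "block"),
    ("free-mail-recipient", lambda m: any(r.lower().endswith(("@gmail.com", "@yahoo.com"))
                                          for r in m.recipients), "warn"),
]

def evaluate(m, rules=RULES):
    """Return (action, names of matching rules); the most severe matching action wins."""
    matched = [(name, action) for name, pred, action in rules if pred(m)]
    if not matched:
        return "allow", []
    return max((a for _, a in matched), key=SEVERITY.__getitem__), [n for n, _ in matched]

def dispatch(m, recipients_with_keys, rules=RULES):
    """Turn the action into a delivery outcome. 'encrypt' is honoured only when every recipient
    can receive encrypted mail; otherwise the message is held and the sender notified."""
    action, matched = evaluate(m, rules)
    if action == "encrypt":
        ok = all(r.lower() in recipients_with_keys for r in m.recipients)
        return ("sent-encrypted" if ok else "held:notify-sender"), matched
    return OUTCOME[action], matched
```

A message mentioning a password to a colleague with a key is sent encrypted; the same message to a recipient without one is held, and a card number sent to an external free-mail address is dropped because the block rule outranks the encrypt and warn rules that also match.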
Tip 5. Analyse and archive your email databases
Organisations will have complex regulatory landscapes to navigate – many of these can be helped by DLP. For example, you can look for financial information in emails and force encryption on those to meet the demands of PCI DSS.
Ultimately, organisations need a way to analyse and archive their email databases. Across a wide range of industries, data security and retention are critical when it comes to regulatory compliance.
Depending on your particular industry, there will be specific rules for email archiving compliance and how to store data and documents. Archiving your emails on an organisational level allows you to store this data in a way that is easily accessible and where retrieval is in its original format - making data compliance simple for your business.
Organisations often run into issues when their email tools archive encrypted emails, as retrieving these emails in the future is fraught with difficulty. To access the encrypted emails, a decryption key is needed, and finding that key after the emails have been archived for years is a struggle many organisations have faced.
A better solution would be to decrypt the email before archiving and encrypt the entire archive instead.
Tip 6. Understand your email security strategy
No email security strategy is effective without proper implementation, training and awareness for employees.
If you're taking on a new tool to fill the gaps in your current email infrastructure, go for something that takes the least time to implement and makes the least difference to the end-user. That way, employees need little training on the new processes and you can ensure that business as usual is a little more secure.
During this pandemic, more than usual, IT admins can make employees' lives a lot easier by documenting processes and creating as many guides as possible. When employees experience difficulties at work, they can then be guided to easy-to-read documentation and support.
Another effective tool is phishing simulation, where you create fake phishing emails and monitor employee responses to identify specific teams or employees who are repeat offenders and give them additional training.
This may not be helpful to implement during the pandemic as it’s catching people out who are already struggling, but it will be an effective tool to keep your email secure when organisations start to ramp up again after the lockdown measures are fully eased.
How zsah Can Help
A recent study from the leading cybersecurity professional organisation (ISC)² points out that the shortage of cybersecurity professionals is around 4 million, and that it would require a 145% workforce increase to close the gap.
Here at zsah, we offer a range of cloud and SaaS-based cybersecurity services to help keep your organisation secure.
From encrypted email solutions to network security monitoring and management, to digital certificate discovery, zsah is committed to bringing the very best solutions to our customers using our own products and services as well as from our specialist cyber-sec partners.
Why spend time working towards cybersecurity, when you could be working towards what you do best?
zsah combine secure email, secure web, encryption and our private cloud platform to remove your cybersecurity stress.
Now It’s Your Turn!
Apart from the top 6 tips we mentioned, there are many different options to keep your email secure even when you're working from home.
Do you know any tips that can protect your work emails?
Leave a comment below right now and let us know; we would love to hear from you.