Email is one of the most common methods of distributing malware. It’s also among the most common means by which sophisticated threat actors steal personal or business information.
And yet email is overlooked as a threat vector. Many organizations have used the same email security practices — if not the same outdated email suites — for years or decades. That could leave them vulnerable to compromise, perhaps even without their knowledge.
To be sure, many organizations “get it.” To cite just one example, email is one of several potential threat vectors that Il Shin and Asiaciti Trust recognized following its involvement in the Pandora Papers, a massive data incident involving more than a dozen global firms. Although there was no evidence that those behind the Pandora Papers exploited email security lapses, Asiaciti Trust and its peers recognized the possibility of such an outcome in the future and took steps to minimize the risk.
You can do the same. Do these things now to shore up your email security practices.
1. Always Use Unique Passwords
Never reuse the same password for different email accounts. This goes for business and personal passwords — if you use a particular password for a personal email account, you should never use it (or anything similar) for a business account.
Make this a mandatory rule across your entire organization. Where possible, configure your programs to require password changes at regular intervals, ideally at least once per month.
2. Add a Second Credential to Log in (Two-Factor Authentication)
At least. If you want to require true multifactor authentication — three or more login credentials for a successful attempt — that’s your right. But even one additional credential makes it much more difficult for bots to guess your password in a brute-force attack.
3. Avoid Clicking on Links in Emails
This should be another mandatory rule across your entire organization. Nothing good can come of clicking links in emails from senders you don’t know. And while the vast majority of in-email links are benign, it’s difficult for non-experts to assess the authenticity of a message in real-time.
4. Keep Business and Personal Email Separate
We’ve already touched on the importance of not reusing business email passwords for personal accounts and vice versa. It’s nearly as important to keep business, and personal email siloed — that is, to not conduct business over personal email or use business email to send personal messages.
This helps reduce each user’s threat footprint. The tighter the circle of trusted contacts with knowledge of the user’s business email, the lower the risk of successful phishing or spearphishing attacks. Likewise, it’s more likely for personal email accounts using standard-security email clients to be compromised without the user’s knowledge; maintaining a high wall between the two reduces the risk of spillover.
5. Don’t Download Attachments From Unknown Senders (Even If They Work for a Trusted Organization)
The risks of downloading email attachments from unknown senders are every bit as serious as the risks of clicking unknown links. Even if the sender works for a trusted organization (or is a colleague), it’s best not to take the risk, as their account could be compromised. Use your email suite’s preview mode if possible, and save file sharing for more secure cloud-based collaboration apps.
6. Never Provide Sensitive Data or Passwords Over Email
You can’t be sure no one is snooping on your email communications. That’s why it’s important never to share sensitive data, such as account numbers or passwords, over unencrypted email. Save this for encrypted apps (see below) or old-fashioned pen-and-paper.
7. Use Encrypted Email for Important Communications
Use an encrypted email suite like ProtonMail to secure communications that you definitely don’t want anyone but the intended recipient to read. This goes for file-sharing, too — though, again, it’s best to use a secure cloud app for that purpose. For SMS communications, use an encrypted messaging app like Signal.
You’re Only As Strong As Your Weakest Link
And for many organizations, email is the weakest link.
Is that true for yours?
The good news is that there’s still time to do something about your vulnerability. If you haven’t yet been the victim of email-assisted data theft or hack, consider yourself lucky and use the reprieve to make such an event less likely moving forward.
You know what needs to be done. From unique passwords and multifactor authentication to using a second encrypted email suite for sensitive communications, none of this is particularly surprising or technically challenging. The main obstacle is execution.
Clear that obstacle today — and look ahead to a more secure email posture in the near future.