Auvik Network Monitoring

7 Business Email Security Best Practices

Business Email Security Best Practices

Diego Asturias

As of 2022, email is still the number one target of cybercriminals and fraudsters. According to Cisco’s last year’s (2021) cybersecurity threat trends report, at least one person in around 86% of organizations clicked a phishing link. That is a lot of unintentional and untrained people clicking into danger.

These highly motivated criminals are no longer just shooting everywhere and spending resources on spam; they are becoming more sophisticated, accurate, and persistent. They attempt various social engineering techniques, from phishing to spoofing, pharming, whaling, spear-phishing, ransomware, or impersonation.

This article will go through the seven business email security best practices that will help email managers and IT admins utilize email securely and efficiently, and avoid such dangerous email-borne threats.

1. User Awareness and Training

“Amateurs hack systems, professionals hack people” — Bruce Schneier

Email-borne threats prey on human weakness. They use social engineering techniques (usually phishing) to trick people into opening an email, clicking a link, or downloading a malicious attachment. If a single user can be easily fooled by such “social engineering” tricks or is careless about security, then a single human error can easily break the whole cybersecurity chain. Having a complex and robust business email security strategy is useless if humans are not trained to use it.

The most critical email security best practice is to conduct cybersecurity awareness programs and training across all the business personnel. Solid training will help personnel know how to respond (or ignore in most cases) to such deception and manipulative attempts. Personnel will learn how to identify such schemes, including phishing attempts, fake URLs, spoof addresses, unknown email attachments, impersonation, etc.

Best practices for security awareness (but not limited to):

  • Limit the amount of information displayed publicly (especially on social media).
  • Learn how to detect spoof websites and never enter credentials.
  • Always be suspicious when opening an email, and be extra careful when clicking a link or attachment.
  • Awareness also entails logging out once finished, never sharing passwords, and never using other devices to log in.

2. Take Passwords Seriously

“Passwords are like underwear: you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers” — Chris Pirillo

The second most crucial email security best practice is to take passwords seriously. Passwords, even complex ones, can get hacked. Passwords can be hacked with dictionaries, rainbow table attacks, or brute force attacks. Using popular free password crackers like John The Ripper can let anyone perform dictionary attacks in an attempt to crack an email address. To avoid weak and vulnerable passwords, business security managers should set up strong password policies so that people are forced to create complex, long, unique, and expiring passwords. Using the same tool black hackers use (JtR, for instance) can help security managers audit password strength.

An email security best practice is to use password managers to protect users from dictionary attacks, brute force, data leaks, etc. A password manager saves all credentials in a secure virtual vault and auto-fills complex (forgettable) credentials and sensitive information when needed.

Best security practices for passwords

  • As a security manager, require unique, strong, and long passwords for every email account.
  • Configure password-setting, expiration, and rotation policies.
  • Enforce the use of 2FA along with a strong password.
  • Use a password manager that offers zero trust (zero encryption knowledge).
  • Use advanced password managers that provide dark web monitoring, easy integrations, SSO, and MFA.
  • Use password crackers such as JtR for auditing passwords.

3. Set up Two Factor Authentication (2FA)

“You may be wondering to yourself, “If passwords are not secure, what do we do to keep our applications and accounts safe?” Enter multi-factor authentication” Kevin Mitnick

Most of the time, email users prefer convenience over security. For instance, users prefer a single (either easy or hard to crack) password to log into multiple websites and apps. A convenient method but highly insecure. Relying on something that people know (such as credentials and passwords) to access an email account is another weak link in the cybersecurity space.

Email users must protect their email accounts using Two-Factor Authentication (2FA). In a 2FA environment, a password is just one piece of the puzzle to access an email account; users need the other pieces to authenticate and gain access. 2FA comes from MFA (Multi-Factor Authentication), which is an authentication method that uses two or more factors, including something users, know (i.e., password), have (i.e., a mobile device), are (i.e., fingerprint), do (i.e., behavior), and location.

2FA email safety best practices

  • Use reliable 2FA services like Google Authenticator or Authy.
  • Make sure your email services support 2FA, as not all do.
  • Use the “something users have” such as a mobile device to receive SMS or voice.
  • You can also configure email, Time-based One-Time Passwords, or PUSH as 2nd factor.
  • Other types of authentication factors are biometric (something users are). The best but the most expensive.

4. Reduce email’s Internet exposure

“If it’s on the Internet, it isn’t private” — Anonymous.

Nowadays, people use email for much more than simple communication; They use it for registering for services, receiving notifications, account recovery, etc. For these people, having a single email login id (and most of the time, password) to register for all these services is more convenient. They don’t have to manage and remember all these multiple credentials.

Unfortunately, using single email information on many Internet services and websites increases exposure and attack surface. It creates a single point of failure. These third-party services could be hacked and suffer from data breaches, where data is unintentionally exposed to the public (usually dark web forums). Web services like Haveibeenpwned are popular to learn if email information was ever compromised. Plus, the more exposed an email address is to the public Internet, the more prone to spam and phishing attempts.

Best Practices for Reducing email exposure

  • Compartmentalizing online accounts (that require email) is one of the best email security practices to help isolate and identify data leaks, spam, and phishing.
  • Don’t use business email for personal use (and vice versa). Have separate email accounts for business, personal use, banking & financial, social media registration, recovery email, etc.
  • Email aliases can help with the management. They create an additional email address (or addresses) for a single email account, which is helpful for forwarding or receiving emails.
  • Email forwarding services like AnonAddy or SimpleLogin can help create dedicated (disposable) email addresses for each subscription/membership.

5. Use End-to-end Email Encrypted Services

“The US government still has no idea what documents I have because encryption works”— Edward Snowden

Email data could be stolen or compromised while in transit or at rest. While your data is being transferred via email, it can be intercepted (eavesdropped) by third parties, including network admins, ISPs, governments, or hackers. In addition, when email data is stored in mail servers without any encryption, it could be easily accessed by the provider (or compromised if hacked). These types of problems make end-to-end encryption a vital business email security best practice. 

End-to-end encryption ensures that data is encrypted all the way, in transit and at-store. It ensures that the email client encrypts the message and that only the recipient can decrypt it with a key (or share password). Most modern email providers encrypt email contents while in transit with TLS (HTTPS) or with stronger methods like PGP. While in-store (so that email can be indexed and searched through), email data can be encrypted with methods like AES. Encrypting emails gives senders more control to see when emails were opened, by who, and revoke access if necessary.

Best email encryption practices to keep in mind

  • Ensure the email client is encrypting data in transit (transport-level encryption) with TLS.
  • Sending email over a VPN-encrypted tunnel can also build up another line of defense if the email is being sent from public networks.
  • End-to-end encryption such as PGP or S/MIME ensures that only the destination will be able to read the email.
  • Ensure that the email service provider is storing email data in an encrypted format (AES) and that only you hold the key to unencrypt it— this is referred to as zero-knowledge encryption.
  • Services like Protonmail or Tutanota are popular encrypted email providers. These email providers also allow you to send an end-to-end encrypted message to readers who don't support encryption. A message is encrypted with a passphrase (not with a key as TLS does).

6. Employ Endpoint Protection

“I just sneezed next to my computer and the anti-virus popped up” — Anonymous

Malware or virus threatens email in two ways: one uses email as a delivery method, and the other uses Malware to hack email clients. The first threat is a common one; when email phishers or hackers distribute Malware using email. The second one is when the email client (the device where a user is accessing the email) is compromised by Malware like ransomware, backdoors, trojans, RAT, downloaders, keyloggers, etc. For instance, hackers could use Malware to log your keystrokes on the computer and steal your email password and bank credentials. Malware or virus could also be used to steal your email session’s cookies after being authenticated.

You can deploy an email dedicated anti-virus/anti-malware solution to scan files, attachments, and websites and identify email-borne attacks, including malicious attachments and fake URLs. This solution could stop Malware and prevent users from opening attachments or malicious links. Traditional anti-malware technology can also help protect the endpoint from already compromised systems that can steal email information by scanning, identifying, and quarantining any threats.

Best email anti-malware practices

  • Make sure spam filters include Antivirus protection.
  • Ensure your email provider scans email malware/viruses to protect you from spam and Malware.
  • Advanced email providers or email protection software can protect you from advanced threats like spear-phishing, ransomware, and zero-day threats.
  • Use Sandbox technology, an advanced email protection feature where email attachments are analyzed for zero-day Malware.
  • Use updated endpoint protection systems to safeguard systems from viruses and malware that can compromise email.

7. Use Email Protection Software

“Ideas are easy. Implementation is hard” — Guy Kawasaki

If business email users are still careless and unaware of email security, you'll have to use software to take your email security best practices to the next level. Business email protection software will not only safeguard email users from email-borne threats but will also provide additional capabilities such as reporting, management, and automation.

Business Email protection software provides basic email security capabilities, including anti-phishing, anti-spam, anti-malware, and anti-virus. But next-gen software can take it beyond by monitoring massive amounts of inbound and outbound emails, blocking the ones containing threats, and providing additional capabilities like reporting and alerting. The state-of-the-art email protection software for business will extend capabilities by providing AI/ML (for detection and response), access to intelligent feeds, sandboxes, and more.

The top four business email security software:

  • N-Able Mail Assure This is a robust cloud-based email security software designed for MSPs and enterprises. It provides email protection for phishing, spam, malware, ransomware, impersonation, spoofing, and more.
  • Proofpoint Email Protection Global market-leading email security solution designed to protect employees (and their data) from advanced email-borne threats. In addition to the basic email protection, Proofpoint provides BEC defense, advanced malware protection, and ML technology to improve detection accuracy.
  • Avanan Email Protection An enterprise cloud email security solution that provides a multi-layered security approach to email. It uses AI/ML to improve email scanning and detection. It provides security to cloud email suites like O365, GSuite, and Slack.
  • Mimecast A robust cloud-based email protection tool that safeguards from basic threats like spam, phishing, malware, and advanced ones like spear-phishing, BEC, ransomware, and impersonation.
Auvik Network Monitoring