The Verizon Data Breach Investigations report states that emails are the primary source of two-thirds of malware. Email is an easy target simply because there is more human touch involved in the case of emails. There’s always a stray chance that someone will end up clicking on a phishing link or downloading the wrong attachment or simply including sensitive, confidential information in an unencrypted email. The first step to securing your email systems is training your employees. Train your employees to identify harmful email messages and to be aware of your firm’s IT protocols and rules. There are 4 major ways in which your employees may end up compromising your email security. These are
- Falling for phishing scams: These emails will appear to have come from an authentic source and urge the reader to take an action. Usually the action involves clicking on a link and/or sharing sensitive information via an online form that looks authentic. The phishing links and the webpage clone the original site so well that it is easy to mistake them for their authentic counterparts. For example- an email that looks as if it is from the IRS, asking for sensitive financial data, or an email that seems to be from the bank asking you to log into your account, etc.
- Mistaking hacked emails to be authentic ones: These emails are actually from an authentic sender account, but their account may have been hacked. One of the ways to spot such email messages is if ‘something feels amiss’. For example, an email that’s ridden with typos, spelling and grammar errors, or if the writing style is different, or includes an unexplained instruction to download an attachment, fill a form or install a patch.
- Not following strict password hygiene: There are 2 angles to this. First is password sharing. Sharing passwords indiscriminately puts your email systems at risk. Often, people trust their coworkers and end up sharing system or email passwords without realizing the possible consequences. Sometimes, it is just so much easier to share the password than follow the protocol. For example, Bob from sales is too busy to prepare his commission report. So, he gives his password to Lisa from accounting so she can calculate his commission for the month and Lisa shares with her team so they can work on the reports. See…before you know it 3 other people apart from Bob have access to his system including his emails!
The second issue in password hygiene pertains to ignoring password basics. For example, having passwords that are too simple or obvious such as dictionary words, names, etc. or not changing passwords as recommended or having the same password for multiple accounts.
- Exposing their own devices to safety threats and then using them for work purposes due to the BYOD environment: This is a threat brought into the picture due to the flexibility-oriented culture of the modern workplace. Businesses allow their employees to work from anywhere, using their own devices. For example, someone could be accessing and replying to an email from work, using their phone or iPad, connected to the open wifi at the mall’s food court. The risk such open networks bring to the table is unimaginable.
As discussed in the beginning of this blog, emails are a soft target because of the human element. You can organize classroom training sessions to educate your employees about your IT usage policies related to password management, use of personal devices, data sharing and internet access. You can also conduct IT drills and workshops to help your employees identify possible IT security threats and steer clear of those. If you don’t have the resources to do this, check with a MSP in your area. They might be able to help.