6 Best Practices to Secure Your Organisation against Malicious Email
By Brian Boyd (CISM), Head of Technical Delivery at i-confidential
There's no doubt that, for most of us, the amount of email we send and receive has ramped up in recent years. According to Statista, the number worldwide was 333.2 billion emails daily in 2023. That number is expected to rise to 376 billion by 2025. That works out to the average person receiving close to 100 emails a day. And for some that would be a good day.
While I have no stats to back this up, I know that when working from home I tend to document more in email as I'm not sitting next to people so can't have the same dialogue. Yes, we also use collaboration tools such as Teams, or Slack, but that’s a topic for another day.
Email has long been an attack vector to either compromise an organisation or simply gain access to sensitive information. There are a lot of stats on this. I think it’s fair to say, however, that the vast majority of cyber-based attacks (some put it in the region of 94%) start with a malicious email. The consequences of that compromise can be financial, data, or reputational loss.
The three most prevalent attacks are phishing, ransomware, and spoofing. In the Mimecast SOES report, 97% of respondents had been targeted by email-based phishing attacks. It also states that there was a 13% rise in ransomware attacks - an increase as big as the last five years combined. For spoofing, 44% saw an increase in activity.
Protecting email against attack can therefore defend your organisation’s brand, reputation, and balance sheet. You can also protect against downtime and, in some cases, ensure compliance with regulations such as GDPR. Email typically contains a lot of sensitive information.
What Are the Best Practices to Protect against These Threats?
1. Awareness and Training
There’s always going to be a debate over tools vs people. It’s helpful though to ensure people understand how to spot some of the common traits of phishing or ransomware mails and be able to report them to you.
Going one stage further, it's easy to introduce a scheduled set of simulations to further educate staff on how to spot and report a suspect email. Most of these tools, including the one I use, allow you to add some additional training into the process. You just need to be aware of some of the potential ‘gotchas’ when reading simulation results. For example, all mails going through certain filters will show as read regardless of whether the end user even looked at them.
3. External Email Warning Headers
It’s possible to ensure all emails originating from an external source have a header added to them so people know they came from outside the organisation. This is a simple thing to do that can make a lot of difference. While external emails can be identified in many ways, staff often don't have the time or knowledge to do so. Coupled with awareness and training, headers can help people think twice about opening an attachment.
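As an added illustration of the tagging described above (example code written for this article's editing pass, not the author's own setup or any particular mail platform), the filter below marks a message as external when its From: domain is not one the organisation owns, prepends an "[EXTERNAL]" subject tag and adds a marker header. The domain list, header name and sample messages are constructed assumptions. Note that the From: header alone is under the sender's control, so a production gateway should make the internal/external decision on the receiving connector or authentication results and use the From: check only as a fallback.

```python
"""Tag inbound mail that did not originate inside the organisation.

Added example, not from the original article. The organisation's domains,
the marker header name and the sample messages are all constructed.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed assumption: the domains the organisation owns.
INTERNAL_DOMAINS = {"example.com", "mail.example.com"}
SUBJECT_TAG = "[EXTERNAL]"
MARK_HEADER = "X-Org-External-Sender"   # constructed header name

# Constructed sample messages.
EXTERNAL_SAMPLE = """\
From: "Accounts Payable" <ap@supplier-invoices.example.net>
To: finance@example.com
Subject: Invoice 4471 overdue

Please see the attached invoice.
"""

INTERNAL_SAMPLE = """\
From: Alice <alice@example.com>
To: bob@example.com
Subject: Lunch?

Fancy lunch at 12?
"""


def parse(raw: str) -> EmailMessage:
    """Parse raw RFC 5322 text into an EmailMessage using the modern policy."""
    return message_from_string(raw, policy=policy.default)


def sender_domain(msg: EmailMessage) -> str:
    """Return the lowercase domain of the From: address ('' if unparseable)."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_external(msg: EmailMessage) -> bool:
    """External unless the From: domain is one the organisation owns.

    An unparseable sender is treated as external (fail closed).
    """
    return sender_domain(msg) not in INTERNAL_DOMAINS


def tag_external(msg: EmailMessage) -> EmailMessage:
    """Prefix the subject and add a marker header for external mail.

    Idempotent: mail that already carries the tag is not tagged again, so a
    forwarded or re-scanned message does not accumulate "[EXTERNAL] [EXTERNAL]".
    """
    if not is_external(msg):
        return msg
    subject = msg.get("Subject", "")
    if not subject.startswith(SUBJECT_TAG):
        del msg["Subject"]  # no-op when the header is absent
        msg["Subject"] = f"{SUBJECT_TAG} {subject}".strip()
    if MARK_HEADER not in msg:
        msg[MARK_HEADER] = "yes"
    return msg


if __name__ == "__main__":
    for raw in (EXTERNAL_SAMPLE, INTERNAL_SAMPLE):
        m = tag_external(parse(raw))
        print(f"{m['From']!s:55} -> {m['Subject']}")
```

The subject tag is what staff actually see in their mail client; the marker header is for downstream rules (for example, blocking auto-forwarding of externally tagged mail) and for the idempotence check.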
4. Multi-Factor Authentication (MFA)
This raises the barrier to account access by requiring additional proof of identity, such as a PIN or token. It doesn't stop all attacks, but it does make compromising an account a bit harder once a phishing mail link has been clicked.
5. DMARC
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a protocol for authenticating that an email sent from an organisation's domain is a legitimate message and not fraudulent. It’s a technical solution, but with more companies getting spoofed it’s time to take advantage of DMARC to protect against this risk. If your organisation sends a lot of external mails, it gives you a chance to ensure only the legitimate ones get through.
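To make the "only the legitimate ones get through" point concrete, here is an added example (not from the original article) of what a receiving mail server does with a published DMARC record: it parses the record, checks whether SPF or DKIM passed for a domain that aligns with the From: domain, and otherwise applies the p= action. The record, domains and authentication results are constructed; the organisational-domain helper is a deliberate simplification (real receivers consult the Public Suffix List), and tags such as pct= and sp= are ignored.

```python
"""Evaluate a DMARC policy against SPF/DKIM results for one message.

Added example, not from the original article. The DMARC record, the domains
and the authentication results below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class AuthResults:
    """What the receiver already knows from its own SPF and DKIM checks."""
    from_domain: str    # domain of the RFC 5322 From: header
    spf_pass: bool
    spf_domain: str     # domain SPF was evaluated for (MAIL FROM / HELO)
    dkim_pass: bool
    dkim_domain: str    # d= tag of a verified DKIM signature ('' if none)


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a dict of tag -> value.

    Raises ValueError if the record is not DMARC or lacks a valid p= tag.
    Alignment modes default to relaxed ('r'), as the specification does.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in {"none", "quarantine", "reject"}:
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain: the last two labels.

    Assumption for this example only; production code should use the
    Public Suffix List so that names like 'example.co.uk' are handled.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def dmarc_disposition(record: str, res: AuthResults) -> str:
    """Return 'pass' if SPF or DKIM passed *and* aligned, else the p= action."""
    tags = parse_dmarc(record)
    spf_ok = res.spf_pass and aligned(res.from_domain, res.spf_domain, tags["aspf"])
    dkim_ok = res.dkim_pass and aligned(res.from_domain, res.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


# Constructed record an organisation might publish at _dmarc.example.com
EXAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r"

# Legitimate bulk mail: SPF passes for a subdomain, which relaxed alignment accepts.
LEGIT = AuthResults("example.com", True, "bounce.example.com", False, "")
# Spoofed From: the sending host passes SPF only for its own unrelated domain.
SPOOFED = AuthResults("example.com", True, "mailer.unrelated-example.net", False, "")

if __name__ == "__main__":
    print("legitimate:", dmarc_disposition(EXAMPLE_RECORD, LEGIT))
    print("spoofed:   ", dmarc_disposition(EXAMPLE_RECORD, SPOOFED))
```

The practical lesson for the sending organisation is in the two sample results: a message that passes SPF for some domain is not enough; the domain that passed has to align with the one in the From: header, which is why inventorying every legitimate sending service before moving from p=none to p=reject matters.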
6. The Board
It's important to make sure the threats from email are being talked about at the right level of the organisation. Email is such a basic tool that it's easy to forget the risks involved. With strong awareness of this among senior leaders it's far more likely they will support investing in the other best practices outlined above.