Despite the proliferation of new communications tools, from WhatsApp to Slack to Microsoft Teams and more, businesses still rely heavily on email to communicate internally and beyond.
Email is huge. There were over 4 billion email users worldwide in 2022. Users sent an estimated 281+ billion personal and professional emails per day in 2018.
Yet, because of its widespread use, email remains a massive cyber security threat, with an estimated 92% of malware being delivered by email, and 56% of IT experts pointing to phishing as the top security threat.
So what can you do to protect your business? Here’s a look at the main security threats to expect in 2023, and a few best practices you should adopt to keep your business safe.
Why Email Security Matters in 2023
Email security breaches are expensive. According to Cybersecurity Ventures, cybercrime will cost the world in excess of $10.5 trillion annually by 2025. That’s up from $6.5 trillion in 2021.
Three of the most prevalent email security risks businesses will face this year are:
1. Malware
Malware is malicious software that deliberately corrupts, destroys, or gains access to a computer, and is typically delivered via a link or download within an email. Recently, malware has become more sophisticated, with the ability to mine cryptocurrencies and steal credentials. Ransomware has been a growing trend, and criminals are also infecting end users’ computers with bitcoin-mining malware.
2. Spoofed domains
This involves hackers disguising themselves as reputable individuals or brands in order to trick email recipients into handing over sensitive information.
One spoofed domain scam that is becoming more prevalent is an email from your company’s “bank” asking you to confirm some personal information.
You might receive an email that seems to come from your bank’s domain name but has a letter or number incorrect. This can be difficult to spot.
If you don’t notice the trick, you might end up handing over vital information like account numbers, social security numbers, or other data that a hacker can use to steal your financial assets and even the company’s treasury.
3. Phishing
Even emails without links or attachments can be dangerous, particularly if they’ve been designed to trick the recipient into disclosing sensitive data.
One phishing scam that you should be aware of is the “relative gift scam.” This phishing email involves someone claiming to be a distant relative who is coming to town for the holidays this year.
Conveniently, they are organizing a “secret santa” gift exchange where everyone mails a $10 gift to each other, and one lucky family member gets a $100 gift at the end of it.
If you receive an email from someone you don’t know, avoid answering it until you can confirm their identity via a third party, such as a friend or family member you are already in contact with.
Once attackers gain access to your business email, they can use it to access other accounts or to phish others within your company.
Email Security Best Practices
1. Implement an email security protocol and train your employees
Because human behavior is cited as the biggest challenge in email security, it’s imperative that businesses prioritize education and training.
It’s estimated that 2 out of 3 email hacks happen as a result of employee or contractor negligence, costing companies an average of $280,000 per incident.
According to research from Panda Security, 52% of people reuse their passwords for multiple sites or use simple passwords that are easy to guess. On top of this, only 28% of people use a two-step authentication process when accessing their emails, leaving them wide open to hackers.
Given stats like these, it’s clear that investment in staff training could save companies millions of dollars a year in security hacks.
This means addressing what has been termed the “Golden Triangle” of information security: investing in people, process, and technology for a well-rounded and sustainable email security program.
The first part of this should focus on drawing up an email security protocol to form the basis of your cybersecurity training.
Within your protocol, you might include some or all of the following:
- Check the “from” field before opening an email.
- Hover over email hyperlinks before clicking.
- Create a strong password and change it regularly.
- Log out of your email account at the end of a session.
- Block emails with large attachments.
- Beware of password reset emails – they could be a phishing tactic.
- Keep up to date on how to keep your Google account secure.
- Use a VPN when working remotely or using Wi-Fi hotspots.
- Use the DMARC authentication protocol, which fights against phishing, spoofing, and email compromise.
This isn’t an exhaustive list, but it does show some of the areas of day-to-day business where opportunities for extra email caution lie.
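The DMARC item above is where a quick check pays off. As an added example that is not part of the original article, the Python below parses a DMARC TXT record and flags the settings that still let spoofed mail through (p=none, a partial pct, uncovered subdomains, no reporting address). The records and domain names are constructed samples, not real DNS lookups.

```python
# Constructed sample DMARC TXT records, as a lookup of _dmarc.<domain> might
# return them; the domains are hypothetical and no DNS query is made.
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "strong.example": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example",
    "nodmarc.example": "",
}

def parse_dmarc(record):
    """Split a record into lowercase tag -> value; {} unless it is a DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def assess_dmarc(record):
    """Return (effective policy, list of weaknesses) for one DMARC record."""
    tags = parse_dmarc(record)
    if not tags:
        return "missing", ["no DMARC record: receivers have no policy for rejecting spoofed mail"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    try:
        pct = int(tags.get("pct", "100"))       # pct defaults to 100 when absent
    except ValueError:
        pct = 100
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return policy, findings

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        policy, findings = assess_dmarc(record)
        print(f"{domain}: p={policy}", *findings, sep="\n  ")
```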
The second part of this process is making a serious investment in training your staff in cyber threats of all kinds, and email security in particular.
The data suggests that cyber security education works. According to SANS, 85% of cyber security awareness professionals have said that their work has had a positive impact on the security of the company.
The focus of the training will depend on how your business is set up. If your company embraces remote working, or has a number of employees who work in the field, then you’ll need to focus on issues pertaining to remote work.
For example, because public Wi-Fi hotspots are typically insecure, your staff needs to be encouraged to use a VPN when they’re out of the office.
2. Carry out phishing simulations
Phishing threats are becoming more sophisticated and are making a comeback. Despite this, people are getting much better at recognizing them for what they are. According to research by Verizon last year, 73% of people surveyed did not click on a single malicious email all year.
That said, vigilance is still key. One way you can ensure your staff is up to par on phishing is to implement a simulated phishing attack. This is a safe way to test your staff’s knowledge and teach them how to make the right choices in their day-to-day work.
These phishing-specific trainings should help your staff to:
- Not believe everything they see. Just because an email appears to come from an authentic email address doesn’t mean it’s legitimate.
- Look for threatening/urgent subject lines.
- Analyze salutations. Emails starting “Dear valued customer” should ring alarm bells.
- Look first, before clicking a link.
- Check emails for spelling mistakes.
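As an added example (not the article's own material) covering both the spoofed-domain scam described earlier and this checklist, the Python below flags a sender domain that imitates a trusted one through a confusable character or a one- or two-character typo, an urgent subject line, and a generic salutation. The trusted domains, phrase lists and messages are constructed for the example.

```python
# Hypothetical trusted domains and look-alike substitutions (constructed for the example).
TRUSTED_DOMAINS = ("examplebank.com", "pumble.com")
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
URGENT_PHRASES = ("urgent", "immediately", "suspended", "action required", "verify your account")
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user")

def normalize_domain(domain):
    """Lowercase the domain and undo the common look-alike substitutions."""
    domain = domain.lower()
    for lookalike, real in CONFUSABLES.items():
        domain = domain.replace(lookalike, real)
    return domain

def edit_distance(a, b):
    """Levenshtein distance; a small value means a near-identical spelling."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1,
                               previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]

def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this sender domain imitates, or None when the
    domain is itself trusted or not close to any trusted domain."""
    domain = domain.lower()
    if domain in trusted:
        return None
    normalized = normalize_domain(domain)
    for real in trusted:
        if edit_distance(normalized, real) <= 2:   # typo-squat or confusable swap
            return real
    return None

def phishing_indicators(sender, subject, body):
    """Apply the checklist to one message (bare sender address, no display name)."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1]
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} imitates {imitated}")
    if any(phrase in subject.lower() for phrase in URGENT_PHRASES):
        findings.append("urgent or threatening subject line")
    if any(greeting in body.lower() for greeting in GENERIC_GREETINGS):
        findings.append("generic salutation instead of the recipient's name")
    return findings
```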
3. Use a password manager and multi-factor authentication
Creating strong passwords is rule number one in email security, yet surprisingly, many employees still use weak or repeat passwords. Creating unguessable, hack-proof passwords is something all your staff should be encouraged to do.
But to eradicate user error completely, consider setting up a company-wide password manager.
Tools like LastPass ask the user to enter a single strong master password to unlock a password vault. The vault then generates and stores a unique password for each online account the user logs into. This is a step up from the traditional password auto-filling process, which carries risks of its own.
These tools also protect the vault with AES-256 encryption and SHA-256-based key derivation, and are among the most robust ways of ensuring password security online.
Another way to improve email account security is by introducing single sign-on (SSO) and multi-factor authentication (MFA), both of which reduce the margin of error when your employees access their email accounts.
MFA is a security system that asks a user for multiple credentials at the point of login, in addition to the traditional username and password. These additional layers of security might involve a fingerprint, a security question, facial recognition, or a one-time code from the user’s smartphone.
SSO is a system that lets a user access a multitude of services with just one set of login credentials. It’s best used in conjunction with MFA, because if a cyber criminal gains access to that single set of credentials, all the user’s online accounts will be compromised.
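To show what the “code from the user’s smartphone” actually is and how a service should verify it, here is an added example (not from the article or any particular vendor) implementing RFC 6238 time-based one-time passwords in Python, with the server-side checks that matter: a small clock-drift window, constant-time comparison, and rejection of reused codes. The shared secret used at the bottom is the RFC’s published test key, not a real one.

```python
import hashlib
import hmac
import struct
import time

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step,
    which is what the authenticator app on the user's phone computes."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret, code, last_counter=None, unix_time=None, step=30, window=1):
    """Server-side check of a submitted code. Returns the accepted counter, or
    None when the code is wrong, stale, or already used (replay)."""
    if unix_time is None:
        unix_time = int(time.time())
    counter = unix_time // step
    for drift in range(-window, window + 1):      # tolerate small clock drift
        candidate = counter + drift
        if last_counter is not None and candidate <= last_counter:
            continue                               # each code is single-use
        if hmac.compare_digest(hotp(secret, candidate), str(code)):
            return candidate
    return None

if __name__ == "__main__":
    # RFC 6238 test key; a real secret is random and provisioned by QR code.
    secret = b"12345678901234567890"
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code)
    accepted = verify_totp(secret, code, unix_time=now)
    print("accepted at counter:", accepted)
    # The same code presented again is a replay and must be refused.
    print("replay accepted:", verify_totp(secret, code, last_counter=accepted, unix_time=now))
```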
4. Implement regular data backups to the Cloud
There’s no question that malware or ransomware attacks are a big deal for email security. But backing up data can help to reduce the damage if the worst were to happen.
Whether your business outsources to a security organization or uses the Cloud in-house, regular data backups should be standard practice for securing emails.
Keeping files Cloud-based adds an extra layer of security, especially if data is encrypted while in transit to the Cloud service provider.
Looking into the future
Email security threats continue to morph and change, often quicker than businesses can keep up with them. But that doesn’t mean the fight is lost.
The challenge is for businesses to keep up to date on the changing threats, whether on Slack, Pumble, or Gmail. You can do this either by partnering with a professional security company or by creating an internal security role.
Given that user behavior is the biggest challenge for email security, every business should invest in the right data protection processes, along with relevant protocols, guidelines, and training.