Ever hear the statistic that we spend a third of our entire lives asleep? It can feel like we spend a similar proportion of our working lives reading and sending emails. Email accounts continue to be the central hub for most communication within many businesses, even as platforms such as Slack and Teams are starting to gain ground.
The more time we spend on one particular digital platform, the greater the security risk it poses. While many of us are vaguely aware of the risk that comes with opening email attachments or clicking suspicious links, few quite understand the importance of email security, or think about a coordinated way to implement it. Here then are five simple tips on how to secure your email accounts, and improve your business’ cybersecurity.
1. Utilise Tools for Office 365
For many people, Microsoft Outlook is the go-to email application. The popular software has been the backbone of businesses for almost 25 years, and continues to add new features and services. As part of the Office 365 suite, Outlook now offers close integration with Microsoft Teams and other software, and includes a variety of tools for communication and planning.
If you’re using Outlook as part of Office 365, there are a range of security features you should consider enabling. While Exchange Online Protection offers a basic level of protection against spam and malware for all accounts, Microsoft Defender will also provide added protection on different levels, depending on your Office license.
All Microsoft 365 Business Premium license holders receive Defender for Office 365 Plan 1, while Office 365 E5, Office 365 A5, and Microsoft 365 E5 license holders gain access to Plan 2. While Plan 1 includes real-time detection and protection measures for links, attachments and phishing attempts, Plan 2 offers a more advanced suite of features to help track and investigate attacks, and formulate more formal responses.
There are also other security features unique to Office 365. The Security Compliance Center allows you to configure alerts for suspicious activity, and immediately notify administrators, while the Unified Audit Log allows you to record and reverse major events. Office 365 also has strong encryption features built in, allowing you to limit emails using a one-time password, as well as ensuring that they can only be read within the Office 365 environment.
2. Educate Employees on Best Practices
Whichever service you use and however much you pay, spam filters are imperfect. New email addresses and methods are being used constantly to circumvent these filters, and the stricter you make your controls, the more legitimate emails inevitably get caught up and sent to your junk mail. In short, whatever you do to keep suspicious emails from reaching your employees, some will always slip through the net.
What this means is that vigilance and awareness among your employees is crucial to keeping your emails safe. Thankfully, most of the best practices when it comes to email security are common sense, and simply a matter of awareness. Once employees realise the propensity for links and attachments to cause damage to a system or network, they should be more cautious about opening them.
To ensure that wariness around links and attachments does not affect legitimate emails, it’s important to help employees spot the differences between legitimate messages and dangerous ones. The most common form of malicious email is a phishing attack, where the sender attempts to pretend that they are another person or a genuine representative of a company.
For instance, their name may be ‘Apple Customer Support’, with a link claiming that your account has been compromised, and providing a link for you to login and change your password. Most email software provides two easy ways to detect this. One is to check the actual email address of the sender, rather than just their name, to see if it is from the company’s real domain (e.g. firstname.lastname@example.org).
The other method is to hover over the hyperlink they are trying to direct you to. The actual link it will send you to if you click on it should appear, either in the bottom left of the window, or as a tooltip that pops up next to your cursor. While it’s a good idea not to follow any link in an email that you absolutely can’t trust, this will show you whether the link is to a genuine website (e.g. apple.com).
Common signs of a malicious email include:
- Typos in the title or body of the email
- Email address doesn’t match the company
- Content which lacks specificity to you or your company
- Requests for you to click a link/download an attachment
- Executable (.exe) or archive (.rar, .zip) attachments
- Unusual links
- Poor quality or incorrect images
- An unusual or incorrect footer
3. Protect Your Passwords
Passwords are extremely important for all data security, and this includes email accounts. Should someone gain access to an email account, they may not only have free access to thousands of historic emails, but also contacts who they can send emails to, and whatever services that email account can also access. In the case of Office 365, that could include plans, notes, and an address book containing personal and contact information.
Protecting passwords within an organisation means establishing best practices. While there are numerous ways to secure passwords, perhaps the easiest is to utilise a password manager. Password managers allow for unique passwords to be generated for every individual application and website you use, including email clients. This in turn requires the use of one password for the password manager, which is complex enough to be virtually impenetrable, and changed regularly.
Of course, this requires its own change in approach. The password for the password manager needs to be complex enough that it cannot be ‘brute forced’ – essentially guessed at – while also being extremely memorable. Increasingly, the advice for a strong password of any kind is to make it a long, unique phrase, containing several numbers and symbols. For example, 3mailSecur1tyIsMyP@ssion would be a phrase that’s difficult to guess, but quirky enough that it should be easy to remember.
4. Use Secure Protocols
If you aren’t using Office 365 or another software platform which includes encryption by default, you’ll need to ensure that your emails are being encrypted. Encryption ensures that emails cannot be read while they are en route to their destination, a process that takes them through several points of contact. Think about it like an open envelope – it’s secure when you or the recipient have it, but not when it’s travelling through the postage system.
Most popular web email clients use a form of end-to-end encryption by default. Gmail for instance uses a TLS layer called STARTTLS to mask plain text communications, ensuring that information is not readable when it passes between destinations. However, the effective use of TLS encryption requires that both sender and recipient are using it. If you send an email to someone using their own mail server (e.g. someone using a company email) which doesn’t utilise encryption, neither party’s message will be protected.
Various software solutions exist to provide email encryption, including Cisco, Egress and Trustifi. While some function as email clients – either as downloadable software or web apps – others plug directly into popular email clients such as Outlook and Gmail. Different solutions offer different levels of customisation and control over emails, with some also allowing email recipients to respond using the same encryption without having to sign up.
Good email security requires both proactive changes to company policies, and an active effort to engage employees in good security measures. By changing behaviour and improving the tools you use to secure email messages and accounts, you can go a long way to making your email accounts watertight, and preventing a significant avenue for online criminals.