Thursday, April 23, 2020

Email Security Best Practices: The Importance Of Protecting Your Emails

“If you spend more on your coffee than on securing your email communications, you’ll be hacked.” – EmailOut

Despite the rapid growth of different communication tools, from Slack, Telegram and WhatsApp to Microsoft Teams and more, many businesses still rely heavily on email in order to communicate with their customers – or for internal purposes. With recent stats showing the number of email users is expected to rise to a little over 4 billion in 2020, it’s crucially important to protect your emails from cyber threats. After all, most cyber breaches are happening because of poor email security practices. To avoid being a victim, we advise you to enforce tried-and-tested email security best practices.

In this article, we’ll cover the following email security best practices:

  1. What is email security and why is it important?
  2. Types of email authentication methods
  3. Best practices

Ready to dive in?

Before we go forward and outline the importance of email security as well as tell you about the email security best practices that will help you keep your email communications secure, we’d like to give you some stats that’ll give you an idea of what’s happening in the cybersecurity world.

a) 94% of malware is delivered via email;
b) 80% of security incidents are due to phishing attacks;
c) businesses lose an average of £3.2 million ($3.92 million) due to data breaches;
d) in 2019, 2 billion unique email addresses (and over 21 million passwords) were exposed within a single data breach;
e) 68% of businesses ‘feel’ cybersecurity risks are increasing;
f) in 2022, worldwide cybersecurity spending is expected to reach £109 billion ($133.7 billion); and
g) 37% of top malicious email attachments are .doc and .dot files and 5% (which is the next highest) are .exe files.

These stats probably left you quite shocked. Nevertheless, we’d like to emphasise that proper email security, if implemented correctly, will protect the sensitive information in your emails, help prevent phishing attacks and email spoofing, and guard your email accounts against unauthorised access, compromise and loss. With that out of the way, let’s turn our focus to email security best practices.

Email Security: What It Is and Why It’s Important?

According to the dictionary definition, email security refers to “the collective measures used to secure the access and content of an email account or service. It allows an individual or organisation to protect the overall access to one or more email addresses/accounts. An email service provider implements email security to secure subscriber email accounts and data from hackers – at rest and in transit.”

To put it simply, email security is a set of cybersecurity techniques that help businesses keep sensitive information in email communications – and email accounts – safe from unauthorised access and compromise. But, why is it important?

In this day and age, the majority of businesses conduct their communications – be it internal or with customers – via email. By implementing simple email security best practices, you can ensure three very important things –

a) your business email correspondence will not be compromised and any confidential information (such as sales reports, balance sheets, etc.) will be protected;
b) your identity will be protected against theft (prevent hackers from getting a hold of your email and password and sending false, malicious email messages from your account); and
c) you will be compliant with data protection regulations such as GDPR, CCPA, LGPC, CASL, PDPA, CAN-SPAM Act, etc.

Cybercriminals are getting more and more sophisticated by the minute and exploiting each and all possibilities to cause harm. So, businesses must be extremely vigilant when it pertains to email security. As a secure email marketing provider, we always aim to educate our customers on the consequences of sending emails through unsecured email systems. Now, let’s start building your defence with a few simple email security best practices.

Email Security Measures: SPF, DKIM, DMARC and BIMI

Good email security is not just about choosing a strong password or investing in antivirus software. So, avoid shooting yourself in the foot by missing the basics.

By implementing authentication methods such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC), you will be able to prevent people pretending to be you (known as email spoofing) and let recipients verify that the sender is you. When all three methods are properly set up, they prove the sender is legitimate, its identity hasn’t been compromised and the emails are not being sent on behalf of someone else. Now, let’s take a deeper look at each of these authentication methods.

Sender Policy Framework (SPF)

SPF is an email authentication method whose purpose is to detect falsification of the sender address (return-path header) during the delivery of the email. It’s a DNS record that specifies which IP addresses and/or servers are allowed to send email communications from that particular domain.

If you want to implement SPF, you will be required to add a DNS TXT record which contains all the IP addresses that are authorised to send emails on your behalf. Keep in mind, each domain can have a maximum of only one SPF record. This handy tool will allow you to easily generate an SPF record.

After an SPF record is checked, there are a few possible outcomes –

a) None – this result means no SPF record exists;
b) Neutral – an SPF record was found, however, neither a positive nor a negative assertion was made about the sender. It is pretty much equivalent to a none result;
c) Pass – this outcome means the sender is authorised to send email communications on behalf of the domain;
d) Fail – it means the sender is not authorised and the mail server may decide to reject the email;
e) Soft fail – the sender is not authorised, however, the mail server shouldn’t reject the email only based on this.

As with everything, there is always a positive and a negative side. In the case of SPF, the negative is that this authentication method alone cannot authenticate the original author of the email, but rather only the source of it (return-path). Nothing will stop a threat actor from setting up their mailbox and domain with an SPF record that will authorise their IP address to send on behalf of that domain. In other words, the only way to prevent email spoofing would be to combine SPF with DMARC and DKIM.
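As an added example (not code from the original post), here is a small Python evaluator for the five SPF outcomes listed above. It handles only the ip4/ip6 mechanisms and the all term; the TXT records are constructed inline instead of being fetched from DNS, and the a/mx/include mechanisms that need DNS lookups are deliberately skipped.

```python
import ipaddress

# Constructed sample: the SPF TXT record a receiver would have fetched for
# each sending domain (None means the domain publishes no record).
SAMPLE_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.7 ~all",
    "neutral.example": "v=spf1 ?all",
    "norecord.example": None,
}

# Qualifier prefix on a mechanism -> SPF result name.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sending_ip):
    """Return none/neutral/pass/fail/softfail for sending_ip against record."""
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        # a/mx/include/exists mechanisms need DNS lookups; not handled here.
    # Record exhausted with no match and no "all" term: RFC 7208 says neutral.
    return "neutral"


def check_domain(domain, sending_ip):
    """Look up the constructed record for domain and evaluate sending_ip."""
    return check_spf(SAMPLE_RECORDS.get(domain), sending_ip)
```

Note that a pass here only says the IP was authorised for the envelope domain; as the paragraph above explains, it says nothing about the From header unless DMARC ties the two together.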

DomainKeys Identified Mail (DKIM)

DKIM is an email authentication method aimed at detecting forged sender addresses in emails (email spoofing). Just like an SPF record, the DKIM public key is a TXT record which is added to a domain’s DNS. If you hear someone using the phrase ‘email signing’, know that they are referring to DKIM. It allows the recipients of an email – claimed to have come from a certain domain – to check whether the email message has indeed been authorised by the owner of the domain.

This type of authentication is achieved by attaching a digital signature, which is linked to a specific domain name, to each outgoing email as a header (DKIM-Signature). The recipient verifies the signature by looking up the sender’s public key, which is published in the DNS.

In contrast to SPF, DKIM relies on public-key cryptography: a pair of keys is generated – public and private. The public key is the one that’s placed in the DNS record, whilst the private key stays on the server it was created on (which is your mail server).

A valid signature proves that the signed parts of your email (the headers listed in the signature and the body, including attachments) have not been modified since the signature was affixed.

To implement DKIM, you are required to update your DNS – same as SPF. However, it’s a bit more involved than setting up SPF since you’ll need to –

1) choose a DKIM selector – it can be anything – a word, a number or a combination of both (in the example header below, the selector is the s= tag, brisbane, and the signing domain is the d= tag);

  DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=brisbane;
      c=relaxed/simple; q=dns/txt; t=1117574938; x=1118006938;
      h=from:to:subject:date:keywords:keywords;
      bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
      b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
      VoG4ZHRNiYzR

2) generate both public and private keys;

3) publish your selector and public key; and

4) attach the DKIM-Signature header to each one of your outgoing emails.

Domain-based Message Authentication, Reporting and Conformance (DMARC)

DMARC is an email authentication method aimed at tackling the problem of email spoofing by protecting both the sender and the recipient. This method’s main purpose is to protect domains from being used in BEC attacks, phishing emails and email scams. Implementing DMARC requires the same as SPF and DKIM – updating your DNS records. This tool can be particularly useful in creating a DMARC record.

Your DMARC record is published with your DNS records. It tells the receiving server what to do with an email that fails both the SPF and DKIM checks (among other things, the policy can be none, quarantine or reject). All the leading ISPs have already introduced DMARC checks on their receiving servers; and it’s moving closer to becoming the industry standard.

If you are wondering whether DMARC is enough to authenticate your email, the answer is ‘Yes’. Why? Because it checks that the domain from the SPF or DKIM result aligns with the domain in the From header, and if the outcome of that check is ‘pass’, then your recipient can be confident of your identity as the email’s sender.
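As an added example (not code from the original post or from EmailOut), the following Python covers the two ideas just explained: it parses the DKIM-Signature header shown in the DKIM section to derive the DNS name a verifier queries for the public key, then applies the DMARC alignment and policy rules to SPF and DKIM results. The DMARC record, the authentication results passed in, and the simplified organisational-domain rule are constructed assumptions.

```python
# Added example. Alignment modes and p= policy values follow RFC 7489; the
# sample inputs at the bottom are constructed for illustration.

def parse_tag_list(value):
    """Parse a DKIM/DMARC 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")  # first '=' only: b= is base64
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folded whitespace
    return tags


def dkim_dns_name(dkim_header):
    """DNS name a verifier queries for the public key: <s>._domainkey.<d>."""
    tags = parse_tag_list(dkim_header)
    return f"{tags['s']}._domainkey.{tags['d']}"


def organizational_domain(domain):
    # Simplification: keep the last two labels. Real DMARC consults the
    # Public Suffix List so that e.g. example.co.uk is handled correctly.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' = strict (exact), 'r' = relaxed."""
    if auth_domain is None:  # that mechanism did not produce a pass at all
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_result(dmarc_record, from_domain, spf_pass_domain, dkim_pass_domain):
    """Return (result, action); action is the p= policy applied on failure."""
    tags = parse_tag_list(dmarc_record)
    spf_ok = aligned(spf_pass_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(dkim_pass_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned pass is enough for DMARC
        return "pass", "none"
    return "fail", tags.get("p", "none")


# Constructed inputs: the header from the DKIM section (folding removed) and a
# DMARC record requesting reject, strict DKIM alignment, relaxed SPF alignment.
DKIM_HEADER = ("v=1; a=rsa-sha256; d=example.net; s=brisbane; c=relaxed/simple; "
               "q=dns/txt; h=from:to:subject:date; "
               "bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=; "
               "b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR")
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.net"
```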

If you are ‘starving’ for more information on DMARC, we have a whole article dedicated to it.

Brand Indicators for Message Identification (BIMI)

BIMI is an open standard allowing businesses to verify their identity and be easily recognised in recipients’ inboxes. Similar to SPF, DKIM and DMARC, BIMI is a TXT record published in your domain’s DNS. It works alongside all the other three authentication methods to indicate to email clients that you are you. Some even call this email authentication method DMARC 2.0.

What differentiates BIMI from the other three methods is that it allows businesses to display their logo in supported inboxes.

To enable BIMI, you have to make sure the following requirements are in place –

a) a DMARC record with a ‘quarantine’ or ‘reject’ policy;
b) being recognised as a bulk sender and having a good sender reputation; and
c) another DNS record, the so-called BIMI Assertion Record.

This TXT record is placed under a selector name such as default._bimi (default being the selector) in the DNS of the sending domain, which is usually the domain in the From header. The value of the record looks like:

v=BIMI1; l=https://www.example.com/images/logo.svg

You can find more information about BIMI here.

Email Security Best Practices

Email security breaches that businesses should be aware of are divided into five types –

1) Spam – it refers to all those unsolicited emails hitting your inbox. Despite the fact spam can occasionally seem harmless, it carries a significant risk to data security;

2) Phishing – attacks that use email to impersonate a trusted sender and deceive recipients that the message is coming from a reputable source;

3) Viruses – the purpose of a virus is to creep in and wreak havoc on systems by adding malicious code. More often than not, viruses accompany spam and phishing attacks. They use emails as the point of entry and then gain access to your business’s systems;

4) Ransomware – it’s a form of malware used to prevent users from accessing their files or systems by demanding payment to regain access. Furthermore, according to Norton, there are five types of ransomware: ransomware as a service, crypto-malware, scareware (it mimics antivirus software), doxware (threats of publishing private and/or confidential information) and lockers (you are locked out of your computer); and

5) Insider threats – have you seen the horror movie When A Stranger Calls? The threat came from inside the house. Well, insider threats work on the same principle. Your employees, depending on their role in the business, have broad access to all sorts of information. Thus, all it takes is one employee with little or no knowledge of email security and you’ll have a data breach on your hands. Trust us, in this case, ignorance is not bliss.

Now that we’ve outlined the five main email security breaches, we consider it vitally important to emphasise that the consequences of an email security breach can be disastrous to your business. Fortunately, there are a few simple email security best practices that can be implemented.

Best Practices

1) Cyber-awareness training for employees. The human factor is considered to be one of the biggest challenges when it comes to email security. Therefore, it’s imperative that you educate and train your staff. Teach them how to identify, safely handle and flag phishing and spam emails. According to stats, 2 out of 3 email hacks happen due to employee negligence and that can cost an average of £228,000 ($280,000) per incident.

2) Implement email encryption. By disguising the content of your emails as well as any attachments, you will protect any sensitive information from being accessed by outside parties that are not part of the intended recipients.

3) Perform phishing simulations. The best way to ensure your employees can recognise phishing is to simulate phishing attacks. It’s not only the safest way to test your employees’ knowledge, but also to educate them on how to make the correct choice in their everyday work.

4) Use a secure email gateway (SEG). SEGs are essentially firewalls for email. Their purpose is to monitor inbound and outbound email communications. SEGs work best when combined with email encryption. Most importantly, never allow your staff to use company email for personal use.

5) Use unique, strong passwords and two-factor authentication (2FA). Encourage your employees to create unguessable passwords and make sure they never use the same one for all their accounts. For additional email security, your staff should also implement 2FA or multi-factor authentication (MFA). Both methods require the user to give two (or more) pieces of evidence to verify their identity.

6) Choose quality antivirus software. As obvious as it might be, implementing this measure can exponentially reduce threats of email security breaches. However, keep in mind that on its own, it’s not nearly enough to protect your business.

Final Thoughts

Your parents taught you not to talk to strangers when you were growing up, right? Somehow though, in the virtual world, we seem to have forgotten this very important lesson. So much so, that we willingly engage with the same ‘stranger danger’ type of emails and put not only our businesses but our customers and their data in danger. In order to prevent this from happening in the years to come, implementing email security best practices is imperative.

It doesn’t matter if you are a conglomerate, SMB or a mum-and-dad shop. Securing your emails should be a priority. Yes, it’s challenging to keep up-to-date with all email security threats out there. Especially since threat actors are upping their game constantly. However, the fight is not lost. As long as you are careful and you implement the outlined email security best practices, your email communications will be as protected as possible.


source https://www.reddit.com/r/Emailmarketing/comments/g6k3w3/email_security_best_practices_the_importance_of/
