Although email is a crucial tool for businesses, most of the time it’s not properly secured beyond a login password. While this may seem harmless, email security vulnerabilities are at the heart of most cyber insurance claims. In fact, the majority of cyber insurance claims come from the same attacks: business email compromise (BEC), social engineering, brute force of remote access, exploitation of known vulnerabilities in unpatched software, and ransomware. Recent findings from Coalition, a cyber insurance and security firm based in the US, show that 54% of claims in the first six months of 2020 were caused by BEC and social engineering, and 29% were linked to remote access.
These risks only increased with the spike in remote working due to COVID-19. Some people started using their personal devices to access their business email, and security policies were not always enforced.
Even before the pandemic, business email was a frequent and easy target. Attackers can exploit common email security vulnerabilities, compromise accounts through phishing or social engineering techniques, or spoof email addresses. It’s important to understand that email security does not end with authenticating logins to our accounts. Here are some useful tips.
The following options are available and advisable to use for securing business email.
A password is not enough, as it’s one single “factor” of verifying that you are who you say you are. Multi-factor authentication (MFA) combines these credentials with a second, independent method. The most common example of a second method is a one-time key or token, often sent by email, SMS or push notification, which is requested after the username and password. MFA is free, easy to implement and available on most web services and applications, including all Microsoft and Google products.
There are also methods to validate and secure the message content, authenticate the sender’s identity, authorize email senders, and maintain the integrity and functionality of the email app itself. For instance: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC).
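SPF and DMARC are both published as DNS TXT records, and a record that exists but is configured loosely gives little protection. The following Python, added here as an example and not taken from the post or from ThirdPartyTrust, parses the two record types and flags the settings a defender checks first: an SPF record ending in `+all` or `?all`, the deprecated `ptr` mechanism, more than ten DNS lookups (the RFC 7208 limit), and a DMARC record with `p=none`, a partial `pct`, or no `rua` reporting address. The domains and records are constructed samples under the reserved `.example` TLD; in practice the TXT strings would come from a DNS query.

```python
# Added example (not from the original post): audit SPF and DMARC TXT records.
from typing import Dict, List, Optional

# SPF terms that each cost a DNS lookup; RFC 7208 caps a record at 10 of them.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(txt: str) -> Optional[List[str]]:
    """Split an SPF record into its terms; None if it is not an SPF record."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    return parts[1:]


def assess_spf(txt: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    terms = parse_spf(txt)
    if terms is None:
        return ["no valid SPF record"]
    findings: List[str] = []
    lookups = 0
    for term in terms:
        # Strip the qualifier (+ - ~ ?) and any ':' or '=' argument to get the term name.
        name = term.lstrip("+-~?").split(":")[0].split("=")[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("'ptr' mechanism is deprecated and unreliable")
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10; receivers return permerror")
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorizes every host on the internet to send as this domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral: unlisted senders are neither passed nor failed")
    return findings


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Parse 'tag=value; tag=value' into a dict; None if it is not a DMARC record."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags


def assess_dmarc(txt: str) -> List[str]:
    """Flag DMARC settings that leave spoofed mail deliverable or invisible."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no valid DMARC record"]
    findings: List[str] = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p=' policy")
    elif policy == "none":
        findings.append("p=none only monitors: mail failing SPF/DKIM alignment is still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no 'rua=' address: aggregate reports showing who sends as you are lost")
    return findings


# Constructed sample records under the reserved .example TLD, not real DNS data.
SAMPLE_RECORDS: Dict[str, Dict[str, str]] = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailprovider.example +all",
        "dmarc": "v=DMARC1; p=none; pct=50",
    },
    "strong.example": {
        "spf": "v=spf1 mx include:_spf.mailprovider.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
    },
}


def audit(records: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Run both checks for every domain and collect the findings per domain."""
    return {
        domain: assess_spf(rec["spf"]) + assess_dmarc(rec["dmarc"])
        for domain, rec in records.items()
    }


if __name__ == "__main__":
    for domain, findings in audit(SAMPLE_RECORDS).items():
        print(domain, "->", findings or ["OK"])
```

DKIM is not checked here because it is verified per message against the signing key in DNS rather than by reading a single policy record; the DMARC `adkim=s` tag in the strong sample is what ties DKIM signatures to the visible From domain.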
The COVID-19 pandemic made accessing the business network from all over the world a necessity. With that ease comes an extended risk surface, opening up your network to abuse, lost credentials, insecure Wi-Fi connections and social media account hacking – nothing that a robust set of security policies and procedures can’t avoid or mitigate.
Cybersecurity is becoming a part of everyone’s job, not just the IT team’s. Make your staff join the fight against cybercrime by explaining the potential threats and how to protect against them. Let them know they’re an integral part of the business’s security. This awareness can be what stops someone from accidentally clicking a phishing link or visiting a compromised website linked from a spam email.
Some people (and organizations) might not even be aware that their email accounts have been compromised. There are tools that help businesses prevent account takeover and fraud stemming from stolen credentials. SpyCloud is one of them, feeding exposed credential risk data to our ThirdPartyTrust platform. This sort of monitoring can go a long way toward helping you secure your supply chain against exposure to data breaches and cyberattacks, and even empower remediation.
We’ve now seen some attainable ways of securing business email. Are you ready to take your email security one step further?
To learn more about how ThirdPartyTrust can help you manage third-party risk across your organization, request your free trial now: