Email is one of the most common routes used by cyber attackers for malicious activity. Implementing proper email security controls is fundamental for all organisations regardless of what data is processed.
Labyrinth have been contracted to manage the response to a number of cyber security incidents, most of which were the result of inadequately protected email systems. These incidents were all for small businesses and resulted in financial losses of up to tens of thousands of pounds each.
94% of malware arrives by email, but malware is not the only threat to consider.
Through phishing and Business Email Compromise (BEC), cyber attackers gain access to email accounts to leak confidential data and send fraudulent communications (such as requests for invoice payment) for financial gain.
Multifactor Authentication
Multifactor authentication requires users to enter their password and a second form of authentication (usually a temporary code sent to an app on their mobile phone) whenever they set up a new device or sign in to a web portal. It is available as standard at no extra cost on virtually every cloud business system today, including Microsoft 365, so there really is no excuse for not implementing it.
With multifactor authentication, a user's email account cannot be breached with the password alone, which makes it virtually unbreachable. It is one of the most effective controls that can be implemented.
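To show concretely why a stolen password on its own is not enough once a second factor is enforced, here is a small worked example of the sign-in check. It is added for this article and is not Labyrinth's or Microsoft 365's own code: it stores a salted password hash, generates and verifies the kind of temporary code an authenticator app produces (RFC 6238 TOTP), and only grants access when both factors verify. The user name, password, salt and store layout are constructed for the example; the TOTP seed is the published RFC 6238 test-vector secret, not a real enrolment.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo values (not real credentials). The TOTP seed is the
# RFC 6238 test-vector secret "12345678901234567890" encoded in base32.
DEMO_TOTP_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_SALT = b"constructed-salt-for-example"


def hash_password(password: str, salt: bytes) -> bytes:
    """First factor: slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Second factor: time-based one-time code per RFC 6238 (HMAC-SHA1, 30 s step)."""
    key = base64.b32decode(seed_b32.upper())
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation as in RFC 4226
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(seed_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock drift."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(seed_b32, unix_time + k * 30), code):
            return True
    return False


def make_demo_store() -> dict:
    """Constructed user database: one mailbox owner with MFA enrolled."""
    return {
        "alice@example.test": {
            "salt": DEMO_SALT,
            "pw_hash": hash_password("correct horse battery staple", DEMO_SALT),
            "totp_seed": DEMO_TOTP_SEED_B32,
        }
    }


def login(store: dict, username: str, password: str, code: str, unix_time: int) -> bool:
    """Grant access only when BOTH factors verify; the password alone never unlocks the account."""
    user = store.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    otp_ok = verify_totp(user["totp_seed"], code, unix_time)
    # Both factors are evaluated before deciding, so a failed attempt does not
    # reveal which factor was wrong.
    return pw_ok and otp_ok


if __name__ == "__main__":
    store = make_demo_store()
    now = 59  # fixed clock so the RFC 6238 test vector applies
    # Attacker with the correct password but no authenticator app: denied.
    print(login(store, "alice@example.test", "correct horse battery staple", "000000", now))
    # Legitimate user with password and the current app code: allowed.
    print(login(store, "alice@example.test", "correct horse battery staple",
                totp(DEMO_TOTP_SEED_B32, now), now))
```

The point of the example is the last function: a phished or leaked password gets the attacker past the first check only, and the login still fails because the second factor is tied to a seed that only the user's device holds.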
Email Security Software
Email security software solutions like Microsoft Defender, Symantec, Vade or Mimecast are essential to providing protection against:
- Phishing emails (where a cyber attacker poses as a legitimate person or business, often for financial gain)
- Malware attached to emails
- Malicious links within emails
- Spam (nuisance emails)
User Awareness Training
Some malicious emails will inevitably slip through the net, so it is important that users know how to spot them. In particular, finance teams should have clear processes in place for validating invoices received via email.
Labyrinth provide end user training material to all of our managed support clients. We also partner with uSecure to deliver a low-cost user security awareness platform, featuring training videos, simulated phishing attacks and more.
Encryption and Mobile Device Management
Any devices used to sync emails should be encrypted and password protected. For mobile devices, this can be enforced using Mobile Device Management (MDM) tools such as the built-in version provided with most Microsoft 365 licenses.
Mobile Device Management tools can also be used to remotely wipe devices if they are lost or stolen and usually do not infringe on user privacy.
Windows and Mac devices can be encrypted using the built-in BitLocker and FileVault tools.
Individual high-risk emails can be encrypted if required using add-ons and third-party tools.