Email security remains a top IT concern for businesses entering 2019. The exponential increase of phishing attacks over the past year alone can be credited for this, especially after news broke that additional Yahoo and Gmail users were compromised in December. To help get 2019 started, here are several steps you can take to improve your email security.
One of the simplest yet most effective tips to improve email security is to choose and stick with major vendors such as Microsoft or Google who invest significant resources into proactive security and continually advance their systems to protect their clients.
They (MS and Google) generally adhere to modern security compliance measures and are always at the forefront to ensure that the latest technologies and/or measures are applied. A great example is Microsoft’s new SecureScore for Office 365 which is ever-evolving as it continues to check your security compliance against emerging best-practices, allowing you to make your security better in real time.
If for some reason you choose to carry on without Microsoft or Google, be sure to take note of the following:
Avoid e-mail services that do not use SSL/TLS encryption. SSL/TLS should be used throughout (between your mail application and the server, and server to server). This includes scanners/copiers as well, so be sure to set up a email@example.com account that authenticates to the email provider with SSL/TLS to protect your outbound scanning.
Avoid e-mail services that do not support or use SPF, DKIM, and DMARC. These are Sender Verification features that assist with spoofing.
Avoid e-mail services that do not incorporate spam/AV protection in front of your mailbox. This means, inbound mail is scrutinized BEFORE it hits your mailbox.
Avoid IMAP or POP3 mail services because they can expose your business to certain risks that can be avoided by using more advanced e-mail systems like Microsoft Exchange (which Office 365 is built with).
Ensure your e-mail service offers auditing to help with forensic analysis in legal situations. And on the topic of forensic matters, Office 365 offers a litigation hold feature on certain mailbox types which prevents anything in the mailbox from being deleted under the correct settings. This is great for legal situations.
Ensure your e-mail service offers a way to protect your e-mail data on mobile devices by requiring certain security criteria be met (eg. must have a password to sign into phone, must be an encrypted device, etc.)
Ensure you have a way to wipe a mobile device or laptop if it is stolen or lost.
As you can see, the intent of the points above is to show you that going with a major vendor is the only way to go. View more on why you should migrate your email to Office 365.
In our recent guide about how to achieve better IT security we made a case for multi-factor authentication (MFA), which is a system that requires more than one method of authentication from independent categories of credentials to verify a given user's identity for a login or other transaction.
Major vendors like Microsoft and Google offer MFA because it’s effective and it is absolutely recommended as a part of login protocol for all services. A word of caution however - do not use text/SMS based MFA as it has been proven to not be secure. Instead, ensure that you and your staff uses a mobile device application which randomizes a key every 30 seconds that must be entered at the same time as regular credentials. Google or Microsoft authenticator apps are available for iOS and Android. Microsoft’s authenticator is even more robust as it also offers push notifications to allow you to confirm access by simply clicking a confirmation button, rather than entering a number.
Your mail server domain is instrumental in email security. Please abide by the following:
Confirm and verify your login credentials for the registrar that holds your domain(s).
Enable domain privacy where supported. This will keep malicious parties from emailing you fake renewal scams.
Confirm the contact information on the domain’s owner, admin, and technical contacts is up-to-date and actually you! Resellers have been know put their own ownership details on domains in the past which puts some clients into an ownership battle when they want the domain.
Ensure domain-locking is turned on to prevent changes on the domain without verification.
Ensure your domains don’t expire in the next 12-months
Ensure you also have login details to the DNS system that is responsible for each of your domains.
More often than not, the weakest point for most corporate networks is staff. Ensure that your staff are provided weekly or monthly updates about common threats of popular phishing emails that are emerging. Knowing what to watch out for can go a long way to securing company-wide email. Ensure staff are trained on standard security measures and has a stringent understanding of password creation and protection best practices. In addition, introduce e-mail warnings when messages come from external parties or when Sender Verification like SPF and DKIM fail. Also, verify that staff understands what *spoofing is, and introduce extra checks/confirmations to verify ALL fund or sensitive information transfers were actually initiated by the legitimate person. Call them. Don’t email them to verify.
*Spoofing - a fraudulent or malicious practice in which communication is sent from an unknown source disguised as a source known to the receiver. (source: Techopedia)
Last but not least is the inevitable conclusion - IT support. Platforms like Office 365 are heavily focused on security (SecureScore) but they do require the requisite skill of a technical professional to “tweak” them for even better, more customized, security. And these customizations are not a “one time” thing, as e-mail security should be assessed regularly (every 6 - 12 months) by an IT professional.
If you have any further questions about how to improve company email security, please contact SIRKit at to learn more.