Cybercriminals don’t just attack large organisations – they also target SMEs too, which is why SMEs should always consider their email security. Business leaders need to ask if they have the right systems in place and also if the employees are aware of the dangers posed by email threats. Two experts from CyberSmart and Cybereason explain how SMEs can bolster their email defences.
Jamie Ahktar, Co-Founder and CEO at CyberSmart said:
Email threats or phishing scams are one of the most common forms of cyberattack. What’s more, they’re increasingly being used by cybercriminals as the first point of access into a corporate network.
These attacks usually prey on heightened emotions, such as fear, excitement or a fast-paced working environment, to entice employees into clicking on a link or downloading an attachment. Once the recipient has been snared, the link will usually redirect them to another page requesting sensitive information or simply release malware on to their device.
Cybercriminals use this technique because it requires minimal effort to launch an attack – all it requires is sending one email to a list of targets – and just one mis-click could reap great rewards. Most hackers don’t discriminate between large and small businesses, so it’s vital SMEs bolster their cybersecurity on this front.
The key to protecting SMEs from email attacks is continuous cybersecurity awareness training, coupled with an effective spam filter. Employees should be made aware of the latest tactics used by cybercriminals and learn how to recognise the red flags.
For example, it’s essential that employees check the email address along with the sender, look for grammatical mistakes and stay vigilant to an unusual sense of urgency or eagerness in the tone of the message.
Of course, cybercriminals are becoming ever more sophisticated in their tactics, so much so that it can be near impossible to distinguish real emails from phishing scams. Therefore, businesses need to implement other measures alongside training. This includes using email filtering software that can help detect and flag suspicious email addresses and malicious links or attachments.
The software should also accommodate for unknown threats by testing unfamiliar URLS and files in a sandbox, or a secure and isolated environment, to prevent the spread of malware. In addition, multi-factor authentication should be applied where possible. That is, requiring users to meet a combination of ‘something you know’ (e.g. password), ‘something you have’ (e.g. token) and ‘something you are’ (e.g. biometrics). That way, if an attacker accesses an employee’s credentials, the information is virtually useless.
Finally, it’s important to encourage employees to apply an ‘if in doubt’ approach. Staff should never click a link or download a file if they’re unsure of the source. Instead, they should seek a second opinion.
Individuals can also help avert the spread of large-scale attacks by reporting suspicious communications to the Suspicious Email Reporting Service (SERS): [email protected] which support’s the government’s Active Cyberdefence programme.
Sam Curry, Chief Security Officer, Cybereason said:
Email remains one of the most compromised services no matter how much security training we throw at it, but it doesn’t have to be that way. Email can be made less vulnerable – the key to the strategy is to know your stack, get the basics right, consider the configuration and security controls to enable, have a detection strategy and lean into the email security solutions, both old and emerging.
The first step is to understand the unique trade-offs in email security based on your platform: Google is not the same as Microsoft, for instance. Any stack can be deployed well, and any stack can be deployed poorly. Know what you have. Rule number one is to know the strengths, weaknesses and options for improving security in your environment.
Next, get the identity hygiene right. This means having an identity strategy and a strong authentication policy that ensures unique passwords. Consider password vault options because in the end there aren’t bad users, but there are a lot of security departments that expect users to behave unnaturally. Make it easier to activate the human layer to participate in its own rescue.
Then apply security layers on top of the mail stack. Consider spam and phishing filters and look into the step-up security features of the stack you use. For instance, Google has a Confidential mode that many don’t even know exists. Consider what protocols can be used for email, whether filters are bypassed for internal users (don’t do this!) and options to validate email with SPF, DKIM and DMARC.
It’s vital that security moves with the business and doesn’t grind all email to a halt. Nothing will sink a security program and kill new initiatives faster than becoming the business inhibition team.
Defence-in-depth may have developed a bad name over the years, but there’s enormous validity to it in control layers. Just as antivirus or firewalls fail, so can the best of email security controls. The best strategy assumes that prevention tools in email will be defeated and proactively seeks to detect the malicious operations that start with email compromise with a strong detection strategy: EDR/XDR and MDR. These aren’t really endpoint tools, they are the way to catch advanced attackers in an enterprise environment with depth used to advantage.
It’s also worth leaning into vendors out there in the email security space, from established vendors which can help co-ordinate a strategy and add layers to your email stack to emerging solutions. Vendors aren’t the enemy. Many will fail. But this is the source of tomorrow’s solutions and building the skill to talk with them and see technology evolve will help you find the solution that can make a difference.
Click below to share this article