Cyber Security Hygiene - Email

Regardless of how much you invest in your network, cloud, identity or cyber security awareness training, one channel on which you will keep receiving constant threats is email. Basically, anyone can email anyone in your organization, and on many occasions the message will pass the spam, malware and other protection filters you have in place. Of course, this is where defense in depth at multiple layers helps remove the threat or reduce its impact, but doing your best to secure email means fewer threats and fewer false positives reaching your users and IT team.
With email security, I found things are not straightforward to set up right. If you go too strict on restrictions, you risk a lot of false positives, emails stuck in junk or quarantine and users complaining about email deliverability. If you are too tolerant, a lot of phishing emails go through and there is always someone who clicks the links. Below is a set of recommendations which represent basic hygiene for email security:
- Start by not managing the email service yourself. I hope the number of organizations which manage their own email server is reducing drastically and they are all moving to a managed cloud email such as Google Workspace or Microsoft M365. As covered in other posts, this is not for cost reduction, but for having specialized, trained and well-resourced teams looking after your email infrastructure and security. As a business, if you host your own email (and you might need to for compliance purposes), there are limited resources you can invest in having a top tier service. This will not compare to the platform built and maintained by 1000s of infrastructure, cloud, email and security specialists whose work compounds in the managed email solution that is offered to you.
- Once you have email as a service, ensure you license it for security as well. In the Microsoft world, this means you need to bolt on ATP Plan 1 or 2 which give you access to spam and phishing protection as well as Safe Links and Safe Attachments which scan the links and attachments you receive via email and aim to protect against the most common ways of infiltrating a computer via email.
- Make sure your identity security is in place and access to email is protected via MFA and perhaps only accessible on company issued devices.
- Work towards having encrypted emails and check if you have litigation options enabled to safeguard emails for a number of years, based on regulation specific to your domain.
- Ensure your email DNS is set up the right way by having SPF, DKIM and DMARC entries, and that you also check for those when establishing whether an email is legitimate, to avoid spoofing attacks.
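
One way to check the SPF, DKIM and DMARC entries from the last point, as an added example that is not part of the original post: an offline linter over TXT record strings that flags settings which leave spoofed mail deliverable. The function names, domains and record values are constructed for illustration; in practice you would feed it the TXT answers for your domain, `_dmarc.<domain>` and `<selector>._domainkey.<domain>`.

```python
import re

# Terms that cost a DNS lookup; RFC 7208 caps these at 10 per SPF evaluation.
LOOKUP = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)

def parse_tags(record):  # split DMARC/DKIM 'k=v; k=v' into a lowercase-keyed dict
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lint_spf(txts):
    spf = [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["SPF: expected exactly one v=spf1 record, found %d" % len(spf)]
    terms, out = spf[0].split()[1:], []
    if sum(1 for t in terms if LOOKUP.match(t)) > 10:
        out.append("SPF: more than 10 DNS-lookup terms (permerror)")
    alls = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not alls and not any(t.lower().startswith("redirect=") for t in terms):
        out.append("SPF: no 'all' term, unlisted senders evaluate to neutral")
    elif alls and alls[0][0] not in "-~":  # bare 'all' means '+all'
        out.append("SPF: '%s' does not fail unlisted senders" % alls[0])
    return out

def lint_dmarc(txts):
    recs = [parse_tags(t) for t in txts if t.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(recs) != 1:
        return ["DMARC: expected exactly one v=DMARC1 record, found %d" % len(recs)]
    tags, out = recs[0], []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        out.append("DMARC: p=%s, failing mail is still delivered" % (policy or "<missing>"))
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        out.append("DMARC: pct=%s, policy applies to only part of the mail" % pct)
    if "rua" not in tags:
        out.append("DMARC: no rua= address, so no aggregate reports")
    return out

def lint_dkim(txts):
    # An empty p= tag means the selector's key has been revoked.
    if not any(parse_tags(t).get("p") for t in txts):
        return ["DKIM: no selector record with a public key"]
    return []

def audit(zone):
    return lint_spf(zone.get("spf", [])) + lint_dmarc(zone.get("dmarc", [])) + lint_dkim(zone.get("dkim", []))

# Constructed sample records: a permissive setup next to a hardened one.
WEAK = {"spf": ["v=spf1 include:_spf.mail.example ?all"], "dmarc": ["v=DMARC1; p=none"], "dkim": ["v=DKIM1; k=rsa; p="]}
HARDENED = {"spf": ["v=spf1 include:_spf.mail.example -all"], "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@corp.example"], "dkim": ["v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"]}
```

`audit(WEAK)` returns four findings (neutral SPF, monitor-only DMARC with no reporting address, revoked DKIM key), while `audit(HARDENED)` returns an empty list.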
On top of this foundation, you can consider doing the below:
- If you have a cyber awareness platform, consider doing simulated phishing email campaigns.
- Consider adding a 3rd party email security solution on top of the standard security that comes with every email provider. You are looking here at things such as Mimecast, Darktrace or Abnormal Security, which have built-in AI to analyze user behavior and patterns and thus do a better job at stopping threats, reducing false positives and allowing through legitimate email. This is a significant cost, however, and might not be justified or affordable in many companies.
- Consider adding a Data Loss Prevention solution to protect from insider threats, where company data can be leaked intentionally or unintentionally. This way you can stop Personally Identifiable Information, or other confidential or financial company information, from being sent via email, which is an uncontrolled channel (basically anyone receiving that email can then forward it anywhere).
All in all, email remains probably the most used communication channel in businesses worldwide and one of the most vulnerable channels for a cyber attack. Applying the practices mentioned above puts your business in a better security posture, together with the other practices on identity, devices and security solutions.