It goes without saying that the past two years have been difficult. Cybersecurity teams have had to build systems that support remote work while preventing interruption to the business. At the same time, cybercriminals exploited a weakened economy and accelerated their attacks, often through email and social engineering.
In fact, according to Guardian Digital researchers, phishing attacks have increased by 600% due to the pandemic and users are three times more likely to interact with a malicious link than they were pre-COVID. Some of the biggest obstacles to security, especially for small businesses, include gaps in Microsoft 365 security, the difficulties of remote and hybrid working as well as a lack of multi-layered security strategies.
Email Threats Create Increased Risk for Small Businesses
Small businesses face an increased risk of falling victim to attacks, such as business email compromise (BEC). Cybercriminals often target small businesses and pose as the CEO or executives to manipulate users into sharing data or even enabling large monetary transfers.
Remote workers are more likely to interact with suspicious emails than those working in person. It doesn’t help that phishing attacks are becoming more clever and increasingly harder to tell apart from legitimate emails. The sad fact is that smaller companies struck by a cyberattack often close within six months of the attack, as the financial burden is too great to recover from. Damages can range from $35,000 to $200,000, not including legal fees, compliance penalties, loss of reputation and loss of customers.
The Flaw in Microsoft 365 and Exchange Online Protection
Attackers prey on human error, and because smaller companies have less experience with ransomware, they often rely solely on Microsoft 365’s built-in protection. Unfortunately, this single-layered approach can neither anticipate an incoming attack nor defend against human error. The software is also ineffective at preparing for zero-day attacks and for malicious URLs and attachments that are not included in static lists. Microsoft Exchange Online Protection (EOP) is a cloud-based service that protects email, but it doesn’t have customizable options that can be adjusted to meet small businesses’ unique security needs.
Email Security Requirements Businesses Should Follow
To bolster email security, organizations of all sizes, but especially small businesses, would do well to focus on encrypting their email. Encryption is essential to a successful email security strategy, but message content remains exposed while it is in transit between servers. To combat this, implement transport layer security (TLS), a protocol that encrypts the connection from one TLS-enabled mail server to the next so that the content is protected while in transit.
Sender fraud protection is another necessary component to protect against email spoofing, a type of email fraud where a malicious actor will send an email with a fake “From” address. The tactic is commonly seen in phishing attacks where the intent is to steal data or initiate wire transfers and it can cause severe and lasting harm to your reputation. Email security protocols including SPF, DKIM and DMARC can provide protection by authenticating the sender of the message.
An effective email security system requires a layered defense for stronger security. For example, Office 365 has an integrated spam filter, but it’s ineffective against more advanced attacks, so spammers test their methods until they bypass Microsoft’s filters. With multi-layered cloud email security, each layer focuses on a specific area where malware may enter. A layered approach eradicates spam and virus-infected email, detects and blocks threats in real time, and the layers build on each other to provide stronger, more effective protection.
Recommendations for Small Businesses
Avoiding the dangers associated with increased cloud email use is important. Tips for securing your company from these threats include:
Learn how to spot phishing, ransomware and other email-borne attacks.
Don’t rely on endpoint security alone – this is the last line of defense.
Advise remote workers that they should be the only user to access their home endpoint. They should use a strong password for their account and, if they share a PC, make sure that each user has their own account.
Use a VPN.
Avoid insecure networks.
Maintain an updated operating system; your operating system and applications are only as secure as their latest security patches.
Be wary of emails from personal email addresses.
Implement authentication protocols to confirm the messages you receive are legitimate. Sender authentication protocols help prevent spoofing, business email compromise (BEC) and other dangerous exploits.
Implement proactive, multi-layered supplementary cloud email protection. Defense-in-depth is a necessity for protecting email against today’s threats.
Prepare Your Business for Battle
When it comes to cybersecurity, we can no longer afford to turn a blind eye, in more ways than one. The damages that can come from an attack are costly, potentially resulting in a total shutdown of your organization. Cybercriminals are not going anywhere anytime soon, and the threats to your system infrastructure are only getting more clever. AT&T researchers stated that over 90% of companies with a lag in their security will miss revenue goals, while 57% of companies with stronger measures surpass their goals by seven percent. A business that is prepared for the next cyberattack is more likely to succeed. Email security is an investment that pays off by mitigating the risk to your company, improving the image of your brand and decreasing the cost of operations. The time to look past standard defenses and implement additional measures is now.