(915) 200-8501 info@taloscyber.com

Consider the following controls to enhance the security posture of your e-mail system. Check with your e-mail service provider to ensure that these controls are in place and enabled.

1. Avoid “free” or “consumer” e-mail systems for your business; such systems typically do not meet the contractual or regulatory requirements for storing, processing, or transmitting sensitive information. The security of a free e-mail account is not comparable to that of a business e-mail solution: a business solution gives your administrators centralized control over every account, audit logging, and policy enforcement across all of your organization's mailboxes and the sensitive information they hold.

2. Ensure that spam-filtering and antivirus solutions are installed, active, and automatically updated wherever possible. Most spam filters can be configured to quarantine or block suspicious e-mails before they reach employee inboxes.

3. Deploy multifactor authentication (MFA) before enabling access to your e-mail system. MFA stops an attacker who has obtained only a user's password, which is exactly what most phishing attacks harvest, from logging in to your system. Note that one-time codes and push approvals can still be phished in real time by a site that relays them to the real login page, so prefer phishing-resistant methods (hardware security keys or platform authenticators) where your provider supports them.

4. Optimize security settings within your authorized internet browser(s), including blocking specific websites or types of websites, to minimize the likelihood that an employee will open a malicious website link. Most browsers assess the possibility that a site is malicious and send warning messages to users attempting to access potentially dangerous sites.

5. Configure your e-mail system to tag messages that originate outside your organization as “EXTERNAL”, for example by prepending the tag to the subject line or inserting a banner at the top of the message body. Consider a banner that advises the user to be cautious when opening such e-mails, for example, “Stop. Read. Think. This is an External Email.” The tag is only as reliable as the sender identification behind it: your mail system must also reject or flag messages that forge your own domain in the From header, otherwise an attacker simply avoids the tag.

6. Implement an e-mail encryption module that enables users to send encrypted e-mails to external recipients and to protect information that should be seen only by authorized individuals. Keep in mind that the transport encryption between mail servers protects a message only while it is in transit; message-level encryption is what protects it once it sits in a mailbox.

7. Provision every employee with a unique user account that is tied to a unique e-mail address. Accounts and e-mail addresses should never be shared, and they should be disabled promptly when the employee leaves the organization (disable first; delete or reassign the address only after any required retention period), so that a departed employee's credentials can no longer reach your mail.
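The external-tagging control in item 5, as an added example that is not Talos Cyber's code or any mail platform's configuration: a Python filter that decides from the From address whether a message is external and, if so, prepends the tag to the subject and a warning banner to the text body. The organization domains and the sample messages are constructed for the example; in production the same decision is normally made by a transport rule or milter inside the mail system, but the edge cases are the same: spoofed display names, look-alike domains, case differences, missing headers, and messages that were already tagged.

```python
"""Tag inbound e-mail from outside the organization as EXTERNAL.

Added example, not Talos Cyber's code or a mail platform's configuration.
Assumes the organization's own sending domains are known (ORG_DOMAINS below
is hypothetical) and that the function runs before delivery, e.g. in a
milter or content filter. All sample messages are constructed.
"""
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import parseaddr

# Hypothetical: every domain the organization legitimately sends mail from.
# Sub-domains count as internal only if they are listed explicitly.
ORG_DOMAINS = {"example.com", "mail.example.com"}

TAG = "[EXTERNAL]"
BANNER = "Stop. Read. Think. This is an External Email."


def parse_message(raw: str) -> EmailMessage:
    """Parse RFC 5322 text with the modern (non-compat32) policy."""
    return Parser(policy=policy.default).parsestr(raw)


def sender_domain(msg: EmailMessage) -> str:
    """Lower-cased domain of the From address, ignoring the display name.

    parseaddr() splits 'Alice (CEO) <alice@evil.example>' into name and
    address, so a spoofed display name cannot make mail look internal.
    """
    _name, addr = parseaddr(str(msg.get("From", "")))
    if "@" not in addr:
        return ""  # missing or malformed From: treated as external
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_external(msg: EmailMessage) -> bool:
    """Exact, case-insensitive match against the organization's domains.

    Look-alikes such as 'example.com.evil.example' or 'examp1e.com' fail
    the exact match and are therefore tagged.
    """
    return sender_domain(msg) not in ORG_DOMAINS


def tag_external(msg: EmailMessage) -> EmailMessage:
    """Prepend TAG to the Subject and BANNER to the text body of external mail.

    Idempotent: an already-tagged message is not tagged twice, and internal
    mail is returned unchanged. The check is only as good as the sender
    identification behind it: if the mail system accepts a forged
    'From: someone@example.com', the message is never tagged, which is why
    sender authentication (SPF/DKIM/DMARC enforcement) has to accompany it.
    """
    if not is_external(msg):
        return msg
    subject = str(msg.get("Subject", ""))
    if not subject.upper().startswith(TAG):
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}".rstrip()
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text = body.get_content()
        if not text.startswith(BANNER):
            body.set_content(f"{BANNER}\n\n{text}")
    return msg


# Constructed sample messages.
EXTERNAL_RAW = """\
From: "Alice (CEO)" <alice.ceo@evil.example>
To: bob@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

LOOKALIKE_RAW = """\
From: IT Support <helpdesk@example.com.evil.example>
To: bob@example.com
Subject: Password expiry

Your password expires today.
"""

INTERNAL_RAW = """\
From: Carol <carol@EXAMPLE.COM>
To: bob@example.com
Subject: Lunch

Noon?
"""


if __name__ == "__main__":
    for raw in (EXTERNAL_RAW, LOOKALIKE_RAW, INTERNAL_RAW):
        msg = tag_external(parse_message(raw))
        print(msg["From"], "->", msg["Subject"])
```

The first two samples are tagged (the display name "Alice (CEO)" and the look-alike domain do not help the attacker), the internal message passes through unchanged despite the upper-case domain, and running tag_external twice on the same message leaves a single tag.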

Security Awareness Training

Implement the following education and awareness activities to assist your employees and partners in protecting your organization against phishing attacks.

1. Establish and maintain a training program for your workforce that includes a section on phishing attacks.

2. Train your users on when and how to use the encryption module within your e-mail system, so that sensitive information is encrypted before it is sent and cannot be read if it is intercepted by an attacker.

3. Implement regular (e.g., monthly or quarterly) anti-phishing campaigns with real-time training for your staff. Many third parties provide low-cost, cloud-based phishing simulation tools to train and test your workforce. Such tools often include pre-configured training that is easy to distribute and that your workforce can complete independently.

4. Direct your IT specialist to send a simulated phishing e-mail to everyone on your staff. Track how many of your employees “bite” by clicking the link or submitting credentials; opens alone are an unreliable measure, because image blocking and automated link scanning make open tracking inaccurate in both directions. This enables you to target training to those who demonstrate the need. It also allows you to understand how susceptible your organization is and to set a baseline against which you can measure changes in awareness over time.

5. Start your anti-phishing campaigns with easy-to-spot e-mails that your workforce learns to recognize. Slowly increase the sophistication of these simulations to improve the detection capability of your workforce.

Although an anti-phishing campaign cannot stop the inbound flow of phishing e-mails, it will help your organization identify attacks that bypass your established e-mail security protections. Educated and aware staff become “human sensors” who tell you when a real phishing attack is under way, provided they have an easy way to report suspicious messages (for example, a report button in the mail client) and your team follows up on the reports quickly.
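The measurement side of the program described in items 3 through 5 above, as an added example that is not Talos Cyber's code or any phishing-simulation vendor's tooling: a small Python module that turns per-recipient campaign results into the click rate (the baseline of susceptibility), the report rate (the “human sensor” signal), the trend between the first and latest campaign, and the list of users who clicked in more than one campaign and therefore need targeted training. The result rows, user names and campaign names are constructed; a real deployment would load the export of whatever simulation tool you use.

```python
"""Baseline and trend metrics for phishing-simulation campaigns.

Added example, not Talos Cyber's code or any phishing-simulation vendor's
tooling. Assumes each campaign exports one row per recipient recording
whether they clicked the link (or submitted credentials) and whether they
reported the message; the RESULTS rows below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: str   # campaign identifier; CAMPAIGN_ORDER gives the chronology
    user: str
    clicked: bool   # followed the link or submitted credentials, not merely opened
    reported: bool  # used the report-phishing mechanism


# Constructed results: six users, three quarterly campaigns of rising difficulty.
CAMPAIGN_ORDER = ["2024-Q1", "2024-Q2", "2024-Q3"]
USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
_CLICKED = {"2024-Q1": {"alice", "bob", "carol", "dave"},
            "2024-Q2": {"alice", "bob"},
            "2024-Q3": {"alice"}}
_REPORTED = {"2024-Q1": {"erin"},
             "2024-Q2": {"carol", "erin", "frank"},
             "2024-Q3": {"bob", "carol", "dave", "erin"}}
RESULTS = [Result(c, u, u in _CLICKED[c], u in _REPORTED[c])
           for c in CAMPAIGN_ORDER for u in USERS]


def campaign_rates(results):
    """Per campaign: (click rate %, report rate %) over everyone who received it.

    Both rates use the full recipient count as the denominator so that
    campaigns of different size can be compared directly.
    """
    recipients = defaultdict(int)
    clicks = defaultdict(int)
    reports = defaultdict(int)
    for r in results:
        recipients[r.campaign] += 1
        clicks[r.campaign] += r.clicked
        reports[r.campaign] += r.reported
    return {c: (round(100 * clicks[c] / recipients[c], 1),
                round(100 * reports[c] / recipients[c], 1))
            for c in recipients}


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: candidates for targeted training."""
    count = defaultdict(int)
    for r in results:
        if r.clicked:
            count[r.user] += 1
    return sorted(u for u, n in count.items() if n >= min_clicks)


def trend(results, order):
    """Change in (click rate, report rate), in percentage points, first to last campaign.

    A falling click rate together with a rising report rate is the pattern
    a working awareness program should show over time.
    """
    rates = campaign_rates(results)
    first, last = rates[order[0]], rates[order[-1]]
    return (round(last[0] - first[0], 1), round(last[1] - first[1], 1))


if __name__ == "__main__":
    for c in CAMPAIGN_ORDER:
        click, report = campaign_rates(RESULTS)[c]
        print(f"{c}: clicked {click}%  reported {report}%")
    print("trend (click, report):", trend(RESULTS, CAMPAIGN_ORDER))
    print("repeat clickers:", repeat_clickers(RESULTS))
```

With the constructed data the click rate falls from 66.7% to 16.7% while the report rate rises from 16.7% to 66.7%, and two users (alice and bob) clicked in more than one campaign and would be scheduled for additional training rather than another generic module.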

Threats Mitigated

1. E-mail phishing attack
2. Ransomware attack
3. Insider data loss, accidental or intentional