Email Security

Continue reading on next page >

CRAIG PETERSØN.COM

EMA

IL C

YB

ERSE

CUR

ITY

CH

EAT

SH

EET

26

1

© 2019 Craig Peterson. All Rights Reserved.

accounts secure against unauthorizedaccess, loss, or compromise.

Email is a popular medium for thespread of malware, spam, andphishing attacks, using deceptivemessages to entice recipients todivulge sensitive information, openattachments or click on hyperlinksthat install malware on the victim’sdevice. Email is also a common entry vectorfor attackers looking to gain afoothold in an enterprise networkand breach valuable company data. Email security is necessary for bothindividual and business emailaccounts, and there are multiplemeasures organizations should taketo enhance email security.

Email security describesvarious techniques forkeeping sensitiveinformation in emailcommunication and

EMAILCYBERSECURITY

CHEAT SHEET

2

Necessity of Email Security2

Phishing emails can also be used to trickrecipients into sharing sensitive information,

often by posing as a legitimate business ortrusted contacts. Phishing attacks againstbusinesses often target departments that

handle sensitive personal or financialinformation, such as accounts payable or

human resources. In addition to impersonatingknown vendors or company executives,

attackers will try to instill a sense of urgency inphishing emails to increase their chances of

success. Phishing emails aimed at stealinginformation typically will ask recipients to

confirm their login information, passwords,social security number, bank account numbers,

and even credit card information. Some evenlink to counterfeit websites that look exactly

like that of a reputable vendor or businesspartner to trick victims into entering account or

financial information.

Due the popularity of email asan attack vector, it is critical thatenterprises and individuals takemeasures to secure their emailaccounts against common

Necessity of Email Security(con't)

attacks as well as attempts at unauthorizedaccess to accounts or communications.Malwaresent via email messages can be quite destructive.Phishing emails sent to employees often containmalware in attachments designed to look likelegitimate documents or include hyperlinks thatlead to websites that serve malware. Opening anemail attachment or clicking on a link in an emailcan be all that it takes for accounts or devices tobecome compromised.

Because email is so critical intoday’s business world,organizations have establishedpolicies around how to handlethis information flow. One ofthe first policies most

3A secure email

gateway, deployedeither on-premises or

in the cloud, shouldoffer multi-layered

4Email Security Tools

Email Security Policies

organizations establish is around viewing thecontents of emails flowing through their emailservers. It’s important to understand what is inthe entire email in order to act appropriately.After these baseline policies are put into effect,an organization can enact various securitypolicies on those emails.These email securitypolicies can be as simple as removing allexecutable content from emails to more in-depth actions, like sending suspicious contentto a sandboxing tool for detailed analysis. Ifsecurity incidents are detected by thesepolicies, the organization needs to haveactionable intelligence about the scope of theattack. This will help determine what damagethe attack may have caused. Once anorganization has visibility into all the emailsbeing sent, they can enforce email encryptionpolicies to prevent sensitive email informationfrom falling into the wrong hands.

Continue reading on next page >© 2019 Craig Peterson. All Rights Reserved.

EMAILCYBERSECURITY CHEAT SHEET

CRAIG PETERSØN.COM

(CONTINUED)

protection from unwanted, malicious andBEC email; granular visibility; and business

continuity for organizations of all sizes.These controls enable security teams to

have confidence that they can secure usersfrom email threats and maintain email

communications in the event of an outage.

An email encryption solution reduces therisks associated with regulatory violations,

data loss and corporate policy violationswhile enabling essential business

communications. The solution should workfor any organization that needs to protectsensitive data, while still making it readily

available to affiliates, business partners andusers—on both desktops and mobile

devices. An email encryption solution isespecially important for organizations

required to follow compliance regulations,.

CRAIG PETERSØN.COM

(CONTINUED)EMAILCYBERSECURITY CHEAT SHEET There are also some important

best practices that end usersshould follow to ensure secure

email usage. Arming youremployees with the

6Individual Best Practices

know-how to avoid risky behaviors can makea substantial impact on your company’s ability

to reduce risks associated with email.

Email security best practices for endusers/employees include:Never open attachments or click on links inemail messages from unknown senders.Change passwords often and use bestpractices for creating strong passwords.Never share passwords with anyone,including co-workers.Try to send as little sensitive information aspossible via email, and send sensitiveinformation only to recipients who requireit.Use spam filters and anti-virus software.When working remotely or on a personaldevice, use VPN software to accesscorporate email.Avoid accessing company email frompublic wi-fi connections.

By educating employees on email security

and implementing the proper measures toprotect email, enterprises can mitigate many

of the risks that come with email usage andprevent sensitive data loss or malware

infections via email..

There are multiple ways to secureemail accounts, and for enterprises,it’s a two-pronged approachencompassing employeeeducation and comprehensive

Business Best Practices5

security protocols. Best practices for email security include:

Engage employees in ongoing securityeducation around email security risks andhow to avoid falling victim to phishing attacksover email.Require employees to use strong passwordsand mandate password changes periodically.Utilize email encryption to protect both emailcontent and attachments. (Typically TLS.)Implement security best practices for BYOD ifyour company allows employees to accesscorporate email on personal devices.Ensure that webmail applications are able tosecure logins and use encryption.Implement scanners and other tools to scanmessages and block emails containingmalware or other malicious files before theyreach your end users.Implement a data protection solution toidentify sensitive data and prevent it frombeing lost via email.

© 2019 Craig Peterson. All Rights Reserved.

The information and content in this document is provided for informational purposes only and is provided “as is”with no warranty of any kind, either express or implied, including but not limited to the implied warranties of

merchantability, fitness for a particular purpose, and non-infringement. We are not liable for any damages,including any consequential damages, of any kind that may result from the use of this document. The informationis obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of thedata provided, we make no claim, promise or guarantee about the completeness, accuracy, recency or adequacy ofinformation and is not responsible for misprints, out-of-date information, or errors. We make no warranty, express

or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any informationcontained in this document.

If you believe there are any factual errors in this document, please contact us and we will review your concerns assoon as practical.