How secure is your email?
When you run a small business, you send and receive a lot of information via email. It is the number one method of communication between you and your clients, your accountant, your suppliers, and your team. But how secure is your email and is it a safe way of sending out all this information?
It may seem secure because access to your emails is password protected but the emails are exposed at various points during their transmission, not just on your device. In this blog we are going to give you a few pointers about where and when emails could be vulnerable and some simple tips for email security.
If IT isn’t your thing and the question ‘How secure is our email?’ keeps you awake at night, just remember: We Can Help. Whether you are a small business, an SME or a larger organisation located in Yorkshire or Lancashire, call the experts at SquareCubed to talk through your email security concerns.
So just how secure is your email?
All devices, desktops, laptops, tablets, and phones can be vulnerable if they are unlocked and left unattended. It may sound basic, but it is surprising how many businesses forget or overlook basic security protocol when training employees. Make sure that your staff know they should log out of their emails and lock their devices when they leave their desk, work from home, or when they are out of the office on business. Leaving devices unlocked gives immediate physical access to opportunistic fraudsters.
If you have an employee handbook, make sure you include basic cyber security best practice within it and make sure your employees understand their responsibilities when using work devices.
Fraudsters and identity thieves don’t need physical access to your device to get into your emails. There are connection points they could target during the transmission between devices and email providers. Talk to the SquareCubed experts about email encryption and how to ensure your emails are sent safely.
On-premise servers (those fan heaters in the cabinet that whirr away to themselves) store email data. Hackers who gain access to your email server could read everything in your inbox plus any attachments and even emails that you may have deleted. We Can Help. Talk to us about Microsoft 365 and the opportunities that moving your business email into the cloud can offer in terms of flexibility, security, and mobility.
Everyone has heard about phishing, and techniques are becoming more sophisticated all the time. There are now several different types of phishing to be aware of:
Whaling – targeting important people within an organisation who may have greater access to critical company information and confidential files – the CEO, Finance Director, Head of HR, Operations Director, etc.
Spear phishing – abandoning the scattergun approach of mass emails in favour of targeting specific individuals.
There are also two forms of phishing that use phones, rather than emails. Smishing is where SMS/texts are used rather than emails. Vishing is a phone scam, normally where messages are left on an answerphone purporting to be from your bank or HMRC for example. It feels like the industry is just making up words at this stage (which they are) but the risks are very real and businesses are experiencing losses when they fall victim to these scams. Always remember: the weakest point of any security system is the human factor - humans are fallible.
Another form of phishing uses the information you share on social media platforms. People seem to put their whole life on social media today, don’t they? But scammers and hackers can use this against you by using this information to try to guess your passwords or by trying to connect with you on a personal level.
In order to get you to click on to their bogus email, fraudsters try to make it look like the real thing. Phishing emails could look like they come from a colleague or supplier, someone you email frequently. They also ‘spoof’ legitimate email accounts, for example:
Stating your account is on hold until you pay the outstanding amount
Offering you something for nothing
Requesting that you confirm your personal details or information
Warning you there is suspicious activity on your account
Phishing – what to look out for
Forewarned is forearmed, so here are some obvious things that should raise alarm bells:
Unusual URLs – Hover over the link to check it’s OK because criminals fake URLs.
Sender’s address – The sender’s email address does not match the company the email claims to be from.
Footer information – The footer details do not match the company the email claims to be from.
Typing errors and bad English – Sometimes typos are because the scammer does not have good command of the English language. However, sometimes the spelling mistakes are to vet recipients i.e. thinking those who cannot spot the typos may be easier to scam! Using a mixture of upper and lower case in the header or subject line is another giveaway.
Links – The email contains lots of ‘click’ requests. Don’t click on links if the email has come from someone or a company that you don’t know or haven’t dealt with before. Check their credentials!
Personal details – The email is basically a request for personal information.
File attachments – Think before you click! Authentic emails from institutions would normally ask you to download information from their website, not send you emails with attachments. Attachments are a great place for criminals to hide viruses or malware, so be wary.
How secure is your email? Tips for staying safe
There are some simple measures you and your team can take to cut down the risk posed by phishing and downloading viruses and malware:
Your staff can be your greatest defence against phishing attacks, so make sure they know about the dangers and how to notify your IT team or IT service provider about suspicious emails, links or attachments. Include basic password safety tips and how to spot bogus emails in your staff training and manual.
Use strong passwords
Use random phrases containing numbers and characters. Don’t use the same password for lots of different accounts, and most importantly make sure your email password is not used for anything else. Change passwords from time to time, and especially if an account or company is hacked, but don’t recycle the same ones! For more information on good password policies, have a read of the guidance published by the National Cyber Security Centre.
Whenever possible, use multi-factor authentication (MFA) to provide an additional level of security to all accounts - especially cloud-based accounts. This works by linking the end user's mobile phone to their account so that additional security checks can be performed when they log on - particularly if the login is coming from an unexpected location. Accounts that are secured with MFA are that much stronger because the attacker doesn't just need to get the password, they also need access to the user's mobile phone.
We mentioned this already against ‘links’ above, but it is worth mentioning again. If something looks ‘phishy’, check their credentials and assume a link is malicious until proved otherwise.
Modern antivirus packages can also include additional protections to identify suspicious emails and dubious links. Install them on all your company devices. Check out the best ones for personal use recommended by PC Mag. For businesses in Yorkshire or Lancashire, call the experts at SquareCubed and we will advise you about your options, depending on the size and nature of your business.
Make sure you back up all your confidential and important data, in fact everything you need to be able to run your business as normal and TEST THOSE BACKUPS. If the worst happens, being able to recover quickly and get working again is crucial. Read our blog on backup and disaster recovery and why it is so important for your business.
The protocols that the internet uses to transmit emails are inherently insecure - they were originally developed and published in 1981, long before spammers and scammers were even thought of! Encryption scrambles the contents of your email so it cannot be read by anyone other than the intended recipient – a bit like the Enigma machine in World War II.
If you don’t have the resources or IT expertise in your company to address the question ‘How secure is our email?’, don’t let it keep you awake at night, take action! We Can Help businesses in Yorkshire and Lancashire to stay safe online with Office 365 provision, migrating to the cloud, backups and disaster recovery, and all things IT. Call us now to discuss your requirements or to make an appointment for the SquareCubed experts to assess your whole IT provision to make sure it is the right choice for your company.