These days social media is the little red sports car of communications platforms while email is more like your father’s Oldsmobile.
However, the fact is, email is still the mainstay of internal communications for business.
For large organizations, email continues to offer powerful advantages over other communications platforms. These include its near universal acceptance and familiarity, its ability to keep a record of important communications, and the ability it provides to send attachments.
Email is also far from dead in the world at large: Its use continues to grow internationally. You can use email without having any social media accounts, but every social media account requires an email address. Every purchase you make online requires one as well.
Unfortunately, email also has one big disadvantage: It’s one of the biggest, if not the biggest, vulnerabilities in every organization’s computing environment.
In this post, which is Part 3 in MHA Consulting’s Corporate Security Awareness series, we are going to look at the dangers of email from a business continuity perspective, as well as how organizations can protect themselves.
View Part 1 of the series on Helping Your Employees Stay Safe When Using Non-Company Wi-Fi Networks, and Part 2 The New World of BYOD: How You Can Help Your Organization Stay Safe.
What is the role of the business continuity professional when it comes to email security?
Obviously, the responsibility for setting up the email system and establishing the company’s email policies lies with other departments.
However, business continuity managers should make it their business to understand the risks associated with email. They can also act as advocates within the company for safe email practices. By raising the matter of email safety with their partners in IT security and other departments, BC managers can raise awareness and promote the adoption of safer policies.
The role of advocate is especially important for BC professionals working at smaller or less mature organizations. Larger companies tend to have a good handle on email security, but smaller ones often have a lot of room for improvement.
For the remainder of this article, I’ll talk about email security as it pertains to the following five areas:
- Awareness of the risks
- Reporting
- Best practices
- Business continuity
- Disaster recovery planning
For convenience, the tips below will be written as if addressed to the individual user, but the real audience is business continuity professionals with responsibility for the recoverability of systems of the entire organization.
The main thing to be aware of is that email is probably the riskiest application in the computing environment. There are two main dangers: that employees will accidentally give sensitive data away to the wrong people, and that harmful programs from outside will sneak in through email and infect the network.
One of the biggest email dangers is the phishing attack, which is when a bad actor sends an email that is disguised to appear as if it comes from a sender trusted by the recipient. The email asks the recipient to provide sensitive personal information, such as login credentials or credit card numbers. Frequently, the email will include a link to a page that cleverly mimics a trusted web site. If the recipient is deceived and enters their information, that data will go straight into the hands of the hacker.
The other danger from email that is most commonly encountered is when malware is allowed into the system by people clicking on infected attachments. Malware can include viruses that destroy network data or programs that secretly track your keystrokes.
These threats are present both with cloud-based email applications such as Gmail and with email systems administered by the company on virtual private networks (VPNs).
Follow these tips to reduce your chances of being victimized by a phishing or malware attack:
- Never open an email from a sender you don’t recognize.
- Never open attachments you aren’t expecting or that do not come from someone you know and trust.
- Do not, under any circumstances, provide personal information that is requested through a cold email.
- Be on the lookout for emails that look as if they come from a corporate sender but which do not have the type of email address you would expect from that sender. (For example, an email purporting to come from Amazon but which was sent from a Gmail address rather than from an amazon.com address.)
- When responding to a request for information that appears to be legitimate, go to the company’s website through an address you enter yourself rather than clicking on a link in an email.
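The two sender and link checks described in the tips above can be automated on the receiving side. The following is an added example, not code from MHA Consulting; it assumes a small, constructed brand-to-domain allowlist and a constructed sample message, and compares the visible link text against the real link target exactly by hostname.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allowlist (constructed): brand names that may appear in a
# display name, mapped to the domains that brand is expected to send from.
EXPECTED_DOMAINS = {
    "amazon": {"amazon.com"},
    "acme corp": {"acme.example"},
}

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}", re.I)

def sender_mismatch(from_header):
    """Return the brand name if the display name claims a brand but the
    address domain is not one that brand is expected to use, else None."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, domains in EXPECTED_DOMAINS.items():
        if brand in name.lower() and domain not in domains:
            return brand
    return None

def link_mismatches(html):
    """Return (target_host, visible_domain) pairs for links whose visible
    text shows one domain while the href points at a different host."""
    found = []
    for href, text in HREF_RE.findall(html):
        target = (urlparse(href).hostname or "").lower()
        visible = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text))
        if visible and visible.group(0).lower() != target:
            found.append((target, visible.group(0).lower()))
    return found

def assess(raw_message):
    """Run both checks over a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    brand = sender_mismatch(str(msg["From"] or ""))
    if brand:
        findings.append(f"display name claims '{brand}' but sender domain does not match")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for target, visible in link_mismatches(body.get_content()):
            findings.append(f"link text shows {visible} but points to {target}")
    return findings

# Constructed sample phishing message exhibiting both indicators.
SAMPLE = """From: "Amazon Customer Service" <support@mail-example.net>
To: user@example.com
Subject: Verify your account
Content-Type: text/html; charset="utf-8"

<p>Please sign in at <a href="https://login.mail-example.net/amz">www.amazon.com/account</a></p>
"""
```

Both findings in the sample are reported by `assess(SAMPLE)`; a production filter would relax the hostname comparison to the registrable domain and feed the result into the reporting channel described below.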
Reporting has to do with letting the right people know when you think you’ve found something fishy going on with the emails you receive.
You should notify your company’s IT security department if you receive any kind of suspicious email, such as an apparent phishing attack or an email from an unknown sender containing an attachment.
Also, notify them if you think your spam filter has stopped working.
Do not forward any email that you believe is suspicious. This increases the risk that any malware it contains will infect the company’s servers.
Email Security Best Practices
Good corporate email implementations include the following:
- Spam filtering
- Content filtering
- Two-factor authentication
- Policies requiring strong passwords and the regular changing of passwords
- Avoiding shared email addresses (groups or aliases should be used to send emails to more than one person)
The company should also have a policy stating the allowable level of personal use of company email. Ideally, no such use should be allowed. The more that company email addresses are used out in the world, the more spam they will receive, and the more likely they are to be targeted by hackers.
Email is a mission-critical application for most companies. Most organizations rely heavily on email not only for day-to-day business communication but also for communication during emergencies.
The main on-site email providers have very good high-availability solutions so that you can run their systems across locations and data centers.
Of course, many organizations have recently shifted to cloud-based email. This has led to some incorrect assumptions about the security of those systems. The main assumption is that cloud-based systems are magically protected from disruption.
The fact is, cloud-based email systems are only as resilient as the networks that carry them. With a cloud-based system, if your network goes down, your email goes down. If the network access at your facility goes away, you would have to send people to a remote location to access email. The network is the limiting factor for cloud-based email. For companies running cloud-based email, the security of their systems is enhanced if they have multiple internet service providers, including a primary and a backup.
Whatever kind of system your company uses, be sure you have a good understanding of its vulnerabilities and recovery capabilities.
Disaster Recovery Planning
In preparing your disaster recovery plan, don’t under-prioritize the importance of recovering your email systems. Many emergency plans depend on email for executing other parts of the plan (for example, transmitting key disaster-related messages to employees and outside parties).
Make sure the recovery time objective (RTO) in your plan for restoring email service is short enough that email can be used as needed to carry out the other parts of the plan.
This breakdown should help BC professionals who want to deepen their understanding of email security issues and discuss them with their partners in IT and other departments.
Ensuring that email recovery is properly prioritized and provided for in the disaster recovery plan is a core responsibility of the BC department. The BC manager who helps their company get stronger in email security will be doing an important service.