October is cybersecurity awareness month and small business month—the perfect time to combine the two and talk about how companies can increase their email security.
According to Cisco’s CISO Benchmark data, CISOs consider email threats to be the number-one security risk to their organizations. 70 percent of respondents from an ESG report said protecting against email threats is becoming more difficult, and 75 percent said they experienced significant operational impacts due to email-borne attacks.
Email is both a necessity and a risk, so how do you make sure it’s secure while also giving everyone the access they need? The key is a holistic approach: It’s about educating employees so they can do their jobs securely, and it’s about implementing the right products and business initiatives.
Here are some practical tips for recognizing email fraud and preventing a costly click.
Educate your employees.
Your employees are your best defense and one of your biggest weaknesses. Help them learn to recognize a phishing attempt by running regular phishing exercises to test and educate them. Start with simulated phishing campaigns that are easy to spot, then gradually raise the difficulty. Run these exercises about once a month, and treat a click as a teaching moment rather than a disciplinary one, or people will stop reporting the real thing.
Use multi-factor authentication.
Multi-factor authentication keeps a stolen password from being enough to log in to a corporate email account: the attacker also needs the second factor. With push-based MFA, the account owner receives a login prompt on their device when someone else tries to sign in and can deny it. Train users never to approve a prompt they did not initiate, because attackers send repeated prompts hoping one gets approved; phishing-resistant factors such as FIDO2 security keys remove that risk altogether.
Make sure software is up to date.
Patched browsers, operating systems, email clients, and plugins close the vulnerabilities that malicious links and attachments try to exploit, and current browsers also block known malicious URLs. Many of the most harmful attacks today take advantage of software vulnerabilities in common applications, like operating systems and browsers, so a single unpatched machine can be enough.
Double-check login requests.
Always check the domain in the address bar, not the look of the page: malicious actors go to great lengths to make pages look familiar. Hover over a link before clicking, since the text you see can differ from where it actually points, and remember that a familiar name appearing in a subdomain or path (for example, your bank's name inside a longer, unrelated domain) does not make the site the legitimate owner's. If the login form appears in a pop-up window, which hides the address bar, expand it or open it in a full browser window so you can see and check the full URL.
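The checks above can be automated for links found in mail. The following is an added example, not code from the original article or from Cisco, that takes a link and the domain it claims to belong to and lists the reasons it should not be trusted: a non-HTTPS scheme, userinfo before the `@` that hides the real host, a raw IP address, an internationalised hostname, and a host whose registrable domain is not the expected one even though the expected name appears inside it. The `registrable_domain` helper is a deliberate simplification (last two labels) standing in for a Public Suffix List lookup, and the sample links are constructed.

```python
import ipaddress
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname.

    Simplification: takes the last two labels. Real implementations consult
    the Public Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_login_link(href: str, expected_domain: str) -> list:
    """Return warning strings for a link that claims to belong to
    expected_domain. An empty list means the link points where it claims to.
    """
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""        # lowercased, userinfo and port stripped
    expected = expected_domain.lower()

    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'}, not https")

    # https://accounts.example.com@evil.example/ : the text before '@' is
    # userinfo, not the host; the browser connects to evil.example.
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}' hides the real host {host}")

    try:
        ipaddress.ip_address(host)
        findings.append(f"host is a raw IP address ({host})")
    except ValueError:
        pass  # not an IP literal, which is the normal case

    # Internationalised hostnames (raw Unicode or xn-- punycode labels)
    # can render characters that look like ASCII letters.
    if host and (not host.isascii()
                 or any(label.startswith("xn--") for label in host.split("."))):
        findings.append(f"internationalised hostname {host!r}; check for lookalike characters")

    # Ownership is decided by the registrable domain, so
    # example.com.login-verify.example belongs to login-verify.example.
    if registrable_domain(host) != expected:
        findings.append(f"host {host or '(none)'} is outside {expected}")
        if expected in host or expected in parts.path:
            findings.append(f"'{expected}' appears only as a decoy in the subdomain or path")
    return findings


if __name__ == "__main__":
    # Constructed sample links, all claiming to be example.com logins.
    for link in ("https://accounts.example.com/login",
                 "https://accounts.example.com@evil.example/login",
                 "http://example.com.login-verify.example/session",
                 "https://192.0.2.10/login"):
        print(link, "->", inspect_login_link(link, "example.com") or "looks consistent")
```

The two-label `registrable_domain` is the weak point of the example: a production version should use a Public Suffix List library so that hosted platforms and country-code second-level domains are split correctly.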
Maintain a healthy dose of skepticism.
Elaborate stories, facts that are close but not quite right, urgent requests for a response: if something seems even slightly off about an email, don't trust it. Verify the request through a separate channel, such as a phone number you already have rather than the contact details in the email itself. It's better to confirm that a message is valid than to ignore warning signs, however small.
Perform a cyber-risk assessment.
Security budgets don't always grow with the threats, but before you scale back on email security, do a risk assessment. Rank your entry points by the probability of an attack and by the damage to your organization if a breach occurs, put your defense and risk management controls on the most critical ones first, then work down the list and allocate resources accordingly. Keep in mind that email is the most common threat vector, so it will rarely belong anywhere but near the top.
Be prepared with the right email security software.
Security software can help combat advanced and ever-changing attacks. Phishing protection now uses machine learning to understand and authenticate email identities and block advanced attacks. Domain-based Message Authentication, Reporting and Conformance (DMARC) builds on SPF and DKIM: with a policy of quarantine or reject published for your domain, receiving mail systems drop or quarantine messages that claim to come from your domain but were not sent by your authorized servers, which stops attackers from spoofing your exact domain. Note that DMARC does nothing against lookalike domains the attacker registers themselves, and that a policy of p=none only reports spoofing without blocking it. Message quarantine can hold messages to analyze suspicious files and remove them if needed.
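To make the DMARC point concrete, here is an added example, not code from the original article or from Cisco, of how a receiving mail system decides whether a message passes DMARC: it parses the domain's `_dmarc` TXT record, checks whether the SPF or DKIM identifier that passed is aligned with the domain in the `From:` header, and applies the record's `p=` policy when neither is. The records and messages are constructed sample data, the SPF and DKIM results are assumed to have been computed already, and `org_domain` is a two-label simplification of the Public Suffix List lookup real receivers use.

```python
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse the tag=value list of a _dmarc.<domain> TXT record (RFC 7489, 6.3)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: needs v=DMARC1 and p=")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(host: str) -> str:
    """Organizational domain. Simplification: last two labels; real receivers
    consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class Message:
    from_domain: str   # domain of the RFC5322.From header, what the user sees
    spf_result: str    # SPF result for the RFC5321.MailFrom domain
    spf_domain: str    # that MailFrom domain
    dkim_result: str   # result of verifying the DKIM signature
    dkim_domain: str   # d= tag of that signature


def dmarc_evaluate(record_txt: str, msg: Message) -> tuple:
    """Return (dmarc_result, action). A message passes if at least one of SPF
    or DKIM both passed and is aligned with the From domain; otherwise the
    record's p= policy is the action the receiver should take."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, msg.from_domain, tags["aspf"])
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_domain, msg.from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", tags["p"])


# Constructed sample records: the weak one only reports, the strict one rejects.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

# Spoof: an attacker's server sends From: ceo@example.com. SPF and DKIM both
# pass, but for the attacker's own domain, so neither identifier aligns.
SPOOFED = Message("example.com", "pass", "evil.example", "pass", "evil.example")
# Legitimate mail: bounces go to bounce.example.com, signed by mail.example.com.
LEGIT = Message("example.com", "pass", "bounce.example.com", "pass", "mail.example.com")

if __name__ == "__main__":
    for name, record in (("p=none", WEAK_RECORD), ("p=reject", STRICT_RECORD)):
        print(name, "spoofed:", dmarc_evaluate(record, SPOOFED),
              "legit:", dmarc_evaluate(record, LEGIT))
```

With the weak record the spoofed message fails DMARC but the action is still `none`, so it is delivered and only shows up in aggregate reports; with `p=reject` the same message is refused. The legitimate message still passes the strict record because SPF is relaxed-aligned even though the DKIM `d=` domain no longer matches exactly, which is why alignment modes should be chosen to match how your mail is actually sent.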
Cisco’s email security solutions work to not only block the latest attacks but to get ahead of them. Download the full email security report to learn more about how to protect your organization, and to discover other reports in the Cisco Cybersecurity Series.