May 26, 2021

Improving corporate email security

Looking back a few years, best practices in email security could be quickly summarised: just don't trust email, because it is an unauthenticated, unreliable messaging channel. Strictly speaking, this is still the case, and the recommendations for email security are little different from those of 20 years ago: use strong passwords, block spammers, don't trust offers that sound too good, and question even messages that appear to come from trusted companies.

The requirements that email security best practices place on employees have long since become much more complex. Email has grown into a far more expansive application over time. Messages can contain hidden links to prepared websites, carry code, or bring attachments that in turn deliver malware for more complex attacks.

Email security in the company
Employees who want to improve email security in their own interest have a few options. A large part of the responsibility for improving email security, however, lies with the employer. If, for example, outdated email clients or email servers are used in the company, employees rarely have the opportunity to influence this.

Decisions about solutions such as email content filtering and strong authentication are usually made at management level. Email security can be significantly increased by using DMARC, SPF and DKIM throughout the company. If the validation mechanisms SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance) are used in combination, a company can counter email threats such as spoofing, spam and phishing with much more confidence.
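To make the combination concrete, here is an added example (not from the article) of how a receiving mail system applies a DMARC policy: SPF or DKIM may pass, but the result only counts if the domain they authenticated aligns with the visible From: domain, which is what defeats a spoofed sender. The DMARC record and all domains are constructed placeholders; a real verifier fetches the record from DNS.

```python
"""Toy DMARC evaluation (added example, not from the article).

Applies a domain's published DMARC policy to the outcome of SPF and DKIM,
the combination the text recommends. The record and domains are
constructed; a real verifier fetches _dmarc.<domain> TXT from DNS and uses
the Public Suffix List for the organizational domain."""
from typing import Optional

# Constructed DMARC record for the placeholder domain example.com
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a lower-cased tag/value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain: str) -> str:
    """Crude organizational domain: last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """DMARC identifier alignment. An SPF or DKIM pass only counts if the
    domain it authenticated lines up with the RFC5322.From domain: exactly
    in strict mode ('s'), same organizational domain in relaxed mode ('r')."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(from_domain: str, spf_domain: Optional[str],
                      dkim_domain: Optional[str], record: str = DMARC_RECORD) -> str:
    """spf_domain / dkim_domain: the domain each check passed for, or None
    if it failed. Returns 'pass' or the policy action to apply."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "none"  # no usable policy published
    spf_ok = aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")
```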

Employees themselves, however, are also an important factor in improving email security. Best practices focus on issues such as strong authentication and security training in order to reduce account takeovers and successful phishing attacks as far as possible.

Email security best practices for employees
Best practices for employee email security can be summarised relatively simply:

Use strong passwords for strong authentication.
Use multi-factor authentication wherever possible.
Take security awareness and phishing training seriously.
Always be very careful when opening attachments and links.

At the infrastructure level, it is up to the company to ensure the best possible protection against email threats. Companies can support their employees with solutions such as multi-factor authentication, DMARC, and email scanners and filters.

Strong passwords for secure authentication
As with all access, using strong passwords that are not reused across multiple services is a significant security factor. A solid password strategy can ward off attackers who use dictionary attacks to crack weak passwords. Whether regularly changing passwords increases security, on the other hand, is more than debatable (see also Putting Password Rules to the Test). In case of doubt, the frequency of forced changes must be weighed against users' tendency to fall back on variations of the same password when they have to change it often.

The reuse of passwords across a wide variety of services is a significant security problem. If one of the systems is compromised, all of the user's other accounts are also at risk. If a user uses the same password on a poorly protected website and for their work email account, the employer's systems are at risk too, regardless of how well they are protected. Attackers know that it can be worthwhile to try captured credentials in a different context to gain access to additional accounts.

Multifactor authentication for secure login
The use of two-factor authentication (2FA) in the company is usually not the responsibility of the employees: either the company has implemented multi-factor authentication and requires its use, or it has not. Employees can protect themselves by using 2FA wherever it is offered.

Using multi-factor authentication is an important approach to securing accounts and preventing them from being taken over. Employees who already use 2FA for their private accounts are better prepared when it is also introduced in the workplace, and acceptance of such solutions increases significantly as a result.

Improve phishing awareness
More and more companies are taking the opportunity to train their employees in phishing awareness. Employees should treat this training as an important exercise. Appropriate email security training can be tailored to the specific threats faced by different industries and departments.

In this training, employees learn to identify problematic messages and to exercise caution with attachments and links. Such training can also be used to involve employees in the company's email security strategy: for example, users come to understand which messages the filter systems in use sort out and which they do not.

The correct handling of email attachments
Many attacks are based on emails that contain attachments with malicious code. Such specially prepared emails are often sent very deliberately to particular victims. Sometimes such attachments are recognised and blocked by security solutions, but not always. Prepared attachments can also turn up in messages that seem to come from trustworthy sources.

Regardless of the sender, employees should be careful with attachments, even if the company has appropriate security solutions in place. Malicious attachments do not always arrive as obviously executable files in formats such as .exe, .jar or .msi, whose execution is usually prohibited as a matter of course. Word processing files, spreadsheets and PDF files can also carry malicious code. Employees should therefore be careful with attachments of any kind.

Links in e-mail messages
Web links in email messages also pose a risk. They often lead to a different website than they appear to. Attackers disguise these links with well-known domains but direct the user to completely different, prepared websites to continue the attack. Users can, for example, check via mouseover whether the displayed link text matches the actual link target. Attackers also use international character sets to lure users to prepared websites whose domain appears to be that of a well-known brand.
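The two link checks described above, as an added example that is not part of the original article: it collects the anchors from a constructed HTML email body, flags links whose visible text names a different host than the real href (the mismatch a mouseover would reveal), and flags internationalized domain names, reported in their punycode form, that could imitate a known brand. All hosts in the sample are placeholders.

```python
"""Flag disguised and homograph links in an HTML email body (added example,
not from the article). Sample HTML is constructed; all hosts are placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or bare hostname (ASCII only)
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []  # (href, visible text)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return [(href, reason)] for links a reader should not trust blindly."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href.strip())
        if target.scheme not in ("http", "https") or not target.hostname:
            continue  # mailto:, relative links etc. are out of scope here
        real = target.hostname  # already lower-cased by urlparse
        shown = HOST_RE.match(text)  # does the visible text claim a host?
        if shown and shown.group(1).lower() != real:
            findings.append((href, f"text shows {shown.group(1).lower()} but link goes to {real}"))
        if not real.isascii() or "xn--" in real:  # IDN: also report the punycode form
            findings.append((href, "internationalized domain name: " + real.encode("idna").decode()))
    return findings

SAMPLE_HTML = (  # constructed: a disguised link, a benign one, a homograph-style IDN
    '<a href="https://login.evil.example/x">https://www.example.com/account</a> '
    '<a href="https://www.example.com/help">Help</a> '
    '<a href="https://brаnd.example/login">Brand login portal</a>'  # Cyrillic а in "brand"
)
```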

Email security is corporate security
Even when organisations deploy a secure email infrastructure, employees remain the last line of defence when it comes to security. Therefore, employees should be able to counter threats such as phishing, malicious attachments and malicious links as confidently as possible. Appropriate training can make a crucial contribution here. And last but not least, employees should rely on common sense when they receive suspicious messages.

Posted by: johnblack at 04:52 PM