Email security sounds a bit like somewhat of an oxymoron, really – a little like jumbo shrimp or army intelligence. And if my 16 year old daughter took off her headphones long enough to hear me, her response would be: “Oh my gawd, Daddy. Puh-lease – no one actually uses email anymore!” Still, despite her worldly-wise chastisements, email is still the #1 method of communication in the enterprise, and security of your emails is likely (or at least should be) at the top of your company’s security strategies. Email may be the lifeblood of many a corporation but as we all know, it is rife with security issues. From malware to phishing scams to nefarious links, one false click can bring the entire company to its knees. So let’s talk some strategies with dealing with this (allegedly) antiquated mode of communication and see if we can’t shore up our email security a little…
Generally speaking, users want three things out of their email security: confidentiality, integrity and availability (aka the CIA Triad). You want to know no one can read your emails other than the intended recipient, you want to know you can get access to (and have the ability to send and receive) 24 x 7, and you really want to know it’s being backed up regularly and most importantly, can be restored if disaster strikes.
The threat landscape has changed
Times have changed since the original advent of email back in the 70’s and the world is now full of bad actors (I’m looking at you Nick Cage!). Oh wait, wrong definition of bad actor… There are threats everywhere: government-trained hackers attempting to crack national security databases, criminal gangs bent on selling stolen data, hacktivists looking to publicly humiliate corporations and individuals, cyberterrorists with political or religious agendas, corporate spies trying to get a leg up on the competition – in short, there is no shortage of motivated groups and individuals looking to make a lunch out of your intellectual property. And their absolute fave attack vector is email. Why? Because it’s ridiculously easy to leverage. Here are a few examples:
• Social Engineering – you work in accounting and you get an urgent email purportedly from the CEO who is out of town on a biz trip to Europe when you get a request for an urgent bank transfer (or a customer list, or corporate plans for a product rollout, etc.) for a deal that is closing today.
• Malware infection – an irresistible email arrives with a link to Nick Cage’s latest blockbuster (haha – yeah, not likely…) and being the big Nick Cage fan that you are, you click on the link and unleash Hell on Earth upon your organization.
• Phishing – emails that attempt to get you to login to a fake banking website that are actually designed to steal your password.
• Spear Phishing – a more sophisticated and targeted version of Phishing that usually starts with some gathering of intelligence prior to launch.
What to do?
Back to the CIA Triad where confidentiality, integrity and availability are integral components of a solid security plan, and the best place to start is offsite. With more and more corporations abandoning on-premise email for the allure of Office 365 comes an epiphany: Microsoft is not the world’s foremost expert on security (What??? Say it isn’t so!). And leaving your email security in the hands of the Keystone Cops of security may not be all that great of a strategy. Ok, fair is fair, they have gotten marginally better at it, but most security experts agree that the technique of “defense in depth” – which employs multiple layers of security spread across multiple vendors – is a more sound approach than rolling the dice with Microsoft security and simply hoping for the best.
Cloud-based email security
Two of the biggest misnomers about Office 365 (and other cloud-based email platforms for that matter): 1) Microsoft backs up my emails and 2) Microsoft protects me from spam and email-borne threats. Wrong and wrong. I wrote a blog about email backups here but suffice it to say that they do NOT backup your email and they only have a halfhearted (and largely featureless) defense against mail threats. Nope – if you are looking for a robust email security platform you better move along folks ‘cause you ain’t gonna find it here. They are in the email business, they’re just not in the email protection business. You need a feature rich solution that handles:
1. Antispam, antivirus and malware blocking – stop those bad emails in their tracks!
2. Outbound filtering – protects your reputation in the case of an internal infection
3. Link checking – checks links after you click them but before you actually get there
4. Multiple server redundancy – never be down. Like, ever!
5. Quarantining and attachment sandboxing – check for malicious content offsite in a protected environment
6. Integration across multiple platforms – Exchange, Exchange Online, Office 365, Gmail, etc.
7. Store and forward – in the event your mail service becomes unavailable for a few hours or even a few days
8. LDAP and Active Directory authentication – allows for single sign-on
Many features! Much protection! In the words of the over-excited late night host Jimmy Fallon – “Oh my goodness – now that’s what I’m talking about! That’s how you do it right there!”
Looking for help with your email security strategies? We have a solution that we have been using to rave critical reviews for years and we’re betting it’ll work for you too. Contact us today!