Five Helpful Email Security Tips: What You Should Look for in Your Email Setup
In the old days, if you were looking to contact an organization without physically going there, you would look for a phone and/or fax number. These days, if you try to contact any outfit, you look for an email address and sometimes a website. Email is everywhere. A person without an email address today seems really strange, just as a business without one would be almost unthinkable…
Many organizations go to the Cloud for their email and use a service like Gmail. Others set up their own mail server on their network and go that route. In both cases, setting it up requires very little knowledge and can be done with a few simple clicks, which sets the bar for entering the world as an Email Administrator very, very low.
So, the big question is: what can you actually do to help ensure that your email setup is decent? Well, I put together a list of suggestions that should help most small and medium organizations:
1 – Use a Cloud Email Provider.
Even if you have an internal mail server, make use of a Cloud Service provider to act as your main spam filtering service. They have invested a lot of money into their hardware (probably more than you), which means that if someone decides to send a massive flood of email your way, a Cloud Service is better equipped to handle the situation. I have seen small organizations have their email brought completely offline for days, because they were receiving thousands of spam emails per minute, and their hardware simply couldn’t process those messages fast enough.
Essentially, you are making the Cloud provider look like your email endpoint to the outside world. The idea is to let their infrastructure handle the heavy lifting, so that you can manage what is left.
As part of a Business Continuity plan, being able to have your users get their email directly from the Cloud provider would be an asset. This could ensure you continue receiving and responding to emails if your internal mail server has a critical issue. It would be unwise to allow this all the time, since it would make performing any kind of email audit extremely complicated. However, if it can be quickly flipped on and off, then it could come in very handy.
2 – Configure Anti-Spoofing Information.
What this means is that you should configure SPF, DKIM and DMARC for your email domain. These are methods of preventing an unauthorized person on the Internet from sending an email that looks like it comes from your domain. These protections do not cost anything, but they require you to understand how the checks work and how your own email flows in order to set them up properly. If they are not configured correctly, you will either wind up blocking your own emails, or they will be useless.
Make sure all three are set up and that each has been tested individually. There is no requirement that a receiving mail server use any of these checks on the email it receives, so while they are useful, they do not guarantee that someone can't spoof your domain. Nevertheless, as these checks are free to set up, there is no real reason not to make adequate use of them.
3 – Use Appropriate Encrypted Protocol for Email Access.
There are different protocols that user software can use to send and receive email. If you are running an Exchange server (which is very common these days), then Microsoft has a proprietary Exchange protocol that can be configured in the client software. Not all software supports this proprietary protocol, in which case you have the open protocols POP3 and IMAP to choose from. Make sure you only allow the encrypted versions of these protocols to be used (especially over the Internet).
Also, make sure to use the proper protocol for the situation. POP3 is only good when a user accesses their email from a single device. If they use multiple devices (a PC, a phone and another PC, or something like that), then all devices should use IMAP (or the Exchange protocol, which also handles multiple devices). Be aware that, due to how these protocols work, IMAP and Exchange require a lot more storage space on your mail server than POP3.
4 – Configure Additional Spam Filtering and Virus Scanning.
Even if you rely directly on a Cloud provider and have no internal mail server, you should set up an extra level of spam and virus scanning. There's an old saying: "Don't put all your eggs in one basket." So, don't put all your faith in the Cloud provider's ability to block spam and detect viruses. They have many customers, so their checks need to be generic enough not to interfere with anyone's legitimate email. Blocking ten million spam messages doesn't matter if you also block one authentic email (making people very angry).
Phishing is often highly targeted and customized. This means that the generic Spam Filtering of a Cloud provider has little chance of detecting this sort of attack. You should install supplementary checks on your end that look for viruses and spam.
5 – Force the Use of Good Password Hygiene for your Email Accounts.
By this, I mean all the normal advice when it comes to passwords: make them long and complex, change them periodically and, above all, MONITOR ACCESS. First, in most organizations the password associated with your email is the same one you use to log in to your computer. Second, your email address is pretty easy to find on the Internet. Finally, your email address is generally the same as the username for logging in to your computer. This means someone on the Internet who can easily find your email address could potentially discover your password simply by trying to connect to your mail server with random passwords over, and over, and over, and over, and over, until they find the right one. This could give them access not only to someone's email, but also to things like VPNs (i.e. a way in). By default, no mail server will ever lock a user out after a certain number of failed login attempts unless you explicitly configure this.
Don't make an attacker's life easier; protect your email! Proper password hygiene is easy to enforce, and you need to accept that if you don't enforce it, it won't happen. Also, making sure that unauthorized people don't access the email accounts of your employees is the outfit's responsibility. Make sure this obligation is specifically assigned to someone and that you do what it takes to make it happen.
Just because you can send and receive email doesn't mean your organization has things set up "properly." Take a step back and go over your whole setup. Chances are you could improve your situation simply by following at least some of the advice I have given.
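"MONITOR ACCESS" in tip 5 is the part nobody automates, so here is an added example (my own code, not from the original post) of what that monitoring looks like: it reads IMAP login failures, flags any source address that reaches a lockout threshold inside a sliding time window, and separately flags accounts being guessed from several addresses, which per-IP lockout alone never catches. The log format is Dovecot-like but constructed, as are the usernames and the RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a Dovecot-like format (not a real log); rip = remote IP.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z imap-login: auth failed user=jsmith rip=203.0.113.7
2024-03-01T08:00:02Z imap-login: auth failed user=jsmith rip=203.0.113.7
2024-03-01T08:00:03Z imap-login: auth failed user=jsmith rip=203.0.113.7
2024-03-01T08:00:04Z imap-login: auth failed user=jsmith rip=203.0.113.7
2024-03-01T08:00:05Z imap-login: auth failed user=jsmith rip=203.0.113.7
2024-03-01T08:00:06Z imap-login: auth failed user=jsmith rip=203.0.113.7
2024-03-01T08:10:00Z imap-login: auth failed user=mlee rip=198.51.100.2
2024-03-01T08:40:00Z imap-login: login user=mlee rip=198.51.100.2
2024-03-01T09:00:00Z imap-login: auth failed user=mlee rip=198.51.100.9
"""
FAIL_RE = re.compile(r"^(\S+) \S+ auth failed user=(\S+) rip=(\S+)$")

def parse_failures(log_text):
    """Yield (timestamp, user, rip) for each failed-authentication line, in log order."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3)

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Map each source IP that reaches `threshold` failures inside `window` to its peak count."""
    recent = defaultdict(deque)   # per-IP sliding window of failure timestamps
    flagged = {}
    for ts, _user, rip in parse_failures(log_text):
        q = recent[rip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[rip] = max(flagged.get(rip, 0), len(q))
    return flagged

def find_distributed_guessing(log_text, min_sources=2):
    """Map accounts that failed from at least `min_sources` distinct IPs to that count."""
    sources = defaultdict(set)
    for _ts, user, rip in parse_failures(log_text):
        sources[user].add(rip)
    return {u: len(s) for u, s in sources.items() if len(s) >= min_sources}
```

The threshold and window should match whatever lockout policy you configured on the server, so the report tells you both when lockout fired and when a slow, spread-out guessing run stayed just under it.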
To quote Shakespeare, from “King Henry V” (Act IV, Scene III): “All things are ready, if our mind be so.”
If you have any questions about improving your Email Security, please reach out to your TRINUS Account Manager, for stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.