The cost of doing business
One of the most widely used method for transporting ransomware, viruses and malware is through something that we use every day. It’s a tool that we became dependent on for communication, orders, processes and running our business. This tool is almost vital to operating our business, yet it can bring our business to a screeching halt if we make one mistake. Email is one of the biggest contributors to the way we run our businesses and is a vital tool in communicating with our team, our vendors and most importantly, our customers.
The threat actors try to gain access to our email accounts and just watch our habits. They document the company’s chain of authority and replicate our company team on a tree, adding names, titles, and email addresses as they watch. They can be in the system for weeks, months or even longer. As they watch our email communications, they are becoming smarter with how the company runs and perhaps who we pay, and how. They gain the knowledge of our infrastructure, habits, and our financial methods, all of this is accomplished by going through our emails.
They gain this access to our email accounts by the lack of security tools, training or perhaps praying on the weakest employee to open a malicious email that will grant access to the hacker. Keep in mind that any process can only be as good as our weakest link and email is only as secure as our less trained employee.
With Email being one of the enter points to our business, one would think that this resource would be managed with the highest security possible, yet we all depend on our employees and team members to know the difference between safe and unsafe emails. We try to increase our employee awareness through training classes or videos that we make all our new employees watch, but is it good enough? Training your team is a great start, but it’s not enough. Email threats grow with sophistication every day. Let me tell you what I have learned throughout the years of being on great IT teams. The more advanced the employee title, the more relaxed we tend to be with adding security tools or adding a process for that individual. The executives lose patience when it takes time to accomplish a task, or so that’s what you may think. In fact, many of the locations that I visited would always make the functions for the Owner, CEO, CFO and COO’s as easy and less complicated as possible. However, based on the type of information that these users have access to, is this a good idea?
With Convenience, comes insecurity.
As we make things easy, we remove the ability to remain secure. How nice would it be to log into your computer, start your applications and begin to work? Open your email to post orders or check with the vendors from emails sent the day prior. This is exactly how most of us are working now! Unfortunately, the way that things are on the internet somewhat resembles a big swimming pool and everybody jumps into the pool at the same time. If you can’t swim, you will need a floating device. If you don’t have a floating device and you jump into the deep end of the pool, you’re responsible for the outcome. If we already had the ability to float, then jumping into the pool wouldn’t be an issue! The same holds true with any internet-based interaction. We are responsible to stay safe on the internet and our safety is solely on how we use it, or what tools we have in place. The main difference between us and our employees is that our employees will jeopardize our entire business if they click on the wrong email or open a malformed attachment. What this means is that our security is now something that we need to prepare for and that most certainly will slow down our ability to engage in our work efficiently, but it will allow us to be safe. If fact, we are responsible for the entire company’s security.
Security is certainly inconvenient.
Security is certainly inconvenient. I mean, I what if I must use a dongle every time that I start outlook for the first time that day? 2FA (Two Factor Authentication) is annoying and I don’t always have my cell phone with me. Why do I need to go through this process of changing my password every 90 days? It’s just too much work and we just don’t have time for this. This would be a bit inconvenient I would say.
Although these are all great excuses for wanting to work without the additional security checks and balances, they are not reasonable exceptions to running securely. I have always been told that security is inconvenient and the more convenient we are, the less secure we become. Maintaining a secure environment makes it necessary to add the additional processes to the CEO’s daily tasks. Afterall, they have more important documents than the receptionist would have. We need to treat each user as if they held the most important documents within the company. Afterall, any user that gets hacked will corrupt the entire company network, so it really doesn’t matter what title they hold. Remember, we don’t want anyone in our email system lurking around and collecting information.
Our email is secure, so HR can send documents!
Now that you understand how important it is to keep the email secure, let’s work together to help secure our company. I have included a few things that you can do to keep your email safe, but a big part of this would be to remove the bad emails before they even reach the users mail box. There are products out there that manage this exact process and some go as far to disallow attachments that are not from your normal contacts until you validate them. These tools cost money, but they are one of the most effective ways to keep your email safe.
Once we get the tools in place to secure our emails, does that mean that we can use email to send sensitive information or attachments that contain social security numbers? Let me offer a few of my thoughts on this and you can decide how to use your email.
Email is forever.
hen an email is sent, it will remain in the users sent mail until it is archived, deleted or perhaps rules manage the sent mail, if they were set up. The same goes for the receiver of the email. It stays in that email inbox until deleted, archived or other. If the receiver deletes that email, it stays in the deleted folder until it is dealt with. Sometimes we have no control of the receiver’s email system, especially if it is someone outside of our network. My point is that every email that was ever sent or received can be viewed by anyone that has access to that email address, at ANY TIME. Perhaps you change providers or security methods, and there is a point in time that the email address is susceptible to an intruder. Perhaps you lose your laptop at the airport, and you have your email application to startup without having to put in the password every time. Once the intruder is in the email, they will be able to have access to all emails that were sent, received, deleted, and archived (online archive reachable through the email application). If the email existed, they have WILL have the ability to see it.
Basic Rules to follow:
Even if you have a secure application or toolset watching over your email, you should never use it to send sensitive information.
Scanning the sensitive information into a PDF and password protecting it will not keep it safe. These passwords can easily be removed or cleared by anyone wanting to access the document. I know that I had to personally crack into a secured PDF for one of our team members who forgot the password that they used to secure the document. This was accomplished without much effort.
Don’t open links in an email, especially if they are sent by your bank, ebay, paypal, amazon and any other online service. If there is something that you want to confirm, open a web browser, and go to the site by typing in the URL manually.
Look at the sender of the email before opening attachments that could be a purchase order or invoice. Many times, these emails are sent using another person or company’s display name, but upon further look you can see that the email was sent by firstname.lastname@example.org or some type of ambiguous email server. The police, IRS, Government agencies or rich prince will ever email you.
Phishing attempts are sent in an email and try to trick you into giving out personal information, especially your email password. When you click on a link, it will open a webpage that looks like a Microsoft web-based email client and prompt you for your email address and password. Don’t fall for these types of attack. Again, always open your browser and go to the site manually.
If the email doesn’t have enough information, don’t react to it in any way. Don’t open it and don’t reply to it. Just delete it to be safe. If it’s important, the person will eventually call you.
That brings up a great point. If the email looks legitimate but you were not expecting to hear from the sender, and the email contains a person phone number, call the number to ask about the email. I have seen a few nicely formatted emails that look EXACTLY like a customer’s email, down to the signature at the bottom. It included a document that they needed me to quote and were looking for this as soon as possible. I wasn’t expecting this email and I wasn’t sure why they wanted me to quote immediately, so I called the customer. Turns out that they were hacked and never sent the email. If you’re not expecting an attachment, call the sender to see what the deal is.
Purchase a tool to help keep your email safe by eliminating the known spam emails, disallowing attachments until they are scanned, generating a safe list and things of that nature. These services are not too expensive, but they are charged per email address. Call us, we can help you with this.
If you’re a company, provide training to your team that discusses these types of unsafe practices and educate your team to be successful in practicing safe email protocols.
Join a service that alerts you to the newer scams going around. There are news groups that offer this content at no charge, and it helps to alert yourself, and others, about the current threats going around.
These are just a few ways to stay safe and I can think of so many more. The key is to understand the threats and how email works, knowledge is power.
Above everything else, you can always reach out to our team, and we can help.