Datalyst Blog

Datalyst has been serving the Massachusetts area since 2010, providing IT Support such as technical helpdesk support, computer support and consulting to small and medium-sized businesses.

The 11 Best Email Security Practices to Lock Down in 2022

Did you know that, by some measurements, Massachusetts is the ninth most vulnerable state to identity theft and fraud? This is according to WalletHub, which compiled numerous data points covering, amongst other things, how much attention each state’s laws gave to phishing and what resources each state had in place to help fight cybercrime.

While not as bad as it could be, this ranking is certainly less than ideal. Let’s go over a key facet of decreasing the cybercrime that a business may face: how the right cybersecurity solutions and practices can help minimize the security issues your business faces due to its use of email—a favorite attack vector for phishing and other forms of cybercrime.

Be Selective About Where You Access Your Email

A big part of your cybersecurity actually falls to your behaviors as you are using your devices… and where you do so. Business email should never be accessed on a public Wi-Fi signal if it can be helped, and a virtual private network (or VPN) should always be in use for additional data protections. You also need to be sure that the device you are using to access your email is itself secure.

Furthermore, if you are no longer going to be using a particular device to access your company email, that device should have its access to it revoked. The same naturally goes for all company documents and data.

Be Vigilant Against Phishing Attacks

Phishing attacks are a favorite method that cybercriminals use to access a network or introduce malware into it, which makes it critical that your team is able to spot these attempts before they are successful. Make sure that they know to always check the sender. Does it come from a sender that they recognize, or that appears in a quick Google search? Does the language used in the message match what you would expect of the supposed sender? Before clicking through any links, make sure that your team members are hovering over them to reveal where the link actually goes—and remind them that they can always reach out to IT for assistance if they’re unsure.

Use Strong, Unique Passwords and Change Them Regularly

We’ve gone on record numerous times regarding the importance of a password policy that enforces a few recommended best practices. By requiring passwords to be of a minimum level of complexity and each only used in one place, you can help reduce the chance of a business account being undermined.

For added security, we recommend that you periodically change these passwords… often enough to keep your resources secure, but not so often that your users will start to resort to insecure practices in order to remember them. If keeping track of these passwords seems to be a challenge for your workforce, you might consider implementing a secure password management solution, which can store your organization’s passwords safely and conveniently for your employees.

Enforce Site-Wide Multi-Factor Authentication Across All Users

While passwords have been the standard identity authentication measure for decades, they just aren’t sufficient to keep your business’ resources safe—not on their own, at least. 

Today, multi-factor authentication doubles down on the security once afforded by the password alone by requiring the person attempting to access a system or account to provide more than just a password (which, if we’re being honest, isn’t nearly as reliable as it was once considered to be). By requiring this additional form of authentication, you can more reliably ensure that the only people accessing your business’ resources are those who are authorized to do so.

As such, MFA should be enabled wherever it is an option. Two extra moments spent logging in are worth the benefits to your security.

Invest in Email Encryption

Email has long been a staple in the office, which makes it a reliable target for hackers to turn their attention to. Many of the messages that are sent through email will be effectively worthless to a cybercriminal. Unfortunately, the few that aren’t make it all worth it.

In order to keep the contents of your email safe, your business should implement email encryption. Doing so will—for all intents and purposes—render the data you send useless to all but its intended recipient, as unscrambling the scrambled message is just too much of an investment for the average hacker to make.

Utilize a Centralized Antivirus that is Always Kept Updated

The vast majority of threats out there are relatively easy to repel. An antivirus solution, particularly one that is centralized and therefore protects your entire network, can identify and block any code that matches its records of malicious entities.

That being said, this antivirus will need to be maintained. As cybersecurity protections improve, cybercriminals constantly need to innovate new attacks… attacks that an outdated antivirus won’t recognize. Keeping your protections up-to-date will be half the battle.

Don’t Open Attachments Without Scanning Them

Email is a favorite attack vector for cybercriminals, it would seem, as they not only try to intercept messages to steal data—they also send malicious ones to their targets in the hope that the target enables their own downfall. This is a practice known as phishing, and commonly uses the attachment feature of email messages to deliver payloads of malware to the target.

In light of this, it is important that any attachments your business receives through its email are thoroughly scanned for any malicious code before they are opened… and even then, they need to be opened with caution. Hackers are only getting more clever in their phishing attempts, so make sure that your team is aware of the threat and keeps their eyes out for them.

Utilize DKIM, SPF, and DMARC

Without getting too far into the weeds, email is a big enough risk factor for phishing and spam that it pays off to implement certain protections at the server and file system levels. You need to be sure that there are a few DNS (domain name system) techniques in place to help protect your organization.

Ask your IT resource to verify that there are a few standards and practices in place—namely, DKIM, SPF, and DMARC.

DKIM (DomainKeys Identified Mail) helps to ensure that a message hasn’t been altered in transit by checking a special signature that is added to each email as it is sent. If the signature matches what the receiving server expects, the message is accepted.

SPF (Sender Policy Framework) helps to stop spam and other unwelcome messages through a similar process to DKIM. Basically, when a server processes an incoming email, it checks the SPF record to confirm the email comes from an authorized source.

DMARC (Domain-based Message Authentication, Reporting and Conformance) isn’t technically an authentication method itself, but instead brings DKIM and SPF together, and allows a domain administrator to dictate what happens when a message doesn’t pass these checks.
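One way to carry out the verification described above, as an added example (not Datalyst's own tooling): a Python audit that reads a domain's SPF, DKIM and DMARC TXT records and reports weak settings, shown on a weak record set beside a tightened one. The domain `example.com`, the selector `sel1` and every record value are constructed, and no live DNS lookup is made.

```python
# Added example: audits constructed DNS TXT data; no live DNS lookups are made.
def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM and DMARC style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_email_auth(domain, selector, txt):
    """txt maps DNS name -> list of TXT strings; returns a list of findings."""
    findings = []
    # SPF: exactly one v=spf1 record at the domain, with a restrictive "all".
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"SPF: expected 1 record, found {len(spf)}")
    else:
        terms = spf[0].lower().split()[1:]
        all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
        if all_term is None and not any(t.startswith("redirect=") for t in terms):
            findings.append("SPF: no 'all' term, unlisted senders are not failed")
        elif all_term in ("all", "+all", "?all"):
            findings.append(f"SPF: '{all_term}' does not fail unlisted senders")
    # DKIM: the selector's key record must carry a non-empty public key (p=).
    dkim = txt.get(f"{selector}._domainkey.{domain}", [])
    if not dkim:
        findings.append("DKIM: no key record for selector")
    elif not parse_tags(dkim[0]).get("p"):
        findings.append("DKIM: p= is empty or missing, no usable key")
    # DMARC: record at _dmarc.<domain>; p= tells receivers what to do on failure.
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("DMARC: no record, receivers have no policy to apply")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p", "").lower() not in ("quarantine", "reject"):
            findings.append("DMARC: p=none or missing, failures are only monitored")
        if "rua" not in tags:
            findings.append("DMARC: no rua=, aggregate reports are not collected")
    return findings

# Constructed sample records (example.com and selector "sel1" are placeholders).
WEAK = {"example.com": ["v=spf1 include:_spf.example.net ?all"],
        "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p="],
        "_dmarc.example.com": ["v=DMARC1; p=none"]}
HARDENED = {"example.com": ["v=spf1 include:_spf.example.net -all"],
            "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTED_KEY"],
            "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]}
```

Calling `audit_email_auth("example.com", "sel1", WEAK)` returns four findings, while the `HARDENED` set returns none.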

While it isn’t technically difficult to set these safeguards up, we still recommend that you give us a call to help. We’ll verify that everything is done correctly so you won’t have another thing to worry about.

Have Datalyst Investigate Suspicious Email Messages

Earlier, we referenced the importance of having your team keep an eye out for potentially hazardous emails. Our clients know that, should one of their team members come across a suspicious email, they can turn to us to give it our expert attention. When in doubt, turn to the professionals.

Don’t Reply to Scammers/Spammers

As tempting as it can be to try and waste a scammer’s time, you’ll ultimately only be wasting your own. Plus, you never know… the scammer might be trying to get you to respond for some ulterior motive of theirs. It is better to not play into their hands and simply leave the messages for your IT resource to handle appropriately.

In short, a scammer has only wasted your time by forcing you to identify their attempts. Don’t let them waste any more of it.

Audit Your Business’ Cybersecurity Regularly

Cybersecurity isn’t a set-it-and-forget-it process… it is a mobile and evolving thing that needs to be managed. One part of doing so is to regularly give it a comprehensive once-over to identify any weaknesses or vulnerabilities that may have popped up since you last checked.

You never know—maybe an employee’s device wasn’t attached to the network when a security update was pushed, or there’s a security patch that was missed at some point. Checking your cybersecurity is never a bad idea, as it may be what identifies the vulnerability that would have otherwise taken you down.

You Need to Take Your Business’ Security More Seriously than Massachusetts Does…

…and, if the Massachusetts Data Protection Law is anything to go by, the state takes it pretty darn seriously. The requirements put in place by this law are quite stringent and could be challenging for a business to manage independently.

That’s where we come in. We can comprehensively assist a business with its cybersecurity, including all of the above measures and more. Give us a call at (774) 213-9701 to find out how we can help protect your operations today.
