Email is the number one attack vector in the world for hackers and other bad actors.
Email is also the number one tool used for legitimate communication to and from clients and vendors. There are more solutions for protecting email than for any other channel. We can’t say it’s not complicated, and we can’t say there aren’t ongoing costs. What we CAN say is that we can help you through the process of deciding which tools to deploy, how to deploy them and how to manage them on an ongoing basis. “Ongoing” is the most important word to understand about email security. There is no such thing as “set it and forget it”. It requires constant care and feeding.
How do we help you protect your email? Here is our approach. Regardless of your company’s size, business sector or revenue, there are some email security basics everyone needs to follow. Let’s start with what’s built into DNS.
SPF (Sender Policy Framework)
This tells the world which servers are allowed to send email as you. There are many different settings available to give you the flexibility you need for any business requirement. Setting it incorrectly allows anyone to send email as you. Ongoing monitoring of the record is important because unauthorized changes to it are an IOC (Indicator of Compromise).
DKIM (DomainKeys Identified Mail)
This is a cryptographic method of “signing” your emails. It’s very much like sending a Certified Letter from the post office. This DOES NOT encrypt your email contents. DKIM uses the same private and public key pair technology that is at the root of all modern encryption. Your email server holds the private key, and the public key is published in your DNS. Using this method, other servers can confirm that an email was sent by you or by someone you authorized. Managing your private keys (knowing which people and which entities hold them) and rotating them periodically is important to ensure the integrity of your domain.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
This is the method used to provide enforcement and reporting for SPF and DKIM. It gives other email servers a way to report email that fails authentication for your domain, according to rules and conditions you set. This is a powerful tool that requires monitoring, and remediation steps must be taken depending on the type of reports received from other servers.
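The SPF and DMARC points above (a permissive SPF record lets anyone send as you; a DMARC record with no enforcement only reports) can be checked mechanically. The following is an added example, not part of the original page or any vendor product; the TXT records are constructed samples for a hypothetical domain, and a real check would fetch them from DNS and resolve `include:` terms.

```python
import ipaddress

# Constructed sample records for a hypothetical domain (not from any real zone).
SPF_OK = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:spf.protection.outlook.com -all"
SPF_BAD = "v=spf1 ip4:203.0.113.0/24 +all"   # '+all' lets anyone send as the domain
DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
DMARC_WEAK = "v=DMARC1; p=none"              # monitoring only, nothing is enforced

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_authorizes(record, sender_ip):
    """Evaluate ip4/ip6/all mechanisms in order and return the SPF result string.
    'include:', 'a' and 'mx' terms need DNS lookups and are skipped here."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # an unqualified mechanism means '+'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return RESULT[qualifier]
        if mech == "all":                    # catch-all decides every unlisted host
            return RESULT[qualifier]
    return "neutral"                         # no mechanism matched

def spf_findings(record):
    """Flag SPF settings that let unauthorised hosts send as the domain."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["record does not start with v=spf1"]
    if terms[-1] in ("all", "+all"):
        return ["'+all': any host on the internet may send as this domain"]
    if terms[-1] not in ("-all", "~all", "?all"):
        return ["no terminal 'all': unlisted hosts are neither passed nor failed"]
    return []

def dmarc_findings(record):
    """Flag DMARC settings that give no enforcement or no reporting."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1"]
    findings = []
    if tags.get("p") == "none":
        findings.append("p=none: failures are reported but spoofed mail is still delivered")
    elif tags.get("p") not in ("quarantine", "reject"):
        findings.append("p= tag missing or invalid")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports have nowhere to go")
    return findings
```

Running `spf_findings` and `dmarc_findings` on a schedule and diffing the results against the last known-good record is the kind of ongoing monitoring the sections above call for.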
Those are the basics. That is where everyone should begin.
It is very important to note that not all email servers follow these rules. While SPF is widely accepted and adopted, DKIM and DMARC are not as prevalent. This is partly because DMARC usually has a cost associated with it, in the form of software licensing or monthly subscriptions, but also because it requires ongoing monitoring and generates remediation work.
The next steps for email vary depending on what laws and compliance controls you must follow for your business.
The most common requirements we will help you evaluate are national and state-level privacy laws like GDPR and CCPA, security compliance regulations for healthcare and financial services like HIPAA and PCI-DSS, cyber insurance requirements from underwriters like Chubb and Travelers, and of course the company’s own security policy.
Once we have completed the process of gap analysis compared against the compiled requirements and agreed on a plan of action with set milestones, we start looking at the solutions. These solutions will include combinations of the following technologies:
Advanced Spam Filtering
Often an email host’s built-in spam filter is just not enough. Microsoft 365 and G Suite are often better protected by adding a separate spam filtering provider. We will look at how well what you already have is performing and review the results with you.
Security Awareness Testing and Training
This is one of the most common requirements across the board. It also happens to be one of the best ways to prevent phishing attacks. It needs to be managed and delivered throughout the year, NOT just once a year over pizza in the conference room.
DLP (Data Loss Prevention)
When used for email this is called Gateway DLP, meaning that it only addresses data that is sent or received via email. The primary goal is to stop classified data and intellectual property from leaving the control of the company. DLP has many other useful functions, like protecting people from making an honest mistake. Email-based Gateway DLP can stop information like Social Security numbers or credit card numbers from being sent via email.
Advanced Phishing Protection
Account Takeovers, Business Email Compromise, Executive Impersonation and Domain Doppelgangers are an ever-rising threat and a moving target. Choosing the right protection is critical to catching and preventing these attacks.
MFA (Multi-Factor Authentication)
This is so important that it should really be part of the basics. Sometimes it’s called 2FA (Two-Factor Authentication). The first factor is something you know, like a password or passphrase. The second factor is something you have (or something you are), like a key fob token, smartphone or fingerprint. There is no circumstance where you should not be using MFA.
Ad Hoc Solutions
There is an endless array of tools and technologies that can be used for email security and also for added functionality. We will work with you to research any solutions you are interested in or wish to compare against other solutions.
We know there is A LOT to consider. Email ain’t what it used to be! Call us, we can help make sense of it all.