In 2016, cybersecurity was yet again thrust into the spotlight. Massive data breaches captured headlines, forcing businesses, government officials and consumers alike to grapple with how to protect sensitive information. This year, we saw San Bernardino County’s failure to fully consider the issues related to BYOD tailspin into a government and tech industry standoff. We also witnessed the DNC, John Podesta, Colin Powell and others fall victim to highly-publicized email hacks, as a result of a poor understanding of email security and lack of cybersecurity training.
Given the ever-growing threat to cybersecurity this year, we’ve put a strong emphasis on educating our ZixCorp community on how best to protect sensitive data. In addition to meeting with new and existing customers across the country, I personally had the pleasure of chatting with a handful of influential legislators from both sides of the aisle in Washington D.C., such as Senator Markey and Cassidy.
The question on everyone’s mind? How to identify and defend email vulnerabilities.
As we start to look at the year ahead, we see the same email vulnerabilities continue to pose a threat to businesses. Since it’s safe to say that cybersecurity is not going away in 2017, here’s a look at a few key email security threats to watch out for in the new year.
Cybercriminals are getting more creative with how they steal sensitive information through email messages. Phishing attacks impersonate a legitimate company or individual and attempt to steal people’s personal data or login credentials. Those emails frequently use a sense of urgency to scare users into doing the attackers’ bidding. It’s important for employees and high-level executives to remain vigilant about their data and to scrutinize all emails carefully for signs of phishing. This means checking email addresses carefully and if the request is suspicious, checking in with the person or institution who supposedly sent the email. Implementing defensive technology is important, but defending phishing attacks requires ongoing user awareness and training.
In general, most employees aren’t aware that “bad guys” can access their email as it travels over the Internet using a man-in-the-middle attack — just one of the many weapons cyber thieves have in their arsenal. A data thief can use a man-in-the-middle attack to cause an email to be intercepted without detection, putting your data in the wrong hands — without your knowledge. This is where email encryption comes into play. Email encryption keeps messages and attachments illegible from unauthorized users. Just be sure to deploy a solution that’s not only secure, but also easy to use. The easier email encryption is for senders and recipients, the more likely it will be used to keep email secure. For more information on protecting email from man-in-the-middle attacks, please see the Zix TLS white paper.
An email threat with a psychological twist, social engineering is used by cybercriminals to build trust before stealing confidential information. This con technique has many different derivatives, but what it comes down to is a criminal pretending to be another more-trusted individual (IT support, human resources, outside contractor, etc.) and engaging in a conversation where the end goal is to gain access to your company’s network. It’s always easier for thieves to first attempt social engineering before hacking into the system forcibly. To protect your company against social engineering, educate your employees by informing them never to give out passwords and watch for suspicious activity.
All employees make mistakes, but some are more costly than others. And all too often it is an error from within an organization that wrongly discloses some of the most important information, rather than an attack from the outside. All employees should receive regular training on how to handle sensitive information. Another way to combat human error is a data loss prevention (DLP) solution that scans all emails and attachments to ensure that sensitive information isn’t leaving an organization by mistake or in an insecure fashion.
There are many ways for hackers to deliver ransomware — designed to block access to a computer system until the owner pays a sum of money — with email being a mainstay. Many attackers deliver a convincing ploy to their targets via email, providing a web link for more details. Simply clicking on that infected link can lead you to a malicious website that will download ransomware and lock your computer until the ransom is paid. In order to combat ransomware via email, educate employees on that threat and the potential security risks affiliated with suspicious links and attachments. Do not click unfamiliar links, especially shortened links, like bit.ly or owl.ly. Frequent and complete back-ups are also an important safeguard.
Seeing how 2016 shaped up, I urge you to make cybersecurity a priority for your business this new year. With the right education and online best practices, you can prevent your sensitive information from getting into the wrong hands. We’ll likely continue to see data breaches make headlines in 2017, but don’t let your business be one of them.