For 2019, the single biggest threat to your organization’s online security remains malicious emails. As nonprofit leaders, it’s up to you to require email security best practices among your crew and institute a security-minded culture within your organization. However, recognizing which are malicious can be particularly challenging for a small organization or nonprofit.
Here are two straightforward checklists for consideration when evaluating email and cyber-security initiatives. The first is an Email Best Practices checklist from ProtonMail (www.protonmail.com), a team based in Switzerland dedicated to protecting and improving online privacy. Its goal is to build an Internet that respects privacy and is secure against cyberattacks.
The second is a cybersecurity checklist from Observe IT (www.observerit.com), which is focused on proactively identifying and eliminating threats. While the target audience is large organizations, the list is a good benchmark for learning what challenges those organizations face and applying the lessons to your own organization.
Email security best practices adapted from ProtonMail’s blog
Contrary to popular myth, the most effective hacking techniques require almost no technical skill. A hacker only needs an Internet connection, an email account and a knack for deception.
Phishing email attacks remain the most common and devastating attack vector. These attacks use various social engineering strategies and target end users (i.e. your employees) rather than infrastructure.
According to 2016 research by Symantec, “One in 131 emails sent were malicious, the highest rate in five years.” These kinds of attacks have become so widespread, costing businesses worldwide about $1.8 billion annually, that the FBI released a public service announcement in 2017. It reported that the amount of money lost to email scams had increased 2,370 percent between January 2015 and December 2016.
Given that hackers tend to exploit human mistakes rather than technical ones, your company’s security policy should emphasize each employee’s role in preventing cyberattacks. Here are the main points.
Education: The most important thing you can do is to keep security a priority among your team. Start by understanding the common phishing attacks, and share updates and reminders with your employees regularly.
Limit public information: Attackers cannot target your employees if they don’t know their email addresses. Don’t publish non-essential contact details on your website or on any public directories, including phone numbers or physical addresses. All these pieces of information can help attackers engineer an attack.
Carefully check emails: Phishing attacks are seldom perfectly executed. Often there’s a tip-off, such as the message coming from a bizarre address (e.g. email@example.com), unusual links (e.g. amazon.net.ru), or a high number of typos or formatting mistakes in the text. If it looks suspicious, employees should report it.
Beware links and attachments: Your employees should be skeptical anytime they receive an email from an unknown sender. Do not click on links or download attachments without verifying the source first and establishing the legitimacy of the link or attachment. Attachments are especially dangerous because they may contain malware, such as ransomware or spyware, which can compromise the device or network.
Hover over hyperlinks: Never click on hyperlinked text without hovering your cursor over the link first to check the destination URL, which should appear in the lower corner of your window. Sometimes the hacker might disguise a malicious link as a short URL. You can retrieve the original URL using this tool.
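As an added example (not from ProtonMail’s post or this article), the two tip-offs above can be checked mechanically over an email’s HTML body: a link whose visible text names one domain while the destination is another (such as amazon.net.ru, whose registrable domain is net.ru, not amazon.com), and a link hidden behind a URL shortener. The sample message and the shortener list are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample of an HTML email body (not a real message): the first
# link's visible text names amazon.com but its href is a lookalike host, the
# second hides behind a URL shortener, the third is consistent.
SAMPLE_EMAIL_HTML = """
<p>Your order is on hold. Please <a href="http://amazon.net.ru/login">sign in at amazon.com</a>
to confirm your details, or view the <a href="https://bit.ly/3xAmpl">invoice</a>.</p>
<p>Questions? <a href="https://www.amazon.com/help">Visit amazon.com help</a>.</p>
"""

# Shortener hosts whose real destination is unknown until expanded (assumed list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Good enough for a constructed sample; a real mail filter should use an HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}\b", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'amazon.net.ru' -> 'net.ru'.
    Simplification: proper handling needs the Public Suffix List, but two
    labels already show why amazon.net.ru is not Amazon."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def suspicious_links(html: str) -> list:
    """Return (href, reason) for links whose visible text names a domain the
    href does not lead to, and for links hidden behind a shortener."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        host = urlparse(href).hostname or ""
        if host in SHORTENERS:
            findings.append((href, "shortened URL: expand it before trusting it"))
            continue
        for mentioned in DOMAIN_IN_TEXT_RE.findall(text):
            if registrable_domain(mentioned) != registrable_domain(host):
                findings.append((href, f"text says {mentioned}, link goes to {host}"))
                break
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS {href}: {reason}")
```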
Never enter your password: Unless you’re 100 percent certain the website is legitimate, you should never enter your password. If you aren’t logging into your account and you haven’t requested to reset your password, then password reset links are likely part of a phishing attack. Password managers, in addition to helping you use strong, unique passwords, can detect fake websites for you.
If in doubt, ask: Better safe than sorry. Your employees should be instructed to check with IT staff or a manager any time they have doubts about an email.
Essential cyber-security best practices for 2019 (as adapted from Observe IT’s blog)
Based on 2018’s top cyberattacks and insider-threat incidents, and what we predict is on the horizon for this year, Observe IT staff compiled a list of essential cybersecurity best practices every information security professional should have in their arsenal.
1. Educate employees on cybersecurity policies for remote work and business travel. We recently surveyed 1,000 employees about how they access corporate networks during work travel, and 77 percent admitted to connecting to free public Wi-Fi networks (which are typically unsecured) using corporate computers and phones. Only 17 percent of respondents said they always use a VPN when they’re away from the office.
With the remote work trend on the rise, employees need to know that sacrificing security for convenience isn’t an acceptable tradeoff. Nearly half of employees aren’t aware of their travel or remote work cybersecurity policies, so it may be time for a refresher (or to establish these guidelines if they aren’t already in place!).
2. Conduct phishing simulations. According to Verizon’s 2018 Data Breach Investigations Report, phishing attacks are still as prevalent as ever, but in an analysis of phishing simulations, 73 percent of people did not click on a single malicious email all year (bravo!).
An important aspect of cybersecurity awareness training is helping employees understand how phishing attacks may manifest themselves in their day-to-day lives. As social engineering attacks and credential theft attempts become more sophisticated, investing in phishing simulations creates a safe space to test employees’ knowledge.
3. Prioritize employee privacy. Even a quick look at the tech news headlines from 2018 shows that data privacy awareness and sensitivity is at an all-time high. Not to mention, GDPR regulations and others coming down the pike (such as California’s Consumer Data Privacy Law) make data privacy a business imperative.
Prioritize employee privacy by anonymizing any data you collect from them in an insider threat prevention capacity, and communicating clearly about how cybersecurity policies impact their privacy in any way.
4. Create a cybersecurity-awareness training program. Consider that two out of three insider threat incidents are caused by employee or contractor mistakes, and mistakes are preventable! Now is the time to invest in cybersecurity awareness training. In fact, according to SANS, 85 percent of cybersecurity awareness professionals reported that their work had a positive impact on the security of the organization.
If you’re wondering where to start, check out our Coachable Moments series, which regularly features cybersecurity awareness tips. CliffsNotes version: Find multiple channels to reinforce your cybersecurity policies in employees’ day-to-day work (since no one wants to read a long, boring document).
5. Inform third-party contractors of the cybersecurity policy. According to a recent NPR/Marist poll, one in five jobs are held by freelance workers, and that trend will only continue to rise. Many organizations reap the benefits of third-party contract work, but few educate these contractors on cybersecurity policies and best practices that may affect their day-to-day workflows. Ensure these workers are aware of your policies and know how to adhere to them.
6. Monitor both user and file activity. We predicted that savvy, malicious insider threats will take advantage of multiple channels to exfiltrate data and hide their tracks in 2019, which means that having the right user and file activity monitoring solution in place is one of the best methods of prevention. Solutions like DLP that focus on the data, and not user activity, often fall short of stopping malicious insider threats in their tracks.
7. Be vigilant of state-sponsored threats. We’ve seen a lot of 2018 headlines about international threats targeting U.S.-based companies, including Amazon’s high-profile insider threats in China. Employees at companies within high-value industries, including banking, technology, healthcare, and more, may face major incentives to exfiltrate and sell data to foreign governments. Understanding the motivations of nation-state insider threats is crucial, so you’ll be able to spot patterns of suspicious activity.
8. Enforce the use of a password manager, SSO & MFA. It sounds like an obvious faux-pas to the cybersecurity professional, but the use of weak or repeat passwords is still rampant among workers today. If you can’t teach employees how to reliably create hack-proof passwords, then adopting and enforcing a quality password manager is another great option. If you haven’t already chosen a password management solution, check out this post on the benefits and risks of password managers.
Other account security measures such as single sign-on (SSO) and multi-factor authentication (MFA) should also be enforced across the board, taking as much margin for user error out of the picture as possible.
9. Audit privileged access. If you haven’t done it in a while, check how many users have privileged access to sensitive areas of your servers, and ask whether each person’s level of access is really necessary. Privileged access tends to creep up on organizations over time, as people leave the organization, change roles, or no longer work on the tasks their admin credentials were granted for. If you find this issue repeatedly happening at your organization, it may be time to adopt a system of temporary or rotating credentials.
The bottom line: Regardless of your organization’s size, there is work to do where email and cyber security are concerned. And if you aren’t yet having these conversations with your IT partner, you should make it a priority to pursue a roadmap for email and cyber security best practices in 2019.