Taking an assertive approach to securing your information isn’t difficult or even costly. Knowing how information gets exposed, how to protect yourself, and a few guidelines can be very helpful. Trying to recover after your information has been exposed, however, is nearly impossible and can be wildly expensive. Having a plan in place should the worst happen is very important.
Over this series, we’ll discuss some easy ways to take care of your company and keep things where they should be. We’ll cover a range of topics:
- Network Security
- Email Best Practices
- File Storage
- HIPAA Standards
- Disaster Planning & Recovery
Email Best Practices
In our first entry to Small Business IT Security, we discussed networks and how important it is to make sure outsiders can’t get in. The easiest way into a company’s network is through its people, and the easiest way for people to interact is through email.
In this entry, we’ll talk about the importance of keeping your email practices mindful and secure, and the methods that ensure that happens.
Email security and best practices boil down to a single cardinal rule: Don’t open that attachment.
Don’t. Open. That. Attachment.
There’s a strange glut of Nigerian princes, I get it. I’m sorry to break it to you, but none of them have your email. None of them want to give you money. None of them need you to open that attachment.
When Crossroads IT talks to clients about email security, the first thing mentioned is that unless you know the sender _and_ you’re expecting to see an attachment, scrutinize the email. Not to say you have to delete it or ignore it, but be smart. Attachments are the easiest way to get someone in a network to run bad software. It only takes one user to make the mistake.
There are virus and malicious-program scanners built into most common email providers*, and you can install independent programs as well. These scanners serve as a good first step in weeding out problems.
Obviously not all attachments are bad. A reasonable person can tell what makes sense to them when they see it. For example, if you’re sent a file that ends in .ZIP or .EXE and you’re not sure why, be suspicious. Even from a trusted source, there should be some explanation of why you need to run a program. Both have the potential to execute malicious code when you click them. .PDF (Adobe) files have the potential to harm your machine as well. If you do try to open these files, many email programs ask you to confirm the decision. Heed the warning and be sure.
Many of the great security breaches began with someone in an organization downloading an attachment that set the table. A malicious attachment is normally used to provide a way in for a more targeted attack. If the program is run, it can notify the attacker that your system is compromised. Once something like that is in your network, it spreads to other machines, becomes difficult to remove, and even harder to contain.
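As an added example (not Crossroads IT’s code), here is a small Python screen that applies the attachment rules above to an inbound message: it flags the extensions the post names and, going one step further, checks whether an attachment’s first bytes match the type its name claims. The sample message and the signature bytes below are constructed for the demo.

```python
import email
from email import policy

# Extensions the post calls out, with the reason each deserves a second look.
RISKY_EXTENSIONS = {
    ".exe": "runs a program directly",
    ".zip": "archive can hide an executable",
    ".pdf": "document can carry active content",
}
# Leading bytes that reveal the real file type, and the extension it should carry.
MAGIC = {b"MZ": ("an executable", ".exe"), b"PK\x03\x04": ("a zip archive", ".zip")}

def screen_attachments(raw_message: str) -> list[dict]:
    """Return one finding per attachment: name, verdict and the reasons for it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"{ext} {RISKY_EXTENSIONS[ext]}")
        # A program hiding under a document name is the worst case (.docx is a zip too).
        for magic, (kind, expected) in MAGIC.items():
            if payload.startswith(magic) and ext != expected:
                reasons.append(f"content is {kind} but the name says {ext or 'nothing'}")
        findings.append({"name": name, "reasons": reasons,
                         "verdict": "confirm" if reasons else "allow"})
    return findings

# Constructed sample: a notes file and a 'PDF' whose bytes carry the MZ executable signature.
SAMPLE = """\
From: billing@example.com
Subject: Invoice attached
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="notes.txt"
Content-Transfer-Encoding: base64

aGVsbG8K
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

TVqQAA==
--b1--
"""
```

A real filter would allow-list Office formats (which are zip archives) rather than flag every PK signature.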
If you use email, you require an anti-virus solution. There isn’t much argument otherwise. Crossroads IT has our preferences on the provider, but if you have nothing, please reconsider. Windows Defender comes with every Windows 10 install and almost every Windows 7. We’re proponents of Windows Defender, so you may not need anything extra. Whatever you have, anti-virus programs are very helpful for stemming email problems. If you’re not sure what to use, contact us and we’ll be happy to suggest a few options.
Email security is best when it’s aggressive: stemming problems before they arise and knowing the techniques used to get your information. Attachments are the major concern because they’re the easiest way to infect a system, but there are other things to keep in mind. Here are a few thoughts:
Phishing is the act of tricking someone into willingly giving away personal information: logins, credit card numbers, account information, etc. There aren’t any attachments, just imposters. People claim to be organizations that you trust and spoof sites that look legitimate, all so you will hand over sensitive data.
It can look like an email from the IRS asking you to confirm information, or from Facebook saying your account is going to be deleted unless you log in. We’ve seen emails from a credit card company or a bank warning about an illegal purchase. Phishing usually needs you to follow the link provided and log into your account. The act of logging in gives the attacker your confirmed username and password.
The best thing to do, even if the email looks legit, is to skip the email altogether and go to the company’s website directly. The IRS never uses email. If Chase is telling you there’s credit card fraud, they’re going to inform you on your account page regardless of the email. Open up a new browser window and go directly to the site. Calling the company is another great way to confirm. Your goal is to verify the company intended to notify you of a problem, then you can take steps to resolve it.
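The “skip the email and go to the site directly” advice can be partly automated on the defending side. This added example (not Crossroads IT’s code) pulls the links out of an HTML message body and flags any whose visible text names a domain or brand that the link itself does not go to; the brand table and the sample body are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed table (assumed values): brands the post mentions and their genuine domains.
TRUSTED = {"chase": "chase.com", "irs": "irs.gov", "facebook": "facebook.com"}

class _Anchors(HTMLParser):  # collects (visible text, href) for every <a> tag
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def same_site(host, domain):
    return host == domain or host.endswith("." + domain)

def suspicious_links(html):
    """Return (text, href, reason) for each link a reader should not follow."""
    parser = _Anchors()
    parser.feed(html)
    out = []
    for text, href in parser.links:
        host = (urlparse(href).hostname or "").lower()
        shown = text.lower()
        # Visible text shows one domain while the link really goes somewhere else.
        m = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", shown)
        if m and not same_site(host, m.group(0)):
            out.append((text, href, f"text shows {m.group(0)} but link goes to {host}"))
            continue
        # Text names a brand but the link is not on that brand's own domain.
        for brand, domain in TRUSTED.items():
            if re.search(rf"\b{brand}\b", shown) and not same_site(host, domain):
                out.append((text, href, f"mentions {brand} but link goes to {host}"))
                break
    return out

# Constructed phishing-style body: two lookalike links and one genuine link.
SAMPLE_HTML = """<p>An unusual purchase was detected.
<a href="http://chase.com.verify-login.example/">Sign in to Chase</a> to review it
at <a href="http://secure-update.example/">www.chase.com/verify</a>, or go to
<a href="https://www.chase.com/">chase.com</a> for your account.</p>"""
```

Links with neutral text such as “click here” are not caught by these two rules; they are exactly the case where opening a fresh browser window and typing the address yourself is the only reliable check.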
I’ve seen firsthand phishers trick HR into giving out a national company’s tax information: people’s earnings, SSNs, addresses… everything anyone would need to file a false return. Phishers are good at what they do only if no one is paying attention.
Web-Based Email Providers
A client recently gave me an article from the Daily Record in which the author discussed the security of web-based email as a whole. Many of our clients use Hotmail, Gmail, and even AOL. This isn’t terrible, but there are security concerns with web-based mail.
Crossroads IT has professional experience with HIPAA, and I don’t know that there’s a more consequential program that concerns information security in the US**. HIPAA demands the use of encrypted email whenever sending any sort of Personal Health Information. There are multiple free webmail providers that are in use, including the above. The encryption of these services is not recognized by HIPAA. If you are concerned about showing that you took reasonable steps to avoid a breach, HIPAA is a good baseline.
It’s something to consider if you’re emailing sensitive data around. There are precautions you can take and services you can employ to ensure fully compliant end-to-end encryption, and thus HIPAA compliance. The situation your organization is in might not require such a level of security, but it’s worth noting that if you feel you need that level, you should not assume all email is secure.
Unsubscribe Links vs. Blocking Rules
The most satisfying thing to do when you get spam is to follow the little Unsubscribe link at the bottom. You’re planting your flag in the sand and saying “No More!”. Except, unless it’s a reputable company, you should be avoiding that link. We hate spam too, but that link is a world of opportunity for bad actors.
When you click the link, at a bare minimum you’re confirming that your email address is valid. It’s like answering a telemarketer: in giving any sort of response, you’re telling whoever is calling that there is indeed a warm body on the other end. Legal email marketing costs money per recipient, so by confirming the email on their list is valid, you’re justifying the cost. Illegal marketing costs nothing, so whether you click the link or not, you’re getting another email. Either way you’re not getting what you want.
Furthermore, that link can be dangerous. This certainly isn’t _always_ true, but unless it’s a reputable company, you have to assume it is. Websites can exploit your browser and give hackers an avenue to install malicious software. On top of that, it’s very easy to phish for information if the promise is no more solicitation.
Instead of unsubscribing, you can block the email on your side. Yahoo and Gmail have gone to great lengths to allow a user to block specific messages. Configuring spam filters and blocking rules is easier than it’s ever been. If you use Outlook, you can flag specific senders or content with rules. Email rules allow for a wide range of actions from moving wanted emails to specific folders, to blocking and deleting unwanted emails before the user even gets a chance to see them.
As briefly mentioned above, scanners are a very efficient way to keep your office protected. There are plenty of companies providing this service, with offerings ranging from email-specific tools to part of a greater security suite overall. How your office approaches this is something we’d be happy to discuss, but there are things to think about when choosing a provider. You want to avoid redundancies when possible, so getting anti-virus with your email scanner might not be a good idea if you already have anti-virus. It hurts your system performance and could cause odd behaviors.
There is a period of configuration as well, especially if your office handles attachments frequently. Truthfully, any good scanner will need some sort of learning curve to be highly effective. Few things work perfectly _and_ effectively right out of the box.
We’ve written 6 blog posts to date. All but one of them talk about passwords in some form or another. As they say, once is an accident, twice is a coincidence, three times is a trend… five or more is a hounding.
Change your password often and create strong ones. This is one of those strange situations where the lack of a notable event is its own reward.
Avoid Public Wi-Fi
In future posts, we’ll delve into the dangers of Public Wi-Fi more, but suffice it to say that unless you’ve taken the steps to ensure strong encryption, or you use a VPN server, Public Wi-Fi is not a safe place for anything sensitive.
Educate your Employees
Crossroads IT will gladly hold a short education session giving your employees a rundown of email best practices. Forming a security-minded business culture is the result of educating staff on how to approach problems they might not otherwise know how to handle.
That said, simply sending internal hot tips and memos provides a less formal (but still effective) experience. Making security a talking point of your business culture is never a bad idea. Making sure that people know how to handle situations can help tremendously.
The Bottom Line
Email is the standard for communication across virtually every platform. It’s ubiquitous for every profession and you’d be hard pressed to find a better way of getting information from one place to another. Still, with any useful medium, you have to be careful and the steps above are a good start.
Encryption, email scanners, and seminars are just a few things Crossroads IT can discuss with your company. Some programs are better than others. Some services fit your company more fully and require different levels of management. We’re always happy to consult to find the best fit for your needs. Contact us anytime.
Part three of our series will drop next week. We’ll be discussing Secure File Storage. Keep information yours.
* – Scanners are usually baked into webmail providers and require no real interaction. Gmail, Hotmail, and Yahoo will often have something in the footer saying the email was scanned with some service. Webmail providers offer this service because it happens to benefit them too. If you use Outlook or Thunderbird with a domain email (e.g. email@example.com), Microsoft and Mozilla may provide a base level of protection, but using a scanner might be a good idea. There’s no self-preserving investment from those companies.
** – Worth noting here that the European Union has implemented the General Data Protection Regulation (GDPR). GDPR is an incredibly strict set of compliance requirements regarding personal information security. The US has been relatively hesitant to enforce anything close to it outside of HIPAA regulations. Much of this has to do with the fact that the data protections companies have already established would instantly be in violation on day one. It’s a tough economic sell and, of course, lobbyists are still a thing.
Copyright © 2018-2019 - Crossroads IT, L.L.C.