When we think of people trying to hack into computer systems, it often conjures up images of Hollywood-style spies and espionage. The reality, of course, is more prosaic: teams of people with little or no respect for the law, and with little chance of being detected or prosecuted, sending out emails by the million to people like you and me. When they strike lucky, it’s often because of a coincidence of factors that prove very unlucky for the victim.
Tales are rife about the ways in which people become victims. It could be unfortunate timing: someone who happens to be changing supplier receives an email that appears to be from their new supplier, and they click on an attachment. Bingo. Or it could be a relatively new employee, working for a company with poor financial approval processes, who accepts emailed instructions from their new manager to transfer funds to a supplier. Except that the instructions aren’t from their manager and the bank account doesn’t belong to the supplier.
The consequences of these mistakes for people and businesses can be dire. Businesses have mistakenly transferred huge sums of money to the wrong bank account, never to be seen again. Organisations, big and small, have ground to a halt because their data has been encrypted and they found themselves facing huge ransom demands from criminals. And reputations have been damaged when yet more malicious spam is sent from someone’s hijacked mailbox to all their customers, suppliers and personal contacts.
There is also a serious impact on the staff member who falls victim to these email-borne attacks. Their lack of training, poor company processes or routine pressure from managers to bypass controls amounts to a breach of an employer’s duty of care. And if you are a company director or one of those managers, be aware that you may be at even greater risk. You are a high-value target, well-known and well-connected, with access to lots of high-value company data. On top of that, you are almost certainly very busy, trying to clear as many emails as possible as quickly as possible.
How do you provide everyone in your business with the necessary level of protection against email attacks? Just as it takes a combination of factors for an attack to succeed, it requires a combination of layers of protection to provide an effective defence.
Almost every email service, including Microsoft 365’s Exchange email, has optional mail-filtering services. These are essential for basic protection. At a level above this are services from third-party providers who specialise in email protection. The benefit of these services is that they deliver a higher level of threat protection and additional layers of protective services; a third-party provider also means you don’t have all your security eggs in one basket. Crucial stats here are the false negatives (the malicious emails that get through) and the false positives (good emails that get blocked accidentally). It is the false positives that cause frustration, when you have to search through spam boxes for a customer email you missed several days ago.
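The two figures above only mean something once you measure them against mail you have actually reviewed. The script below is an added example, not Riverbank’s code or part of any email protection product: it takes a constructed set of filter verdicts that have been hand-labelled as malicious or legitimate, works out the false-negative and false-positive rates, and lists any quarantined messages from known customer or supplier domains so they can be released before they are lost. The message ids, sender addresses, domains and the `KNOWN_SENDER_DOMAINS` allowlist are all made up for the illustration.

```python
"""Score a mail filter's verdicts against hand-labelled messages.

Added example (not Riverbank's code or product). The sample data below is
constructed for the illustration; a real review would export the filter's
quarantine and delivered-mail logs for the same period.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    message_id: str
    sender: str
    label: str     # ground truth from manual review: "malicious" or "legitimate"
    blocked: bool  # what the filter actually did with the message


# Constructed sample: a small batch of reviewed mail, not real traffic.
SAMPLE = [
    Verdict("m1", "invoices@customer-a.example", "legitimate", False),
    Verdict("m2", "billing@customer-b.example", "legitimate", True),    # false positive
    Verdict("m3", "ceo-urgent@lookalike.example", "malicious", False),  # false negative
    Verdict("m4", "noreply@phish.example", "malicious", True),
    Verdict("m5", "orders@customer-a.example", "legitimate", True),     # false positive
    Verdict("m6", "hr@customer-c.example", "legitimate", False),
    Verdict("m7", "delivery@phish.example", "malicious", True),
]

# Hypothetical allowlist of domains the business regularly deals with.
KNOWN_SENDER_DOMAINS = {"customer-a.example", "customer-b.example", "customer-c.example"}


def score(verdicts):
    """Return false-negative/false-positive counts and rates.

    The false-negative rate is over malicious mail only (how much got through);
    the false-positive rate is over legitimate mail only (how much was wrongly blocked).
    """
    malicious = [v for v in verdicts if v.label == "malicious"]
    legitimate = [v for v in verdicts if v.label == "legitimate"]
    fn = sum(1 for v in malicious if not v.blocked)
    fp = sum(1 for v in legitimate if v.blocked)
    return {
        "false_negatives": fn,
        "false_positives": fp,
        "fn_rate": fn / len(malicious) if malicious else 0.0,
        "fp_rate": fp / len(legitimate) if legitimate else 0.0,
    }


def quarantined_known_senders(verdicts, known_domains):
    """Ids of blocked messages whose sender domain is a known contact.

    These are the ones worth checking in the quarantine promptly, before a
    customer email sits unread for days.
    """
    hits = []
    for v in verdicts:
        domain = v.sender.rsplit("@", 1)[-1].lower()
        if v.blocked and domain in known_domains:
            hits.append(v.message_id)
    return hits


if __name__ == "__main__":
    print(score(SAMPLE))
    print("Check quarantine for:", quarantined_known_senders(SAMPLE, KNOWN_SENDER_DOMAINS))
```

Run the same scoring on each review period and the two rates become the trend you compare providers or settings against; a filter tuned until its false-negative rate is near zero will usually push the false-positive list up, which is exactly the trade-off the quarantine check is there to catch.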
When choosing an email protection service, check that the layers of protection suit the needs of your business. Some provide analysis and testing of email attachments, whilst others might check every internet link in every email. You might want a service that will report on suspicious patterns in your email or the latest threats to beware of. Educational material for your staff can help to build your ‘human firewall’, transforming your people from unwitting victims into informed and knowledgeable assets in the fight against the organised crime that is trying to hijack or defraud your business.
To summarise, here is an email protection checklist for any business:
- Choose a reliable business-level email service.
- Get a great email hygiene service from a company that specialises in email protection.
- Add layers of additional protection to match the risk level in your business.
- Educate your staff so they contribute to your protection, not your risk.
- Stay up to date. Review your protection periodically to keep up with changing threats, or make sure your IT provider is advising you on the changing threat landscape.
You can find out more about Riverbank’s Email Protect service on the Riverbank web site. If you would like to speak to a member of the Riverbank team about email protection, call 01235 426700 or email firstname.lastname@example.org.