9 email security best practices

January 21, 2020

Here at Graphus, we see a wide variety of email configurations; almost every organization is set up differently. We are regularly asked for advice on improving email security, so we put together our top recommendations.

(1) Use a reliable email service provider – like G Suite or Office 365

If you aren’t already using a cloud email provider such as G Suite or Office 365, migrating to one is a smart decision. It is often cost effective, and these providers keep their mail infrastructure patched and protected with current security controls, something most companies running their own mail servers don’t (or can’t) do consistently. This doesn’t mean cloud email is completely secure; if it were, there would be no need for applications like Graphus. But moving from self-hosted, on-premises email to a cloud email provider generally improves your email security posture.

(2) Use Strong Passwords

While this seems like an obvious suggestion, Preempt reports that 35% of people use weak passwords and 65% use passwords that can be cracked. Broken down by company size, 20% of users at medium-sized businesses and 37% of users at small businesses use weak passwords.

(3) Use Multi-Factor Authentication

Enabling multi-factor authentication (MFA) for your email is always a good idea: a guessed, phished, or leaked password alone no longer gives an attacker access to the mailbox. If you are using Office 365, here is how to set up MFA. If you are using G Suite, here is how to set up 2-step verification for your domain.

(4) Use Encryption

Email encryption is the process of encrypting email messages so that their content cannot be read by anyone other than the intended recipients. Tony Bradley points out, “Encrypting your email will keep all but the most dedicated hackers from intercepting and reading your private communications.”

Here is more information about email encryption for Office 365. And here is information about message encryption with G Suite.

(5) Enable DMARC

In a previous post we explained what DMARC is and why, on its own, it is not enough to protect your organization from attacks. That is still true, but publishing a DMARC policy remains an important part of email security best practices: with SPF and DKIM in place, a p=reject policy tells receiving mail servers to refuse messages that spoof your domain, and the aggregate reports show you who is attempting it.
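As an added example (not code from this post or from Graphus), the script below parses a DMARC TXT record and flags the settings that quietly weaken it: a monitoring-only policy, a partial pct=, a laxer subdomain policy, or no reporting address. The record strings are constructed samples; in practice you would look up the TXT record at _dmarc.yourdomain and pass the string to assess_dmarc().

```python
"""Parse a DMARC TXT record and flag weak settings.

Added example, not code from the Graphus post. The record strings used with
this module are constructed samples; in practice you would query the TXT
record published at _dmarc.<yourdomain> and feed the string to assess_dmarc().
"""


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # skip empty trailing segments and junk
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return a list of findings; an empty list means no weaknesses were found."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (v=DMARC1 tag missing)"]

    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("required p= tag is missing; receivers will ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofs to junk; p=reject blocks them outright")
    elif policy != "reject":
        findings.append("unknown policy value p=" + policy)

    # sp= overrides p= for subdomains; a weaker subdomain policy is a common gap.
    sub = tags.get("sp")
    if sub is not None and sub != policy:
        findings.append("subdomain policy sp=%s differs from p=%s" % (sub, policy))

    # pct= defaults to 100; anything lower leaves a slice of spoofed mail unhandled.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append("pct=%s: policy applies to only that share of failing mail" % pct)

    # Without rua= you get no aggregate reports and cannot see who is spoofing you.
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be delivered")
    return findings


if __name__ == "__main__":
    # Constructed sample records: one weak, one strong.
    for sample in ("v=DMARC1; p=none",
                   "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"):
        print(sample, "->", assess_dmarc(sample) or ["ok"])
```

A record with p=none is the normal starting point while you collect reports and fix legitimate senders that fail SPF or DKIM alignment; the goal is to move to p=quarantine and then p=reject at pct=100 once the reports are clean.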

(6) Carefully examine sender name and address

An email sender is displayed as a friendly name followed by the actual address, in the form “John Doe” <address>. Cyber criminals often use a name you trust together with an address that does not belong to that person, for example “Trusted Name” followed by an address at a domain the trusted person never writes from. We recognize the trusted name without noticing that the address is not the one that person actually uses. There are many variations of this kind of spoofing, including lookalike domains, subtle misspellings, and a fake address placed inside the display name itself, and all of them rely on you not examining the name, the address, and the spelling carefully. Examine both the display name and the full address of every email you respond to.
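The checks described above can be automated on the raw From header. The following is an added example, not code from this post or from Graphus; the contact list, the trusted domain example.com, and the sample headers are constructed placeholders. It catches a known display name paired with a foreign address, an address smuggled into the display name, non-ASCII (homoglyph) domains, a trusted domain embedded in an attacker's domain (example.com.evil.net), and typo-squats within two edits of a trusted domain.

```python
"""Spot display-name spoofing and lookalike sender domains in a From header.

Added example, not code from the Graphus post. The contact list, trusted
domain and sample headers are constructed for illustration; replace them
with your own directory data.
"""
from email.utils import parseaddr

# Constructed sample data: display names we know, mapped to the addresses they
# really send from, plus the domains our organization treats as trusted.
KNOWN_CONTACTS = {"john doe": {"john.doe@example.com"}}
TRUSTED_DOMAINS = {"example.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squatted domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list:
    """Return a list of findings for a raw From header value ([] = nothing suspicious)."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ["From header has no parseable address"]
    domain = addr.rsplit("@", 1)[1]
    findings = []

    # 1. The display name is a known contact, but the address is not one of theirs.
    key = " ".join(name.lower().split())
    if key in KNOWN_CONTACTS and addr not in KNOWN_CONTACTS[key]:
        findings.append("display name '%s' is a known contact but %s is not their address"
                        % (name, addr))

    # 2. The display name itself looks like an email address that differs from the real one.
    if "@" in name and name.strip().lower() != addr:
        findings.append("display name shows '%s' but mail is actually from %s" % (name, addr))

    # 3. Non-ASCII characters in the domain: possible homoglyph attack.
    if any(ord(c) > 127 for c in domain):
        findings.append("domain %s contains non-ASCII characters (possible homoglyph)" % domain)

    # 4. Domain is not ours: check for embedding (example.com.evil.net) and typo-squats.
    trusted = any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)
    if not trusted:
        for t in TRUSTED_DOMAINS:
            if t in domain:
                findings.append("domain %s contains trusted domain %s but is not under it"
                                % (domain, t))
            elif edit_distance(domain, t) <= 2:
                findings.append("domain %s is a lookalike of trusted domain %s" % (domain, t))
    return findings


if __name__ == "__main__":
    # Constructed sample headers, from benign to increasingly sneaky.
    for header in ('"John Doe" <john.doe@example.com>',
                   'John Doe <john.doe@gmail.com>',
                   '"John Doe" <john.doe@examp1e.com>',
                   '"john.doe@example.com" <attacker@evil.net>',
                   'IT Support <helpdesk@example.com.evil.net>'):
        print(header, "->", check_sender(header) or ["ok"])
```

The edit-distance threshold of two is deliberately loose; on a real contact directory you would tune it against your own domain length, since very short domains produce false positives at that distance.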

(7) If the email is unexpected – check with the sender offline

If the email content, or the email itself, is unexpected, check with the sender offline, and don’t click any links or open any attachments in the meantime. Don’t verify by replying to the email, because the reply may go to the impostor (the Reply-To address can differ from the visible sender). Instead, send a new email to the address you already have on file and reference the content of the message you want to verify. Better still, if you have their phone number, call them.

(8) Hover over links before clicking

Before clicking a link, hover over it to reveal its actual destination; most browsers and mail clients show it in the bottom left corner of the window. The visible link text can say one thing while the underlying URL points somewhere else entirely. If the URL isn’t one you recognize or believe to be legitimate, don’t click it! You can also copy and paste the URL into a free service such as VirusTotal to check whether it is known to be malicious. This catches roughly 80% of the bad links, but a freshly set up zero-day phishing site may not be identified yet.
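What hovering shows you by hand can also be checked in bulk over an HTML email body. The following is an added example (not code from this post or from Graphus): it extracts every anchor, compares the hostname in the visible link text with the hostname the browser would actually contact, and additionally flags two classic URL tricks, a fake domain placed before an @ sign and a bare IP address as destination. The HTML snippet is a constructed sample phishing body and its hostnames are placeholders.

```python
"""Compare the visible text of links in an HTML email with their real targets.

Added example, not code from the Graphus post. SAMPLE_EMAIL is a constructed
phishing body; the hostnames in it are placeholders.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname a browser would actually connect to for this URL or URL-like text."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """True if the link's visible text is itself a URL or bare hostname."""
    t = text.lower()
    return "://" in t or bool(re.match(r"^(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$", t))


def audit_links(html: str) -> list:
    """Return (href, finding) pairs; an empty list means nothing suspicious."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = host_of(href)
        # Trick 1: userinfo before '@' makes the URL look like a trusted site.
        if parsed.username:
            findings.append((href, "text before '@' is ignored; browser goes to %s" % host))
        # Trick 2: raw IP address instead of a domain name.
        try:
            ipaddress.ip_address(host)
            findings.append((href, "destination is a bare IP address"))
        except ValueError:
            pass
        # Trick 3: visible URL text that points somewhere else.
        if looks_like_url(text) and host_of(text) != host:
            findings.append((href, "visible text says %s but link goes to %s"
                             % (host_of(text), host)))
    return findings


# Constructed sample phishing body (placeholder hostnames).
SAMPLE_EMAIL = """
<p>Your password expires today. Reset it here:
<a href="https://login.example.com.evil.net/reset">https://login.example.com/reset</a></p>
<p>Need help? Visit our <a href="https://example.com/help">Help center</a>.</p>
<p><a href="http://example.com@203.0.113.5/">http://example.com/</a></p>
"""

if __name__ == "__main__":
    for href, finding in audit_links(SAMPLE_EMAIL):
        print(href, "->", finding)
```

Links whose visible text is a plain phrase (“Help center”) are not flagged by the mismatch rule, because there is nothing to compare; those are exactly the links where hovering, or a reputation lookup on the real href, still has to be done by hand.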

(9) Deploy additional security on top of your email service provider

The eight suggestions above can certainly improve your email security posture, but gaps remain. We are also human: we get tired and forgetful, and attackers take advantage of that. Third-party applications such as Graphus can provide that extra layer of security and peace of mind.
