Here we are, after decades of security enhancements, blinky boxes, and hundreds of hours of security awareness training, and companies still get compromised through email. My movement to drive everyone back to using pine, mutt, and elm for email has failed miserably, so here are my next-best recommendations:
- Strongly consider not doing email, or at least email filtering, on your own. I don’t advocate for particular technology vendors, but most of the big names, Proofpoint among them, have mail filtering that an in-house team is just not going to match. Save your efforts for the security programs that are unique to your organization. Email is a commodity service these days.
- Prepend the tag “[external]” to the subject line of incoming email from the Internet to serve as a visual cue for employees. Base the decision on where the message arrived (the Internet-facing listener), not on the From: header, which an attacker fills in freely: a message from outside that claims an internal sender should still get the tag. Tag once, so that reply threads don’t accumulate a string of them. It’s not foolproof, particularly in the context of business email compromise, where malicious email originates from a legitimate internal mailbox and so carries no tag, but it can help and gives some fodder for awareness training.
- If you do use a service, such as Proofpoint, that rewrites URLs in email and/or adds the “[external]” tag, be wary of the way in which you run phishing simulation exercises. If the simulation emails appear to come from outside the organization but do not have the “[external]” tag, or do not have their URLs rewritten the way every other external email does, employees will quickly learn to identify the simulations by those characteristics rather than by the ones you want them to observe. If the simulation vendor asks you to allowlist its sending addresses, allowlist them past the spam verdict only, and let the tag and the URL rewriting apply exactly as they would to any other external message.
- Tailor awareness training by role. If someone has a job that requires them to open attachments from strangers, as is the case with recruiters, don’t give them training that tells them never to open such attachments. At best, it’s confusing. Rather, provide guidance on the proper means for each role in the organization to do its job safely, such as opening unsolicited attachments only in an isolated viewer or sandbox.
- Be aware that every hacker and her dog is trying to get into your organization’s email and act accordingly. Require two-factor authentication for mail access, particularly for any cloud-based mail that is reachable straight from the Internet. Then check the back doors: legacy protocols such as IMAP, POP3, and SMTP AUTH with basic authentication don’t support a second factor, and leaving them enabled lets password spraying walk right past the MFA you put on the web client. Disable them, or restrict them to clients that authenticate some other way.
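The tagging and simulation points above, worked through as an added example (this is not code from the original post, and the inspection endpoint, domains, and sample messages are constructed placeholders, not real services or traffic). It applies the gateway policy on the delivery path rather than the From: header, tags a thread only once, rewrites URLs, and then runs a simulated phish through the same path and through an allowlist bypass, auditing each for the cues a recipient would notice:

```python
"""Gateway policy for external mail: tag the subject and rewrite URLs, and run
phishing simulations through the same path so they carry the same cues."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default as default_policy
from urllib.parse import quote

TAG = "[external]"
# Assumed click-time inspection endpoint (placeholder name, not a real service).
REWRITE_PREFIX = "https://urldefense.example.net/v1?u="
URL_RE = re.compile(r"https?://[^\s<>\"'()]+")


def tag_subject(subject: str) -> str:
    """Prepend TAG once; replies within an already tagged thread keep one tag."""
    if TAG.lower() in subject.lower():
        return subject
    return f"{TAG} {subject}".strip()


def rewrite_urls(text: str) -> str:
    """Wrap every plain URL in the inspection prefix; leave already wrapped ones."""
    def wrap(match):
        url = match.group(0)
        if url.startswith(REWRITE_PREFIX):
            return url
        return REWRITE_PREFIX + quote(url, safe="")
    return URL_RE.sub(wrap, text)


def process_inbound(raw: str, from_internet: bool) -> EmailMessage:
    """Apply the policy to one message as the gateway would.

    The decision key is the delivery path (did it arrive on the Internet-facing
    listener?), never the From: header, which an attacker fills in freely.
    Mail relayed from an internal mailbox passes untouched, which is exactly
    the gap a compromised internal account (BEC) exploits.
    """
    msg = message_from_string(raw, policy=default_policy)
    if not from_internet:
        return msg
    subject = msg.get("Subject", "")
    del msg["Subject"]
    msg["Subject"] = tag_subject(subject)
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            part.set_content(rewrite_urls(part.get_content()))
    return msg


def audit_as_recipient(msg: EmailMessage) -> list:
    """The cues an employee can check on a message that claims to be external.

    A simulation that was allowlisted around the filter fails this audit, and
    employees will learn to spot simulations by exactly these gaps.
    """
    findings = []
    if TAG.lower() not in str(msg.get("Subject", "")).lower():
        findings.append("missing external tag")
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            for url in URL_RE.findall(part.get_content()):
                if not url.startswith(REWRITE_PREFIX):
                    findings.append(f"unrewritten URL: {url}")
    return findings


# Constructed samples; the domains are placeholders, not real senders.
PHISH = """From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Password expires today

Reset it here: https://example-com-login.invalid/reset
"""

SIMULATION = """From: "Payroll" <payroll@sim-vendor.invalid>
To: alice@example.com
Subject: Updated pay schedule

Review: https://sim-vendor.invalid/track/ab12
"""

INTERNAL = """From: bob@example.com
To: alice@example.com
Subject: Invoice for approval

Approve at https://erp.example.com/invoices/4471 when you get a chance.
"""

if __name__ == "__main__":
    # Spoofed internal From: still arrives from the Internet, so it gets tagged.
    print(process_inbound(PHISH, from_internet=True)["Subject"])
    # Simulation allowlisted around the filter: recipients see the giveaways.
    print(audit_as_recipient(process_inbound(SIMULATION, from_internet=False)))
    # Same simulation through the normal path: indistinguishable from real mail.
    print(audit_as_recipient(process_inbound(SIMULATION, from_internet=True)))
    # Mail from a compromised internal mailbox: no tag, the BEC caveat.
    print(process_inbound(INTERNAL, from_internet=False)["Subject"])
```

The `from_internet` flag stands in for whatever your gateway knows about the connection (which listener, which relay, the SPF/DKIM-verified path); the point is that the tag is never derived from a header the sender controls. The `INTERNAL` case is the BEC caveat from the tagging bullet: mail sent from a compromised internal mailbox carries no tag, so the tag is a cue, not a verdict.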