The quick transition to a remote work situation triggered by COVID-19 forced companies to scramble to support a larger distributed workforce, and this created new email security risks. It was the optimal opportunity for cybercriminals to attack improperly secured remote work connections and technologies. As a result, many organizations’ cybersecurity defenses have been vulnerable and exposed to breaches.
According to research, American employees will receive an average of 126 emails per day. Cybercriminals like to use email to conduct phishing scams, which means that somebody tricks a user into giving their personal and sensitive information away. Some phishing scams contain malware, and 94% of malware is delivered via email, while 32% of breaches involve phishing.
Fast Facts About Email Security Risks
- APWG’s Phishing Activity Trends Report for Q1 2020 reported that phishing attacks increased in prevalence to a level that hasn’t been reached since 2016. Over 60,000 phishing sites have been reported since March alone.
- Cofense’s Q1 2020 Phishing Review discovered that keyloggers and information stealers are becoming the more popular tools for phishing. Compare this to last year, when just about 74 percent of phishing attacks involved credential phishing – stealing passwords and usernames.
- Verizon’s 2020 Data Breach Investigation Report reported that phishing is one of the top threats in data breaches, with 22 percent of breaches involving phishing.
So how can you guard your fully remote company against phishing attacks? Don’t delay in testing and training your workers on cybersecurity matters.
6 Essential Steps To Take To Protect Remote Employees From Email Security Risks
If your employees are working from home, they’re probably relying on their home network or a coffee shop’s WiFi to access private company data and documents. Don’t let them get into bad habits and punch holes in security, putting your organization’s data, security, and reputation at risk. Let’s go over the six essential steps to take to discourage email security risks and set up your remote team for success.
1. Install Security Software
If your employees are using company-issued laptops and devices, you hopefully have already installed the necessary security software. However, many employees may be using their own devices, so they’ll need to know how to install the right endpoint security software.
Create a wiki or knowledge base article about the types of software your employees need to install and include instructions for Mac and PC. Better yet, make this process a part of your onboarding flow for your remote workers and contractors.
We recommend using Malwarebytes, which is available for all iOS, Android, Mac, and Windows devices. This software promotes privacy through proactive technology that fends off ransomware, malware, scams, and more.
2. Use the Cloud
Ensure your employees have access to cloud storage and implement two-factor authentication (2FA) to secure it further. 2FA adds an extra level of security by requiring a verification step through a third-party app like Google Authenticator.
Also, choose software that permits sharing and editing documents in the cloud, which adds more security and discourages cybercriminals from sneaking in.
Consider training your employees on how to set permissions on Google Docs. Ensure they know how to set individual document settings to prevent outside users from copying or downloading a file. Show them all the settings and how to access and use them, especially if they’re giving third parties access to your organization’s Drive.
3. Secure Devices Against Public Wi-Fi
If your remote employees are working from their local coffee shop or coworking space, your company’s private information is being exposed to huge security risks. You can counteract these risks by enforcing the use of a VPN such as Encrypt.me. A VPN is a tool that makes your connection private when you’re using a public network and provides an essential layer of protection between your device and the internet at large.
4. Set Up Virtual Networks
Consider setting up a secure virtual network for remote workers to access and log into the company system. This protects not only your employees but also your company environment at large. Better yet, move your entire operation onto a secure cloud solution.
Remote teams can often be found sending passwords back and forth through email, Slack, or Zoom. This leaves your company open to data breaches and could lead to a security disaster.
The most secure way to manage company passwords is through a password manager such as 1Password or LastPass. Your workers should also know that complicated, longer passwords are safer, and password creation strategies should be included in your security awareness training.
6. Check-In And Create Reference Materials Highlighting Email Security Risks
If you have remote employees, make sure your wiki or knowledge base is up to date so they can reference those materials at any time. Give them the information they need to answer their own security-related questions!
Deliver morsels of cybersecurity knowledge on a regular basis so its importance stays top of mind. Now let’s dive into how to get your cybersecurity communication on the right track.
Get Your Cybersecurity Communication Right
Cybersecurity communication starts with your messaging. Employees need to understand why cybersecurity is so essential right now, what to watch out for, and what actions they need to take to keep safe.
Start by informing them of the reasons cybersecurity is extra critical while working from home. Since employees are conducting work on their personal Wi-Fi networks, their devices may not be as protected as they would be on an office connection. Plus, there’s evidence that phishing attempts greatly increase during times of crisis.
Educating employees about the types of cyberattacks to look out for such as malware, ransomware, phishing, and malicious websites is crucial. They also need to know best practices that will help keep important company information and their devices safe. Include routine security practices in your communication for common topics like email safety, password security, VPN usage, network security, and personal device policies.
No one wants to be responsible for an accidental security breach, but many people think they’re tech-savvy enough to avoid cyberattacks. Cybercriminals, however, are getting smarter and more cunning. Emphasize that threats are constantly evolving to be more complex and that everyone should stay vigilant.
Diversify Your Messaging Plan
Once you’ve figured out the cybersecurity topics you’d like to cover, you need a solid strategy for communicating them. Sending a general email with your cybersecurity policies attached likely won’t get the attention of your remote workers.
- Emails may be the easiest method for communicating with a distributed group. Just be sure to avoid the “one and done” approach. Consider starting a regular newsletter or a series of training emails. For example, you could whip up a video series covering important tips. The format you use to communicate matters a great deal, and short pieces of content in a variety of mediums may be compelling. Don’t have time to get this done? Outsource your cybersecurity content by signing up for a security awareness service.
- Additionally, you could send regular phishing tests to your employees. For example, at HP, workers are told to send any emails that look suspicious to the IT department. In turn, HP randomly sends emails that look like phishing to test their team. When an employee forwards a phishing email to IT, they will get a response back stating whether the email was a test or not. This method can teach employees to stay vigilant when dealing with suspicious emails and also illustrate what attacks actually look like.
- You may consider formal trainings covering security topics. During these sessions, you could show real-life examples of cyberattacks to drive home your point. You could also share success stories of employees who alerted IT of sketchy emails. Feel free to get as interactive as you’d like and use quizzes to test knowledge. A hands-on approach is often more effective than reading off a list of dos and don’ts.
Once cybersecurity trainings have been distributed, make it easy for employees to reference the material in the future. Create a central repository for all cybersecurity information so employees can review policies and search for answers.
Email Security Risks and Phishing Projections For 2020 And Beyond
Like we said earlier, phishing attempts spike way up in times of crisis, just like we’re experiencing now. Based on statistics from the previous year, we can expect to see key trends as we move through the rest of 2020 and beyond:
- Attacks will advance in sophistication. According to Kaspersky, as organizations catch up with fixing security flaws, cybercriminals will be more limited in malware delivery methods. But this doesn’t necessarily suggest we will see a decline in the prevalence of attacks. Rather, less complex schemes will be replaced. Attackers will find new and innovative ways to bypass filtering measures and detection.
- There will be a heightened focus on social engineering. Kaspersky predicts that “the focus on social engineering will increase as other types of attacks become more difficult to carry out.” With many exploit opportunities closing down, cybercriminals may be forced to pay attention to the human element of phishing. Even with improved training and education, people will need to stay vigilant so as not to be the weak link in security measures.
Now that you’ve learned why cybersecurity training is so important to mitigate email security risks, check out Why You Need a Classified Email Address.