IT Focus Area: security
November 12, 2019
Prepare for Error: 5 Best Practices for Email Security
Email is a high-risk threat vector for every organization. Although a perfect email security program may be impossible, there are strategic, actionable steps you can take to elevate your strategy.
User awareness training, understanding how your business uses data, and keeping your finger on the pulse of threat trends are all essential for a strong email security strategy, but is there more you could be doing to effectively handle business growth as well as the inevitable margin of error? To build and scale an effective email security program, you should have practices in place to ensure that you're continually evaluating risks to your organization.
Error-proof your email security program
Here are five best practices to help you error-proof your organization’s email security program:
1. Implement a reporting process for users.
All too often, organizations implement a new email tool without reporting processes in place for the end-users most impacted by the tool. If users can’t report valid business traffic being blocked or malicious traffic coming through unblocked, they are more likely to become frustrated and work around the tool. This leads to business impediments and the tool is eventually taken out of play. Businesses need to invest in user-facing email reporting platforms and processes to reduce risk. These platforms and processes can often be handled directly through the email security tool itself.
Developing the reporting process is important, but educating users on the process is just as imperative. Whether through formal awareness training, response testing, email alerting or other training tactics, it is critical that users know they are empowered. A seemingly perfect reporting process will do very little to benefit your email security program if its key stakeholders—your email users—don’t use it or understand how it benefits them.
2. Monitor metrics and make necessary adjustments.
To maintain your email security program, you must review your metrics and key performance indicators (KPIs) regularly. Think strategically about who should be involved in implementing your security program, and how they should monitor, analyze and determine its effectiveness. While many security programs have reporting that easily integrates email security metrics, identifying who should receive the data and what should be done with it is key.
One rule of thumb is that the data should always be reviewed by a resource with the power to influence change in that area. For example, metrics on the source location of blocked emails may be reviewed by a security analyst who is empowered to block or quarantine all incoming emails from that specific source IP if there is a spike in malicious traffic from that location. At the same time, the total number of tickets reporting phishing emails that users interact with may go to IT management, who can then work with the training department to enhance the organization’s user phishing training or implement a multi-factor authentication initiative.
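As an added illustration of the analyst-side metric described above (not code from the original post or any vendor product), the following script builds a blocked-messages-per-source KPI from constructed gateway log lines and flags a source IP whose blocked count spikes against its own baseline; the log format, field names and thresholds are assumptions.

```python
# Added example (not from the original post or any vendor product); the log
# format, field names and the spike thresholds are assumptions.
from collections import Counter, defaultdict
from datetime import date

# Constructed sample gateway log: "<ISO timestamp> <action> src=<ip> reason=<verdict>"
SAMPLE_LOG = """\
2019-11-11T09:00:01 blocked src=203.0.113.7 reason=malware
2019-11-11T14:30:00 blocked src=203.0.113.7 reason=phish
2019-11-12T08:15:22 blocked src=203.0.113.7 reason=phish
2019-11-12T08:16:05 blocked src=203.0.113.7 reason=phish
2019-11-12T08:17:48 blocked src=203.0.113.7 reason=malware
2019-11-12T08:20:10 blocked src=203.0.113.7 reason=phish
2019-11-12T08:21:33 blocked src=203.0.113.7 reason=phish
2019-11-12T08:22:59 blocked src=203.0.113.7 reason=phish
2019-11-12T08:24:41 blocked src=203.0.113.7 reason=malware
2019-11-12T08:25:00 delivered src=192.0.2.25 reason=clean
2019-11-12T09:00:00 blocked src=198.51.100.9 reason=spam
"""

def parse_log(text):
    """Yield (day, action, src_ip, reason); skip lines that do not fit the format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        day = date.fromisoformat(parts[0][:10])
        yield day, parts[1], fields.get("src"), fields.get("reason")

def blocked_per_source_per_day(text):
    """KPI: blocked messages per source IP, broken down by day."""
    counts = defaultdict(Counter)
    for day, action, src, _ in parse_log(text):
        if action == "blocked" and src:
            counts[src][day] += 1
    return counts

def spike_sources(text, today, factor=3.0, minimum=4):
    """Return {src_ip: today's blocked count} for sources whose count today is at
    least `minimum` and above `factor` x their average on earlier days (assumed)."""
    today = date.fromisoformat(today)
    flagged = {}
    for src, per_day in blocked_per_source_per_day(text).items():
        history = [n for d, n in per_day.items() if d != today]
        baseline = sum(history) / len(history) if history else 0.0  # no history: any count >= minimum
        if per_day[today] >= minimum and per_day[today] > factor * baseline:
            flagged[src] = per_day[today]
    return flagged
```

The flagged dictionary is what a security analyst with authority over the gateway would review before deciding to block or quarantine traffic from that source, as the rule of thumb above suggests.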
Sample list of metrics:
3. Enable reliable cleanup and automation.
Timely cleanup is enabled when controls and automation are in place. Most security orchestration, automation and response (SOAR) vendors have pre-built playbooks that respond to user-submitted messages, perform deeper investigation against free and paid threat intelligence services, and purge harmful messages from inboxes. Many email security vendors now offer a retrospective capability to identify where harmful emails have been delivered so they can be purged from inboxes. As automation becomes more prevalent in your environment, be sure to implement oversight of these processes through your metrics program. This oversight is necessary to catch any idiosyncrasies and identify opportunities for improvement.
4. Take advantage of new features and updates available through your security vendor.
In addition to monitoring, reporting and alerting, stay informed about new and emerging security features available from your vendor. Most email security vendors make promises that their system will offer a “set it and forget it” approach. However, email is the most-used threat vector and requires care, updating and consistent oversight—and security trends and threats are always changing. Once you have an email security program in place, keeping up with new features and updates will ensure continued protection from evolving threats. Not doing so exposes entry points to attackers and makes your organization vulnerable to data loss.
Here are some tips to help keep your email security program up to date:
- Delegate one person to be responsible for proposing new configuration changes to the system as part of their job function.
- Ensure that person has access to information about how the product is evolving (release notes, vendor blogs, etc.).
- Provide your delegated resource with guidance on what they can implement at their discretion versus what needs to be brought to leadership for approval.
5. Incorporate compensating controls.
Setting up additional compensating controls (outside of email filtering itself) can help address incidents as they occur, improving response time and minimizing threat impacts. For instance, many attacks that are initially propagated via email require internet access (callbacks to C2 servers, user downloads or users entering credentials). Having strong controls in place to monitor web traffic, including encrypted (SSL/TLS) traffic, can prevent users from entering credentials in scenarios you designate. Again, multi-factor authentication (MFA) and automated incident response, among other controls, will greatly reduce your risk footprint and ensure that you can quickly respond to threats when an attack does succeed.
Prepare for error with strategy and education
Your people play a pivotal role when you are taking extra precautions outside the parameters of the email security program established with a vendor. Error-proofing your email security program is a tall order, but applying these best practices to your processes can help ensure your program is running as effectively as possible—especially when considering the human element. Shrinking the margin for error as much as possible will not only add an extra layer of security to your email program, but it will also give you peace of mind in the event of a security threat.
From incorporating better metrics monitoring to empowering your users to report suspicious activity, taking the extra steps to apply these best practices can help you avoid errors and breaches in your email security posture—making all the difference for your business.