Business email security is, without doubt, one of the most vital investments you can make to better secure your organization against cyberattacks. And it’s easy to see why.
Think about it. If you were launching a cyberattack, you’d look for a method that was low cost, low complexity, and offered a high chance of success. And, for cybercriminals, attacking vulnerable business email accounts can provide these three things on a platter.
In fact, an estimated 96% of social engineering attacks are delivered by email for this very reason. And with the tools needed to launch a successful email attack available for bargain prices on the Dark Web, it’s easy to see the attraction for criminals.
So, what does this mean for businesses? It’s estimated that by 2025, 376.4 billion emails will be sent worldwide, daily. That’s almost fifty times the world’s population in emails, every single day. So, identifying malicious emails in this sea of noise is more vital to organizations and individuals than ever, especially at a time when businesses are increasingly relying on online communications.
We’ve put together a list of the top six ways you can secure your business email. From implementing more robust technologies, to training staff and backing up cloud data, we’ll take you through each of our tips so you can identify the methods to secure your business email that will work best for your organization.
1. Implement A Secure Email Gateway
We always say that prevention is the best defense—and this rings especially true when it comes to Secure Email Gateways (SEG). An SEG is the backbone of any great email security defense, and works by filtering and blocking unwanted or harmful emails from entering an organization’s server, while also monitoring outbound emails for damaging information that could lead to data loss.
Think of an SEG as a security guard working at the gates of a secure facility—or, your organization’s email server. When an email attempts to pass through the gates, the SEG will halt it to check its domain and analyze its content. If an email is deemed safe, the SEG will open the gate and let it through and onto the email server. If it’s classed unsafe, the SEG will instead block or quarantine the email, ensuring the gate remains firmly closed. This means that potentially harmful content is identified and blocked before it can be delivered—this is why SEGs are classed as pre-delivery protection.
For inbound emails, an SEG blocks harmful or unwanted content, including spam, graymail, viruses, malware, denial of service attacks, and phishing attacks. For outbound emails, it blocks sensitive information that could lead to data loss or compliance issues.
Additional features include:
- Email encryption for outbound emails
- Email archiving to comply with data compliance laws
- Granular controls for admins and reporting
- Business continuity to ensure email access in the event of an email client failure
- Cloud, on-premises, and hybrid deployment
To find the right SEG for your business, take a look at our guide to the top secure email gateways.
However, while SEGs can block spam, malware, and more traditional phishing attempts, more sophisticated attacks such as spear phishing and business email compromise can often slip past the guard and through the gates. It’s for this reason that alongside pre-delivery protection, we advise you should invest in post-delivery protection too.
Which brings us on nicely to our next tip.
2. Post-Delivery Protection
Post-delivery protection (PDP) platforms work by automatically detecting and remediating malicious emails that make it onto an organization’s email server. If the SEG is the security guard at the gate, the PDP is the guard on-site checking that all those who made it through the gate are authorized and safe to be there.
PDP platforms often include anti-virus and malware detection and sandboxing, and use machine learning systems to scan email content in real time to protect against advanced threats such as spear phishing and business email compromise.
Key features include:
- Automatic deletion of detected threats
- Automatic email quarantine based on AI, machine learning, and reports from users at other organizations
- Warning banners for users on suspected malicious emails
- Granular controls for admins
Machine learning capabilities also mean that PDP platforms can check internal communications, analyzing and growing familiar with each employee’s habits, patterns, and conversation style. This enables the platform to spot anomalies in these behaviors and block, for example, spear-phishing or business email compromise attempts.
For maximum protection, we recommend that you take a multi-layered approach to your email security and implement both an SEG and a PDP platform. To find the right platform for your business, take a look at our guide to the top cloud email security solutions.
3. Security Awareness Training
When it comes to cyberthreats, knowing what you’re up against is half the battle. And something that’s often overlooked by organizations is ensuring that their employees know how to respond to a threat that’s bypassed their security technologies.
Security Awareness Training (SAT) helps turn employees into human threat detectors, equipping them with the tools and knowledge necessary to defend their organizations against a targeted attack. Because, after all, once an email has bypassed threat detection technology your employees are often all that’s standing between a breach and business as usual.
There are three aspects to any robust SAT solution:
- Training Content: Depending on the vendor, these can be online portals providing engaging training videos, interactive games, and quizzes. These are aimed at educating employees on security best practices, and topics often include email security, password management, social engineering attacks, and more.
- Phishing Simulations: Many solutions enable organizations to send simulated phishing emails to employees to familiarize them with the content and tactics that cybercriminals might use to trick them into handing over sensitive data, as well as track which employees or departments are most vulnerable to these attacks. Vendors also often offer Outlook plugins that enable employees to report suspected phishing emails, both genuine and simulated. This helps ingrain hesitation and reporting into a user’s muscle memory, encouraging them to stop and think before clicking.
- Analytics And Reporting: Key to understanding user behavior, as well as an organization’s risk level, is having access to robust admin analytics and reporting capabilities. Using these reports, admins can identify users that might need further training, and areas of weakness across their organization.
Many email security vendors offer SAT to complement their platforms and admin controls, but it can also be purchased standalone from dedicated vendors.
For training to be effective, we recommend that you implement SAT as an ongoing process across all levels of employees, ideally via monthly microlearning and phishing simulations. To find out more about the top solutions for your organization, take a look at our guides to the top security awareness training platforms and the top phishing simulation and testing platforms.
4. Backup Office 365 In Case Of Ransomware
If you lost all of your data today, how severely would this impact your organization? Of course, there are a plethora of disadvantages to cybercriminals getting their hands on your data and holding it hostage, but a large one for many organizations is the inability to function without access to that crucial data.
A common misconception about Office 365 is that it backs up organizations’ data for them. In fact, it doesn’t, or at least not to the level that many organizations require. It’s estimated that 60% of sensitive data is stored in Office documents, and 75% of that isn’t backed up. Additionally, Microsoft frequently clarifies that users are responsible for controlling and protecting their data, and in its services agreement recommends that users regularly back up their content and data using third-party apps and services.
Using a robust Office 365 backup and recovery solution, you can quickly and easily implement automatic backups of your data that run in the background without impacting day-to-day operations. These solutions are often flexible, enabling organizations to retain email and other data for periods of time that suit them, to meet compliance standards, and to recover data in the event of a ransomware attack.
To discover the best solution for your organization, check out our guide to the top Office 365 backup and recovery solutions.
5. Multi-Factor Authentication
So, what happens when a cybercriminal learns an employee’s email password? With the biggest password leak of all time having happened in 2021, and password-related attacks growing increasingly common, passwords are perhaps more vulnerable than ever—which means that organizations are more vulnerable than ever.
While undesirable, a breached password doesn’t always have to mean a breached email account. Implementing a strong Multi-Factor Authentication (MFA) solution means that even if a criminal does learn an employee’s password, they’d fail to access their victim’s account without being able to make it past a second or third factor of authentication too.
Types of authentication that can be used alongside passwords include:
- Knowledge Based: Security questions, such as “What was the name of your first pet?”
- Possession Based: Authenticator apps, hardware security tokens, and more.
- Inherence Based: Fingerprint scanners, facial recognition, voice recognition, behavioral patterns, and more.
We recommend that organizations of all sizes invest in an MFA solution and roll this out across all employees—not only to secure access to their email accounts, but all business accounts within the organization. To find the right MFA solution for your business, take a look at the top MFA solutions.
6. DMARC
For users, email spoofing of well-known brands can be notoriously difficult to spot, especially when cybercriminals can send malicious emails using the same email address as a well-known source, such as a bank or utility company.
This is why, in 2012, Domain-Based Message Authentication, Reporting and Conformance (DMARC) was developed to target such attacks. DMARC is an authentication, policy, and reporting standard that enables organizations to verify email domains and senders via a combination of existing authentication techniques: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). DMARC works to block phishing attacks that impersonate an organization’s domain, while also generating reports on senders that are abusing it.
Key features of the DMARC standard include:
- Verifying emails against SPF and DKIM authentication—if an email fails, it fails DMARC authentication
- Enabling receivers to reject unauthenticated messages and providing guidance on how to handle these
- Improving deliverability, as authenticated emails won’t be marked as spam or malware
- Providing reports about emails that both pass and fail DMARC authentication, as well as insights into senders sending emails from their domains
DMARC policies are available to everyone, as they’re published in the public Domain Name System (DNS), and so any organization can implement them. Gartner notes, however, that adoption of DMARC by organizations has been slow, because of the complexity of managing records, the limitations of the standard, and concerns about emails not being delivered.
For this reason, we’d recommend partnering with a dedicated DMARC provider who can help implement the standard across your organization. Some email security solutions may also offer DMARC as part of their service offering. To find out more, take a look at our guide to the top DMARC solutions.
So, there are numerous solutions and technologies you can invest in to better secure your business email.
As a final, overarching piece of advice, we always recommend taking a multi-layered approach that encompasses at least two of the technologies we’ve described throughout this article.
Remember that a secure business email leads to a secure organization, and can be key to your business’s overall health.