As we increasingly use mobile devices like iPhones for sending work emails, we must be alert to the mobile security risks that email can pose to organizations and private data.
A recent LinkedIn poll found that 71% of people check their emails as soon as they wake up – either every day, or sometimes. It’s likely that many of the people reading this article will have fallen into this very habit; picking up your phone, still blurry-eyed, to check the notifications you’ve missed overnight.
Notwithstanding the psychological effects of your email being the first thing you see in the morning, our reliance on cell phones for work communication has wider consequences for how well your organization is defended against email security threats.
In the past, email was confined to work devices and company-issued cell phones. But today, with mobile devices ubiquitous, almost all of us are signed into company email accounts on our smartphones, tablets and personal computers.
A survey of 2,000 Americans found that 60% of respondents check their work email on a smartphone, and 14% on desktop. Other studies have found that outside of office hours, work emails are often checked in the evening on weekdays, and in the mornings on weekends, suggesting users are keeping up with work communications from the comfort of their own homes and devices.
Open rates for emails on smartphones vastly outnumber desktop equivalents, with one study finding that 61.9% of email opens happen initially on mobile devices, compared to just 9.8% on desktop.
Using smartphones for work email has some great benefits. It allows us to be more productive, firing off responses to queries and resolving problems quickly as they arise. It means we don’t have to come back to work on Monday with an inbox filled to the brim with emails we’ve not been able to deal with.
But it can also lead to security problems, which may become a significant challenge for both end-users and IT teams to deal with as using personal smartphones for email communications becomes ever more common. In this article, we’ll cover some of the security risks that can arise from using personal smartphone devices for emails, and some of the steps organizations can take to protect their users.
What are the email security risks of using smartphones?
Today, email is one of the most common routes attackers use to breach an organization. The 2020 Verizon Data Breach Investigations Report found that 22% of data breaches involved some form of social engineering, be it phishing or account compromise, and that 96% of those social engineering attacks arrived by email.
Because of this, email security should be a top priority for your organization’s security team. It’s important that you have strong protections in place against email security threats like spam, malicious attachments and harmful URLs.
When using mobile devices for email, some of these threats are actually less of a problem. As Gartner points out in its 2020 Market Guide for Email Security, smartphones often have strong built-in protection against malware and malicious webpages, especially when kept up to date with recent security patches. Mobile operating systems also sandbox applications and do not let an email attachment run as a program the way a macro-laden document or executable can on a desktop. This means that the problem of spam, malicious URLs and harmful attachments is somewhat reduced on mobile devices.
However, there is an increased risk from email threats on mobile devices when it comes to social engineering attacks, like phishing and business email compromise (BEC). These attacks aim to trick users into handing over personal information or making fraudulent payments. They can be highly targeted and sophisticated, using brand impersonation or phishing websites to convince victims to give up their passwords or financial information.
These threats are very difficult to stop because they target people rather than systems. In the case of business email compromise, criminals use a compromised or impersonated internal account to trick others within the organization into handing over sensitive data or approving payments. Social engineering emails often contain no malicious attachment or link at all, just a convincing request, which makes them hard to spot for traditional email security systems built to detect malware and bad URLs.
When using mobile devices, users are arguably even more susceptible to phishing attacks. When we're scanning an email in bed, or while watching TV, we're not paying full attention to the contents of the email the way we do when we're sat at our desks. Mobile mail clients also make the usual checks harder: many show only the sender's display name rather than the full address, and there is no mouse to hover over a link to see where it really points. Clicking a phishing link and logging in to a fake page is far easier to do on mobile when you're not paying full attention.
This can pose significant challenges to organizations. The cost of data breaches is increasing year on year, and it’s not just financial. The cost to your brand reputation and the subsequent damage it can cause to customer confidence in your brand are also significant when data breaches and leaks occur, even if the risk of large financial loss is low.
So how can we allow our employees to keep the benefits of using mobile devices to send and receive emails, while ensuring that the organization remains secure from cybersecurity threats?
Email Security With Customizable Controls
Implementing strong email security is the first step to protecting users against email threats across all devices. As most mobile email users will be on Office 365 or G Suite, we recommend layering a dedicated email security solution on top of the platform's built-in protections.
A strong email security service provides threat protection capabilities designed specifically to tackle social engineering and BEC attacks, where there is often no malicious payload to detect and the tells are in the sender, the headers and the request itself.
Advanced services will also allow you to implement security controls such as warning banners within emails – even on mobile email clients – to alert users when a suspicious email is delivered to their inbox.
Many solutions will also implement a phishing report button, allowing the end user to report email threats to their IT departments, helping to improve threat detection and remediation rates while training end users to practice more cautious security behaviors across all of their devices.
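As an added example (not code from the original article, and not any particular vendor's product), the following Python script shows the kind of decision logic that sits behind a warning banner. It inspects the headers a gateway sees before delivery and flags the tells that matter for social engineering rather than malware: an external sender, a display name that matches an internal user but arrives from an external address, a Reply-To that diverts replies elsewhere, and an authentication failure recorded by the receiving mail server. The warning is prepended to the plain-text body so it still shows in a mobile client that strips HTML styling. The organization domains, the protected display names and both sample messages are constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Organisation data assumed for this example (constructed; a real gateway
# would read these from the directory or tenant configuration).
INTERNAL_DOMAINS = {"example.com"}
# Display names worth protecting against look-alike senders, e.g. executives
# and finance staff, who are the usual BEC impersonation targets.
PROTECTED_DISPLAY_NAMES = {"jane doe", "alice smith"}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def banner_reasons(msg: EmailMessage) -> list:
    """Return the reasons a warning banner should be shown, or [] if none apply."""
    reasons = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)

    if from_domain and from_domain not in INTERNAL_DOMAINS:
        reasons.append("external sender")
    # Display-name impersonation: the name is one of ours, the address is not.
    if from_name.strip().lower() in PROTECTED_DISPLAY_NAMES and from_domain not in INTERNAL_DOMAINS:
        reasons.append("display name matches an internal user but the address is external")
    # A Reply-To pointing elsewhere is a common BEC tell: replies leave the thread.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    # Authentication-Results is stamped by the receiving MTA; surface any failure.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            reasons.append(f"{check} failed")
    return reasons


def reasons_for(raw: str) -> list:
    """Convenience wrapper: parse a raw RFC 5322 message and evaluate it."""
    return banner_reasons(email.message_from_string(raw, policy=policy.default))


def apply_banner(raw: str) -> EmailMessage:
    """Prepend a plain-text warning to the body and record the reasons in a header.

    Text in the body, rather than HTML styling, is what survives on mobile
    clients that collapse or strip formatting.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = banner_reasons(msg)
    if reasons:
        msg["X-Warning"] = "; ".join(reasons)
        body = msg.get_body(preferencelist=("plain",))
        if body is not None:
            banner = ("*** WARNING: " + "; ".join(reasons) + ". ***\n"
                      "Verify any payment or password request by phone or in person "
                      "before acting on it.\n\n")
            body.set_content(banner + body.get_content())
    return msg


# Constructed sample messages (not real traffic).
SAMPLE_BEC = """From: Jane Doe <jane.doe@freemail.example>
Reply-To: jane.doe.office@freemail-reply.example
To: finance@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=pass; dkim=none; dmarc=fail
Content-Type: text/plain; charset="utf-8"

Can you process a payment for me today? Reply here for the details.
"""

SAMPLE_INTERNAL = """From: Alice Smith <alice.smith@example.com>
To: bob@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See you at 12.
"""

if __name__ == "__main__":
    print(apply_banner(SAMPLE_BEC))
```

The same reasons string carried in the `X-Warning` header is what a phishing-report button or a SIEM rule can pick up later. Note that none of these checks depend on a malicious attachment or URL being present, which is exactly the gap the article describes for social engineering mail.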
You can read our guide to the top email security solutions to tackle phishing here.
User Awareness Training
Implementing user awareness training for employees across the organization is an important step to protecting against social engineering attacks. More than anything else, these attacks target people, and people are prone to error. On mobile devices we are even more susceptible to social engineering attacks, as email formatting and the way webpages are displayed can often make it even more difficult to tell a genuine email apart from a phishing attack.
To help mitigate this, we recommend that all organizations use security awareness training tools to teach their users to recognize a phishing email. These tools can be low-cost and easy to manage. Training materials are delivered via cloud-based learning management systems (LMSs), which allow admins to assign courses that teach employees about security issues with a mixture of animations, quizzes and games.
Many solutions will also allow IT admins to create simulated phishing emails that are sent to employees to test their ability to detect and report suspicious messages. Admins can track which employees spot the phish and direct further training to those who are at risk of falling for a real one. These campaigns are customizable, so IT teams can build campaigns that mimic the specific threats facing your organization.
User awareness training helps to build a better culture of security throughout your organization, helping users to be more cautious when using email. It is not a magic bullet to stop phishing attacks, but it is an important step in a multi-layered security strategy. For organizations that are seeing a large number of their employees using mobile devices to communicate, we'd highly recommend using awareness training to cover mobile device security issues specifically.
You can read our guide to the top ten phishing awareness training and simulation solutions here.
Multi-Factor Authentication
A final important step to protect users against phishing and email compromise attacks is to implement an organization-wide policy of multi-factor authentication (MFA). MFA policies ensure that, alongside a username and password, sensitive accounts need an extra layer of verification before they can be accessed. The benefit is that if a phishing attack succeeds and a user's password is compromised, the attacker still cannot get into critical company accounts with the password alone.
Most accounts by default need only one factor to grant access: something you know, like a password. The problem is that if the attacker also knows that piece of information they can access the account, and passwords are routinely reused, guessed or phished outright. With MFA, multiple factors are needed, such as something you have, like an authenticator app that generates a unique single-use sign-in code, or something you are, like a fingerprint or face scan. A single-use code is far harder for an attacker to obtain than a password, and biometric data is typically stored only in the device's secure hardware and never sent to the service. Because of this, attackers who phish a user's password are in most cases still unable to access the account. One caveat a security team should plan for: one-time codes and push approvals are not immune to phishing. A real-time phishing proxy can relay a code to the genuine site within its validity window, and users can be worn down into approving push prompts they did not initiate. Where the risk justifies it, prefer phishing-resistant methods such as FIDO2/WebAuthn security keys or platform authenticators, which are bound to the real site's origin and will not work on a look-alike page.
To help make this easier to manage, MFA can be implemented as part of a wider identity management platform, which can include business password management and single sign-on. These platforms make it easier for IT admins to manage access to all company accounts and help employees access accounts more seamlessly, while plugging security gaps. MFA is an important step to protect against phishing attacks, acting as a final line of defense if your account details are compromised.
We’ve put together a guide to the top multi-factor authentication solutions, which you can read here.
As we continue to use mobile devices for emails and other work activities, it’s critical that security teams have systems in place to protect all of their users, both in and out of the office. By implementing the systems recommended in this article, organizations can achieve a powerful, multi-layered security stack, which will help to provide much needed protection against phishing and other social engineering attacks.
The risks associated with email are likely to grow as attackers see it as a low-cost, low-risk avenue to reach millions of people. Following the steps in this article can help you to ensure you're ready to meet these cybersecurity challenges and protect all of your users, wherever they are, across all of your devices.