Many of us spend our working lives in our inbox. Email remains one of the most widespread business communication tools – but that also means it’s one of the biggest entry points for cyberattacks.
According to our 2019 CISO Benchmark Report, enterprise security leaders consider email to be the number-one threat vector, and it’s not hard to understand why. Verizon’s annual Data Breach Investigation Report – to which we’re a contributor – found that email is the number-one vector for both malware distribution (92.4%) and phishing (96%).
Small businesses are prime targets for attacks
Small and medium-sized businesses are particularly at risk of cyber attack. Unlike large organisations, which have teams dedicated to security, small companies may not even have an in-house IT expert.
We recently ran some Facebook Live chats with former BBC Dragon Piers Linney, where he said:
“Most small businesses are busy building their business and putting out fires, and sometimes they haven’t really thought about security in a holistic way.”
Small businesses rely on employees to stay vigilant against scams and report suspicious activity when they see it. But keeping employees up to speed is never easy. Scammers have far greater resources than small businesses can muster alone, and their methods are shifting all the time.
In a recent survey we ran, we saw that half of small businesses had experienced a breach, and of those, 40% had suffered more than 8 hours of downtime as a result.
Email protection and the law
Protecting the sensitive personal data in your emails makes sense from a business point of view. According to Hiscox, the basic “clean up” costs of a data breach add up to £25,700 every year. But regulations like GDPR may affect your approach to email security, too.
For example, GDPR specifies that personal data should be:
“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage...”
Small businesses should therefore have the appropriate technical measures and processes in place – as well as properly trained staff – to keep their and their clients’ data safe.
Email attacks that small businesses should watch out for
Because protecting against email attacks is difficult and resource-intensive, many small businesses have moved to the cloud.
Managed email services like those offered by Gmail or Microsoft Office 365 are great for small businesses. They offer nearly all the functionality of self-managed email without the cost and hassle of running an email server. But the popularity of such tools means that cyber criminals are increasingly targeting them as platforms from which to launch cyber attacks.
A common technique is the simple phish, where an attacker sends an official-looking email to your employees purporting to be from Google or Microsoft. The email says there’s been some problem with the account and that they need to verify their details using the login page provided. But the website is fake, and once they enter their username and password, criminals have an instant backdoor into your business.
Where scam email goes, malware follows
Phishing emails are often accompanied by malware – either as attachments or via links in the email.
Malware comes in many forms. More than half of malicious files flagged in 2018 came in the form of innocuous documents like PDFs, Word docs or Excel spreadsheets – the kind of files small businesses use every day.
Once opened, these attachments can cause serious damage not only to their host systems, but to a small business’s entire network.
Protect your small business against email attacks
The best defence against email attacks is education. Regular training will keep your employees up to date about typical phishing methods, what to look out for, and how to reduce the risk of a breach.
We have a range of resources dedicated to this topic:
- Phishing, ransomware, and email spoofing: cyber security advice for small business owners (educational videos to share with employees)
- Boost security by phishing your staff
- Security Essentials eBook
- Small business champion Piers Linney chats to our own Hazel Burton about small business email security (Part 1, Part 2)
We also recommend a few good security practices:
- Run regular phishing exercises. Emulate the latest real-world techniques to educate employees.
- Use multi-factor authentication. Reinforce access to your systems by requiring more than one method of verification.
- Keep software up-to-date. Vendors constantly patch their products to remove vulnerabilities that hackers can exploit.
- Enable DMARC and other anti-phishing technologies. The DMARC protocol can help to ensure the email sender is who they say they are. And modern anti-phishing software helps identify scams.
And we have a range of products for small businesses to improve email security, protect data, and stay compliant.
Read the Cisco 2019 Email Cyber Security Report now.
About the author: Hazel Burton