Online Security Tips 2024

In the past, email security best practices could be summarized quickly: Don’t trust email because email is an unauthenticated, unreliable messaging service. This is still mostly true, and the same best practices for email security for employees from 1989 still hold: Use strong passwords, block spammers, don’t trust offers that are too good to be true and verify requests even from trusted entities.

As email becomes increasingly critical to business success, however, organizations must follow a stronger set of email security best practices. They can be summarized as follows:

Train employees on email security best practices

It is crucial to train employees on email security best practices to ensure they are aware of the potential risks and how to protect themselves and the organization. This training should cover topics such as identifying phishing emails, avoiding suspicious attachments, and using strong passwords. By educating employees on these best practices, organizations can significantly reduce the risk of email-related security incidents.

Create strong passwords

One of the most important email security best practices is to use strong passwords. Password security advice has changed in recent years, however. Previous thinking was that complex equaled strong. But forcing employees to create complex passwords usually ends with users writing their passwords on a sticky note or saving them in an insecure file on their desktops.

Current recommendations maintain that password length, not complexity, is the key to password strength. Passphrases, such as “kittEnsarEadorablE,” are one method to make longer, easy-to-remember yet difficult-to-guess passwords that help defend against attackers who use dictionary attacks to target weak passwords.

Don’t reuse passwords across accounts

Password reuse is a major email security threat. If an attacker compromises one account that uses the same credentials as other accounts, the attacker can easily gain access to those other accounts. Attackers know that trying a reused password associated with a person’s account on a breached system often unlocks other accounts.

Encourage employees to follow password hygiene best practices, such as using strong, unique passwords for each account. This is a pain point for many users, especially those with dozens or hundreds of logins to remember. Using single sign-on or a password manager can help alleviate the challenge.

Consider changing passwords regularly — or not

Guidance around the frequency of password changes has been debated in recent years. Changing passwords every 90 days used to be the norm, but it often leads to user frustration and the use of less secure passwords. NIST recommends against forcing periodic password changes.

However, always force password changes following a suspected compromise or data breach. In addition, some compliance regulations, such as PCI DSS, require frequent password changes. Companies must weigh the benefits of regular password changes with users’ tendencies to use weaker passwords that are easier to remember and therefore easier for attackers to exploit.

Use multifactor authentication (MFA)

Multifactor authentication adds an extra layer of security to email and can prevent account compromise attacks. MFA involves using more than one method to authenticate a user’s identity, for example a username and password combined with a one-time password or a fingerprint biometric.

Adding a second — or third, or more — factor to the authentication process adds an additional layer of defense and defends against common email threats, such as brute-force attacks and password cracking. Companies should mandate the use of MFA. Employees should also protect their personal accounts by using MFA wherever available.

Take phishing seriously

While email security products prevent many spam emails from reaching a user’s inbox, a good amount of spam still gets through, and it can contain phishing schemes that are becoming increasingly sophisticated. Users should be on the lookout for phishing scams and use caution when opening any potentially malicious emails.

Don’t open, respond to, click links in, or open attachments from emails that appear suspicious. More and more organizations are including phishing awareness training in their security awareness training programs to help employees identify problematic messages and to teach them how to avoid clicking on the wrong links or opening the wrong attachments.

One of the best ways for employees to keep their email secure is to understand how phishing scams work.

Be wary of email attachments

Many email attacks rely on the ability to send and receive attachments that contain malicious executable code. Email security gateways and antimalware software can detect malicious sources and block most malicious attachments.

These attachments, however, can also come from trusted sources that have been exploited by attackers. Whatever the source, employees should beware of attachments even when the organization uses email-scanning and malware-blocking software. Use extra caution before opening an attachment that has an extension associated with an executable program, such as EXE (executable file), JAR (Java application file), or MSI (Windows Installer). Files such as Word documents, spreadsheets, and PDFs can also carry malicious code, so be careful handling any type of attached file. Scan files with an antimalware program or avoid opening them altogether.

Hyperlinks in emails can often connect to a web domain different from the one they appear to represent. Some links might display a recognizable domain name — such as — but, in fact, direct the user to a different, malicious domain. Attackers also use international character sets or misspellings to create malicious domains that appear to be those of well-known brands.

Always review a link by hovering the mouse pointer over it to see whether the actual target differs from the displayed link. Even this can be spoofed, though most modern email programs should catch such links. When in doubt, type domains directly into the browser instead of clicking links in emails.
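As an added example (not part of the original article), the following Python script does programmatically what hovering does by hand: it compares the domain shown in a link’s visible text with the domain its href actually targets, and also flags punycode (xn--) hosts, which is how lookalike international-character domains appear on the wire. The sample email body and all domains in it are constructed.

```python
"""Flag email anchors whose visible text names one domain but whose href leads to another."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Matches something that looks like a host name inside the link's visible text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)

class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude registrable domain (last two labels); production code should use the Public Suffix List."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def check_links(html_body):
    """Return [(reason, href)] for anchors that a hover check would also reveal as suspicious."""
    parser = _Anchors()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if "xn--" in host:                       # IDN/punycode label: possible lookalike of a brand
            findings.append(("punycode host", href))
        shown = DOMAIN_RE.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(("display/target mismatch", href))
    return findings

# Constructed sample body; none of these domains are real.
SAMPLE = """<p>Your mailbox is almost full. Review it here:</p>
<a href="https://login.exarnple-mail.test/reset">https://mail.example.test/reset</a><br>
<a href="https://xn--exmple-cua.test/portal">Example portal</a><br>
<a href="https://www.example.test/help">www.example.test/help</a>"""

if __name__ == "__main__":
    for reason, href in check_links(SAMPLE):
        print(f"{reason}: {href}")
```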

Don’t use business email for personal use and vice versa

While it might be tempting and convenient for employees to use a corporate email account for personal matters, an enterprise email security best practice is to prohibit this practice. Likewise, don’t send work-related emails from personal accounts. Mixing business and personal matters can result in threats such as spear phishing. Outline acceptable email use policies and any restrictions in a corporate email policy.

Only use corporate email on approved devices

People can access email from practically anywhere and on any internet-connected device. While convenient for employees, this could become a security disaster for an organization. If company email is opened on devices that don’t have the proper security controls, attackers could exfiltrate users’ credentials, email, and data. Require employees to only access email on company-approved and trusted devices.

Encrypt email, communications, and attachments

Email encryption is crucial to protect the contents of emails from unauthorized access. Encryption ensures that anyone who intercepts the email cannot read its contents. This helps prevent many email security issues, such as man-in-the-middle and business email compromise attacks.

Most major email services have encryption capabilities. Encrypting the message isn’t enough on its own, however. Also encrypt communications between the organization and the email provider. Encrypt attachments as well, even if the email they are attached to is encrypted.

Avoid public Wi-Fi

Employees might see public Wi-Fi as a blessing, but they should be reminded that these connections are ripe for attacks. If employees log into corporate email on public Wi-Fi, anyone on that network could also access their email. Malicious actors can use open-source packet sniffers to monitor and gain access to personal information via email.

Only use secure, known Wi-Fi networks to check email.

Use email security protocols

Email security protocols are crucial for filtering spam messages and preventing email spoofing. The following three email security standards are key to filtering spam messages:

  1. DomainKeys Identified Mail (DKIM): The DKIM standard uses asymmetric cryptography to prevent email spoofing. A digital signature added to an email verifies the message was not altered after it was sent. If the signature doesn’t match the email domain’s public key, it is blocked. If it does match, it is delivered.

  2. Sender Policy Framework (SPF): SPF verifies that the server an email came from is authorized to send email for that domain. If verified, the email gets delivered. If not, the email is blocked.

  3. Domain-based Message Authentication, Reporting, and Conformance (DMARC): The DMARC protocol extends DKIM and SPF. Using DMARC, domain owners can publish their DKIM and SPF requirements, as well as specify what happens when an email fails to meet those requirements, such as reporting back to the sending domain.

Note that these technical controls prevent spoofed emails but do not stop all unwanted messages.
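An added example, not from the original article, that walks through what a receiving server does with these records: a minimal SPF evaluation (ip4/ip6 mechanisms and the final “all” term only; include and redirect are omitted) and the DMARC alignment decision, applied to constructed SPF and DMARC records and simulated DKIM results. All domains and addresses are constructed.

```python
import ipaddress

QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}   # SPF qualifiers

def spf_check(record, client_ip):
    """Evaluate an SPF record of ip4/ip6 mechanisms and a final 'all' (include/redirect omitted)."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:              # skip the 'v=spf1' version tag
        qual, mech = (term[0], term[1:]) if term[0] in QUAL else ("+", term)
        if mech == "all":
            return QUAL[qual]
        if mech[:4] in ("ip4:", "ip6:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUAL[qual]
    return "neutral"                              # nothing matched and no 'all' term

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict of tag -> value."""
    pairs = [p.partition("=") for p in txt.split(";") if "=" in p]
    tags = {k.strip().lower(): v.strip() for k, _, v in pairs}
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain):
    """Crude organizational domain (last two labels); real code consults the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' needs an exact match, 'r' (relaxed) the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(record, from_domain, spf_result, spf_domain, dkim_pass, dkim_domain):
    """Return (result, disposition): DMARC passes if at least one identifier passes AND aligns."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return ("pass", "none") if spf_ok or dkim_ok else ("fail", tags["p"])

# Constructed records for the demo (documentation address ranges, no real domains).
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.test"
if __name__ == "__main__":
    # Legitimate message: relayed from a listed range, DKIM d= identical to the From domain.
    spf = spf_check(SPF_RECORD, "203.0.113.10")
    print(dmarc_result(DMARC_RECORD, "example.test", spf, "mail.example.test", True, "example.test"))
    # Spoofed From header: sent from an unlisted address, with no DKIM signature at all.
    spf = spf_check(SPF_RECORD, "198.51.100.7")
    print(dmarc_result(DMARC_RECORD, "example.test", spf, "example.test", False, ""))
```

The second run ends in (“fail”, “reject”), which is the p=reject disposition the domain owner published; with p=none the same message would still fail DMARC but only generate a report.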

Use email security tools

Beyond implementing the proper protocols, email security strategies should include multiple tools that help maintain email security. Antimalware, antispam, antivirus, email filtering, email security gateways, email monitoring systems, firewalls, and endpoint protection should be considered.

By following these online security tips in 2024, organizations can significantly reduce the risk of email-related security incidents and protect their sensitive information from unauthorized access. Remember to train employees, use strong passwords, avoid password reuse, consider changing passwords regularly, use multifactor authentication, take phishing seriously, be wary of email attachments and links, separate personal and business email accounts, use approved devices, encrypt email and attachments, avoid public Wi-Fi, use email security protocols, and use email security tools.