Despite the steady stream of news detailing calamitous cyberattacks and data breaches, many employees’ poor email hygiene habits continue to leave them — and therefore their employers — vulnerable.
“Despite collaborative communication platforms gaining popularity, email is still the communication medium of choice for the majority of businesses and organisations,” said Colin Thornton, the founder of South African IT consultancy Dial a Nerd. “It therefore shouldn’t come as a surprise that email is also the most popular way for fraudsters to try to take advantage of people online.”
Given that a single email attack can disrupt business operations for extended periods of time and often at great expense, financial management professionals and employees have to assess and most likely change their email habits.
Here’s what leading cybersecurity experts recommend for improving your email security:
Unleash your inner sceptic. Today, remaining safe online requires approaching every email and link with a healthy dose of scepticism. Double-check anything remotely suspicious, including emails that appear to come from a trusted or familiar source. For example, if your CFO asks by email for a financial transfer, confirm it out of band: call them on a number you already have, not one supplied in the email, before initiating the transaction. This vigilance matters because attackers have become adept at impersonation and can trick almost any user who operates without awareness.
“Your email platform security will do its best to block or alert you to common spam and virus attacks, but most skilled attackers know how to circumvent these defences,” said Craig Rosewarne, managing director at cyberthreat management firm Wolfpack Information Risk. “Your best defence in this case is common sense and a large degree of scepticism. I never bought a lottery ticket, and it is highly unlikely that a rich long-lost relative wants to leave me their millions, so don’t open suspicious emails.”
Rosewarne also recommends scanning any unsolicited files for malware before opening them, noting that attackers can spoof the sender's display name, the sending address, or the links in the email itself, so never take anything at face value. Hovering over a link reveals the address it actually points to, which may differ from the text on screen; check that destination rather than simply clicking.
Keep your details private. A key rule is to publish no more information about yourself online than is necessary, Thornton said. Attackers use social engineering, drawing on personal details such as your birthday, pets' names, and family members' names, to refine and personalise email attacks.
Social engineering is a particularly effective technique today because it exploits natural curiosity and human psychology. Typically, it involves an email or other message that evokes urgency, fear, or a similar reaction in the victim, leading them to reveal sensitive information, click a malicious link, or open an infected file. The method relies on data that can be used against you, which makes it critical to keep your details (and life) as private as possible.
“We even recommend removing job titles from professional platforms like LinkedIn or from the company website,” said Thornton. While that may be unrealistic for most, take care with how much publicly available data you are putting out into the digital world.
Enable email filtering tools. According to Thornton, some email providers, such as Microsoft with certain Office 365 subscriptions, offer built-in customisable filters that learn to identify spam and threats and stop them from ever reaching an inbox. Check that such filters are enabled, correctly tuned, and regularly maintained.
“The strength of the filtering has to be handled very carefully because without human insight it’s very easy for a filter to stop legitimate emails,” said Thornton. “So, there’s a balancing act between being strict enough to stop threats and allowing email through. You’d be very happy knowing that phishing emails from Nigeria are being stopped automatically, but if your financial director’s emails are also being blocked because he’s using a flagged subject line, you’d be upset!”
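The two checks the experts describe above, looking behind a spoofed display name and behind a link's visible text, together with the balancing act Thornton describes, can be expressed as a small triage script. The following is an added example written for this page; it is not code from the article, from Microsoft's filters, or from either firm quoted. The trusted domain, the title and urgency word lists, the scoring weights and both sample messages are constructed assumptions. Urgent wording alone scores too low to quarantine, so a genuine "URGENT" note from a finance director is delivered, while the same wording combined with an external sender posing as the CFO and a disguised link is held.

```python
"""Heuristic phishing triage for a raw RFC 5322 message (added example, not from the article)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions (not from the article): the organisation's own mail domain, the
# executive titles attackers like to impersonate, and a few urgency words.
TRUSTED_DOMAINS = {"example.com"}
ROLE_WORDS = ("cfo", "ceo", "finance", "director", "treasurer")
URGENCY_WORDS = ("urgent", "immediately", "today", "asap")
QUARANTINE_THRESHOLD = 3

# Constructed sample 1: a CFO-impersonation message with a disguised link.
PHISH = b"""From: "Jane Doe - CFO" <jane.doe@example-mail.net>
To: accounts@example.com
Subject: URGENT: wire transfer needed today
Content-Type: text/html; charset="utf-8"

<html><body><p>Approve the payment here:
<a href="http://payments.example-mail.net/approve">https://portal.example.com/approve</a></p></body></html>
"""

# Constructed sample 2: a legitimate, equally "urgent" message from a real director.
LEGIT = b"""From: "Tom Smith - Finance Director" <tom.smith@example.com>
To: accounts@example.com
Subject: URGENT: month-end close today
Content-Type: text/html; charset="utf-8"

<html><body><p>Checklist: <a href="https://portal.example.com/close">https://portal.example.com/close</a></p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs: the href is what hovering over a link reveals."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of an http(s) URL, or '' if the string is not one."""
    parsed = urlparse(url.strip())
    return (parsed.hostname or "").lower() if parsed.scheme in ("http", "https") else ""


def analyse(raw):
    """Return (score, findings) for one raw message; a higher score is more suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    score = 0

    # 1. Display name claims an executive title but the address is outside our domain.
    addresses = msg["From"].addresses if msg["From"] else ()
    for addr in addresses:
        if addr.domain.lower() not in TRUSTED_DOMAINS and any(
            w in addr.display_name.lower() for w in ROLE_WORDS
        ):
            score += 2
            findings.append(f"executive title in display name but external sender {addr.addr_spec}")

    # 2. Visible link text is a URL whose host differs from where the href really goes.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            shown, real = host_of(text), host_of(href)
            if shown and real and shown != real:
                score += 2
                findings.append(f"link shows {shown} but points to {real}")

    # 3. Urgency alone is weak evidence: a real director also writes "URGENT".
    subject = str(msg["Subject"] or "").lower()
    if any(w in subject for w in URGENCY_WORDS):
        score += 1
        findings.append("urgent language in subject")

    return score, findings


def verdict(raw):
    """'quarantine' when the combined evidence crosses the threshold, else 'deliver'."""
    score, _ = analyse(raw)
    return "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        score, findings = analyse(raw)
        print(label, verdict(raw), score, findings)
```

The weights are deliberately additive rather than any single rule being decisive: that is the only way to keep a strict filter from blocking the finance director's genuine "URGENT" subject line, which is exactly the false positive Thornton warns about. A production filter would add authentication results (SPF, DKIM, DMARC) and attachment scanning on top of these header and body heuristics.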
Use encryption and dual-factor authentication. Most of today’s email applications store a large amount of sensitive personal or work-related information.
“Remember that if you are backing up your files to a physical storage drive or the cloud, ensure this information is encrypted, password-protected, and that you enable dual-factor authentication,” said Rosewarne. Dual-factor authentication adds a second proof of identity on top of the password, for example a one-time code delivered through a different medium such as a text message or an authenticator app, so that a stolen password alone is not enough to get into the account.
Sign up for cybersecurity training. Cybersecurity training and awareness courses must become part of every financial management professional’s working life.
“If users don’t know how to recognise a security threat, how can they be expected to avoid it or report it?” Thornton said. “Training is imperative.”
Training courses should be supplemented with phishing simulations and should also be able to identify higher-risk users who might need additional guidance.
The most important step is to recognise the magnitude of the threat — and the hypervigilance it demands.
— Jessica Hubbard is a freelance writer based in South Africa. To comment on this article or to suggest an idea for another article, contact Drew Adamek, an FM magazine senior editor, at Andrew.Adamek@aicpa-cima.com.