May 11, 2016

5 Email Security Threats That Cause Compliance Risk

4 minute read

A recent article on the Office 365 blog highlights five overlooked threats to your email security that can cause substantial compliance risk. All too often, easily preventable breaches occur because of either a poor process in place or simple carelessness by an employee. However, there are times when no matter how vigilant, a hack can occur. The five threats below are ones which may have been overlooked and should jump to the front of your mind to avoid becoming a victim of a breach.

From the article:

Here are five often overlooked threats to your email security:

  1. Social engineering schemes that use your mobile number—Did you know that attackers only need your mobile number to trick you into giving access to your email? Essentially, they’ll send you a text posing as your email provider (e.g., Outlook) and tell you you’re about to receive a code to ensure your email account is secure. This text will then ask you to reply with the code to confirm. Then, they’ll trigger the password reset process, you’ll receive a real message with the unlock code—and if you send it to the attackers unknowingly—they’ll use it to reset your password without your knowledge. Check out this video if you want more specifics on this scheme.

  2. Sharing your access credentials with others—It’s common for some employees to share their credentials—including their password—with a fellow employee or manager when they’ll be out of the office, whether on vacation or during short-term or long-term disability. If organizations don’t have defined security policies for these situations, a lack of accountability could lead to compromised email security.

  3. Loss of a phone with pertinent information—Password management applications are wonderful tools that help you keep track of all the passwords for all of the email accounts you undoubtedly have. But if this application is installed on a phone that is lost or stolen, that can be a problem. Of course, it’s important that your phone is also password-protected, but organizations should take security one step further when it comes to work or personal devices that carry business data or information. Specifically, a business should standardize acceptable use policies regarding the local storage of files, remote wipe capability and network connectivity.

  4. Lack of email encryption—Just because data is passed via a secure email server doesn’t mean it’s 100 percent safe. To add an extra layer of protection, companies should invest in an encrypted email service, which seals email messages and ensures only those with a decryption key can read and access sensitive information.

  5. Crypto-ransomware—Ransomware is nothing new, but it’s a nasty way for hackers to operate. They essentially take the files on your computer or devices hostage until you pay a ransom to have them released. Crypto-ransomware is even nastier, as the hackers encrypt your computer’s files and will only surrender decryption keys upon payment. How is this related to email? These attacks are typically triggered through the opening of some sort of email attachment (e.g., an invoice, energy bill, image, etc.) and they often look legitimate. According to Symantec’s 2015 Internet Security Threat Report, attacks of this nature are highly profitable (bringing in approximately $34,000 per month for one group alone) and growing in popularity.

These threats are certainly not the only ways your email can be compromised and put your business at a significant compliance risk, but it is always helpful to learn about those which may be less common.

In advance of any breach, proactively managing your records is a key tenant in decreasing your compliance risk. 

Receive News Updates As Soon As They Happen