It’s no secret that email is one of the most common ways that attackers gain a foothold on an organization’s network. Targeted spear-phishing campaigns use carefully designed messages that combine a sophisticated look and feel with appealing content to trick users into clicking on malicious messages.
Awareness campaigns have their place, but the practical reality is that people know they shouldn’t click on suspicious links. Yes, we should remind them of the threat on a regular basis, but we also need to take proactive steps to reduce the likelihood that employees will become the victims of email-based attacks. Let’s take a look at a few simple measures that you can take to protect yourself and your organization.
1. Don’t Publicize Email Addresses
Attackers love to target low-hanging fruit. If you publish an email directory on your company’s website, you’re asking for trouble. This information can be used to reconstruct organizational charts and serves as a roadmap for designing phishing campaigns that use the names of real leaders in the organization in an attempt to drive action by lower-level employees.
Organizations might consider using generic contact addresses or a “Contact Us” form on their websites instead of listing an actual user's address, just to make attackers work a little harder.
2. Compartmentalize Personal Email
People often mix personal and professional activities. Using your work email for personal purposes spreads information around the internet that is easily linked to your identity. Keep the two separate. If you have email accounts that get a lot of garbage, consider setting up another personal email account for less important uses, like getting 10 percent off at checkout or signing up for something you don’t intend to use much.
A highly publicized attack in 2015 highlighted the value of this practice when hackers released an email database containing information about 33 million alleged users of Ashley Madison, a website promoting marital infidelity. Reviews of that database revealed that many of the accounts had been registered using email addresses linked with companies, government agencies and the military.
3. Practice Password Hygiene
Hackers know that we’re lazy and routinely reuse the same passwords on many different websites. They take advantage of this when they steal password files from insecure websites and then attempt to use the same account information to log in to more sensitive targets, such as corporate intranets.
Ditch those tired passwords and replace them with unique passwords for every site you visit. Using a password manager such as LastPass or 1Password makes this process easier.
4. Use Multifactor Authentication Whenever It Is Available
Multifactor authentication might be an annoying extra step when logging in to an account, but it’s a time-tested way to dramatically reduce the effectiveness of phishing attacks and other attempts to steal credentials. Businesses that have not already implemented multifactor authentication should immediately do so.
Individuals can take personal action on this front as well. Many popular websites now offer multifactor authentication options. Take the time to turn them on, particularly for your most sensitive accounts.
These are just a few small steps that everyone can take to improve their personal cybersecurity posture. Every little bit we do to reduce the amount of information that can be linked to us or to improve the security of our accounts reduces our personal attack surface and protects both us and our organizations.