You're only as secure as your weakest link

It’s all well and good securing your email systems, but if there’s a weakness elsewhere in the computing estate, you’re going to get compromised – sure as eggs are eggs. The totality of the computing, communication infrastructure and business systems must be considered. Supply chain attacks are on the rise, where malicious actors compromise enabling tools like network monitoring, firewalls, VPN devices and CCTV software, which in turn compromises providers and customers. Don’t despair, but do prepare.

Malicious actors can attack with military precision, often carrying out extensive surveillance of your computing infrastructure for long periods of time (sometimes many months) before dealing the final blow, which might include compromising your backups.

If you’re unsure, or you are not getting the right answers from your IT provider, call or email.

On-premise vs cloud

These days I’d be really struggling to put a case forward for having an on-premise email system. I’d be going for a cloud solution every day of the week. The economics and overheads of on-premise just don’t add up. I get that it can seem expensive, but imagine if you had no email for a month or maybe even longer and/or that you had lost all of your old email. There are lots of tools available to make even large scale migration fairly painless.

Email forgery

Spoofing someone’s email is so, so easy. In reality, anyone can pretend to be any email address with just a couple of lines of code unless your email system is set up properly.

It’s my IT provider’s job to implement best practice, surely?

Yes it is, but if you read the article and it’s not ringing bells, you need to question them very carefully.

Email best practices

User Education

Ensure all your personnel regularly attend security awareness training

Conduct regular refresher sessions, and test the effectiveness of your training with simulated spear-phishing attacks.

Impose a policy of clearing out mailboxes regularly.

If the email account is compromised, there’s much less damage if it only holds the last few days, weeks or months of emails. I’ve seen accounts with 12 years of old emails.

If you need to keep emails, use an offline archiving tool (not Office 365 or Google archive). That way, again, the attacker won’t have access to the archive if your email account is breached.

Out of Office.

Users should post out of office responders when on leave.

Personally Identifiable Information

Instil a culture within your organisation, and produce policies and procedures, such that no personally identifiable information is sent over email without security measures such as additional encryption.
Of particular importance is information relating to passports, proof of address, PPSNs, health, financial, bank and credit card details, salary, gossip and sexual orientation.

Bank Details

Educate staff that bank details must never, ever be taken from an email. If a supplier or client changes their bank details and informs you over email, traditional mail, phone call or any other medium, call a known person on a known landline number for them and check the exact details of the new account, then check with someone else.

Encourage staff to report anything they are unsure of

Implement a culture of reporting anything odd, no matter how trivial

Known & Unknown Contacts

Tell users to be extremely wary of messages from unknown sources. Jeff Bezos of Amazon fame had his phone hacked via a WhatsApp message. There’s also reason to be wary of messages from friends: it’s so easy to spoof an SMS message purportedly from a friend.

Email Account Setup

Set up your email accounts with your favoured email provider – and this is a big one. Don’t use the one provided by your web hosting company, unless they are reselling from a specialist email provider like Microsoft, Google, Mimecast, Tutanota etc. Your web hosting company is unlikely to have the level of protection, detection and analysis tools the specialist players have.

Enable Multi-factor Authentication

Once you’ve got your account set up, protect each and every account with Multi-Factor Authentication (so not just a username and password, but additionally an authenticator app, biometrics, or another hardware device). You can download Microsoft Authenticator or Google Authenticator from the app store, and they are simple to set up and use. SMS messages can easily be spoofed, so stay away from SMS if at all possible (it is, though, better than nothing).

Enable Logging/Auditing & Review logs regularly

Check that logging/auditing is switched on and that the logs are retained for the maximum period allowed. Review the logs regularly for anything suspicious. In the event of a breach, logs provide the best chance of finding out what was breached, when and how.

Investigate Each & Every anomaly

Investigate, investigate, investigate until you are satisfied a compromise has not occurred.

Implement strong spam filtering

Ensure that the email system and anti-malware check links every single time they are accessed. Hackers tend to point links at safe content to get them through the email gateway, and then change them to the malicious payload destination after delivery.

Disable Automatic Forwarding of Emails

A hacker’s favourite is to forward all your emails to their own email account: even if you change your password they still have access to your email, and can use account recovery to get back in.
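The two sections above (review the logs, and watch for automatic forwarding) come together in a simple review script. The following is an added example, not code from the original article: it runs over a constructed audit log and flags forwarding rules that point outside the company, sign-ins from countries a user is not expected in, and, the strongest signal of the two combined, an external forward created shortly after an odd sign-in. The event shape (JSON Lines with time/user/op/ip/country/forward_to fields), the example.com domain and the country baseline are all assumptions, not any provider’s real export format.

```python
"""Added example: review mailbox audit events for the two signs discussed
above, external auto-forwarding and odd sign-ins. The event shape (JSON
Lines with time/user/op/ip/country/forward_to) is an assumption for this
example, not any provider's real export format."""
import json
from datetime import datetime, timedelta

OUR_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Constructed sample audit log, not real data.
SAMPLE_LOG = """
{"time": "2024-03-01T08:02:11Z", "user": "alice@example.com", "op": "UserLoggedIn", "ip": "203.0.113.10", "country": "IE"}
{"time": "2024-03-01T08:05:40Z", "user": "alice@example.com", "op": "New-InboxRule", "forward_to": "bob@example.com"}
{"time": "2024-03-01T23:41:03Z", "user": "alice@example.com", "op": "UserLoggedIn", "ip": "198.51.100.77", "country": "NG"}
{"time": "2024-03-01T23:42:15Z", "user": "alice@example.com", "op": "New-InboxRule", "forward_to": "collector@mail.example.net"}
{"time": "2024-03-02T09:12:09Z", "user": "carol@example.com", "op": "Set-Mailbox", "forward_to": "carol.home@webmail.example.org"}
{"time": "2024-03-02T09:15:00Z", "user": "carol@example.com", "op": "UserLoggedIn", "ip": "203.0.113.11", "country": "IE"}
"""

# Where each user normally signs in from (constructed baseline).
KNOWN_COUNTRIES = {"alice@example.com": {"IE"}, "carol@example.com": {"IE"}}


def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def is_external(address):
    return address.rpartition("@")[2].lower() != OUR_DOMAIN


def find_external_forwarding(events):
    """Any inbox rule or mailbox setting that forwards to a non-company address."""
    return [e for e in events if "forward_to" in e and is_external(e["forward_to"])]


def find_unusual_logins(events, known=KNOWN_COUNTRIES):
    """Sign-ins from a country the user is not expected to be in."""
    return [e for e in events
            if e["op"] == "UserLoggedIn" and e["country"] not in known.get(e["user"], set())]


def forwarding_after_unusual_login(events, known=KNOWN_COUNTRIES, window=timedelta(hours=1)):
    """Strongest signal: an external forward created shortly after an odd sign-in
    by the same user. Returns (user, login ip, forward target) tuples."""
    odd = find_unusual_logins(events, known)
    hits = []
    for rule in find_external_forwarding(events):
        for login in odd:
            gap = parse_time(rule["time"]) - parse_time(login["time"])
            if login["user"] == rule["user"] and timedelta(0) <= gap <= window:
                hits.append((rule["user"], login["ip"], rule["forward_to"]))
    return hits


def review(text=SAMPLE_LOG, known=KNOWN_COUNTRIES):
    """Summarise findings as (kind, user, detail) tuples for a reviewer to work through."""
    events = parse_events(text)
    findings = [("external-forwarding", e["user"], e["forward_to"])
                for e in find_external_forwarding(events)]
    findings += [("unusual-login", e["user"], e["ip"])
                 for e in find_unusual_logins(events, known)]
    findings += [("forward-after-odd-login", user, f"{ip} -> {target}")
                 for user, ip, target in forwarding_after_unusual_login(events, known)]
    return findings


if __name__ == "__main__":
    for kind, user, detail in review():
        print(f"{kind:24} {user:20} {detail}")
```

Run on the sample log it reports Alice’s forward to an outside address, her sign-in from an unexpected country, the two correlated as one finding, and Carol’s mailbox-level forward; the internal forward to bob@example.com is not reported. The real export from your provider will have different field names, so only the shape of the checks carries over.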

Enable Disclaimers/Signatures at the Email Server

Enable signatures/disclaimers at the mail provider rather than in Outlook/Gmail or on your phone. That way the disclaimer will always be sent, and it’s not subject to someone changing it on the device they are using to access the email. Ensure that the disclaimer also states that you will never inform suppliers/clients of a change of bank details in an email.

Never ever put your mobile number in the disclaimer, it provides a malicious actor with pretty much all the information necessary to take over your digital life.

Disable any email protocols not used

There are multiple protocols used to access email – POP, IMAP, MAPI – so if you’re only using Outlook, disable POP, IMAP etc.

Implement email tags/tips or banners

These banners/tags/tips should be set to indicate if an email originated outside of the organisation, or whether it failed spam or spoofing checks (SPF, DKIM, DMARC, spam scoring) but was delivered anyway.
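To show what the banner decision looks like in practice, here is an added example (not code from the original article) that reads the gateway’s Authentication-Results header and the From domain of a message and returns the banner text to stamp on it. The three messages are constructed: one spoofs the company’s own domain and fails SPF and DMARC, one is a genuine external supplier, and one is internal. The example.com domain and the banner wording are assumptions; the spf/dkim/dmarc verdict names are the standard ones that appear in Authentication-Results headers.

```python
"""Added example: decide which warning banner to stamp on a message from its
Authentication-Results header and From domain. The organisation domain and
banner wording are assumptions for this example."""
import email
import re
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumption
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
FAILED = {"fail", "softfail", "permerror", "temperror"}  # 'none' means no signature/policy, not a failure

# Constructed messages, not real mail. The first spoofs our own domain and fails
# authentication; the second is a genuine external supplier; the third is internal.
SPOOFED = b"""Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
From: "Finance Director" <director@example.com>
To: accounts@example.com
Subject: Urgent: new bank details

Please update our account number before paying the invoice.
"""

LEGIT_EXTERNAL = b"""Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=supplier.example.org; dkim=pass header.d=supplier.example.org; dmarc=pass header.from=supplier.example.org
From: invoices@supplier.example.org
To: accounts@example.com
Subject: Invoice 1042

Attached as agreed.
"""

INTERNAL = b"""Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: alice@example.com
To: bob@example.com
Subject: Lunch?

Canteen at one?
"""


def auth_results(msg):
    """Collect the first spf/dkim/dmarc verdict seen across Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(str(header).lower()):
            verdicts.setdefault(method, result)
    return verdicts


def from_domain(msg):
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def banners_for(raw):
    """Return the list of banner lines the gateway should prepend to this message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = auth_results(msg)
    banners = []
    if from_domain(msg) != OUR_DOMAIN:
        banners.append("EXTERNAL: this message came from outside the organisation")
    elif verdicts.get("dmarc") != "pass":
        # Claims to be one of ours, but the domain's own policy did not vouch for it.
        banners.append(f"WARNING: this message claims to be from {OUR_DOMAIN} but failed authentication")
    failed = [m.upper() for m in ("spf", "dkim", "dmarc") if verdicts.get(m) in FAILED]
    if failed:
        banners.append("CAUTION: failed " + ", ".join(failed) + " checks but was delivered")
    return banners
```

The important branch is the middle one: a message whose From address is your own domain is only treated as internal when DMARC vouches for it, otherwise it gets a louder warning than an ordinary external mail, because that is exactly the spoof the article warns about.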

Use a VPN

If possible get a dedicated IP business VPN and only allow access to email from the VPN IP address or static IP address from the office.

Check the health of the email domain

Google has an excellent tool for checking the health and setup of an email domain. It will check SPF, DKIM and DMARC, as well as carrying out a host of other checks. It will produce a large red warning if you’re not using Google to send/receive email, but that can be ignored.

Enable Sender Policy Framework (SPF)

Sounds complicated, but it’s not. It’s a TXT record which informs all the email systems connected to the internet which email systems and servers can send email on behalf of your internet domain. Typically this would be your email provider and maybe your website server (although I’d frown on this). There are loads of online tools available to help you generate the record correctly, and typically your email provider can generate the record when you set the account up. SPF isn’t foolproof though, so use it in conjunction with DMARC.

Enable DKIM (domain keys identified mail)

Typically DKIM is enabled when you set up your email account. DKIM uses cryptographic keys, with the public key published in your DNS, to let the inbound email server verify that the outbound server has the right to send email on the domain’s behalf.

Enable DMARC (Domain-based Message Authentication Reporting and Conformance)

DMARC is an email validation system designed to protect your company’s email domain from being used for email spoofing, phishing scams and other cybercrimes. It’s a reporting system which email systems use to report violations of SPF and DKIM to a specific email address, and, importantly, it tells them what to do with those emails (report and deliver, quarantine, or reject the email). Typically you’d start off reporting only, just to make sure you haven’t missed something, then move on to quarantine and finally reject.
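The SPF and DMARC sections above both come down to the contents of one TXT record each, so an added example (not from the original article) that parses and audits those records is a useful check to run against your own domain before trusting an online tool. It takes the record text as a string (as you would get back from a DNS lookup), reports the weaknesses the article warns about (a permissive `+all`, a `p=none` policy that only reports, a missing reporting address), and evaluates a sending IP against the record’s `ip4`/`ip6` mechanisms. The records are constructed; resolving `include:` and `a`/`mx` mechanisms needs live DNS and is deliberately left out, which is noted in the code. DKIM is not covered here.

```python
"""Added example: audit SPF and DMARC TXT records offline and evaluate a
sending IP against the SPF record's address mechanisms. Record contents are
constructed for this example."""
import ipaddress

# Mechanisms that cost a DNS lookup; receivers give up (permerror) past 10.
SPF_LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records, not real domains' data.
SPF_WEAK = "v=spf1 include:spf.protection.example.net a mx ptr +all"
SPF_GOOD = "v=spf1 ip4:203.0.113.0/24 include:spf.protection.example.net -all"
DMARC_START = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_PARTIAL = "v=DMARC1; p=quarantine; pct=25"
DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"


def parse_spf(record):
    """Return (qualifier, mechanism, argument) for each term after v=spf1."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":") if ":" in term else term.partition("=")
        terms.append((qualifier, name.lower(), arg))
    return terms


def audit_spf(record):
    terms = parse_spf(record)
    issues = []
    lookups = sum(1 for _, name, _ in terms if name in SPF_LOOKUP_MECHS)
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup mechanisms; more than 10 makes receivers return permerror")
    alls = [q for q, name, _ in terms if name == "all"]
    if not alls:
        issues.append("no 'all' mechanism: unlisted senders are treated as neutral")
    elif alls[0] in "+?":
        issues.append(f"'{alls[0]}all' lets anyone send as this domain")
    if any(name == "ptr" for _, name, _ in terms):
        issues.append("'ptr' is deprecated and slow to evaluate")
    return issues


def spf_check_ip(record, ip):
    """Evaluate ip4/ip6 mechanisms in order. Assumption for this offline example:
    include/a/mx are not resolved, so a real evaluator may pass where this says fail."""
    addr = ipaddress.ip_address(ip)
    for qualifier, name, arg in parse_spf(record):
        if name in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER_RESULT[qualifier]
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def audit_dmarc(record):
    tags = parse_dmarc(record)
    issues = []
    policy = tags.get("p", "")
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid 'p' policy")
    elif policy == "none":
        issues.append("p=none only reports; move to quarantine, then reject")
    if "rua" not in tags:
        issues.append("no 'rua' address: you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct != "100":
        issues.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    return issues
```

Reading the two SPF records side by side makes the point: `SPF_WEAK` ends in `+all`, so a mail from any address anywhere passes, while `SPF_GOOD` names the office range and the provider and rejects everything else with `-all`. On the DMARC side `DMARC_START` is the sensible first step (report only), and the audit tells you what is still left to do.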

Get a VMC (Verified Mark Certificate)

Read our concise guide to implementing Verified Mark Certificates. You must have implemented SPF, DKIM and DMARC, and have a trademarked logo, before you apply for a VMC. Verified Mark Certificates (VMCs) allow you to render your logo next to the “sender” field in email clients so that users see your mark, and know that your organisation has been authenticated. Before a user has even opened your email, they know that your organisation has a mark of quality about it, and your logo will be next to every email you send.

Ensure that the administrator has written checklists and policies for new starters, leavers, (ma/pa)ternity leave, leave of absence etc. A policy of the least privilege necessary to perform a role should be applied, not just across email but across all systems.

Email, like any data, should have classifications (public, confidential, secret). Automate policies such as: email tagged as secret may not be shared outside the organisation; PPSNs may not be emailed outside of the organisation.

Implement a structured security model, such as Discretionary Access Control (DAC), Non-Discretionary Access Control (NDAC) or Mandatory Access Control (MAC). Don’t get too hung up on these terms. For example, you might create an EMEA group, and everyone who works in EMEA has access to the Africa folder; when a staff member leaves the EMEA team and relocates to the Asia team, remove them from the EMEA group and add them to the Asia group. A staff member may access confidential information for EMEA but not email tagged as secret.

Make it simple, sensible, logical and as unburdensome as possible.
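The classification and group model described in the last few paragraphs is small enough to write down in full. The following is an added example, not the article’s own code or any product’s policy engine: group membership decides which team folders a person can see (the non-discretionary part), the classification label decides how far up they may read (the mandatory part), relocating someone is a single group swap, and an outbound rule keeps secret mail and anything carrying a PPSN inside the organisation. The group names, the two clearance levels, the example.com domain and the PPSN pattern (seven digits followed by one or two letters) are assumptions for the example.

```python
"""Added example: a group-plus-label access model with an outbound rule that
keeps secret and PPSN-bearing mail inside the organisation. Group names,
clearance levels, the domain and the PPSN pattern are assumptions."""
import re
from dataclasses import dataclass, field

LEVELS = {"public": 0, "confidential": 1, "secret": 2}
OUR_DOMAIN = "example.com"  # assumption
# Assumed PPSN shape for this example: seven digits followed by one or two letters.
PPSN_RE = re.compile(r"\b\d{7}[A-Z]{1,2}\b")


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)  # non-discretionary: set by the administrator
    clearance: str = "confidential"           # highest label the user may read


@dataclass
class Resource:
    name: str
    group: str            # the team that owns it, e.g. "EMEA"
    classification: str   # public, confidential or secret


def can_access(user, res):
    """Group membership decides which folders you see; the label decides how far up you may read."""
    return res.group in user.groups and LEVELS[res.classification] <= LEVELS[user.clearance]


def move_user(user, old_group, new_group):
    """Relocation is one group swap, not a pile of per-folder permission edits."""
    user.groups.discard(old_group)
    user.groups.add(new_group)


def external_recipients(recipients):
    return [r for r in recipients if r.rpartition("@")[2].lower() != OUR_DOMAIN]


def may_send(classification, recipients, body=""):
    """Outbound policy: secret mail and anything carrying a PPSN stays inside.
    Returns (allowed, offending external recipients)."""
    outside = external_recipients(recipients)
    if outside and (classification == "secret" or PPSN_RE.search(body)):
        return False, outside
    return True, []


if __name__ == "__main__":
    dave = User("dave", {"EMEA"}, "confidential")
    africa = Resource("Africa folder", "EMEA", "confidential")
    board = Resource("EMEA board pack", "EMEA", "secret")
    print(can_access(dave, africa), can_access(dave, board))  # confidential yes, secret no
    move_user(dave, "EMEA", "Asia")
    print(can_access(dave, africa))                           # no longer sees EMEA
    print(may_send("public", ["x@partner.example.org"], "new starter PPSN 1234567TA"))
```

Note that `may_send` blocks on either condition independently: a message labelled public is still stopped if its body contains something that looks like a PPSN, which is the case the article singles out.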

Review the logs regularly

I mentioned this above, but it’s so important it deserves repeating.

It’s a constant battle

Keep yourself educated with the latest developments