Email Security Intelligence - Email Risk is Universal: Securing Business Email in Every Industry Sector - Best Practices for Securing Business Email in Any Industry Sector

Email risk doesn’t discriminate - threat actors are targeting businesses of all sizes in every industry sector with advanced attacks designed to deceive victims into sharing credentials, financial information and other sensitive data that can be exploited for monetary gain. Now is not the time to overlook the importance of effective email security!

Cybercriminals are taking advantage of the ongoing global pandemic - and the increase in remote workers using inadequately secured cloud platforms like Microsoft 365 and Google Workspace - to craft dangerous attack campaigns which capitalize on the urgency and fear that are characteristic of the current environment. Email risk is universal - especially in this heightened digital threat environment. This article will explore the biggest risks that businesses in different industry sectors face and offer advice on how to mitigate these risks with proactive, multi-layered email protection.

Mary E. Ziegler, CLTC, Agent of CFS, LLC and Registered Rep. of Park Avenue Securities, elaborates on the growing digital risk that all businesses face, and the importance of effective email security - for financial institutions as well as organizations in other industry sectors. "Security is vital to the customer relationship within every organization, and has grown much more so now that the environment has dictated the necessity for electronic deposits and document delivery," writes Ziegler. "The issue affects every sector with the growing demand to transmit personal information. More advanced email security solutions need to be implemented immediately to protect personal data," concludes Ziegler.

Real Estate & Title Companies

Wire fraud is ubiquitous in the real estate industry. Cybercriminals exploit the complex and hurried nature of real estate and the number of vulnerable parties involved in the real estate closing process - attorneys, lenders, agents, title companies, sellers and buyers - to steal large sums of money in targeted phishing scams. These dangerous scams are initiated with the compromise of either a realtor or a title company's email account by malware sent via email. The Coalition to Stop Real Estate Wire Fraud explains: “These criminals rely on trust. They know you trust your real estate agent, your lawyer or the bank, and they exploit that trust to steal from you.” In addition to doing significant financial damage, wire fraud can destroy trust with clients and irreparably damage a title company’s reputation.

If you work in this industry, you know just how real this threat is, despite having existing protection in place. The Coalition to Stop Real Estate Wire Fraud has recently spoken out on the issue, reporting that 47% of major financial institutions have seen an increase in real estate wire transfer fraud over the past 12 months, and only 15% of all wire fraud incidents are reported. With an average loss of $179,000, real estate fraud often derails transactions, leaving victims homeless.

Lisa Sammataro, a realtor at Keller Williams Village Square Realty, elaborates on the danger of wire fraud in the real estate industry, and the critical need for effective email protection in this sector: “I've heard of more than one horror story of email hackers sending bogus wiring instructions that resulted in large sums of money being sent to a criminal's offshore bank account,” recalls Sammataro. “It is imperative that everyone involved in real estate transactions have sophisticated email security in place to prevent wire fraud. The problem is serious and real!”

Companies in the real estate sector need to invest in a cloud email security solution that provides proactive, defense-in-depth email protection, preventing fraudulent emails from reaching the inbox and thus mitigating their risk of dangerous and costly wire transfer scams.

We’ve also compiled a list of general technology best practices that organizations can follow to protect their business in any industry.

Attorneys & Law Firms

A small legal firm in suburban Chicago and the largest law firm in the world have both fallen victim to it, the largest email cloud providers can do little to guard against it, and once the damage is done it's all but irreversible. "Spear-phishing" - the act of sending emails to specific and well-researched targets while purporting to be a trusted sender - is a growing concern for law firms of all sizes.

Law firms and attorneys are some of the most popular targets for cyberattacks. Email is an attorney’s trusted and preferred method for communicating with his or her clients and sharing critical information. However, due to a lack of mandated security policies or regulatory guidelines in place to protect sensitive data against theft, misuse or alteration, law firms often lack the protection necessary to detect and combat advanced attack campaigns. 

Eighty percent of law firms report being hit by phishing attacks over the past 12 months, and in recent years, the amount of money stolen in email scams targeting businesses in the legal sector has risen by as much as 300%. In addition to being frequent victims of phishing campaigns, law firms and other professional services organizations are also the most popular targets for ransomware attacks of any industry sector.

Downtime due to a cyberattack is time that a law firm cannot bill for, resulting in direct monetary losses as well as serious and potentially irreparable damage to a firm’s reputation. Establishing and maintaining trust with clients is essential to achieving long-term success in the legal industry, and inadequately securing email accounts is a lethal mistake that can instantaneously erase decades worth of hard-earned credibility.

The most effective protection against phishing attacks for attorneys involves proper use of sophisticated authentication, including SPF, DMARC and DKIM, to provide greater assurance not only that the emails being sent are from a trusted source, but also that the emails being received are as they appear.

A well-designed email security solution for attorneys and law firms provides complete end-to-end control of email accounts through the use of multiple layers of software and detection engines, which work in harmony to accurately identify and rapidly quarantine ALL malicious emails before they reach the inbox.

We’ve also compiled a list of general technology best practices that organizations can follow to protect their business in any industry.

Hospitality & Service Industries

Data breaches are a serious and persistent threat to businesses in the hospitality industry. Fast food chains, large retailers, and every major hotel chain have been victims. The rise in online travel companies, online ordering and online delivery services has led to a larger landscape for threat actors to attack.

Hospitality companies collect copious amounts of personal information from their guests - which is invaluable to cybercriminals. This data can be used to carry out highly deceptive impersonation scams, often leading to other social engineering attacks and, in many cases, identity theft. For this reason, businesses in the hospitality sector are very attractive targets for dangerous email attacks including spear phishing and business email compromise (BEC).

Although the number of reported breaches impacting businesses within the hospitality and service sector has decreased over the past year, the magnitude of these breaches is on the rise. In the notorious Marriott Hotels data breach, the personal information of roughly 500 million guests was compromised. In another massive breach, personal data of 4.9 million DoorDash customers, drivers and merchants - including credit card and bank account information - was exposed.

Having an effective email security strategy in place is imperative to hospitality and service companies’ safety and success. The best defenses against advanced modern threats involve working with the key people, executives, and digital assets within an organization to ensure that a comprehensive approach to risk management is put in place to address new threats.

We’ve also compiled a list of general technology best practices that organizations can follow to protect their business in any industry.

Healthcare

Sound digital security is vital in protecting healthcare organizations and the people they serve. Because of the extensive data they collect from patients, businesses in the healthcare sector are popular targets for email-borne attacks such as phishing and ransomware, and a successful attack can result in the compromise of sensitive information, significant downtime and serious compliance issues. HIMSS reports that 82% of hospitals have experienced a “significant security incident” over a 12-month span. And data shows that digital risk is greater for small hospitals and healthcare centers with fewer than 500 employees. Seventy percent of ransomware attacks impacting the healthcare sector target these smaller organizations. Attackers recognize and exploit the fact that small healthcare organizations often have “lean security support”, and are more likely to pay ransom than their larger counterparts. Phishing and ransomware attacks lead to downtime, loss of reputation and revenue. Healthcare phishing attacks are even more serious - they result in the loss of sensitive patient data and patient trust, and put the personal financial stability of the victim at risk. In one such incident, nine employees within Oregon's Department of Human Services opened a phishing email that may have exposed the personal information of around 645,000 people.

These attacks aren’t going away anytime soon, and have only been worsened by the ongoing global pandemic. Clearly, more needs to be done to secure business email in the healthcare sector. Fortunately, there are mechanisms available for those in the healthcare industry to fight back. Organizations will have to continue to implement more advanced protection from today’s most sophisticated threats beyond just that which is included by their cloud email provider. Healthcare providers should be choosing a solution that includes multiple layers of enterprise-grade protection, all working together to rapidly and accurately detect and block both existing and emerging threats. 

Learn why NY Spine Care chose Guardian Digital to secure its business email accounts

We’ve also compiled a list of general technology best practices that organizations can follow to protect their business in any industry.

Information Technology (IT)

Email is the attack vector of choice among cybercriminals, and email-borne threats are constantly evolving to become more prevalent, advanced and dangerous. Research by Verizon reveals that over 90% of cyberattacks are carried out via email. Because of this, it is imperative that service providers and other businesses in the technology industry have a sound email security strategy in place to protect both themselves and their clients from phishing, ransomware and other malicious threats. 

Lately, spear phishing attacks targeting businesses in the technology sector have taken a new twist: attackers are asking for documents to be sent to them as opposed to hacking into systems and stealing these confidential files themselves. A popular tactic around tax time has been for threat actors to pose as a CEO and ask for employee W-2s to be forwarded to them. This is what happened in the notorious 2016 data breach that Snapchat experienced. A threat actor posing as Snapchat CEO Evan Spiegel emailed an employee in the payroll department and made a W-2 request. The employee, not carefully checking the email address, forwarded sensitive information including Social Security numbers and stock holdings to the attacker.
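The failure described above, an employee not checking the address behind a familiar executive name, can be caught mechanically before delivery. The following is an added example, not code from the original article or from Guardian Digital; the organization domain, the executive name and the three messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"     # assumption: the organization's own mail domain
EXECUTIVES = {"jordan doe"}    # assumption: hypothetical executive name, lower-cased


def _domain(address):
    return address.rpartition("@")[2].lower()


def _is_internal(domain):
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def impersonation_findings(raw_message):
    """Return reasons to hold a message for review before anyone acts on it."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    from_domain = _domain(address)
    # Reduce variations such as "DOE, Jordan (CEO)" to a set of lower-case words.
    words = set("".join(c if c.isalnum() else " " for c in display.lower()).split())
    findings = []
    for name in EXECUTIVES:
        if set(name.split()) <= words and not _is_internal(from_domain):
            findings.append(
                f"display name matches executive '{name}' but address is @{from_domain}")
    # A Reply-To on another domain silently redirects the victim's answer.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(
            f"replies go to @{_domain(reply_to)}, not the From domain @{from_domain}")
    return findings


# Constructed sample messages (headers only matter here; bodies are placeholders).
LEGIT = (
    "From: Jordan Doe <jordan.doe@example.com>\n"
    "Subject: Payroll documents request\n\n(body omitted)\n"
)
SPOOFED = (
    'From: "Jordan Doe (CEO)" <jordan.doe@mail-example.test>\n'
    "Subject: Payroll documents request\n\n(body omitted)\n"
)
REPLY_REDIRECT = (
    "From: Jordan Doe <jordan.doe@example.com>\n"
    "Reply-To: jordan.doe@mail-example.test\n"
    "Subject: Payroll documents request\n\n(body omitted)\n"
)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED),
                       ("reply-redirect", REPLY_REDIRECT)):
        print(label, impersonation_findings(raw))
```

A message that forges the exact internal address passes the first check; rejecting those is the job of SPF, DKIM and DMARC enforcement on the receiving side.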

Technology companies could be doing much more to protect individuals and organisations from the threats posed by spear phishing. Cloud email providers are in the email business - not the email security business - and take a broad-brush approach to protecting users. More focused protection is needed because the specific threats that each business faces are unique. Companies in the Information Technology sector should be utilizing a solution that identifies the biggest threats within an organization and implements a complete, end-to-end information protection program with advanced encryption technologies, mitigating the risk of data leaks and breaches.

Learn why AT&T New Zealand is securing its business email with Guardian Digital 

We’ve also compiled a list of general technology best practices that organizations can follow to protect their business in any industry.

Financial Services

In 1951, Willie Sutton reputedly replied to a reporter's inquiry as to why he robbed banks by saying "because that's where the money is." Although he denies ever having said it, it’s no different today - cyber criminals attack the financial industry because that’s where the money is.

Businesses in the financial services industry are highly vulnerable to advanced, targeted email attacks such as spear phishing and business email compromise (BEC). These companies have access to valuable personal information on their clients, which is highly sought after by threat actors, as it can be used to craft convincing social engineering and impersonation attacks. Not surprisingly, the banking industry is one of the top targets of threat actors using phishing attacks to breach security. Ponemon Institute reports that 69% of financial services organizations have now experienced a cyberattack at some point during their lifetime.

While safety protocols are built into both internal and consumer-facing banking websites and apps, it is often the human element that fails to detect a scam, frequently resulting in wire fraud. It is critical that financial services organizations take appropriate measures to secure email accounts and protect sensitive information from tampering and theft. 

Encryption is a particularly important component of protecting organizations in the financial sector. The use of advanced authentication mechanisms like SPF, DMARC and DKIM to verify the integrity of the sender and recipient is available through some email security providers, but is often not implemented properly - or even at all. Those in the financial sector should be choosing a provider who will partner with them to understand the threats they face, work with them to manage the protection needed to keep them safe, and maintain the level of vigilance needed to protect users from emerging threats.

We’ve also compiled a list of general technology best practices that organizations can follow to protect their business in any industry. 

Marketing Professionals

Marketing professionals have a pivotal role to play in the cyber security of their organization. Cyber risk has become a high priority for organizations who are concerned about the theft of personal information. Although it has typically been the concern of CIOs, CISOs, and CTOs, the time has come for CMOs and marketing professionals to also focus on cyber risk.

As today’s businesses move toward a world where data privacy and customer data protection practices are heavily scrutinized, marketers need to become major stakeholders in cybersecurity planning and implementation.

The Small Business Administration (SBA)’s Cybersecurity portal provides online training, checklists, and information specific to protect online businesses. 

We’ve compiled a list of best practices for marketing professionals to follow to protect their own assets.

  • Customer data must be continuously managed and safeguarded. Make sure you know where your client's data is being stored and that it's being kept secure. Understand the data that your business has. Where is all of the data stored? What is all the data that you have? What is the relative value of the data?
  • Partner with your IT team. It’s no longer enough for marketing leaders to simply inform IT they’re adding new tools - it's important they are involved throughout the lifecycle of the product and that they maintain consistent and effective communication with their tech support team. Security programs and processes should be woven into everything that marketers do - they should be genuine stewards of information security best practices.
  • Having an effective email security strategy in place is imperative to the safety and success of marketing professionals. The best defenses against advanced modern threats involve working with the key people, executives, and digital assets within an organization to ensure that a comprehensive approach to risk management is put in place to address new threats.
  • Create a section on your corporate website that discusses security and how seriously you treat customer data. The goal is to make visitors to your website more aware and cautious, which will in turn keep your company’s data more secure. This is especially important if you're an email marketer.
  • Understand your internal threats. Information Technology groups within a company should have a strict policy in place that defines who is allowed access to which types of data. Make these policies as restrictive as possible, especially when information such as email addresses or passwords is involved.
  • Filter outbound email. Internal users are the most dangerous because of the trust relationship they already have within the organization. Making sure all email is filtered will help to ensure a local compromise won't distribute spam or malicious content to your users or external clients.
  • Avoid free security software. Generally speaking, it is not thorough enough for today's more malicious threats. Cyber thieves will take advantage of your weakest link. Don't assume you have nothing to risk or that you're a small target. The same goes for free website hosting, which is not always maintained with security updates and auditing to ensure sites are not being defaced or compromised.
  • Use a VPN. A virtual private network is an encrypted tunnel between you and the internal resources within a company. This VPN should be protected with multi-factor authentication to ensure an attacker who gains possession of your system can't simply gain unimpeded access to your organization. Some excellent open-source VPN options include WireGuard and OpenVPN.
  • Play a role in data breach recovery. The threat of losing customers due to a data breach is a serious challenge for marketers. It can have a detrimental impact on a business' reputation and subsequently impact customer trust and sales growth. Marketing teams must step in to manage and protect the brand’s reputation and have a strategy in place for how to deal with a potential breach should one occur. Getting hacked isn't just about the technical consequences of a breach, but it is also about how the situation is handled afterwards, and how you maintain your brand's trust with your clients. Should it happen, be transparent and forthcoming with information - not defensive.
  • Perform regular security audits. Work with your technology provider to check the security of your initiatives before going live with them, and periodically throughout. 

We’ve also compiled a list of general technology best practices that organizations can follow to protect their business in any industry.

Guardian Digital EnGarde Cloud Email Security: Proactive, Multi-Layered Email Protection

Regardless of a business’s size or the market that it serves, effective email defense that is able to keep pace with the rapidly-evolving threat landscape is essential to any business’s safety, operations and success. Defense-in-depth is critical in safeguarding business email accounts and protecting users. Modern threats demand modern, multi-layered protection - traditional signature-based antivirus software and many conventional email security solutions have fallen behind, unable to successfully combat today’s advanced exploits.

Many small businesses cannot afford to employ a full-time IT staff or mail administrator, leaving these companies especially vulnerable. Guardian Digital’s EnGarde Cloud Email Security seamlessly integrates with organizations’ existing email infrastructure, and is remotely managed around-the-clock by a dedicated team of security experts - providing a rapid return on investment (ROI) and an invaluable peace of mind in this tumultuous, frightening time.

Key benefits of securing your business email with Guardian Digital EnGarde Cloud Email Security include:

  • Multi-layered, real-time defense against social engineering and impersonation attacks
  • Complete, end-to-end information protection with advanced encryption technologies, mitigating the risk of data leaks and breaches
  • Tighter security, adaptive implementation and reduced start-up and ongoing costs through the use of a transparent, collaborative development approach
  • Critical additional protection in Microsoft 365 and Google Workspace
  • Customized protection designed to meet the specific needs of your business
  • Scalable cloud-based system simplifies deployment and increases availability
  • Expert, caring around-the-clock customer support services and remote system monitoring

Best Practices for Securing Business Email in Any Industry Sector

While making sure that a comprehensive, reputable business email security solution is in place is the single most effective way to prevent a successful cyberattack and should be organizations’ first priority when it comes to securing email accounts, there are other best practices that administrators, employees and users should engage in to mitigate email risk. They include:

  • Check for spelling and grammatical errors which can indicate that an email is fraudulent or malicious. Also, be on the lookout for suspicious subject lines and signatures.
  • If an email appears strange in any way, make a phone call to the sender to confirm the legitimacy of the email.
  • If you receive an email from a source you know but it seems suspicious, contact that source with a new email, rather than just hitting reply.
  • Verify shared links to ensure that they do not lead to fraudulent websites or malicious code.
  • Scan all attachments for viruses or dangerous code.
  • Make sure your OS is patched and updated - this reduces the chance of security vulnerabilities existing that attackers could exploit.
  • Back up your files frequently and automatically and protect the back-ups you create. This won’t prevent a ransomware attack, but it can reduce the damage caused by one. Be aware that backups are not foolproof - ransomware may sit idle for weeks until it is triggered, potentially destroying backups.
  • Think before you act! Take time to thoroughly evaluate each email you receive before interacting with it in any way. 

Interested in learning more about the benefits of choosing Guardian Digital to secure your business email? Speak with a security expert today.

What market does your business serve? What are you currently doing to secure your business email? Our experts are here to help - we would love to hear from you and assist in securing your users and key business assets heading into 2022.
