The best approaches for SMEs take to email security 

The best approaches for SMEs take to email security 

Phishing is a pressing concern in today’s technological world and protecting against an attack has never been more crucial. Intelligent SME.tech speaks to two experts about the best email security approaches for small businesses to implement.  

Hany George, Security Specialist for Mimecast ME 

Firstly, it’s important to note that any company – no matter how large or small – is a potential victim of a cyberattack.  

Attackers will aim highly targeted and sophisticated attacks at larger enterprises, working to exploit zero-day vulnerabilities to steal off with a big payday. Smaller firms, in contrast, are typically attacked with low-sophistication, high-volume attacks where threat actors attempt to target as many SMEs in as little time as possible. They know that smaller organisations tend to have less advanced security in place, so they see them as easy targets who offer a higher chance of success. 

In Mimecast’s latest State of Email Security 2022 report, 55% of organisations with 250-500 email users reported increases in phishing and impersonation attacks. Nearly 70% of these organisations also reported some impact from a ransomware attack in the past year, with an average of 7.3 days of downtime following a successful attack. 

To protect against email-borne attacks, SMEs need a cyber-resilience strategy that provides layered security to protect employees and company data from a broad range of threats. User awareness in SMEs plays a big role, especially because a complete suite of defences is typically lacking in smaller organisations.  

Only half (52%) of the surveyed SMEs have a security system in place to protect against email-borne attacks, although nearly all firms surveyed (94%) are in the process of implementing such a system in the next twelve months. 

The growth in brand impersonation attacks also warrants investment in online brand protection tools.  

The cost of a successful brand impersonation attack can be severe. Research conducted by Mimecast in 2021 found that 75% of consumers in Saudi Arabia – and 78% of consumers in the UAE – would stop spending money with their favourite brand if they fell victim to a phishing attack involving that brand, well ahead of the global average of 57%.  

Encouragingly, 71% of surveyed SMEs have a service in place to detect and protect against malicious websites spoofing their websites or brands. Over three-quarters (84%) were made aware of at least one spoofing attack or lookalike domain imitating their brand in the past year, with eight such attempts being the average.  

Regular cyberawareness training is also essential to ensure employees can identify and avoid behaviour that would put them and their organisations at risk. However, half of SMEs (49%) in Mimecast’s latest research provide such training less often than once per month, potentially leaving employees vulnerable to falling victim to new attack types. 

Smaller companies are not immune to cyberthreats, but with a robust cyber-resilience strategy in place, SMEs can bolster their defences and avoid the financial and reputational damage of a successful breach. To protect against email-borne attacks, SMEs need a cyber-resilience strategy that provides layered security to protect employees and company data from a broad range of threats. User awareness in SMEs plays a big role as well, especially where a complete suite of defences is typically lacking in smaller organisations. 

Shane Grennan, Channel Director – Middle East, Fortinet 

Email remains one of the biggest cybersecurity threats for businesses of all sizes but cybercriminals are well aware that small businesses might not have the resources to spend on security staff and software as would a much larger enterprise. This is what makes them a prime target, as hackers see small businesses as particularly vulnerable, especially those without even basic security measures like firewalls in place. Cybercriminals are also aware that many small businesses work with large companies, so access to a small business’ network might mean access to that of a larger corporation.  

The primary objective of email security best practices is to prevent breaches and data leakage. All of the below practices – employee training, deploying email security solutions and encouraging users to secure their passwords and use 2FA – can prevent attackers from targeting users and exploiting vulnerabilities. 

  • Train staff in cybersecurity awareness: Employees are organisations’ first line of defence against email-borne cyberattacks. Cybersecurity awareness training helps employees know the threats they face, which reduces an organisation’s cyber-risk and increases the chances of keeping their data secure. Make sure employees understand how to spot the potential signs of an attack and the consequences of failing to follow email security best practices. 
  • Use Two-Factor Authentication (2FA): 2FA adds an extra layer of security. This process ensures hackers cannot access a user’s account even if they manage to steal their password. 
  • Manage passwords better: Organisations should ensure all employees use a unique password for every account and regularly change their passwords. Deploying password manager software also helps, as users no longer have to worry about remembering long, complex passwords to access their accounts. 
  • Be aware of phishing emails: Phishing attacks are one of the biggest security threats facing businesses. Phishing emails are typically messages that claim to be from service providers, such as banks, that tell victims there is an important issue they need to resolve immediately. Organisations can prevent these attacks by combining email safety best practices and employee training with technology. This includes firewalls, secure email gateways (SEGs), sandboxing and Uniform Resource Locator (URL) threat defence technologies that scan for malicious links, content, and attachments. 
  • Encrypt Email: Encrypting emails ensures that emails are only received and read by the person they were intended for. It also gives email senders more control, including revoking access to messages sent to the wrong person and seeing when emails were opened and by whom.  
  • Improve endpoint and email security hygiene: Endpoint protection solutions enable organisations to monitor every device that connects to their networks. They can run system scans that track access and usage across the network, which can issue alerts and block traffic when potentially malicious activity is detected. This is especially important when users are accessing corporate systems from remote locations and when working from home. 

Employees should also avoid additional security risks, such as using public or open Wi-Fi networks and take advantage of tools like Virtual Private Networks (VPNs) that encrypt their browsing sessions. All of these security best practices are underpinned by strong email defences. This includes deploying firewalls and SEGs to protect employees from malware and phishing emails and secure organisations’ email networks from harmful or malicious content. 

Browse our latest issue

Intelligent SME.tech

View Magazine Archive