Even though our digital landscape has shifted drastically in the last 10 years, email is still an integral part of a small business’s online engagement. 99Firms estimates that there are over 3.9 billion email accounts worldwide, and that number isn’t surprising considering how much of our online lives are still tied to our email. Registering a Facebook account? You’ll need an email for that. Verifying your presence on Google? You’ll need an email for that. Sending files to a customer or client? Email is likely your first go-to for that as well. So how do we deploy best-practice email security measures in 2021? Read on for my 6 in-depth tips for small businesses.
1. Understand what company or service hosts your email
Every email account is hosted somewhere, with some company, and it’s important that you understand that structure before you proceed with securing your account. Some of you may have your email hosted through Google Workplace (formerly G Suite). Some may acquire your email through your website hosting provider. And some of you might not really know where your email account comes from, and that’s why this is an important first step.
Identifying your email service is fairly easy:
We can usually identify who hosts or manages our email by looking at how we access that email. If we have to log in to Google, then it’s evidently hosted through Google. If we login to our own domain by visiting a URL like https://mail.example.com, it’s likely hosted with our website. Understanding where our email is hosted will give us a better understanding of the steps we need to secure those accounts. For example, my email that is listed at the bottom of my site is firstname.lastname@example.org. I have purchased the domain and then host my email through ProtonMail, an encrypted email service based in Switzerland. This means that all of my email account contents (inbox, sent messages, trash, contacts, etc.) are stored in an encrypted format on their servers and only accessible with my password. I now know that my email will be secured with a password that will be able to decrypt the mailbox. If I choose a strong password and keep it memorized, ProtonMail will safeguard my email from many avenues of attack.
Once we have understood what service is providing our email, we can begin looking at how to secure that service. Email hosted on our own server, say through a cPanel environment, means that the content is stored on servers we pay to host our content. Email hosted through a third party, like Google, Microsoft, Namecheap, ProtonMail, etc., is done by subscribing to their service. With the former, we are largely in control of the security of our accounts and email environment. The latter hands this control off to another company in many regards. With both, our accounts’ security will almost always fall back to the user and how we choose to secure those accounts.
2. Adopt proper password practices and routines to enhance email security
In the year 2000, we only had roughly 413 million Internet users. That number has since grown to over 3.4 billion in 2016. With this increase, we’ve also found ourselves in the middle of a technology explosion of sorts. Dial-up Internet, floppy disks, and massive monitors have been replaced with Gigabit speeds, terabyte hard drives, and computers that fit inside our pockets. Of course, this digital growth isn’t all positive either. It is estimated that cybercrime will cost the world $6 trillion by the end of 2021 and that Americans will lose $15 billion annually this year due to identity theft. Our digital landscape is changing rapidly, and as small business owners, it’s often tough to keep up.
So, using the same eight-character password that just so happens to be your dog’s name with a 1 and an exclamation mark at the end isn’t going to cut it in 2021, especially if that password is reused across multiple sites. My personal password strategy revolves around 3 fundamentals.
- Longer passwords are strong passwords. I hate when companies come up with complex password requirements for their users. because Everest tomorrow@9 has more entropy (stronger) than MeEka!!1999_dog and isn’t nearly as difficult to remember or type in.
- Reusing passwords is a quick route to compromise. We shouldn’t be reusing passwords online either. It’s not proper practice and can lead to major digital compromise.
- We shouldn’t have to remember more than a handful of passwords. That’s right! I want all my passwords to be different, but I only want to remember 5-10 of them.
How we deploy this strategy properly:
Looking at the above personal requirements for passwords (which I have been deploying with friends, family, and small businesses for 2-3 years now), you might be wondering how it’s even possible. There are actually a few ways one could achieve this. Some are not ideal methods because of the risk of compromise or failure (like writing them down in a password book). Others are more complicated (like developing your own Password Memorization System as I did. The middle ground would be deploying a password manager like Bitwarden. Password managers are great because they allow you to store sensitive information in an encrypted format, offering you the luxury of using longer passwords that you do not need to remember.
I wrote a little bit about Bitwarden in my draft paper: Account Takeover via Mobile Compromise, but I would also encourage you to check out their website and YouTube Channel. I feel like it is currently the best solution for small businesses when it comes to password management and doesn’t have an incredibly steep learning curve if you take some time to understand the basics. Bitwarden allows me to generate and use 20 character passwords for nearly every website/service I use online without remembering any account information. I only need to remember my vault password; it stores the rest securely. Alternatives would be services like KeePassXC, LastPass, or 1Password.
3. Consider adding 2-factor authentication to your account
A password is something we remember (unless we’ve deployed a password manager). Two-Factor Authentication (2FA, Multi-Factor Authentication, MFA, Two-Step Verification, etc.) is based on something we have. We are off to an excellent start if we deploy a password manager and generate random passwords for each website that we use. But if we want to enhance these accounts’ security, then we should be deploying 2FA as well. Ideally, we would do this with every account that we can. But if you’re just starting out, you could consider just doing it for your major accounts (Email, PayPal, Bank, and Facebook/Instagram).
Enabling two-factor authentication:
When we enable 2FA, we add a second step into the login process using something that changes. If an attacker were to get our password for our email, they would also need our second step of authentication to log in. Likely the most common form of 2FA would be a One-Time Password. There’s a great overview of 2FA from Duo on their YouTube Channel here. My current setup with 2FA contains 45 accounts stored inside of Authy, which I would argue is the best free solution for 2FA. Every time I log in to a website where 2FA is enabled, my first step is to autofill the credentials using Bitwarden. I then bring up the Authy app on my phone, watch, or computer and search for the website. Finally, I input the newly generated 6 digit code that Authy gives me and sign in. This means that even if someone were shoulder-surfing and grabbed my password as it was being entered, they would still need the code generated only in MY Authy app to get into my account.
Deploying 2-factor authentication to email accounts that require multiple individuals to access them can become a bit trickier. In this case, you might deploy 2FA within Bitwarden and be able to share those tokens with your team members. Many business services will also allow you to have multiple user accounts accessing that same service. Yellowpages Business Portal and Facebook are both examples of this, and more are moving towards this model continuously. I’ve also had cases where small businesses download and enable Authy or Duo on their 5-6 business computers and a manager’s phone, sharing the same account for all 6 employees. If your email account doesn’t allow for 2FA, then ensure you’re using a strong password that you do not use elsewhere on the web.
4. Keep your account details updated for maximized email security
Likely the easiest of the above 3 tips, keeping your account details updated is a great tool for ensuring you aren’t locked out of your account and helps prevent malicious account takeover. Things to keep updated in your account settings:
- Users who should have access to this account
- Password (if using long, unique passwords, I wouldn’t recommend frequent changes of your email password)
- Any two-factor auth settings
- Any account recovery settings
- Billing and address related information
- Privacy settings for that account
5. Familiarize your team with phishing emails
Verizon claims that 96% of phishing attacks come through email, while the FBI states that there were 241,324 incidents of phishing in 2020. A successful phishing attack on your business or employees could be a risk to not only their own personal information but company documents and data as well. Furthermore, if your company were to fall victim to a ransomware attack, you could find yourself scrambling and unable to provide services to your customers properly. This sort of attack crippled SaskPolytech back in the fall of 2020, all because a staff member opened an attachment in an email. Because they had already moved to an online learning model, they prioritized getting their students back into their virtual classrooms, which took a total of 10 days, according to the report. I’m sure email security will be a topic of professional development from now on for their teams.
A well-constructed and deployed phishing email could snag company login information, compromise customer data on your systems, or hold your documents and data at ransom for thousands of dollars, as noted above. As a small business, you might not have the budget for advanced firewalls, systems administration teams, and in-depth training on the topic of phishing. Thankfully, the vast majority of phishing attacks boil down to user error and can be prevented fairly easily. Here are some great resources on identifying and preventing phishing emails:
- What is Phishing?
- Phishing Attacks are SCARY easy to do!
- 7 Ways to Recognize a Phishing Email
- 19 Examples of Common Phishing Emails
It’s also a good idea to report phishing emails to your email provider so that they can block those emails or that sender from hitting other inboxes. You’d then want to notify the rest of your team that you received a phishing email, and they might be receiving it as well.
6. Boost email security with reputable cybersecurity software
The final tip I have for you is to ensure that your company computers and servers have reputable cybersecurity software on them. Cybersecurity software being an umbrella term for antivirus and antimalware tools. I’m generally very good at ensuring that I don’t click on questionable links outside of an isolated environment, download attachments from unknown senders, or forward an email that could contain malicious content. But, I still use strong antivirus and antimalware software on my systems.
My primary machine is a 2020 Macbook Pro and has built-in protective features like XProtect, Gatekeeper, and MRT. However, I still opt to have additional cybersecurity software to enhance my overall system security. Some of this software includes ransomware protection, network monitoring, a reputable VPN, and additional antivirus software. Using a Macbook Pro, iPhone, and iPad for the last 9 years has meant that I’m not as well versed in Windows security but have tried my best to keep up with the basics. I’ve found both Malwarebytes and BitDefender strong in the antivirus field and have also had success with MacAfee and Sophos (if you’re looking for some products to check out).
Conclusion: Email security takes time, but it’s worth it
Hopefully, this post has helped you understand why email security is crucial for small businesses. You don’t want to fall victim to an attack that could put you out of business for days, weeks, or even months. Nor do you want to have your Facebook page taken over and lose your online following. I hope you’ll step away from this article armed with some information about email security and how important it is for your small business. If you’re ready to dive in and tackle these 6 tips in the office tomorrow, I wish you well. If you’re feeling a bit lost and would like personalized help, you can use the form below to get in touch. Wherever you are on the journey to strong email security, I’m here to support you.
Until next time,