You’ve implemented the strongest firewalls. Your passwords are 100 character strings that must contain Capitals, lowercases, and special characters in non-repeating patterns. You skipped over two-factor and went straight to five-factor authentication. Everything is retina scanned. Your encryption is encrypted.
And one email from a prince needing money wired to his account brought the whole thing crashing down.
For most SMBs, email is the weakest link in their security strategy, and it's an attractive target for good reason. By its very nature, it is a direct line of open communication with the world at large. Unrestricted, ungated, unfiltered access is available to anyone who knows a business’ email address—unless the proper steps are taken. It’s no wonder that this very week, email giants such as Google, Amazon, Microsoft, Comcast, LinkedIn and Yahoo came together to publish a new email security standard, known as SMTP Strict Transport Security (SMTP STS), that sets new rules and policies for encrypted email.
The need for strong email security has its roots all the way back in 1982, the year that email was effectively invented with the introduction of the Simple Mail Transfer Protocol (SMTP), which allowed email messages between clients and servers, regardless of provider. (In a strange coincidence, Tron was also released in theaters that year, but no correlation has been identified—yet.) It was built in a different time with a more laissez faire philosophy toward security, with no idea of how fundamentally it may change the world. As such SMTP had no encryption built in to email, allowing it to be vulnerable almost immediately upon its adoption. Twenty years later, an extension to SMTP was developed as an add-on to increase security. Known as STARTTLS, it allowed for transport layer security (TLS) between email connections. And, while its adoption has increased in recent years, many vulnerabilities remain. A large amount of email remains entirely unencrypted. It is easy to downgrade STARTTLS encryption, leaving it vulnerable to “man in the middle” attacks that allow a hacker to intercept and change the contents of an email while on its way to the recipient.
The new standard, SMTP STS, addresses several of these concerns, but as an MSP, there are many process and measures you will need to provide your clients in order to have a rock-solid email security strategy. Let’s look at a few.
1. Deploy a Security Package.
Security-as-a-service is less about being a hot trend than a forgone conclusion among many MSPs, because if you don’t offer it, eventually your competitor will. Security tools like Webroot offer endpoint security and also tie into IT management platforms such as Continuum, which will strengthen your total MSP offering and increase client security across the board.
2. Configure Multi-Layered Email Filters.
Most email compromises occur due to attachments, so it’s absolutely necessary to scan email attachments. Additionally, spyware and messaging protection are also widely available as well. The real challenge is to adjust security filters to block out dangerous email and keep safe email out of your users' spam folders. It’s not enough just to lock it all down; an efficient email security strategy needs to be nimble enough to adapt to threats, smart enough to allow the right mail through, and fast enough to not impede day-to-day efficiency and communications.
3. Keep Definitions Up to Date.
Plain and simple—your security is only as good as your last update, and keeping your Exchange Server patches and black lists up to date is vital to the success of your clients (and your profitability). Partnering with a fully-managed network operations center (NOC) solution can often alleviate much of the burden here, allowing you and your team to think strategically about security policies, rather than staying in the thick of deployments across your client base.
4. Encrypt Whenever Possible.
Once the purview of the government, lawyers, banks and accountants, encrypted email is no longer reserved for only some. When used properly, email encryption is strong and extremely hard to compromise. As mentioned prior, recent years have shown a marked adoption of encryption as a standard, so don’t leave your clients’ information exposed—encrypt whenever possible.
5. What about Mobile Device Management (MDM)?
Unlike most SMB business functions, email security is a 24x7x365 concern, across many devices including desktops, laptops, tablets and phones. Taking the next step with your email security policies may mean enacting an MDM solution to maintain security when communication moves out of the office and on to employees’ personal devices.
It’s unlikely that we’ll see a day that email communication is 100 percent secure, but options exist to get closer to that goal. This week, huge steps were made to make email more secure, but SMBs, for the foreseeable future, will need a managed IT services provider to be a trusted resource to provide a secure business environment.
By Lily Teplow
By Brian Downey
By Dave LeClair