Email Security

Written by Matthew Harris on 26th June 2017
Cyber Security


Once again there has been a story about a cyber-attack in the public sector, this time centred on weak passwords. The Parliamentary Digital Service had policies on what a password must look like, yet up to 90 users had not followed them.

I have had a lot of conversations with customers about cyber security. Without doubt, the most commonly overlooked (or ignored!) area is passwords, including:

  • Simple passwords (family, pet, birthday etc.)
  • Passwords written on post-it notes and/or in a notebook
  • Passwords kept in spreadsheets (secured or unsecured)
  • Using default passwords
  • Not changing passwords regularly

The people with the power and authority to run and manage the business can do the greatest damage when their accounts are compromised. Ironically, they are the people least likely to have the time to work on security, or to know how to protect themselves.

  1. Example: Sharing user IDs.

The MD is going on holiday and leaves their IT credentials with a colleague to cover for them while they are away. The colleague leaves the company some time later and their own credentials are removed. However, they kept a copy of the MD's login details, and because the MD does not like changing passwords they can log in whenever they choose. Shared credentials also defeat your audit trail: everything done under the MD's account is recorded as the MD. Delegated access to the mailbox, or a shared credential held in a vault with role-based access and rotated when the colleague leaves, avoids both problems.

 

  2. Example: Spear phishing.

Two different phishing emails are sent over two days to a small group of users. An email titled "2017 Recruitment Plan" hits your filters and is put in junk, but you only need one employee to retrieve it and open the attached .exe, .pdf or .xls file for a backdoor to be installed. The phishing activity successfully harvests credentials, leading to any of the following outcomes:

  • The "boss" emails finance from a legitimate, compromised inbox asking them to pay a fraudulent invoice
  • The attacker sets up email forwarding for all inbound and outbound mail and tracks all communications
  • The MD's email account at a small business is used to break into the next largest organisation in the supply chain, as attackers look for a back door into an enterprise account
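One of the outcomes above, a forwarding rule quietly added to a compromised mailbox, is something you can actively check for. The Python below is an added example written for this article, not code from the original post or from any mail product. It runs a simple audit over mailbox forwarding settings and inbox rules, flagging anything that sends mail outside the organisation's own domains, anything that deletes the message after forwarding (so the owner never sees it), and rules with an empty or one-character name. The record layout, the field names and the sample data are all constructed for the example; in practice you would populate them from your mail platform's admin export (on Exchange Online, for instance, the output of Get-Mailbox and Get-InboxRule).

```python
"""Audit mailbox forwarding for the persistence trick described above.

Added example: flags mailbox-level forwarding and inbox rules that send
mail outside the organisation, delete after forwarding, or hide behind
an empty / one-character rule name.
"""
from typing import Dict, Iterable, List

# Assumption: the organisation's own mail domains; anything else is external.
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample data. Field names are an assumption, loosely modelled
# on what mail-platform admin tools export for mailboxes and inbox rules.
SAMPLE_MAILBOXES: List[Dict] = [
    {"mailbox": "md@example.com",
     "forwarding_smtp_address": "md.archive@mail-lookalike.net"},
    {"mailbox": "finance@example.com", "forwarding_smtp_address": None},
    {"mailbox": "sales@example.com", "forwarding_smtp_address": None},
]
SAMPLE_RULES: List[Dict] = [
    # Classic attacker rule: one-character name, external target, deletes the copy.
    {"mailbox": "md@example.com", "name": ".", "enabled": True,
     "forward_to": ["collector@outside-mail.io"], "redirect_to": [],
     "delete_message": True},
    # Legitimate internal delegation; must not be flagged.
    {"mailbox": "finance@example.com", "name": "Invoices to Bob", "enabled": True,
     "forward_to": ["bob@example.com"], "redirect_to": [],
     "delete_message": False},
    # Disabled, but still external: worth a review at lower severity.
    {"mailbox": "sales@example.com", "name": "Partner copy", "enabled": False,
     "forward_to": [], "redirect_to": ["partner@partner.example.org"],
     "delete_message": False},
]


def domain_of(address: str) -> str:
    """Domain part of an SMTP address, normalised for comparison."""
    return address.rsplit("@", 1)[-1].strip().lower()


def is_external(address: str) -> bool:
    return domain_of(address) not in INTERNAL_DOMAINS


def audit_forwarding(mailboxes: Iterable[Dict], rules: Iterable[Dict]) -> List[Dict]:
    """Return one finding per suspicious forwarding setting or inbox rule."""
    findings: List[Dict] = []

    # Account-level forwarding set on the mailbox itself.
    for mb in mailboxes:
        target = mb.get("forwarding_smtp_address")
        if target and is_external(target):
            findings.append({"mailbox": mb["mailbox"], "kind": "mailbox_forwarding",
                             "targets": [target], "severity": "high",
                             "reasons": ["external_target"]})

    # Per-rule forwarding / redirection.
    for rule in rules:
        targets = (list(rule.get("forward_to", [])) + list(rule.get("redirect_to", []))
                   + list(rule.get("forward_as_attachment_to", [])))
        external = [t for t in targets if is_external(t)]
        if not external:
            continue  # internal-only forwarding is normal delegation
        reasons = ["external_target"]
        enabled = bool(rule.get("enabled", True))
        severity = "high" if enabled else "medium"
        if rule.get("delete_message"):
            reasons.append("deletes_after_forward")  # hides the trail from the owner
            if enabled:
                severity = "critical"
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("suspicious_name")
        findings.append({"mailbox": rule["mailbox"], "kind": "inbox_rule",
                         "rule": rule.get("name", ""), "targets": external,
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_forwarding(SAMPLE_MAILBOXES, SAMPLE_RULES):
        print(f["severity"].upper(), f["mailbox"], f["kind"], f["targets"], f["reasons"])
```

Run against the sample data it reports the MD's account-level forwarding, the MD's hidden "." rule as critical, and the disabled sales rule as medium, while leaving the finance team's internal delegation alone. The useful habit is to run this on a schedule and alert on any new finding, since these rules are typically created minutes after the credentials are phished.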

 

Phishing is an ever-increasing attack vector for ransomware, and overconfident users make it worse. The figures below come from a mock phishing study run by Dr Zinaida Benenson at Friedrich-Alexander University (FAU), which compared who said they had clicked with who actually clicked: 78% of participants were aware of the risks, yet 45% and 25% of people still clicked!

 

Password Vault

 

A password vault removes most of the burden and risk that users face in administering and controlling their access to systems and software.

 

Current password vulnerability                            | Password best practice
----------------------------------------------------------|----------------------------------------------------------------------------------------
Simple passwords (family, pet, birthday etc.)             | Password vault: one complex password to remember, which holds all your other passwords
Passwords written on post-it notes and/or in a notebook   | Password vault policies: nothing is written down; everything is stored securely in electronic form
Using default passwords                                   | Password vault policies: automatic prompting to change the password
Not changing passwords regularly                          | Password vault policies: automatic policies prompting for a quarterly password change

One caveat on the last row: current NCSC and NIST guidance advises against forcing users to change passwords on a fixed schedule, because it pushes them towards predictable variations of the old one. Use the vault's expiry policy to force a change when a password is a default, has been shared, or is suspected compromised, and let the vault generate long random passwords that do not need routine rotation.

 

Password vault additional benefits:

  • Role-based access
  • Two-factor authentication
  • Auditing and compliance reporting
  • Automatic backups of the password vault
  • Reset passwords everywhere
  • Mobile client support

 

 

 

For SMB organisations that handle highly confidential and/or personal data this takes on a higher priority, because the General Data Protection Regulation (GDPR) applies from 25 May 2018. By combining a password vault with two-factor authentication and good user training, you can significantly reduce the exposure and vulnerabilities of both your business and your customers.

 

 

2-Factor Authentication

Two-factor authentication means that a guessed, shared or phished password is not enough on its own: the attacker also needs the second factor, typically a one-time code from an app or token in the user's possession. By combining two-factor authentication with a password vault that has group and policy controls, you are well on your way to enhancing the security of your business and your customers.
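To show what that second factor actually computes, and how a server should check it, here is an added example written for this article (not code from the original post or from any authenticator product). It implements time-based one-time passwords as specified in RFC 6238 on top of RFC 4226, and the secret and expected codes in the comments are the published RFC 6238 test vectors, so the output can be checked against the standard. The clock-skew window and the replay check are design choices made for the example.

```python
"""Time-based one-time passwords (RFC 6238 on top of RFC 4226 HOTP).

Added example: shows what the "second factor" in 2-factor authentication
computes, and how the server side should verify it.
"""
import hashlib
import hmac
import struct
from typing import Tuple

# Published RFC 6238 test secret (ASCII "12345678901234567890"), used only
# so the outputs below can be checked against the RFC's own table.
RFC_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per counter value, the usual authenticator-app default


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238: the HOTP counter is the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_counter: int = -1, digits: int = 6,
                step: int = TIME_STEP, window: int = 1) -> Tuple[bool, int]:
    """Server-side check of a submitted code.

    - Accepts the code for the current step and +/- `window` neighbouring
      steps, to tolerate clock drift between the user's phone and the server.
    - Refuses any counter <= last_used_counter, so a code captured by a
      phishing page cannot be replayed inside its validity window.
    - Compares in constant time.
    Returns (accepted, counter_to_store_as_last_used).
    """
    if not submitted.isdigit() or len(submitted) != digits:
        return False, last_used_counter
    current = unix_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (8-digit, SHA-1).
    for t, expected in [(59, "94287082"), (1111111109, "07081804"),
                        (1234567890, "89005924"), (20000000000, "65353130")]:
        assert totp(RFC_SECRET, t, digits=8) == expected, t
    # A code stays valid across a small clock skew, but only once.
    ok, used = verify_totp(RFC_SECRET, "94287082", unix_time=85, digits=8)
    assert ok and used == 1
    ok, _ = verify_totp(RFC_SECRET, "94287082", unix_time=85,
                        last_used_counter=used, digits=8)
    assert not ok  # replay rejected
    print("all checks passed")
```

The point for the phishing scenario above is the replay check: a real deployment must persist the last accepted counter per user, otherwise a code harvested by a fake login page is good for the attacker for up to 90 seconds with the window shown. Note also that TOTP only proves possession of the shared secret at that moment; against a live proxying phishing site only a phishing-resistant factor such as a FIDO2 security key holds up.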

 

 

User Training

 

Another part of the equation is user training. Here we address the heart of the problem by offering a Cyber Awareness Session for non-technical users and business leaders.      

 

No systems are 100% secure, however, by combining Cyber Security best practices around your technology, users and processes, you have a fighting chance.

 

Regards

Matthew


Have a question? Get in touch.

info@mdinetworks.com

02392 482556

MDI Networks Limited

Ferryspeed Business Park, Limberline Road, Hilsea, Hampshire, PO3 5JT