CASES.LU

Knowhow

Email: good practices

In brief

Email is one of the primary forms of private and professional communication. It’s a user-friendly, fast and inexpensive tool. Despite its advantages, there are still some precautions to be taken into consideration when both sending and receiving messages.

While it is true that sending company emails internally does not carry the same risk of interception when the company has its own internal mail server, it is nevertheless important to remember that the information sent is not just saved on the company’s secure server. It can also be found in the sender and recipient’s mailboxes. Most of the time, these computers are both physically and logically significantly less well protected than the servers – and are therefore more vulnerable to attack – while containing, in some cases, the exact same information, with the same classification levels, as the servers.

Therefore, emails sent within the company are often the source of the inappropriate broadcasting or distribution of confidential or secret information. This information would be more secure if it were stored in a single, protected environment, with information that could be accessed according to classification level.

The problem with loss of information is also made worse by the use of laptop computers within the company.

For the company’s security, it is also important to set up, amongst other things, specific disposal procedures for IT equipment.

Risks

Risks related to sending emails

  • Loss of confidentiality as a result of:
    • sending confidential information by email (interception or social engineering);
    • sending confidential information to the wrong recipient;
    • adding new recipients during a discussion that previously contained confidential information;
    • due to a recipient in the same company forwarding their emails to an external mailbox to receive ‘push’ notifications on their smartphones;
    • logging in to their mailbox without SSL;
    • the email server being compromised externally or internally (bad protection, bad configuration, weak administrator password, etc.);
    • the malicious extraction of confidential data by an employee;
    • the malicious extraction of confidential data from a badly protected workstation (physical security, access security, weak password or password that is visible on or near the workstation);
    • the theft of a computer with an email account;
    • the theft of an email server;
    • not following the data classification instructions;
  • Loss of integrity due to multiple versions of a document distributed through multiple company mailboxes.

Behavioural measures

  • Make sure you don’t reveal any confidential information when replying to emails. Check the legitimacy of the request and be careful not to divulge too much information when you respond;
  • the majority of emails containing attachments are follow-ups to previous discussions, meaning that they fall within a special context in which the addition of attachments is to be expected. If this isn’t the case, be very careful when you receive an email with an attachment, as this attachment may contain malicious codes;
  • ill-intentioned people often try to exploit human vulnerability, such as curiosity, pity, fear, the lure of rewards, or even libido. If you receive an email that makes allusion to any of these things, it is highly likely it is a malicious email;
    • there are many types of malicious emails, including hoaxes, phishing emails, spear phishing emails (a highly targeted type of phishing), Nigerian scams, malicious codes, and spam;
  • check if the email resembles those you have previously received from the supposed sender. The language used, way of writing, spelling, style, etc. may all be clues. If something seems odd, it’s probably a malicious email;
  • never click on links in emails where you don’t know the sender, or in particular, if there are signs the email may be malicious, as it could be a phishing email or a link towards a fake website;
  • never answer suspicious emails. By answering, you are confirming to the sender that the email address is active.

Organisational practices

  • staff training in the classification of data and associated rules;
  • staff training in risks related to social engineering;
  • try to eliminate any procedures involving attachments;
  • if opening attachments is necessary:
    • wait 4 days before opening attachments. Waiting this long gives the antivirus a chance to detect malicious codes. A minimum of 3 to 4 days is necessary to detect a new virus when it first appears and add it to the signature database for the corresponding antiviruses.
  • equip PCs used to open attachments with a less common operating system that is therefore subject to fewer attacks, e.g. ‘Linux’;
  • call the person who sent you a suspicious email and ask them if they did indeed send it. Tell them why you thought the email was suspicious;
  • avoid opening emails on critical assets or those which have access to critical assets, such as confidential information or indispensable assets.

Applicable sectoral policies

Draw up and enforce the following sectoral policies:

Technical measures

  • Make sure your antivirus software is always up to date. Normally, updates are downloaded automatically;
  • Do not use the same antivirus software on both the email server and on the workstations. This increases the likelihood of discovering malicious software. No antivirus detects more than 80% of existing malicious codes;
  • do not work at a workstation when logged on in administrator mode. Malicious codes run on these workstations will inherit your rights and will therefore be able to access and install programs on all of the computer’s accounts;
  • activate the spam filter in your email software;
  • encrypt the content of your laptop computers;
  • dutifully adhere to the equipment disposal instructions, both for servers and for computers and GSM;
  • use strong authentication tools for your webmail solutions (OTP, LuxTrust);
  • only use secure SSL log-ins for your webmail solutions.
Table of Contents