Nine tips for the C-Suite: how to ensure you don’t get caught out by employees’ emails

As home and work lives merge, with employees using personal smart devices for email, IT experts offer security advice for business leaders to pass on to their staff

With the wealth of digital devices now available, employees increasingly rely on their smartphones and tablets to fit work around their personal lives outside the office. Some companies may encourage employees to stay away from their emails, but for many this ‘always on’ culture is quickly becoming the norm. As a result, checking email has become a compulsive habit, and the ‘mail’ app is almost another social media platform that gets refreshed constantly.

From a C-level perspective, an employee having a quick check of their work emails outside the office may seem harmless – but it can end up having a catastrophic effect on your business. With this in mind, nine IT experts share their tips with the C-suite on how to keep employees safe wherever they are.

1. Don’t connect to unencrypted Wi-Fi

“As boundaries between work and personal life continue to blur, employees are increasingly dipping into work emails or documents whilst they’re away,” says Paul Rose, Chief Information Security Officer at Six Degrees.

“Any device will require a data connection to transmit and receive information, and this often means jumping on slightly suspicious looking Wi-Fi.

“All unencrypted Wi-Fi – where you do not need to enter a password to connect – is susceptible to cyber-attack. Cybercriminals can use unencrypted Wi-Fi to harvest data, and they are often able to intercept anything that is sent to and from a device. This can include emails, images, usernames, passwords, attachments and cookies; potentially incredibly damaging in the wrong hands.”

2. Connect over a secure Virtual Private Network (VPN)

“Palo Alto’s research found that over a third of UK workers would be likely to use their work device on an open Wi-Fi network when they go on holiday,” comments Tim Bandos, Vice President of Cybersecurity at Digital Guardian; though as he explains, it’s not just holidays but evenings and weekends too that are a cause for concern. “This study not only suggests we have a difficult time in disconnecting from the work world, but also individuals are on the ready to overlook traditional company policy in avoiding these types of practices.

“Connecting to open Wi-Fi networks can leave your PC at risk for attackers to discover and target your device; along with the possibility of capturing your web traffic data. If you must connect, you should always use a secure VPN over an open connection or seek out secured Wi-Fi services in order to encrypt your communications properly and safeguard your computer.”

3. Provide proper training

“All businesses should encourage employees to understand that they are the best line of defence when it comes to cyber-security. To do this, organisations must create a culture of cybersecurity across the entire team that they will carry with them, not just in the workplace, but also when working remotely. My advice would be to perpetuate this culture by providing proper training,” shares Graham Marcroft, Operations and Compliance Director at Hyve Managed Hosting. “Raising company-wide awareness of things like phishing attacks, safe password management and how to protect sensitive information, will mean employees make better informed decisions about potential security risks.”

4. Be aware of phishing scams

“Many network attack vectors start with a link to a phishing URL,” explains Derek Lin, Chief Data Scientist at Exabeam. “A carefully crafted email containing the malicious link is sent to an unsuspecting employee. As soon as it’s clicked, the cycle of information loss and damage begins. Any company that houses sensitive data – especially electronic healthcare records – should aim to nip this problem early on by identifying and alerting on these malicious links.

“There are many public and commercial data providers that offer blacklisting services or databases for potential phishing domain/URL lookup. However, like any signature-based approach, newly-crafted phishing URLs cannot be identified this way. New machine learning approaches can actually flag a suspicious phishing URL previously unknown to blacklist data providers and should be considered by frequently targeted industries, like healthcare.”
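The two-stage approach Lin describes – a blacklist lookup first, then a second pass that can flag URLs the list has never seen – is illustrated below with a small Python scanner. This is an added example, not Exabeam's code or any vendor's product: the blocklist, the protected brand, the sample email and the reserved `.test`/`.example` domains are all constructed, and the second stage uses a handful of hand-written heuristics (IP-literal hosts, brand names on foreign domains, userinfo tricks) as a transparent stand-in for the machine-learning classifier the quote refers to.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed stand-in for a commercial phishing-domain feed (hypothetical names).
BLOCKLIST = {"login-verify-example.test", "secure-update.example.net"}

# Brands the defender expects to see only on their own domains (constructed).
PROTECTED_BRANDS = {"acmebank": {"acmebank.example"}}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample email body mixing a blocklisted, a lookalike and a clean link.
SAMPLE_EMAIL = "\n".join([
    "Your mailbox is almost full. Verify here: http://login-verify-example.test/reset",
    "Or confirm your bank details: http://acmebank.example.account-check.test/login",
    "Our real portal is https://www.acmebank.example/login",
])


def extract_urls(text):
    """Pull every http(s) URL out of an email body."""
    return URL_RE.findall(text)


def _registered_domain(host):
    # Naive: the last two labels. A production system would consult the public suffix list.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def heuristic_score(url):
    """Second stage: score a URL that no blocklist knows about. Returns (score, reasons)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    score, reasons = 0, []
    if _is_ip_literal(host):
        score += 3; reasons.append("ip-literal host")
    if host.count(".") >= 3:
        score += 1; reasons.append("many subdomains")
    if "@" in parsed.netloc:
        score += 2; reasons.append("userinfo before host")
    if len(url) > 75:
        score += 1; reasons.append("long url")
    reg = _registered_domain(host)
    for brand, legit in PROTECTED_BRANDS.items():
        if brand in host and reg not in legit:
            score += 3; reasons.append(f"brand '{brand}' on foreign domain {reg}")
    if parsed.scheme == "http":
        score += 1; reasons.append("plain http")
    return score, reasons


def classify_url(url, threshold=3):
    """First stage: exact blocklist match; otherwise fall through to heuristics."""
    host = (urlparse(url).hostname or "").lower()
    if host in BLOCKLIST or _registered_domain(host) in BLOCKLIST:
        return "blocklisted", ["exact blocklist match"]
    score, reasons = heuristic_score(url)
    return ("suspicious" if score >= threshold else "unknown"), reasons


def scan_email(body):
    """Map every URL in the body to its verdict and reasons."""
    return {url: classify_url(url) for url in extract_urls(body)}


if __name__ == "__main__":
    for url, (verdict, why) in scan_email(SAMPLE_EMAIL).items():
        print(f"{verdict:12} {url}  ({'; '.join(why)})")
```

The heuristic stage is deliberately simple so that every alert carries a human-readable reason; a real deployment would replace `heuristic_score` with a trained model but keep the same blocklist-first, unknown-URL-second flow, and the thresholds would be tuned against the organisation's own mail.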

5. Educate your employees based on past experiences

“If you work in the technology industry, it’s likely you’ve gotten a call from an upset customer who’s fallen prey to a tech scammer,” says Jeff Bishop, CPO at ConnectWise. “They received a scary email informing them that their computer was infected and all their files were at risk. Disturbed by the notion that they might lose all their data, they complied with the instructions and allowed the stranger on the other side to remotely access their machine.

“Proactive and continuous customer outreach and education will go a long way in showing that you care about their cyber safety. And if you pair those efforts with remote support and access software that offers transparency and security, you’ll be well on your way to establishing your business as a trusted technology advisor.”

6. Know what a suspicious email looks like

“Social engineering attacks are a go-to method for hackers,” advises Steve Wainwright, Managing Director EMEA at Skillsoft. “They rely on unwitting, unsuspecting and, at times, careless employees.

“The key to defending against this type of threat is education. By training employees to question and look out for suspicious emails – for example, checking if the sender email address looks odd and scanning the email for poor grammar and spelling – organisations can reduce the likelihood of successful attacks. Giving employees the skills and knowledge they need to identify potential attacks is the best way of mitigating the insider threat risk.”
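Wainwright's advice to check whether "the sender email address looks odd" can be turned into a concrete pre-delivery check, shown here as an added example that is not Skillsoft's code. It assumes a constructed set of trusted domains and a constructed message; it parses the `From` and `Reply-To` headers with Python's standard `email` module and reports three things a trained employee would also look for: a display name that borrows a trusted brand while the address does not belong to it, a `Reply-To` pointing somewhere other than the sender's domain, and a sender domain within a small edit distance of a trusted one.

```python
import email
from email.utils import parseaddr

# Constructed trusted domains; ".example" is a reserved TLD so nothing here is real.
TRUSTED_DOMAINS = {"acmebank.example", "company.example"}

# Constructed phishing message: "acrnebank" (r-n) imitates "acmebank" (m).
SUSPICIOUS_RAW = "\n".join([
    'From: "Acme Bank Support" <support@acrnebank.example>',
    "Reply-To: collect@freemail.test",
    "To: employee@company.example",
    "Subject: Urgent: verify your account",
    "",
    "Your account will be suspended unless you confirm your details.",
])

# Constructed legitimate message for comparison.
CLEAN_RAW = "\n".join([
    'From: "Acme Bank Support" <support@acmebank.example>',
    "To: employee@company.example",
    "Subject: Your monthly statement is ready",
    "",
    "Log in to the portal to view it.",
])


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def levenshtein(a, b):
    """Classic edit distance; small enough to keep inline."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted, max_distance=2):
    """Return the trusted domain this one resembles, or None."""
    for t in trusted:
        if domain != t and levenshtein(domain, t) <= max_distance:
            return t
    return None


def check_sender(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of (finding, detail) tuples; an empty list means nothing odd was seen."""
    msg = email.message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Display name uses a trusted brand, but the address is not on that brand's domain.
    squashed = display.lower().replace(" ", "")
    for t in trusted:
        brand = t.split(".")[0]
        if brand in squashed and from_domain != t:
            findings.append(("brand-impersonation", f"'{display}' sent from {from_domain}"))

    # 2. Replies are routed to a different domain than the visible sender.
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_domain = domain_of(parseaddr(reply_to)[1])
        if reply_domain != from_domain:
            findings.append(("reply-to-mismatch", f"From {from_domain}, Reply-To {reply_domain}"))

    # 3. Sender domain is a near-miss spelling of a trusted domain.
    target = lookalike_of(from_domain, trusted)
    if target:
        findings.append(("lookalike-domain", f"{from_domain} resembles {target}"))

    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("clean", CLEAN_RAW)):
        print(label, check_sender(raw) or "no findings")
```

Each finding names the header and the reason, so the same output can drive an automated banner on the message and a teaching moment in awareness training; the edit-distance threshold of two catches single-character swaps such as the `rn`/`m` substitution used in the sample while leaving genuinely different domains alone.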

7. Check your device is secure

“When an employee leaves the corporate network behind and accesses business email, data and files directly from their unsecured device, their organisation loses its traditional ability to protect its data and exposes the business to a great deal of risk,” comments Anurag Kahol, CTO at Bitglass.

“The best approach here is for IT teams to switch their focus from securing the device to securing data. Rather than focusing on whether or not a device is ‘trusted’, IT teams should ensure that company data is safe, no matter where it travels.”

8. Sanity check the business’ security

“When employees are working remotely, it is vital for businesses to recognise how to strengthen their security to help prevent potentially devastating attacks from affecting them,” comments Steve Nice, Chief Technologist at Node4. “The first step is to find and understand what their security flaws are with a Vulnerability Testing programme – understand where the weaknesses are and support these areas rather than spending money on unnecessary security infrastructures before knowing where the holes in the defence really lie.”

9. And in the event a disaster does occur? Roll back and recover

“Ransomware is a huge threat to businesses and even just a single employee clicking a malicious link in their emails will mean a ransom must be paid for all business data encrypted,” says Avi Raichel, CIO at Zerto. “Cyber-criminals often exploit vulnerabilities in employee emails, so it is crucial to have the right cyber-defences in place to avoid a disaster where customer data, and a lot of money, could be at risk.

“In the event of any disaster, businesses should utilise tools that allow them to roll back and recover all of their systems to a point in time just before an attack. This level of disaster recovery is paramount, as emails continue to exist at the core of most businesses, they remain a standing target for ever-sophisticated cyber criminals.”