Why Email Security Is Critical For Every Business - And How To Improve It
Fri 22nd April 2011
If we're honest, it's easy to ignore these warnings, easy to feel that they warn of impending catastrophe without any noticeable consequences to ourselves, and perhaps easy to feel that they might be a little too technical for us to concern ourselves with.
But a substantial majority of these warnings are genuine, and although they might not herald disaster across the world (and there are many in the media who have a tendency to sensationalise and exaggerate) the infection they warn of can still be a very real disaster for your business; after all, they might pass most of us by, but if you're the unlucky one who gets hit, knowing that others haven't is no consolation. All of us can help protect the organisations we work for or manage with just a little awareness of what to look out for, what to do about it, and how we can guard ourselves against these attacks in future.
First, we need an explanation of terminology. When you hear about an infection or attack that's being transmitted through email, what's actually happening is that a small program (called malware) is secretly attached to a message. It'll be hidden within an attachment that looks innocent - perhaps a picture or a video file - and when you download the innocent-looking attachment onto your computer to look at it, the program automatically installs itself on your computer and sets to work.
It's common to use the word 'virus' to cover all malicious infections, but there are three types of programs that work this way: the term virus is correctly limited to programs that automatically change files on your computer to prevent it working as it should (or at all); worms have a similar result, but damage your computer by replicating themselves until a drive is full up and stops operating; and trojans (named after the Trojan horse) are programs that allow a computer to be used for malicious purposes. The last are perhaps the most insidious, for whereas viruses and worms can destroy a computer, trojans allow information to be stolen, some by logging keystrokes to obtain your passwords, others by allowing an individual to control your computer remotely and gain access to all your sensitive files. The impact of this for individuals and organisations is clear and potentially catastrophic.
It can't be stressed enough that viruses and worms are capable of automatically reproducing themselves (and viruses, having self-replicated, are able to carry trojans with them onto the next host machine) - so once a computer is infected, any attachment sent from that computer can have malware hiding within it, and neither sender nor recipient would know that it's there. Because of this, keeping the whole of a company's network secure is absolutely critical - as easily and widely as infections can covertly reproduce themselves and transmit themselves from one computer to another, they can't do anything if they've no way in to begin with.
One of the most effective means of defence is a digital signature. In principle, this is much the same as providing a signature on a paper document: adding a distinctive and individual mark to prove that the author is who they say they are. But rather than a physical image, a digital signature is a code that's automatically stamped onto a message by email software (such as Microsoft Outlook), and should also be registered with a Certification Authority. When you receive a message with a digital signature, your computer will automatically compare it to that stored by the Certification Authority, and let you know whether it's valid or not.
This might seem unnecessary if your inbox is mostly full of messages from friends and family, but any business email account might receive regular communication from individuals and organisations you don't personally know. Whether it appears to be from another company that you work with, or from a colleague you're not familiar with, it's important to be sure that the source is trustworthy and who they claim to be - unfortunately, it's entirely possible for an individual with malign intent to pose as someone you'd expect to trust and to use that position to infect your organisation's network. If you insist on digitally signed emails at work, that possibility is cut out entirely.
Of course, there may still be occasions when you receive email without a valid digital signature - if you're using Outlook, the software will alert you automatically. What you do then is up to you (although you should never simply disregard the warning: it's there for a good reason), but there are still other precautions you ought to consider taking. The message may purport to be from someone you know to be trustworthy, but we should never assume the email is from who it claims to be from; in this case, there's no harm in simply getting in touch with the supposed sender and checking that it is from them. Also, if your organisation has an IT department or support contract, contact them; they will likely be able to give you advice specific to your business situation and needs.
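To make the "signed or not" decision concrete, here is an added example (not part of the original article) of how a mail gateway could sort incoming messages by whether they carry an S/MIME signature at all. The decision labels and sample messages are constructed for illustration, and the check is structural only: a message that passes still has to go through a real S/MIME verifier before its signature can be trusted.

```python
from email import message_from_string

# S/MIME media types (RFC 8551); the x- forms are legacy aliases still in use.
SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
ENVELOPED = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def signature_form(msg):
    """Return 'detached', 'opaque' or None. Structural check only, no crypto."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        parts = msg.get_payload()
        proto = str(msg.get_param("protocol") or "").lower()
        if (proto in SIG and isinstance(parts, list) and len(parts) == 2
                and parts[1].get_content_type() in SIG):
            return "detached"
    elif ctype in ENVELOPED:
        if str(msg.get_param("smime-type") or "").lower() == "signed-data":
            return "opaque"
    return None

def attachments(msg):
    """File names of attached parts, ignoring the signature blob itself."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and p.get_content_type() not in SIG]

def triage(raw):
    """Map a raw message to a handling decision (labels are hypothetical)."""
    msg = message_from_string(raw)
    form, files = signature_form(msg), attachments(msg)
    if form:
        return ("verify-signature", files)   # hand to a real S/MIME verifier next
    if files:
        return ("hold-for-review", files)    # unsigned and carries an attachment
    return ("deliver-with-warning", files)   # unsigned, body only

# Constructed sample messages (not real mail).
SIGNED = (
    'From: alice@example.com\nSubject: Invoice\nMIME-Version: 1.0\n'
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    ' micalg=sha-256; boundary="b1"\n\n'
    '--b1\nContent-Type: text/plain\n\nInvoice to follow.\n'
    '--b1\nContent-Type: application/pkcs7-signature; name="smime.p7s"\n'
    'Content-Disposition: attachment; filename="smime.p7s"\n\nCONSTRUCTED\n--b1--\n')
UNSIGNED = (
    'From: alice@example.com\nSubject: Photo\nMIME-Version: 1.0\n'
    'Content-Type: multipart/mixed; boundary="b2"\n\n'
    '--b2\nContent-Type: text/plain\n\nSee attached.\n'
    '--b2\nContent-Type: image/jpeg\n'
    'Content-Disposition: attachment; filename="photo.jpg"\n\nCONSTRUCTED\n--b2--\n')

if __name__ == "__main__":
    for raw in (SIGNED, UNSIGNED):
        print(triage(raw))
```
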
Being vigilant where potentially harmful email is concerned doesn't mean panicking and assuming that everything is destructive, but rather being aware of danger and applying common sense. Think of it this way: if a friend comes to your house, you'd let them in; if someone comes to check the electricity meter, you'd expect verifiable ID to prove they're who they say they are, and if they have it you'd let them in; but if someone turns up claiming to have a right to enter, but with no ID or evidence to support that claim, you'd turn them away. It's the same with email: trust where it's clear you can do so, but be cautious when it isn't.
As we've said, Microsoft Outlook can help protect the security of your computer and network automatically, without you having to worry. It's certainly worth considering a short training course for you or your staff to ensure the most effective and secure use of the software - after all, being able to communicate with confidence is vital for every business. The integrity of your business information and continued operation of the organisation's network are both essential at all times; with Outlook, you know they'll always be protected.