Email Security Risks and Best Practices

Nov 15, 2018


The use of email for internal and external communications in organizations has been around since the 1990s, but even with advances made to enhance email security, it remains a significant cyber risk factor. Today, over 125 billion business emails are sent and received every day, many containing links that we have grown accustomed to clicking. As you can see in the graph below from a study depicting 2015-2019 email usage growth per user in businesses, that number continues to grow year over year.


These figures matter because they illustrate the potential for a security incident or data breach to occur. According to the SANS Institute, approximately 75% of phishing, malware, and ransomware attacks enter through email, primarily through the clicking of malicious links. Organizations are more likely to suffer a breach through these social attacks than through actual network vulnerabilities. In this article, we discuss different types of email security risks and ways to enhance email security in your organization so that it does not become a hacker’s next victim.

Types of Email Security Risks

The most frequent and well-known email security risk is phishing: a hacker sends an email crafted to deceive end users into providing sensitive information such as login credentials, credit card or financial information, social security numbers, and personal identification numbers (PINs). Spear phishing has become a popular variant in which the hacker impersonates a known or trusted sender, such as the CEO or CFO, in order to acquire information of value or to direct an action such as a money transfer or the sending of sensitive data.

The man-in-the-middle attack (MitM) is an email security risk in which a hacker, phisher, or anonymous proxy positions itself between the sender and receiver of the email and retrieves any unencrypted data from it. Other prevalent email security risks include shadow IT (using applications outside the organization’s control to send large files and documents) and the use of weak passwords to protect email accounts.

See also: Managing IT Risk in Your Organization

Securing Your Email

There are preventative measures you can take to enhance the email security in your organization such as the use of email security gateways, multi-factor authentication (MFA), and encryption.

    • Email security gateways, or secure email gateways (SEGs), are a great way for organizations to secure email transmissions, prevent data loss, apply email encryption, and protect against malware. They provide functions such as inbound filtering of spam, phishing, and malicious links, outbound data loss prevention, and email encryption. Some examples of companies offering SEG products or services include Mimecast, Proofpoint, Barracuda Networks, and Cisco.
    • MFA is the method of using two or more pieces of evidence to confirm a user’s identity before they can log in and access applications. Enforcing MFA provides an extra layer of protection, enhancing your email security across your devices. Using MFA to access email makes it much more difficult for criminals who successfully phish unwitting employees: the employee clicks a malicious link and logs in to a malicious but authentic-looking login screen, and the attacker obtains the username and password this way. With MFA, the attacker still lacks a critical authenticator and cannot compromise the user’s account.
    • Encryption is the activity of protecting the content of an email from being read by anyone other than the intended recipient. Email encryption has been notoriously difficult to use from an end-user perspective, but it is improving in simplicity and usability. Some email security gateways offer email encryption, and some don’t. Email encryption comes in different types, including transport layer encryption and end-to-end encryption. End-to-end encryption is better suited for businesses: the sender encrypts the message before sending it, and the recipient uses a public/private key pair to decrypt it. However, this requires the sender and receiver to use compatible email solutions. When the recipient’s solution is not compatible, the email message must be opened, read, and responded to within a web browser, which is not typically a favorable user experience but does attain compliance and security objectives.
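To make the inbound-filtering function of a secure email gateway concrete, here is an added example (not code from the original article or from any of the vendors it names) that runs a few of the checks such a gateway applies over two constructed messages: executive display-name impersonation from an external domain, a Reply-To header that diverts replies away from the apparent sender, and anchor text that shows one host while the link points at another. The organization's domain, the executive names, and the sample messages are all assumptions constructed for the demonstration.

```python
"""Toy inbound mail filter illustrating checks a secure email gateway performs.

Added example; not the article's or any vendor's code. The domain, executive
names and messages below are constructed for the demonstration only.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed organization data (constructed): our own domain and the executives
# whose display names spear-phishing messages commonly borrow.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"Jane Smith", "Ravi Patel"}
TRUSTED_DOMAINS = {INTERNAL_DOMAIN}

# HTML anchors and bare URLs inside anchor text.
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r'https?://[^\s<"]+', re.I)


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def check_message(raw: str) -> list[str]:
    """Return a list of findings for one RFC 5322 message (empty list = clean)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = _domain(address)

    # 1. An executive's display name used from a domain we do not own.
    if display_name.strip() in EXECUTIVES and sender_domain not in TRUSTED_DOMAINS:
        findings.append(
            f"display name '{display_name}' used from external domain {sender_domain}")

    # 2. Reply-To pointing at a different domain than From, so that replies
    #    (and any attachments the victim sends back) leave the visible thread.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != sender_domain:
        findings.append(
            f"Reply-To domain {_domain(reply_to)} differs from From domain {sender_domain}")

    # 3. Link analysis: anchor text that looks like a URL for one host while
    #    the actual href resolves to another host.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, anchor in HREF_RE.findall(text):
        shown = URL_IN_TEXT_RE.search(anchor)
        if shown:
            shown_host = (urlparse(shown.group(0)).hostname or "").lower()
            real_host = (urlparse(href).hostname or "").lower()
            if shown_host != real_host:
                findings.append(f"link text shows {shown_host} but points to {real_host}")
    return findings


# Constructed sample messages (documentation-reserved names and addresses only).
SPEAR_PHISH = """\
From: Jane Smith <jane.smith@example-mail-login.net>
Reply-To: finance-desk@mailbox.invalid
To: accounts@example.com
Subject: Urgent wire request
Content-Type: text/html

<html><body>Please approve the transfer today:
<a href="http://203.0.113.9/approve">https://portal.example.com/approve</a></body></html>
"""

LEGITIMATE = """\
From: Jane Smith <jane.smith@example.com>
To: accounts@example.com
Subject: Quarterly report
Content-Type: text/plain

The report is on the intranet: https://intranet.example.com/reports
"""

if __name__ == "__main__":
    for label, raw in (("spear-phish", SPEAR_PHISH), ("legitimate", LEGITIMATE)):
        print(label, check_message(raw))
```

Each finding is a signal for scoring or quarantine review rather than an automatic block: a mismatched Reply-To is also common on mailing lists, and a display-name match on an external domain may be a contractor with the same name, which is why production gateways combine such checks with reputation data, authentication results (SPF, DKIM, DMARC), and user reporting.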

As the use of email for internal and external communication continues to increase in organizations, email security will be paramount for safeguarding data and information. Training your employees on email security best practices, and educating them on how to identify, detect, and report phishing tactics, will help your organization address the security challenges and privacy concerns that email brings.

For questions regarding email security or to speak with one of our security professionals about our Cyber Risk Management Program, please reach out at