Email security

By Ernst Pelser

Every business uses email in today’s world. It is also one of the biggest security risks in our industry. According to the FBI, business email compromise (BEC) continues to rise each year. In its newest public service announcement, the FBI states that it has seen a 100% increase in BEC between May 2018 and July 2019. Furthermore, between June 2016 and July 2019, there were over 165,000 reported domestic and international incidents, causing over $26 billion in lost revenue to organisations.

It is common for criminals to use phishing and spoofing attacks to penetrate organisations. In the last few years the rise of ransomware has posed an even greater risk to organisations, and email is a common entry point for ransomware.

This document explores six email security best practices to protect against business email compromise.

1.  Set an EXTERNAL EMAIL warning

Attackers use email spoofing to trick people into thinking someone they know sent the email, so that they act on or reply to it. An “external message” notification warns users that the email came from outside the organisation, which prompts them to think before their next action.

2.  Implement DMARC: Domain-based Message Authentication, Reporting and Conformance

DMARC is a technical standard that provides greater assurance about the identity of a message’s sender, which helps reduce spam, phishing and spoofing. It helps a receiving system identify whether the sender is who it claims to be.

DMARC enables an organisation to publish a policy that defines its email authentication practices and instructs receiving mail servers on how to enforce them when a message fails authentication.

DMARC also increases visibility into your email: receiving servers send reports back to the address in the policy when messages are sent using your domain, including messages you never sent.

Please note that DMARC by itself does not provide full protection; it builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) and should be deployed together with them.
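The evaluation a receiving server performs against a published DMARC policy is easier to see in code. The following is an added example for this article (not code from the original post and not any DMARC library’s API): it parses constructed `_dmarc` TXT records, applies relaxed or strict identifier alignment, and returns the disposition. The `org_domain()` shortcut of taking the last two labels is an assumption; real receivers use the Public Suffix List.

```python
"""Evaluate a DMARC record the way a receiving mail server would.

Added example for this article; it is not code from the original post
and not a library's API. The DNS records and message identities are
constructed samples, and org_domain() is a simplifying assumption.
"""
from typing import Dict, Optional, Tuple

# Constructed TXT records as they would be published at _dmarc.example.com.
# The first only monitors (p=none); the second tells receivers to reject
# failures and requires strict identifier alignment.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRICT_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                 "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into tag=value pairs (RFC 7489 syntax)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    # RFC defaults: relaxed alignment for both SPF and DKIM.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, approximated as the last two labels.
    Assumption: real receivers consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact domain match,
    relaxed (r) only the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(record: str, from_domain: str,
                 spf_pass_domain: Optional[str],
                 dkim_pass_domain: Optional[str]) -> Tuple[str, str]:
    """Return (dmarc result, disposition) for one message.

    from_domain:      domain of the RFC5322.From header the user sees.
    spf_pass_domain:  MAIL FROM domain if SPF returned pass, else None.
    dkim_pass_domain: d= of a DKIM signature that verified, else None.
    """
    tags = parse_dmarc(record)
    if (aligned(from_domain, spf_pass_domain, tags["aspf"])
            or aligned(from_domain, dkim_pass_domain, tags["adkim"])):
        return "pass", "none"
    return "fail", tags.get("p", "none")   # none / quarantine / reject


if __name__ == "__main__":
    # Spoofed message: From: claims example.com, SPF passed only for the
    # attacker's own domain, no DKIM signature at all.
    print(dmarc_result(WEAK_RECORD, "example.com", "attacker.test", None))
    print(dmarc_result(STRICT_RECORD, "example.com", "attacker.test", None))
    # Relaxed alignment accepts a subdomain sender; strict does not.
    print(dmarc_result(WEAK_RECORD, "example.com", "mail.example.com", None))
    print(dmarc_result(STRICT_RECORD, "example.com", "mail.example.com", None))
```

The point to notice is that the same spoofed message is merely reported under `p=none` but rejected under `p=reject`; publishing a record in monitor-only mode gives you the reports, not the protection.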

3.  Use appropriate authentication

Email is such an integral and integrated part of any business that the authentication policy should match its importance. It is highly recommended to use MFA (multi-factor authentication), of which two-factor authentication (2FA) is the most common form. Details of MFA are beyond the scope of this document.

Using strong, complex passwords also helps protect against BEC. Use passwords of at least 12 characters, prefer passphrases to single common words, and mix multiple special characters with upper and lower case letters.

Although attacks on passphrases are commonplace, a passphrase still presents a greater challenge than a common word. This is why MFA is so important.

4.  Sender Policy Framework (SPF)

SPF is a technical standard and authentication method that helps protect email users from spoofing, phishing and spam. It validates that an email was sent from a server the domain owner has authorised in a DNS TXT record.

As discussed previously, it is recommended to combine SPF, DKIM, and DMARC to reduce risk.
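To show what “an authorised server” means in practice, here is an added example (not code from the original post and not any SPF library) that evaluates a connecting IP address against a constructed SPF zone held in memory. It handles `ip4`/`ip6`, `include:` with the RFC 7208 ten-lookup limit, and the `-all` versus `~all` ending; mechanisms that need live DNS (`a`, `mx`, `ptr`, `exists`) and `redirect=` are reported as `permerror`, which is a simplification of this example rather than the standard’s behaviour.

```python
"""Evaluate an SPF record for a connecting IP address.

Added example for this article, not code from the original post or an
SPF library. The zone below is a constructed in-memory table so the
check runs offline; a real receiver would query TXT records for each
include:.
"""
import ipaddress
from typing import Dict, Tuple

# Constructed zone: example.com authorises its own mail server and a
# third-party bulk sender via include:. The weak record ends in "~all"
# (softfail, usually still delivered); the hardened one uses "-all".
ZONE: Dict[str, str] = {
    "example.com": "v=spf1 ip4:203.0.113.10 include:spf.bulkmailer.test -all",
    "weak.example.com": "v=spf1 ip4:203.0.113.10 ~all",
    "spf.bulkmailer.test": "v=spf1 ip4:198.51.100.0/24 -all",
}

MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, client_ip: str, zone: Dict[str, str] = ZONE,
              lookups: int = 0) -> Tuple[str, int]:
    """Return (result, lookups used) using RFC 7208 result names:
    pass, fail, softfail, neutral, none, permerror."""
    record = zone.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none", lookups
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # An address of the other IP version never matches a network.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            lookups += 1
            if lookups > MAX_LOOKUPS:
                return "permerror", lookups
            sub, lookups = check_spf(arg, client_ip, zone, lookups)
            matched = sub == "pass"          # include matches only on pass
        else:
            # a, mx, ptr, exists and redirect= need real DNS; this example
            # does not model them (simplification, not SPF semantics).
            return "permerror", lookups
        if matched:
            return QUALIFIERS[qualifier], lookups
    return "neutral", lookups                # no mechanism matched


if __name__ == "__main__":
    for dom, ip in (("example.com", "203.0.113.10"),
                    ("example.com", "198.51.100.77"),
                    ("example.com", "192.0.2.1"),
                    ("weak.example.com", "192.0.2.1")):
        print(dom, ip, check_spf(dom, ip))
```

The last two cases are the ones worth comparing: the same unauthorised address gets `fail` from the `-all` record but only `softfail` from `~all`, and softfail on its own rarely stops delivery, which is one more reason to pair SPF with a DMARC policy.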

5.  Implement DomainKeys Identified Mail (DKIM)

DKIM is a standard that uses public key cryptography to verify the sending organisation: the sending server signs each message and the receiver checks the signature against a public key published in the sender’s DNS. This confirms that an authorised server sent the email and that it was not altered in transit, which protects against spoofing and reduces spam and phishing.
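The “not altered in transit” part of DKIM is the body hash, and it can be demonstrated without any key material. The following added example (not code from the original post and not a DKIM library) computes the `bh=` value under RFC 6376 simple body canonicalisation and checks it against a constructed `DKIM-Signature` header; the `b=` value is a placeholder because verifying it would need the signer’s public key from the `<selector>._domainkey.<domain>` DNS record. Normalising bare LF to CRLF before hashing is an assumption made so the sample runs on local text.

```python
"""Verify the body hash (bh=) of a DKIM-signed message.

Added example for this article; it is neither code from the original post
nor a DKIM library. It shows only the body-integrity half of DKIM: checking
the b= signature additionally needs the signer's public key from the
<selector>._domainkey.<domain> DNS record. The message is constructed.
"""
import base64
import hashlib
import re
from typing import Dict


def canonicalize_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalisation: remove all trailing empty
    lines, then end the body with exactly one CRLF. Bare LF line endings
    are first normalised to CRLF (assumption: local text, not wire data)."""
    body = re.sub(rb"\r?\n", b"\r\n", body)
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonicalised body, the value placed in bh=."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Split a DKIM-Signature header value into tag=value pairs,
    discarding folding whitespace inside values (e.g. a wrapped b=)."""
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = "".join(value.split())
    return tags


def body_hash_matches(dkim_signature: str, body: bytes) -> bool:
    """True if the bh= tag equals the hash of the body as received.
    A mismatch means the body changed after signing, so the signature
    cannot be valid whatever the b= value says."""
    tags = parse_dkim_tags(dkim_signature)
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if body_canon != "simple" or not tags.get("a", "rsa-sha256").endswith("sha256"):
        raise ValueError("example supports only simple body canonicalisation with SHA-256")
    return tags.get("bh") == body_hash(body)


# Constructed message body and the DKIM-Signature header a sender would
# attach to it (b= is a placeholder; only bh= is checked here).
BODY = b"Hello,\r\n\r\nPlease approve the attached invoice today.\r\n\r\n"
SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=mail2020;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(BODY) + ";\r\n"
    " b=PLACEHOLDER-SIGNATURE-VALUE"
)

if __name__ == "__main__":
    print("original body:", body_hash_matches(SIGNATURE, BODY))
    # Any edit to the body after signing changes the hash.
    tampered = BODY.replace(b"attached invoice", b"updated payment details")
    print("tampered body:", body_hash_matches(SIGNATURE, tampered))
```

Note that trailing blank lines are ignored by the canonicalisation, so adding or removing them does not invalidate a signature, whereas changing a single word in the body does.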

6.  Implement security-awareness training

Unfortunately, a lot of security personnel like to claim that people are the weakest link in the security chain. Frankly, I think that is unfair. Not everyone is technically inclined, and security experts should help users understand the risks and train them in the appropriate actions. In fact, users can become our most potent ally. However, we need to help users feel they can trust us and have an open conversation with security experts without being patronised.

This is where security-awareness training is crucial. It is an opportunity to educate staff, but it is also an opportunity to build trust and a relationship with them. When staff feel they can approach a security expert and have a conversation, they are more likely to admit that they have clicked on something they should not have. This way, security can respond in a timely fashion. The tip here is to make security training interactive and interesting.


This document covers just a few steps to improve your overall email security posture. Email is such an important part of any business but also such a common attack vector. It is worth taking the time to secure it.