Unsolicited email or spam may be a mere nuisance for most emails users, but for an IT administrator spam is a headache and a major security threat. More than 3% of all spam includes a malware payload, but that doesn’t mean that the remainder is safe. Far from it. You can still be directed to a website that is infected by clicking on a link in that email.
Spam is not going anywhere any time soon, either, and the percentage has rarely dipped below 75 percent for many a year.
As the 2013 Microsoft Security Intelligence Report states: “More than 75 percent of the email messages sent over the Internet are unwanted. Not only does all this unwanted email tax recipients’ inboxes and the resources of email providers, but it also creates an environment in which emailed malware attacks and phishing attempts can proliferate. Email providers, social networks, and other online communities have made blocking spam, phishing, and other email threats a top priority.”
All the more reason to pay attention to how we use email on a daily basis, at home and at work. It takes one spam email to ruin your day and that of your IT team. Reducing the risk does not require every employee to have a doctorate in security, but they can follow a few basic (and common sense) steps that will help keep your network safe.
Post these tips on your intranet or share on the office noticeboard:
1) Do not open or respond to emails that look suspicious, unusual or from someone you don’t know that generally ask you to make an action such as giving information, credit card details, making a payment, etc. – ever.
2) Do not open an attachment you weren’t expecting, especially if you don’t know the sender. Often malicious attachments masquerade as Word documents or some other file type. It is far too easy to change an .EXE extension on a malicious file to .DOC. If you’re in doubt, check with your IT admin.
3) Just as you should not open attachments, do not click on a link in an email unless you are 100 percent sure it is safe to do so. If in doubt, delete (or check with the sender or your Helpdesk).
4) The company uses a professional-grade spam filter that is configured to meet the company’s security needs. Check your spam folders regularly just in case a legitimate email is caught by the filters. Whitelist important email addresses so they won’t be filtered.
5) Don’t be fooled by phishing attempts. Someone somewhere will try to get personal information from you. Never give out details by email or fill in forms that pop up when you open an email. If in doubt, check with you sys admin.
6) Also on the phishing front, never open or interact with messages from businesses you haven’t already given your address to. Also be wary of messages from companies that already have your address. If you get a notice from your bank stating you need to upgrade your details or change your password, don’t follow those instructions, but instead go the company’s website, sign in and see if your account is in order. If there is nothing on the site, give the bank a call. Better safe than sorry. Also, banks and other organizations should not be contacting you on your work email.
7) If you think that you have opened an email with a malicious attachment or clicked on what might have been a malicious link, then immediately shut down your machine and inform IT. They will be able to isolate that machine from the network and carry out the necessary scans and remediation.
8) Emailed calendar invites are a fairly recent threat. If you get one from someone you don’t know or one that looks suspicious, don’t accept it. If it is from a colleague but not using the corporate address, contact them to see if is legitimate. In both cases, delete the invite so it can’t cause any harm.
9) Be careful when using Wi-Fi, especially public Wi-Fi. Don’t be tempted to log onto every bar or restaurant Wi-Fi network you come across, but instead stick with trusted providers. Avoid suspicious-sounding SSIDs. Hackers love to spoof genuine SSIDs to sniff traffic to steal passwords and user names.
10) Your company email account should be separate from your personal one… and never use the same password.
11) Try not to post your work email address on forums, websites and blogs unless really necessary. Hackers gather these addresses and use them for broad-based attacks and for spamming.
12) Do not download any software that has not been approved by the IT department. This could open a backdoor on your machine and used by hackers to gain access to the network or use your pc as part of a botnet, spewing out spam across the world.
A good number of security issues could be avoided if employees understood what they could be doing wrong and the impact their actions could have on the company. Circulating a few security tips every now and then will refresh their memory and remind them why security is important.