Today more than ever, it is important to adopt security as a mindset and not view it as a switch we turn on and off while at work. Security awareness training teaches us to be cautious when opening emails with our corporate accounts, but do we remember to take these same precautions with our personal email accounts?
Cyber criminals, just like anyone else, tend to follow the path of least resistance. They are looking for the weakest link that can be exploited with the least amount of effort and this element more often than not is the human. For a motivated attacker that is committed to compromising an organization or a specific user, personal email accounts are probably well within the scope of what they may attack.
Given that our personal email may be within a motivated attacker’s scope, let’s look at a few simple steps we can take to help mitigate these threats.
Choosing a Secure Email Service
When we are looking at an email service provider we should be as dedicated and inquisitive as we are when we are buying a car.
- What features does each service provide?
- What security measures are in place?
- Is the password recovery process something that can be easily bypassed?
- Can notifications be sent to your phone when your password has been changed, or can you be alerted when there has been a malicious login attempt?
- Is the email service hosted via SSL/HTTPS?
- Do they offer Two-Factor Authentication options?
These are all great features to look for in an email service provider. Please keep in mind, however, that all of these features can be bypassed if you neglect to set them up in a secure fashion. For example, we can have a 32-character password with symbols, capital letters, and numbers memorized and in place. Just realize it isn’t going to matter if our only recovery question is “What’s your favorite football team” and our username is “eaglesfan2014”.
Maintain a “Throwaway” Email Address
Who doesn’t like to go out shopping and find great bargains? In doing so we tend to sign up for reward cards so we can save money on our purchases. What doesn’t make sense, however, is when we sign up for all of these rewards using the same email address that we use for our personal banking. Do we really need all of these sales notifications and coupon spam messages going to the same email that will inform us of suspicious bank account transactions and activities?
On a busy day, sorting through a cluttered inbox filled with spam, will we be as diligent as we should be when opening these emails? If we use a dedicated email address just for banking, it is unlikely that we will receive as much spam or as many phishing attempts, since we shouldn’t be posting this email address on our social media accounts or providing it to spam-sending retailers.
Separating the two will ensure that while we are operating in our more sensitive email environment we will likely be more diligent and cautious when opening email messages. Spam or suspicious emails that arrive in our more sensitive email environment are easily identifiable and can in most cases go directly to the deleted message box! Likewise, email messages appearing to originate from our bank but arriving in our throwaway email environment are easily identifiable as suspicious and can be safely ignored.
Storing Important Documents in your Email
If we e-filed our taxes this year then we may have had our tax return sent to our email, which is a fast and convenient method of receiving our return. After receiving it, though, did we delete it from our email or did we keep it there so we knew where to look should we need to locate it in the future? Is it necessary to have all of our tax information sitting in our email?
What other important personal documentation do we keep floating around on our “eaglesfan2014” email account? If we need these documents we should download them and store them in a secure manner. Just remember, if we are going to store sensitive documents they should be encrypted using something like TrueCrypt. A few years ago we showed how easy it was to recover sensitive data from removable media in our “The Data You Left Behind” project. We don’t want to be that person!
How often does close of business come when we need just another 30 minutes to finish an important business document that is due tomorrow? Does it not make sense to attach the document to an email and send it to our personal email address so we can work on it at home? That way we can finish the document, impress our boss, get that next promotion, and be with our families all at the same time.
Doing this, however, puts our company’s trade secrets and our careers at risk. Simply put, it is not worth the risk. We should keep our company documents out of our personal email accounts. If there is a real need for us to work from home, our company should provide a secure method to do so. The better solution would be to ask if that more secure method is available!
The Reality Is…
Unfortunately, there is no perfect solution, but this does not mean we should just give up and do nothing. Taking action by applying these few suggested steps will help limit the amount of damage an attacker can cause to our company should our personal email accounts ever become compromised.