You are here

Why Education Shouldn’t Be Your Only Email Security Control

Written by: Tony R. Luciani, CISA, QSA
In previous articles, such as Top 2 Cybersecurity Threats Affecting Financial Institutions, we’ve indicated that it’s crucial for you to provide regular security training to your employees to help them be better equipped to protect themselves and your institution from hackers. Unfortunately, with new data security threats continuing to emerge and hackers ramping up their tactics, those responsible for information security now need to do more than just educate their personnel on security basics and remind them to be wary of suspicious-looking emails. 

For instance, while poor grammar and spelling mistakes are often clear indicators of a phishing email, some hackers are getting better at crafting their email messages, making it less obvious to detect when an email is fraudulent. What can your financial institution do to help employees use email more wisely? Along with providing security education and regular reminders, you should also implement some recently developed technical controls. 

Here are some of the things Wolf is doing to help prevent our employees and our clients from making consequential and embarrassing email-related mistakes:

  1. Help employees quickly identify where their email came from
    Having a clear and distinct message automatically appear at the top of every email that’s sent to your employees from a source originating outside of your financial institution can act as a cue for the employees to be extra cautious about the emails and any links or attachments they contain. We like this control for two reasons; not only does this control serve as a continual reminder to staff to always be suspicious of links or attachments, but it also acts as an important red flag if a hacker is attempting to impersonate a staff member. While we understand that there is always potential for employees to spam each other, the majority of damaging issues stem from emails sent from external sources. 

  2. Implement tools that help employees send email to the correct email address
    We all know sending an email to the wrong person can be embarrassing or even more consequential. To help prevent this type of mistake from happening at Wolf, we are currently testing an application that’s compatible with Outlook and requires employees to validate the email addresses they are sending an email to, before the email can send. 

  3. Delay the delivery of a message
    What if you had an extra minute to retract the email you just sent? Adding a slight delay to how quickly emails can leave employees’ email outbox folders may give employees enough time to realize they made a mistake in the content of their email or that they didn’t send the email to all of the appropriate recipients, and then actually be able to retract the email before it sends. This added measure could be especially beneficial given that the standard tools used to recover and delete an email that’s already been sent are usually insufficient. 

  4. Investigate the use of behavioral technology
    With employees focused on working to support the goals of their institution, we can’t expect that they will never make a mistake. With this in mind, Wolf is investigating the use of emerging behavioral-type technologies that help identify when an employee does make a mistake so that it can be dealt with immediately. Stay tuned!

Education is still an important security control to have in place. But with employees on the front line against hackers’ ever-evolving tactics, you should look into additional technical tools that can be implemented to strengthen your institution’s email security controls and better support your employees. 

For assistance with your security program, please contact Tony R. Luciani, CISA, QSA, IT Assurance Supervisor, at 617-261-8179 or tluciani@wolfandco.com.