SecureMail: How SMEs can improve their email security

Emails shape our everyday lives. Whether we're sitting in the office all day or on the road from dawn to dusk: emails are the most important communication channel for most SMEs. And this is precisely why they are a popular target for cyber attacks. How can SMEs protect themselves effectively?

The National Cyber Security Centre (NCSC) reports weekly on phishing attacks by email, ransomware distributed by email, and spam, which at best only clog up email inboxes. Small and medium-sized enterprises are popular targets for cyber criminals. This is partly because they are generally less well protected than large companies, and partly because they lack internal cyber security expertise. This is why email security is the Achilles heel in the security arrangements of many SMEs in Switzerland. It doesn't have to be that way: SMEs can effectively protect their business-critical email communication, and thus their sensitive data, with just a few measures.

Understanding the threat: How cyber criminals attack

For many companies, email is the most important communication channel. This is why cyber criminals prefer to use email inboxes to penetrate IT systems and cause damage. The most common threat scenarios:

  • Phishing: In this scam, cyber criminals send fake emails to trick recipients into revealing confidential information such as passwords or credit card details. The emails often look deceptively genuine and appear to come from a trustworthy sender. Read here how you can protect yourself against phishing.
  • Malware: Cyber criminals send malware by email. One click on an attachment or link is enough for them to access the system, block it or delete, steal and sell data. They often demand a ransom to release the system or data. Read here how you can protect yourself against ransomware.
  • Spam: Cyber criminals use junk mail to flood and block email inboxes, affecting the productivity of recipients. The mass emails are often phishing attempts or contain malware. Spam is therefore a risk to email security.
  • Fraud: Cyber criminals send emails with false or manipulated invoices. In invoice manipulation fraud, for example, they send an old invoice with a new IBAN number or ask you to transfer the money to a different account in future. They work with social engineering tricks and refer to previous email communication, for example.

The consequences – from data leaks, financial losses and operational downtime to reputational damage – can threaten a company's very existence, regardless of its size. Read here how you can protect yourself against hacker attacks.

Email security: Technical protective measures

Technical protective measures are an important part of a holistic security strategy. With these measures, SMEs effectively protect their email accounts and thus their data:

  • Passwords: Strong passwords are the first line of defense in the security system and protect against unauthorized access to email accounts. A secure password is at least 12 characters long, varied (upper- and lower-case letters, numbers and special characters), random, and unique to each account. Test how secure your password is here.
  • 2FA (or MFA): Two-factor authentication provides an additional layer of security. To retrieve emails, a second factor is required in addition to the password, for example a security code on a smartphone. This makes access much more difficult for cyber criminals. Read here how you can protect your network and your data with 2FA and MFA.
  • Encryption: Emails that are encrypted with PGP (Pretty Good Privacy) or S/MIME, for example, can only be opened and read by the correct recipient. There are also user-friendly services such as the GDPR-compliant SEPPmail, which was developed in Switzerland and Germany.
  • Secure format: Only send and receive emails in secure formats and avoid HTML emails, for example. This is because cyber criminals like to hide malicious links or executable malware code in the HTML code.
  • Image display: External content, such as images in HTML emails, can automatically load and execute malicious code. You should therefore deactivate the display of external content in your email program.

Email security: Sensitize and train employees

People are often the weakest link in the security system. This is why employee awareness and training are at least as important as technical protective measures. Well-informed employees significantly minimize the risk of cyber attacks. They must therefore receive regular training on how to recognize fraudulent emails, identify suspicious messages and react appropriately so that no damage is done. Possible training topics:

  • Fake invoices: Employees learn how to recognize fake invoices and avoid falling for fraudulent requests for payment.
  • CEO fraud: Employees learn how fraudsters who pretend to be CEOs, for example, operate, how to recognize such fraud attempts, and how best to report them.
  • Phishing emails: Employees learn how to recognize phishing emails and are made aware of the special characteristics of this type of attack.
  • Attachments and links: Employees learn how to safely handle attachments or links in emails in their work and thus minimize the risk of malware infection.
  • Data privacy: Employees learn how personal data must be processed, stored and protected in accordance with the Swiss Federal Act on Data Protection and the European Union's General Data Protection Regulation, so that it does not fall into the wrong hands.

Tip

Zurich offers companies awareness training. Employees are made aware of cyber risks in five e-learning modules and a phishing simulation. Among other things, they learn how to recognize fraudulent emails and how to increase email security in the company. The course is free of charge for companies with "Basic," "Optimum" or "Premium" cyber insurance for up to 100 employees.

Email security = technical measures + sensitization + training

The whole is more than the sum of its parts. Individual measures are effective but only unleash their full power when they work together. With the right measures, even small or medium-sized companies can increase their email security with relatively little effort. This includes, for example, the use of strong passwords and two-factor authentication for email accounts, the encryption of emails, restriction to secure formats, and awareness-raising and regular training for employees. In addition, SMEs should also introduce data protection guidelines and continuously monitor their systems for suspicious activities.

Calculate now how little cyber insurance costs for your company, or arrange a consultation. Our experts will recommend customized security solutions for your company.

Cyber insurance for SMEs in Switzerland
The media regularly report on cyber attacks. What we read or hear about is just the tip of the iceberg. Small and medium-sized enterprises are particularly at risk because they are considered easy victims. They should therefore prepare for cyber attacks and protect themselves against financial risks.

FAQ: Technical Questions on Email Security for SMEs

What is the difference between cloud email and a local email server?

Cloud email

  • Benefits: Cloud email services are scalable, offering automatic updates and regular security patches. They are often more cost-efficient and offer high availability and redundancy. With many providers, you don't have to worry about email backups or archiving yourself.
  • Disadvantages: Dependence on third-party providers and/or Internet connections. There may be data protection concerns as data is stored outside of your own control.
  • Security: Cloud providers often implement strong security measures and email filters to detect malicious emails. Nevertheless, it is important to check the provider's data protection regulations and security practices.

Local email server

  • Benefits: Complete control over data and security infrastructure, as well as better customization options for specific business requirements.
  • Disadvantages: Higher costs and greater effort for maintenance and operation. In-house IT resources and specialist knowledge are required.
  • Security: Regular maintenance, security updates and backups are needed to ensure that systems are protected against threats. In addition, an email security solution should be implemented that checks incoming emails for threats.

Which encryption methods are the most secure?

PGP (Pretty Good Privacy) offers strong end-to-end encryption for emails. S/MIME (Secure Multipurpose Internet Mail Extensions) uses digital certificates to encrypt and sign emails. SEPPmail is a user-friendly encryption service for secure email communication.

How do I recognize external emails?

External emails can be identified by a marker, such as "External," that the email system adds to the subject line. Mechanisms such as SPF (Sender Policy Framework) can be used to verify that the sending mail server is authorized for the sender's domain and so reduce the risk of phishing.
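The SPF check that a receiving mail server performs, shown here as an added example (this is not code from the page or from Zurich). It evaluates an SPF record for the connecting server's IP address and returns the RFC 7208 result that a mail filter would act on. The DNS table, domain names and IP addresses are constructed for the example; real SPF records are fetched via DNS TXT lookups, and the `a`, `mx`, `ptr` and `exists` mechanisms, which need live DNS, are not simulated.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. These domains and records are
# invented for the example, not real published SPF records.
DNS_TXT = {
    "example-sme.ch": "v=spf1 ip4:203.0.113.0/24 include:mail-provider.example -all",
    "mail-provider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "redirected.example": "v=spf1 redirect=mail-provider.example",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record or None (simulated DNS lookup)."""
    record = DNS_TXT.get(domain.lower())
    return record if record and record.lower().startswith("v=spf1") else None


def check_spf(sender_ip, domain, depth=0):
    """Evaluate SPF for a connecting IP and the domain of the envelope sender.

    Returns pass, fail, softfail, neutral, none or permerror (RFC 7208 result
    names). Handles ip4, ip6, include, all and redirect=; mechanisms that need
    live DNS (a, mx, ptr, exists) are reported as permerror in this simulation.
    """
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    redirect_to = None
    for term in record.split()[1:]:
        if "=" in term:                  # modifier such as redirect= or exp=
            name, _, arg = term.partition("=")
            if name.lower() == "redirect":
                redirect_to = arg        # only consulted if nothing else matches
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"       # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            inner = check_spf(sender_ip, arg, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"       # included domain has no usable record
        else:                            # a, mx, ptr, exists or unknown mechanism
            return "permerror"
    if redirect_to:
        return check_spf(sender_ip, redirect_to, depth + 1)
    return "neutral"                     # no mechanism matched and no "all" term


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.10", "2001:db8::1", "192.0.2.1"):
        print(ip, "->", check_spf(ip, "example-sme.ch"))
```

A mail filter typically rejects or quarantines on `fail`, tags on `softfail`, and treats `none` as an unverified sender; the "External" subject marker described above is applied independently of this result, since SPF says nothing about whether the domain belongs to the company.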

How do I recognize compromised email accounts, and how do I react to them?

You can often recognize compromised email accounts by the fact that you receive unusual or suspicious emails from known senders. Look out for an unusual style of writing, unusual attachments and links, or sending times outside normal office hours. If in doubt, it is better to call the (supposed) sender once too often than once too little to check the authenticity of the message.

What are digital signatures, and how do they help?

Digital signatures use Public Key Infrastructure (PKI) and DomainKeys Identified Mail (DKIM) to ensure the authenticity and integrity of emails. They guarantee that an email actually originates from the specified sender and has not been changed during transmission.
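How the integrity guarantee of a DKIM signature works in practice, as an added example (not code from the page or from Zurich): the signing server canonicalizes the message body, hashes it and stores the hash in the `bh=` tag of the `DKIM-Signature` header; the receiving server recomputes the hash and compares. The sample body and header are constructed, and the `b=` tag (the RSA signature over the headers, verified with the sender's public key from DNS) is a placeholder, so only the body-hash half of verification is shown.

```python
import base64
import hashlib
import re


def canonicalize_body(body, mode="relaxed"):
    """DKIM body canonicalization (RFC 6376 section 3.4).

    simple:  normalize line endings to CRLF and drop empty lines at the end
             (an empty body becomes a single CRLF).
    relaxed: additionally strip trailing whitespace on each line and collapse
             runs of spaces/tabs to one space (an empty body stays empty).
    """
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return "" if mode == "relaxed" else "\r\n"
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, mode="relaxed"):
    """Base64 SHA-256 of the canonicalized body, i.e. the value of the bh= tag."""
    digest = hashlib.sha256(canonicalize_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(dkim_header_value, body):
    """Check the bh= tag of a DKIM-Signature header against the message body.

    A mismatch means the body was altered after signing (or the signature is
    not for this message). Only the *-sha256 algorithms are handled here.
    """
    tags = parse_dkim_tags(dkim_header_value)
    if not tags.get("a", "").lower().endswith("-sha256"):
        return False
    canon = tags.get("c", "simple/simple")          # "header/body" canonicalization
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    return tags.get("bh") == body_hash(body, body_mode)


# Constructed sample message: the header's bh= value is filled in from the body,
# as a signing server would do; d=, s= and the body text are invented.
SAMPLE_BODY = "Dear customer,\r\n\r\nPlease find the invoice attached.   \r\n\r\n\r\n"
SAMPLE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example-sme.ch; s=mail2024;\r\n"
                 " h=from:to:subject; bh=" + body_hash(SAMPLE_BODY) + "; b=PLACEHOLDER")

if __name__ == "__main__":
    print("unchanged body:", body_hash_matches(SAMPLE_HEADER, SAMPLE_BODY))
    tampered = SAMPLE_BODY.replace("attached.", "attached. Note our new bank details.")
    print("tampered body:", body_hash_matches(SAMPLE_HEADER, tampered))
```

Relaxed canonicalization is what lets a signature survive harmless changes made by intermediate mail servers (line-ending conversion, trailing whitespace) while any change to the actual text, such as an inserted sentence about new bank details, still breaks the hash.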

How do I secure a local email server?

If you use a local email server such as Microsoft Exchange, make sure that all patches and updates are installed regularly. Use a demilitarized zone (DMZ) for secure network segmentation and restrict administrator rights. Also plan regular backups. Local email servers often do not have sufficiently reliable protection mechanisms against phishing, spam or malware. It therefore makes sense to implement additional specialized security software that comprehensively checks incoming emails and detects potential threats at an early stage. Ask your outsourcing or managed service provider which email solution they operate and host and how they protect it effectively.

What is legally compliant archiving?

Legally compliant archiving requires the secure and traceable storage of emails and data in accordance with legal requirements. This includes compliance with retention periods and data protection guidelines as well as ensuring that data can be restored in full and unchanged if necessary. Read the answer to the question "Is there a sensible backup strategy for emails for SMEs?" below.

How does an SME send large volumes of data securely?

These services or measures can be used to send large volumes of data securely:

  • Email services such as ProtonMail or SEPPmail enable the secure and encrypted sending and receiving of emails (with or without attachments).
  • Data transfer services such as WeTransfer Ultimate transfer files in an encrypted and password-protected form.
  • Cloud storage services such as Dropbox Business, Google Drive or Microsoft 365 share files in encrypted form and with two-factor authentication.
  • File transfer protocols such as the Secure File Transfer Protocol (SFTP) transfer data in encrypted form.

Is there a sensible backup strategy for emails for SMEs?

Regular backups are crucial to prevent data loss and ensure business continuity. Here are some proven strategies:

  • Regular backups: Create daily or weekly backups of all emails and store them in a secure location.
  • Redundant storage locations: Back up to multiple locations (physical or in the cloud) to ensure that data is available even in the event of a location failure.
  • Automated backup solutions: Use software solutions that perform automatic backups and check the integrity of the backups.
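The integrity check mentioned in the last point, as an added example (not code from the page or from Zurich, and not a replacement for a backup product): after a backup run, record a SHA-256 hash of every archived file in a manifest; before relying on the backup, recompute the hashes and report files that are missing, modified or unexpected. The mailbox files in the demo are constructed in a temporary directory so the script runs offline; the manifest file name is an assumption.

```python
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"   # assumed name for the hash list stored with the backup


def sha256_of(path):
    """Stream a file through SHA-256 so large mailbox archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir):
    """Return {relative_path: sha256} for every file under backup_dir (excluding the manifest itself)."""
    root = Path(backup_dir)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST_NAME}


def write_manifest(backup_dir):
    """Record the current state of the backup; run this right after the backup job."""
    manifest = build_manifest(backup_dir)
    (Path(backup_dir) / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(backup_dir):
    """Compare the stored manifest with the files now present.

    Returns lists of missing, modified and unexpected files; all three empty
    means the backup is intact and restorable as recorded.
    """
    stored = json.loads((Path(backup_dir) / MANIFEST_NAME).read_text())
    current = build_manifest(backup_dir)
    return {
        "missing": sorted(set(stored) - set(current)),
        "modified": sorted(p for p in stored if p in current and current[p] != stored[p]),
        "unexpected": sorted(set(current) - set(stored)),
    }


def demo():
    """Constructed scenario: back up two mailboxes, then damage the copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        mailbox = Path(tmp) / "mailbox"
        mailbox.mkdir()
        (mailbox / "inbox.mbox").write_text("From: a@example.com\nSubject: hi\n\nhello\n")
        (mailbox / "sent.mbox").write_text("From: me@example-sme.ch\nSubject: re\n\nthanks\n")
        write_manifest(tmp)
        before = verify_backup(tmp)
        # Simulate silent corruption of one archive and loss of another
        (mailbox / "inbox.mbox").write_text("From: a@example.com\nSubject: hi\n\nHELLO\n")
        (mailbox / "sent.mbox").unlink()
        after = verify_backup(tmp)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("after backup:", before)
    print("after damage:", after)
```

Keeping the manifest on a separate medium from the backup itself means an attacker or a failing disk that alters the archive cannot also silently update the hashes; a non-empty result from `verify_backup` is the signal to restore from the second, redundant location.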

Read here what you need to know about backup concepts and data backup for companies.