December 30th, 2014

12 Email Security Tips to Protect You in 2015

2014 has been a year of public security awakening … high-profile breaches, extensive and terrible vulnerabilities in pervasively used software, and a fear and awareness of eavesdropping by governments and covert organizations.

2015 is poised to continue the trend.  Security has transformed from being something you take care of by buying a product and forgetting about it, to an escalating war with security professionals constantly parrying against increasingly sophisticated attacks.  More and more the burden is being placed on individuals and small businesses to have an awareness of the security landscape, to understand the risks of online activities, and to use common sense and evolving tools to protect themselves.

As 2014 winds to a close, here are 12 things that you can be doing to proactively protect your email accounts and identity in 2015:  

1. Use Two-Factor Authentication

Two-factor authentication protects your account in the case that your username and password are compromised.  In addition to your password (the first “factor”) you need something else that you possess (such as a code from an app on your phone, or a text message sent to it) in order to log in, so a stolen password alone is no longer enough.  Check with your email provider and enable two-factor authentication if they provide it.

We recommend using two-factor authentication whenever possible, including with social media sites such as Facebook, and especially for your email: password resets for almost every other account you own are delivered to your inbox, so whoever controls your email can take over the rest.

2. Use different passwords for each site

If you use the same password for multiple web sites, every one of those sites is another place it can be stolen from, so the probability of it being compromised increases dramatically.  Furthermore, once it is compromised, the attacker has automatic access to every other place you use it: attackers routinely take credentials leaked from one site and try them against email providers and banks.

Make sure that the password used for access to your email is different from all of your other passwords.

3. Use strong passwords

Strong passwords are hard to guess.  These days, it is easy for a computer to try millions or hundreds of millions of candidate passwords per second, and cracking tools try exactly the tricks people use.  So, if your password is a dictionary word with a few substitutions, such as “Appl3”, it will be discovered almost immediately.

Instead, pick passwords that are easy to remember and which are made up of multiple words plus numbers or symbols.  E.g. “My son loves pizza pies!”   This is an easy sentence to remember, contains mixed case and a symbol, and would be exceedingly hard for a computer to guess, provided it is your own phrase and not a well-known quote, title, or lyric, which the cracking word lists also contain.

4. How to remember your passwords

The biggest barrier to using different, complex passwords for your various email and other web site logins is tracking and remembering them.

This is really not such a big deal anymore, as there are many password manager applications for your computer or phone that save all of your passwords, encrypted, in one place where you can get at them when you need them.

We recommend using a secure password storage area that is in the “cloud” and which you can access from any computer, anywhere — so you are never without access to your passwords and so you can grant other people access to them if needed and desired (e.g. your spouse or for estate planning).  Whatever you choose, make sure the stored passwords are encrypted with a master password that only you know, that this master password is itself strong and unique, and that the service offers two-factor authentication for the vault.

5. Change your passwords frequently

Possibly more of a pain than having multiple passwords is changing them.  However, you never really know if a provider has been hacked and your passwords have been compromised until long after the fact.  In the meantime, your password may be “out there.”

It is best to change your password periodically, at least for those accounts that are most important (e.g. your bank, your email, etc.), and immediately whenever a service you use announces a breach.  In this way, you limit how long a leaked password remains useful to someone who has it.

Many providers allow you to set up schedules that auto-expire your password, so that you are forced to update it periodically (such as every 3 or 6 months).  This is best, as it does not allow you to “skip it” just because you are busy.  Make each new password genuinely different, though; changing “Appl3!” to “Appl4!” defeats the purpose, since attackers try such increments first.

6. Enable alerts on failed and/or successful logins

What if someone does access your account without your knowledge?  Wouldn’t it be best if there were a kind of “trip wire” that would be sprung so that you could detect this access immediately and take action to limit the damage?

Many providers allow you to enable automatic alerts that will send you an email or text message, to any address or number you like, when there is a successful login or when there are failed login attempts.  Send the alerts somewhere other than the account being watched (a second mailbox or your phone), so that an attacker who is inside the account cannot simply delete them.  If you get an alert and see logins that “were not you,” change your password right away and then call the company to lock down your account.

7. Lock down access to your IP or Geographic Location

Many attackers that try to log in as you or attack your account are coming from foreign countries or regions distant from where you are usually located.  Many email providers provide options where you can lock down access to your email account so that you can only access it from specific computers (e.g. from your home or work IP addresses) or from certain regions (e.g. Massachusetts or the USA).

This goes a long way towards stopping attackers from even trying to gain access to your account.  It is a layer, not a substitute for a strong password and two-factor authentication: a determined attacker can route through a compromised machine in your region, and you will need to adjust the rules when you travel or when your home IP address changes.
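Tips 6 and 7 both come down to the provider watching login events against rules you set.  Here is an added example of that logic (not code from the post or from any provider), run over a constructed login log.  The log format, the allowed home and work networks (documentation ranges 203.0.113.0/24 and 198.51.100.0/24), and the “five failures in ten minutes” threshold are all assumptions for this example; a region rule would additionally need a GeoIP database, so this version restricts by IP range only.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed policy for this example: the account is normally used from a home
# range and an office range, and a burst of failures means someone is guessing.
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
FAILURE_THRESHOLD = 5
FAILURE_WINDOW = timedelta(minutes=10)

# Constructed sample log (not real data): one line per login attempt in the
# format "<ISO timestamp> <user> <source ip> <LOGIN_OK|LOGIN_FAIL>".
SAMPLE_LOG = """\
2014-12-30T08:01:10 alice 203.0.113.7 LOGIN_OK
2014-12-30T13:20:01 alice 192.0.2.44 LOGIN_FAIL
2014-12-30T13:20:05 alice 192.0.2.44 LOGIN_FAIL
2014-12-30T13:20:09 alice 192.0.2.44 LOGIN_FAIL
2014-12-30T13:20:14 alice 192.0.2.44 LOGIN_FAIL
2014-12-30T13:20:20 alice 192.0.2.44 LOGIN_FAIL
2014-12-30T13:20:31 alice 192.0.2.44 LOGIN_OK
2014-12-30T17:45:00 bob 198.51.100.12 LOGIN_OK
""".splitlines()


@dataclass
class LoginEvent:
    when: datetime
    user: str
    src_ip: str
    success: bool


def parse_line(line: str) -> LoginEvent:
    ts, user, ip, status = line.split()
    return LoginEvent(datetime.fromisoformat(ts), user, ip, status == "LOGIN_OK")


def in_allowed_network(ip: str) -> bool:
    """Tip 7: is this source address inside one of the permitted ranges?"""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def evaluate(lines):
    """Tip 6: turn a stream of login events into alerts.  Returns a list of
    (alert_type, user, src_ip, timestamp) tuples, where alert_type is one of
      failure_burst        FAILURE_THRESHOLD failures inside FAILURE_WINDOW
      unknown_location     a successful login from outside ALLOWED_NETWORKS
      success_after_burst  a success right after a burst: the guess worked
    """
    alerts = []
    recent_failures = defaultdict(deque)   # user -> timestamps of recent failures
    burst_active = set()                    # users currently in a failure burst
    for line in lines:
        ev = parse_line(line)
        if not ev.success:
            q = recent_failures[ev.user]
            q.append(ev.when)
            while q and ev.when - q[0] > FAILURE_WINDOW:   # drop stale failures
                q.popleft()
            if len(q) >= FAILURE_THRESHOLD and ev.user not in burst_active:
                burst_active.add(ev.user)
                alerts.append(("failure_burst", ev.user, ev.src_ip, ev.when))
            continue
        if not in_allowed_network(ev.src_ip):
            alerts.append(("unknown_location", ev.user, ev.src_ip, ev.when))
        if ev.user in burst_active:
            alerts.append(("success_after_burst", ev.user, ev.src_ip, ev.when))
            burst_active.discard(ev.user)
        recent_failures[ev.user].clear()
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(alert)
```

On the sample log, alice’s five failures from 192.0.2.44 raise a burst alert, and the success that follows raises two more: the address is outside her networks, and it came straight after the burst, which is the pattern of a guessed or leaked password.  A provider enforcing tip 7 would have rejected that final login outright rather than merely alerting on it.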

8. Send sensitive information securely

Sensitive information is being sent over the Internet more and more frequently.  Medical records, tax returns, legal documents, divorce agreements, company roadmaps and product plans … all contain very sensitive data.

It’s good to have an option for “Email Encryption” in your tool box so that you can be sure that such messages are secured on demand.  Ordinary email is stored in clear text on the servers it passes through and in both the sender’s and recipient’s mailboxes, and may be transmitted in clear text as well; encryption prevents it from being stored or transmitted insecurely, where it is vulnerable to capture by attackers.

9. Use good email filtering to protect you from viruses, malware, and scams

The vast majority of email is spam.  A substantial fraction of that spam is designed to attack you in some way — to infect your computer, convince you to download malware, or trick you into divulging sensitive information or money.

A good spam and virus filter can stop most of these malicious messages before they reach your inbox…. and before you have to waste your time and brain power trying to decide what is legitimate and what is not (and that can be very hard).

10. Use good email filtering to protect you from fraud

Fraudulent email messages are those purporting to be from one person (e.g. a friend, co-worker, or family member) but which are really from a spammer, attacker, or other malicious individual.  Usually this is just a trick to get you to open and read some spam.  Sometimes, it is a trick to get you to trust the message and take some action … from sending someone money to opening a door to giving someone a “forgotten password,” etc.

Good filters can detect forged email in many cases and protect you from being tricked by this kind of fraud.  Look for filtering services that include the SPF, DKIM, and DMARC technologies…. and be sure these are enabled.  SPF checks that the server handing over the message is one the sender’s domain has authorized; DKIM checks a cryptographic signature that the sending domain placed on the message; DMARC lets the domain named in the From: line publish what receivers should do when neither of those checks passes for a domain that lines up with it (accept, quarantine, or reject).  Keep in mind that all three verify the sending domain, not the person: a scammer who registers a look-alike domain can pass every check from it.
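To show what the DMARC step actually decides, here is an added example (not code from the post or from any filtering product) of the alignment and policy logic a receiving server applies after SPF and DKIM have already been evaluated.  The DMARC record text and the `Authentication-Results` headers are constructed inputs; the “organizational domain” helper uses the last two labels as a simplification, where real implementations consult the Public Suffix List.

```python
import re

# Constructed DMARC record, as the domain owner would publish it in DNS at
# _dmarc.example.com (assumption for this example).
DMARC_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com"

# Constructed Authentication-Results headers stamped by a receiving server.
LEGIT_AR = ("mx.receiver.example; spf=pass smtp.mailfrom=bounces.example.com; "
            "dkim=pass header.d=example.com header.s=sel1")
FORGED_AR = "mx.receiver.example; spf=pass smtp.mailfrom=attacker.invalid; dkim=none"


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and require v=DMARC1."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def parse_authentication_results(header: str) -> dict:
    """Pull the SPF result with its envelope-from domain and the DKIM result
    with its signing domain (d=) out of an Authentication-Results header."""
    out = {"spf": None, "spf_domain": None, "dkim": None, "dkim_domain": None}
    m = re.search(r"spf=(\w+)[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", header)
    if m:
        out["spf"], out["spf_domain"] = m.group(1).lower(), m.group(2).lower()
    m = re.search(r"dkim=(\w+)[^;]*?header\.d=([^\s;]+)", header)
    if m:
        out["dkim"], out["dkim_domain"] = m.group(1).lower(), m.group(2).lower()
    return out


def org_domain(domain: str) -> str:
    """Organizational domain.  Simplification: the last two labels.  Real
    implementations use the Public Suffix List so that 'example.co.uk' works."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Relaxed ('r') alignment needs the same organizational domain; strict
    ('s') alignment needs an exact match with the From: domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain: str, record: str, auth_results_header: str) -> str:
    """Return 'pass' when SPF or DKIM both passed *and* aligns with the From:
    domain; otherwise return the owner's policy: 'none', 'quarantine' or 'reject'."""
    policy = parse_dmarc(record)
    ar = parse_authentication_results(auth_results_header)
    spf_ok = ar["spf"] == "pass" and aligned(from_domain, ar["spf_domain"], policy.get("aspf", "r"))
    dkim_ok = ar["dkim"] == "pass" and aligned(from_domain, ar["dkim_domain"], policy.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else policy.get("p", "none")


if __name__ == "__main__":
    print("legitimate:", dmarc_disposition("example.com", DMARC_RECORD, LEGIT_AR))
    print("forged    :", dmarc_disposition("example.com", DMARC_RECORD, FORGED_AR))
```

The forged message is the instructive case: its SPF result is “pass”, because the attacker’s own domain authorized the attacker’s own server, but that domain does not align with the example.com address shown to the reader, so DMARC applies example.com’s “reject” policy.  That alignment step is what turns SPF and DKIM from per-server checks into protection against a forged From: line.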

11. Keep email archives

Keeping a separate copy of the messages that you have sent and received is a good practice for both businesses and individuals.

If your email is hacked and messages are deleted, you may lose a lot of information that is essential to your day-to-day life, business, health, etc.  By having a separate, immutable archive of these messages, you protect yourself from loss (and you also protect yourself from yourself: who has not accidentally deleted something important?)

Hacked email messages can also be altered in some cases.  By having a separate archival system designed to prevent the deletion and modification of your email, you always have a “true copy” of all of your messages.  This matters in any legal dispute, where you may need to show that a message reads exactly as it was sent or received.
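One way an archive can be made tamper-evident rather than merely a second copy, as an added example that is not code from the post or from any archiving product: chain each stored message to the one before it with a SHA-256 hash, and keep the final “head” hash somewhere the archive itself cannot rewrite.  The three messages below are constructed, and the `ChainedArchive` class and its field names are this example’s own design.

```python
import hashlib

GENESIS = "0" * 64   # hash "before" the first entry


def entry_hash(prev_hash: str, index: int, message: bytes) -> str:
    """Hash of one archive entry.  Covering the previous hash and the
    position means any edit, removal or reordering changes every later hash."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(index.to_bytes(8, "big"))
    h.update(message)
    return h.hexdigest()


class ChainedArchive:
    """Append-only message store.  `head()` is meant to be recorded out of
    band (printed, or mailed to a second account) after each batch, so that a
    later `verify()` can tell whether the archive still matches it."""

    def __init__(self):
        self.entries = []   # dicts with keys: index, message, hash

    def append(self, raw_message: bytes) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        index = len(self.entries)
        digest = entry_hash(prev, index, raw_message)
        self.entries.append({"index": index, "message": raw_message, "hash": digest})
        return digest

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, trusted_head: str):
        """Recompute the whole chain and compare with the externally kept head.
        Returns (ok, reason)."""
        prev = GENESIS
        for position, e in enumerate(self.entries):
            if e["index"] != position:
                return False, f"entry {position} missing or reordered"
            if entry_hash(prev, e["index"], e["message"]) != e["hash"]:
                return False, f"entry {e['index']} altered"
            prev = e["hash"]
        if prev != trusted_head:
            return False, "chain does not end at the trusted head (entries dropped or added)"
        return True, "ok"


def demo() -> dict:
    """Archive three constructed messages, then show what verify() reports for
    the intact archive, an edited message, a deleted last message and a
    deleted middle message."""
    messages = [
        b"From: boss@example.com\nSubject: Q1 plan\n\nWe ship in March.",
        b"From: hr@example.com\nSubject: Offer\n\nSalary: 90,000.",
        b"From: bank@example.com\nSubject: Statement\n\nBalance: 1,234.56",
    ]
    archive = ChainedArchive()
    for m in messages:
        archive.append(m)
    trusted_head = archive.head()          # kept outside the archive
    results = {"intact": archive.verify(trusted_head)}

    archive.entries[1]["message"] = b"From: hr@example.com\nSubject: Offer\n\nSalary: 190,000."
    results["altered"] = archive.verify(trusted_head)
    archive.entries[1]["message"] = messages[1]

    last = archive.entries.pop()
    results["deleted_last"] = archive.verify(trusted_head)
    archive.entries.append(last)

    middle = archive.entries.pop(1)
    results["deleted_middle"] = archive.verify(trusted_head)
    archive.entries.insert(1, middle)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} {outcome}")
```

Deleting the most recent message is the case a plain hash chain cannot catch on its own, which is why the head hash has to live somewhere the attacker who is in your mailbox cannot reach.  In the example every tampering case is reported with the entry it affected, and the unmodified archive verifies cleanly against the same head.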

12. Choose a good email provider

The security of your email is ultimately in the hands of your email provider; it is up to you to make a good choice.  Consider:

  • Big companies are big targets
  • What is their security stance?
  • Will they treat your email with the privacy and confidentiality you need?
  • Do they have features you can use to lock down security for your account?
  • Do they provide encryption options for you?
  • Can you call them and expect meaningful and timely help?

Think about your current email situation and your risk … maybe it’s time to shore up your email defenses and turn on some security features that you have not yet used.  Maybe it’s even time to choose a new provider that can better protect you.
