Email, Messaging applications, and Internet services have dramatically improved the efficiency of business operations over the years.
However, in addition to efficiency, they have also introduced a vast array of new vulnerabilities, risks, and threats.
Organizations need to ensure that appropriate controls, message security, including preventive protections, are implemented to guard against the loss of data confidentiality, integrity, and availability of information and systems. These controls, and their importance, are the focus of pitfall #59 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.
Information involved in email, messaging, and Internet use needs to be protected with appropriate message security. This includes performing online transactions, as well as posting information on social media. Message security should guard against fraudulent activity, incomplete transmission, or the misrouting of information. Your organization should also ensure controls are in place to prevent unauthorized message alteration, disclosure, duplication, or replay.
Only fully supported email clients, messaging applications, and web browsers should be authorized to operate within your organization’s environment. Whenever possible, only the latest version of these productivity tools provided by the vendor should be used. Plugins or add-on applications should be uninstalled or disabled unless they have been specifically authorized for use. Only authorized scripting languages should be permitted to run in email clients, messaging applications, and web browsers. Additionally, only approved social media platforms should be accessible. Any approved access to social media platforms should be limited to only authorized personnel.
URL filters should be configured and deployed to limit the ability of systems to connect to websites that have not been approved by your organization. This filtering should be enforced for each system, whether they are physically in your organization’s facility or not. Your organization should subscribe to URL categorization services to ensure you remain up to date with the most recent websites category definitions available. Uncategorized sites should be blocked by default.
Email attachments entering the email gateway should be blocked if the file types are unnecessary for the organization’s business. For example, it is strongly recommended to block executable files (e.g., .exe files) from being delivered via email. Sandboxing should be used to analyze and block inbound email attachments with unauthorized file types, malicious characteristics, or dangerous payloads.
To learn more about this pitfall, and 99 more, get my book: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or register for a demo of the ASCENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.