E-mail security has become a critical concern for small businesses, as they're bombarded daily with constant spam, virus and fraud attacks. Unsolicited e-mail, more commonly known as spam, is now the single largest nuisance for internet users. An estimated 45 percent of all e-mail is defined as spam, costing businesses worldwide $20 billion a year in lost productivity and technology expenses, according to the Radicati Group, a market research firm in Palo Alto, California.
The need to eliminate spam and fraud is critical: Spam and viruses rank as the top two security breaches for small and medium-sized businesses (SMBs). According to the Yankee Group, more than 80 percent of SMBs have fallen victim to security breaches, leading to major losses in business productivity.
Following are five critical tips that will help you create a more productive workplace that is better protected against spam and phishing attacks, even if you have minimal or no IT staff.
1. Make sure your employees are aware of "phishing" attacks. For small-business owners, now is the time to educate your employees on how to spot a phishing attack: they're on the rise and they're dangerous.
Phishing is a high-tech scam that uses spam, pop-up messages or counterfeit websites to deceive users into disclosing credit card numbers, bank account information, social security numbers, passwords or other sensitive information. (According to a study released last year by research firm Gartner, some 3 percent of those targeted by phishers reveal personal information.) The message may pop up while you're online or take the form of an e-mail notification that says you need to "update" or "validate" your individual or company account information. You may be able to recognize these attempts through grammatical errors and general language that is improper for corporation-to-customer communications.
2. Educate employees on the how-tos of secure e-mail usage. Make sure your employees know they should avoid filling out forms in e-mail messages that ask for personal financial information or passwords. This affects all employees, especially those who book travel reservations, deal with human resources issues or make purchases for your business. Legitimate companies won't ask for this information via e-mail.
Also, as websites are frequently faked in phishing scams, it's always safer for users to type the URL directly into their browser or call the company by phone, rather than click on a link in an e-mail. For example, a phishing e-mail may open a near replica of a well-known bank's website and a pop-up message will appear that directs the individual to "please confirm financial information."
If one of your employees initiates a transaction that asks them to provide personal or financial information through an organization's website, be sure they know to look for indicators that the site is secure, like checking the beginning of the site's URL for an "https:" (the "s" stands for "secure"). Additionally, there are solutions available on the market that will automatically ensure website links are legitimate, so that you don't have to worry.
3. Protect your business from being "phished." For small businesses, phishing can be especially pernicious, putting owners and employees at risk of online fraud, identity theft and outright robbery. What's more, phishing also threatens future operations, causing users to have less trust in legitimate, commercial e-mail messages.
A number of companies that have been stung by phishing scams are taking the opportunity to improve their communications with customers. Be sure your business is engaged in stronger customer authentication on your website and outline how you customarily communicate with customers. Authentication on your site removes phishers' profit motives: if they can't abuse stolen passwords and identity information, they'll stop stealing them. Another way to protect your company is to use digital signatures to sign outbound mail and provide signature verification at the gateway or e-mail client.
It's important to have a solution that protects your company from being phished, not only for financial reasons but to maintain your customers' trust in working with your company via e-mail or through your site.
4. Let your employees have some control. Look for a spam-filtering solution that lets users sort through their own junk mail, so they can determine exactly what is spam vs. other mail that might accidentally end up in the trash bin (such as e-mail newsletters and marketing messages). Also, have a procedure in place so employees can report spam and you can in turn report it to your ISP or the Feds at www.ftc.gov.
Also, decide how lenient you want to be when it comes to employees using your business systems for personal use. As your company grows in number, internal spam, such as forwarding jokes, can often become one of your biggest spam problems.
5. Choose an e-mail security solution that's right for you. Because small businesses may not have the money to afford dedicated IT resources, they often require a different type of solution to support their security infrastructure. Since you may not be able to afford the upfront investment in technology to help meet these challenges, you should look to solutions that don't require an IT resource, are easy to use, and are specifically designed with small businesses in mind.
Be sure your e-mail security solution is providing you with everything you need to protect your business and your employees. If you aren't happy with your current solution, then consider trading up to something better. Depending on the e-mail security solution (if any) you use now, it's likely that you're receiving a growing amount of "junk" e-mail on a daily basis. Researchers estimate that spam represents anywhere from 30 to 70 percent of all e-mail traffic.
Don't wait for an attack to happen before figuring out what to do. Spam attacks are on the rise, and you need to start now to reduce your business risk and develop response plans.
Karl Jacob is CEO of Cloudmark, a company that produces immune systems for e-mail programs. Karl is a member of both the Anti Phishing Work Group (APWG) and the Information Technology Association of America (ITAA).