Six ways to maintain compliance and remain secure

With an estimated 3.4 billion malicious emails sent every day, organisations need strong safeguards against phishing and business email compromise (BEC). The problem is not going away. Email phishing scams continue to rise, with news of Screwfix customers being targeted breaking only a few weeks ago. Today every business, large or small, is a target. So what can be done to stop a business' email being hacked, and what can be done to limit the damage should the worst happen?

1. Use secure email to send and receive sensitive content

Organisations can protect their employees' email by using a secure email service to send and receive sensitive content. Such a service encrypts the message, both the body and any attachments, for the whole journey from sender to recipient, so the content stays confidential even if an intermediate mail server or network link is compromised. Encryption keeps a business' email communications private and helps it comply with increasingly stringent data privacy regulations such as HIPAA and GDPR. An email protection gateway (EPG) adds enforcement: it applies the organisation's encryption policy consistently on both the sending and receiving side, so that content is not exposed in transit before it reaches the intended reader.

2. Regularly change passwords

Keeping email communications private ensures that PII, PHI and IP do not fall into the wrong hands; in certain industries, protecting sensitive data in email is also a legal requirement. The account itself is the first line of defence. A business should require employees to use strong, unique passwords for each workplace-related account, and should recommend a password manager so that employees can keep complex passwords without reusing them.

Strong passwords combined with other access controls, above all multi-factor authentication (MFA), are vital for keeping accounts and their sensitive content away from cybercriminals: with MFA in place, a phished or reused password on its own is not enough to log in. A six-character lowercase password has only about 309 million possible combinations and can be cracked offline in minutes. Enforce length and complexity: at least eight characters, preferably a much longer passphrase, with mixed character types. Note that current NIST guidance (SP 800-63B) favours length, uniqueness and screening against known-breached passwords over complexity rules, and advises against forced periodic changes unless there is evidence of compromise, so treat rotation as one control alongside MFA rather than the main one.

3. Avoid clicking links in emails

Cybercriminals regularly use email to trick employees into handing over sensitive data such as the credentials for email and bank accounts. An effective way to safeguard an organisation from these phishing techniques is to train employees to recognise what a typical phishing attack looks like. Teach them to exercise extreme caution when clicking links in emails, even those that appear to come from trusted sources. Encourage employees to pay attention to the spelling and grammar used in emails, to check that the sender's actual address matches the displayed name, and to hover over links to verify their real destination before clicking, because the visible link text can say one thing while the underlying link points somewhere else entirely.

In addition, ensure that employees know how to report suspicious emails or potential threats promptly to the IT department or the designated security team, and that reports are acted on, so that a single alert employee can protect everyone who received the same message.
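The three habits above (check the real sender behind the display name, check where replies go, check where a link really points) can also be automated on the mail gateway or in a triage tool. The following is an added example, not code from the article or from Kiteworks: it parses a raw message with Python's standard library and flags a display name that embeds a different address, a Reply-To in another domain, and anchor text that shows one host while the href points to another. The two sample messages and all domains in them are constructed for the example, and the registrable-domain logic is deliberately naive.

```python
"""Flag common phishing indicators in a raw email (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "password expiry" lure. The display name impersonates
# the IT team, replies go to a third domain, and the link text lies.
SAMPLE_EML = """\
From: "IT Support <it-support@example.com>" <alerts@example-mail.net>
Reply-To: reply@mailbox-relay.test
To: alice@example.com
Subject: Password expiry notice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Sign in at
<a href="http://example-mail.net/login">https://portal.example.com/login</a>
to keep your account active.</p>
</body></html>
"""

# Constructed sample: an ordinary internal message with nothing to flag.
CLEAN_EML = """\
From: Bob <bob@example.com>
To: alice@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Canteen at 12:30?
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def registered_domain(host: str) -> str:
    """Naive registrable domain (last two labels); production code should use
    the public suffix list so that names like example.co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1]

    # 1. An address written into the display name that differs from the real sender.
    for embedded in EMAIL_RE.findall(display):
        if registered_domain(embedded.rsplit("@", 1)[-1]) != registered_domain(sender_domain):
            findings.append(f"display name shows {embedded} but sender is {sender}")

    # 2. Reply-To in a different domain: replies would go to the attacker.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and registered_domain(reply_to.rsplit("@", 1)[-1]) != registered_domain(sender_domain):
        findings.append(f"Reply-To {reply_to} differs from sender domain {sender_domain}")

    # 3. Link text that looks like a URL but whose host differs from the href host.
    if msg.get_content_type() == "text/html":
        body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
        collector = AnchorCollector()
        collector.feed(body)
        for href, text in collector.anchors:
            target = urlparse(href).hostname or ""
            shown = re.match(r"^(?:https?://)?([\w.-]+)", text)
            if shown and registered_domain(shown.group(1)) != registered_domain(target):
                findings.append(f"link text shows {shown.group(1)} but points to {target}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EML):
        print("SUSPICIOUS:", finding)
```

Run against the constructed lure the script reports all three indicators; the clean message produces none. None of these checks proves a message is malicious on its own (newsletters legitimately use a different Reply-To, for instance), so in practice the findings feed a score or a "needs review" label rather than an automatic block.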

4. Avoid using public Wi-Fi

The world has changed. Today, if business professionals cannot simply and securely access email and files while on the road, deals don't close, issues don't get resolved, and businesses can't grow. Employees working during their commute or remotely from a public place will often connect to public Wi-Fi. However, using a public network for sensitive communications exposes employees, their organisations and their data to risk. Examples include man-in-the-middle (MITM) attacks, where an attacker on the same network intercepts or redirects email traffic, and malware injection, where malicious software is pushed onto the device to access company email accounts, steal data or damage corporate infrastructure. These attacks can all have severe consequences, such as identity theft, financial loss, reputational damage and legal liability if confidential data is exposed.

As an alternative to trusting public Wi-Fi, give employees a Virtual Private Network (VPN), which establishes an encrypted tunnel between their device and a corporate gateway so that the local network sees only encrypted traffic. Additionally, require transport encryption on every mail protocol the organisation uses. SSL/TLS and STARTTLS are not email protocols in themselves but ways of wrapping SMTP, IMAP and POP3 in TLS: either implicit TLS (SMTPS on port 465, IMAPS on 993, POP3S on 995) or STARTTLS on the standard ports, in both cases with certificate verification switched on. STARTTLS is opportunistic by design. The server's capability list is sent in plaintext, so an attacker on the path can remove the STARTTLS advertisement and a client that silently falls back to plaintext will be downgraded. Clients must therefore fail closed, and for server-to-server delivery the receiving domain can publish an MTA-STS policy (RFC 8461) so that sending mail servers refuse to deliver over an unencrypted connection.
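What "fail closed" looks like in code, as an added example that is not from the article or from any vendor: a Python sender that uses a verified TLS context, accepts implicit TLS on port 465, and on any other port refuses to continue if the server's EHLO response does not advertise STARTTLS instead of quietly sending in the clear. Host, port and credentials are placeholders supplied by the caller; the block performs no network activity until send_with_enforced_tls is called.

```python
"""Send mail only over verified TLS, failing closed without STARTTLS (added example)."""
import smtplib
import ssl
from email.message import EmailMessage


def build_mail_tls_context() -> ssl.SSLContext:
    """Verified context: system CA store, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-value view of the settings that matter, for auditing or tests."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "min_tls": ctx.minimum_version.name,
    }


def send_with_enforced_tls(host: str, port: int, username: str, password: str,
                           msg: EmailMessage, context: ssl.SSLContext = None) -> None:
    """Deliver msg over implicit TLS (port 465) or STARTTLS; never in plaintext."""
    ctx = context or build_mail_tls_context()
    if port == 465:
        # Implicit TLS: the socket is encrypted before the first SMTP command,
        # so there is no plaintext phase for an on-path attacker to tamper with.
        server = smtplib.SMTP_SSL(host, port, context=ctx, timeout=15)
    else:
        server = smtplib.SMTP(host, port, timeout=15)
        server.ehlo()
        # The EHLO reply travels in plaintext, so an attacker can strip the
        # STARTTLS capability from it. Refuse rather than fall back.
        if not server.has_extn("starttls"):
            server.quit()
            raise RuntimeError(
                f"{host}:{port} did not advertise STARTTLS; refusing to send in the clear")
        server.starttls(context=ctx)   # raises ssl.SSLError on a bad certificate
        server.ehlo()                  # re-issue EHLO after TLS, as RFC 3207 requires
    try:
        server.login(username, password)
        server.send_message(msg)
    finally:
        server.quit()


if __name__ == "__main__":
    # Placeholder values: replace with a real submission server to send anything.
    message = EmailMessage()
    message["From"] = "alice@example.com"
    message["To"] = "bob@example.com"
    message["Subject"] = "Test over enforced TLS"
    message.set_content("Sent only if the connection was verified TLS.")
    print(context_summary(build_mail_tls_context()))
```

The same two rules apply to whichever mail client or library the organisation actually uses: verify the certificate against a trusted CA and the expected hostname, and treat a missing STARTTLS capability as an error, not as permission to continue.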

5. Use antivirus software and encryption services

Antivirus software, or more broadly endpoint protection, plays a crucial role in defending against email-based attacks by scanning incoming emails and attachments for known malware; most endpoint suites also bundle a host firewall that monitors network traffic to and from the device. Businesses need to ensure they have robust antivirus solutions in place and that these are updated regularly with the latest engine patches and threat definitions. For more sophisticated malware, and for targeted intrusions by advanced persistent threats (APTs), businesses should consider investing in advanced threat protection (ATP) solutions, which typically add sandbox detonation of attachments and checking of links at click time rather than relying on signatures alone.

6. Develop an incident response plan

Sometimes it is not a case of if, but when. To address a security breach quickly should the worst happen, organisations should develop, test and regularly update an incident response plan. This is a predefined playbook that sets out the steps to take when a breach is detected: isolating affected systems and, for a compromised mailbox, revoking its credentials and active sessions; conducting a thorough investigation to determine the extent of the breach; following agreed communication guidelines; and working through a step-by-step recovery guide to eradicate the threat, keep stakeholders informed and restore operations.

Additionally, consider collaborating with national or regional fraud and cybersecurity services to report significant threats, which can aid in preventing potential cyberattacks and enhancing overall organisational security.

Conclusion

To combat phishing and BEC attacks effectively, there are a few things organisations should do to mitigate the threat. Comprehensive employee training to recognise common attack methods and cybersecurity risks is a good place to start. Adopting the email authentication protocols SPF, DKIM and DMARC, and verifying the legitimacy of a sender before acting on a request, are also essential steps. Employing email encryption, enforcing rigorous financial controls such as two-step verification of any payment or bank-detail change (confirmed over a second channel such as a phone call to a known number), and conducting regular security audits will help detect and respond to unusual activity promptly.
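To make the authentication step concrete, here is an added example (not code from the article or from Kiteworks) of how a receiving gateway turns SPF, DKIM and DMARC into a decision. It reads the From domain, fetches that domain's DMARC record, checks whether the SPF or DKIM result recorded in the Authentication-Results header is aligned with the From domain, and returns the disposition the domain owner asked for. The DNS records and headers are constructed stand-ins, the organisational-domain logic is a naive last-two-labels approximation of a public suffix list lookup, and the subdomain fallback to the parent's record is omitted.

```python
"""Evaluate DMARC from a message's From header and Authentication-Results (added example)."""
import re
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain>.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
    "_dmarc.partner.test": "v=DMARC1; p=none; rua=mailto:reports@partner.test",
}


def org_domain(domain: str) -> str:
    """Naive organisational domain (last two labels); use the public suffix list in production."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tags, applying the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")   # relaxed alignment unless the owner says strict
    tags.setdefault("aspf", "r")
    return tags


def aligned(candidate: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same organisation."""
    candidate = candidate.lower().rstrip(".")
    if not candidate:
        return False
    if mode == "s":
        return candidate == from_domain
    return org_domain(candidate) == org_domain(from_domain)


def parse_auth_results(header: str) -> dict:
    """Map method -> (result, properties) from an Authentication-Results header such as
    'mx.example.com; spf=pass smtp.mailfrom=bounce.example.com; dkim=pass header.d=example.com'."""
    results = {}
    for clause in header.split(";")[1:]:            # element 0 is the authserv-id
        match = re.match(r"\s*(\w+)=(\w+)(.*)", clause)
        if not match:
            continue
        method, result, rest = match.groups()
        props = dict(re.findall(r"([\w.]+)=([\w.@-]+)", rest))
        results[method.lower()] = (result.lower(), props)
    return results


def dmarc_disposition(from_header: str, auth_results: str) -> str:
    """Return 'pass', 'none', 'quarantine', 'reject' or 'no-policy'."""
    _, address = parseaddr(from_header)
    from_domain = address.rsplit("@", 1)[-1].lower()
    record = DNS_TXT.get(f"_dmarc.{from_domain}")
    if record is None:
        return "no-policy"
    policy = parse_dmarc(record)
    results = parse_auth_results(auth_results)

    spf_result, spf_props = results.get("spf", ("none", {}))
    spf_pass = spf_result == "pass" and aligned(
        spf_props.get("smtp.mailfrom", "").rsplit("@", 1)[-1], from_domain, policy["aspf"])

    dkim_result, dkim_props = results.get("dkim", ("none", {}))
    dkim_pass = dkim_result == "pass" and aligned(
        dkim_props.get("header.d", ""), from_domain, policy["adkim"])

    if spf_pass or dkim_pass:                        # one aligned pass is enough
        return "pass"
    return policy["p"] if policy["p"] in ("quarantine", "reject") else "none"


if __name__ == "__main__":
    cases = [
        ("Alice <alice@example.com>",
         "mx.example.com; spf=pass smtp.mailfrom=bounce.example.com; dkim=pass header.d=example.com"),
        ('"CEO" <ceo@example.com>',
         "mx.example.com; spf=pass smtp.mailfrom=attacker.test; dkim=none"),
        ("Partner <news@partner.test>",
         "mx.example.com; spf=fail smtp.mailfrom=partner.test; dkim=fail header.d=partner.test"),
    ]
    for sender, header in cases:
        print(sender, "->", dmarc_disposition(sender, header))
```

The second case is the classic BEC spoof: SPF passes for the attacker's own bounce domain, but it is not aligned with the impersonated From domain, so the p=reject policy applies. The third case shows why p=none is only a monitoring setting: the message fails both checks yet is still delivered, which is why the conclusion's advice to adopt DMARC only pays off once the policy is moved to quarantine or reject.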

Protecting personally identifiable information (PII), protected health information (PHI), and intellectual property (IP) is important across nearly every industry to avoid potential regulatory fines. Organisations should, therefore, ensure that all sensitive information is identified, classified, and protected with strong encryption methods like AES-256. But don’t stop there. Ensure that employees are trained on the proper handling of confidential content, covering identification, protection, and incident response. Regular monitoring and auditing of security practices will help maintain compliance with evolving regulations and emerging threats.

Patrick Spencer, VP at Kiteworks

Patrick Spencer (Ph.D.) is the VP of Corporate Marketing and Research at Kiteworks and has over 20 years of cybersecurity experience in various senior leadership positions in global enterprises and fast-growth unicorns that include Fortinet, Symantec, and Contrast Security, among others.
