Back to Resources

Cloud Email Security Best Practices Guide

Cloud Email Security Best Practices Guide

Business Email Compromise (BEC) is among the most common attacks against organizations today. According to a public service announcement by the Federal Bureau of Investigation (FBI) during June 2016 and July 2019, domestic and international Business Email Compromise (BEC)/Email Account Compromise (EAC) resulted in USD 26,201,775,589 of exposed dollar loss – which demonstrates the actual cost of such incidents. The primary culprit? not following Cloud Email Security best practices. To make matters worse, BEC/EAC is often the first point of compromise, and once compromised, attackers typically try to pivot and gain further access to exfiltrate sensitive data. It has never been more crucial, especially for startups and small businesses that don’t have mature cybersecurity programs, to ensure they have the appropriate safeguards in place. Implementing the following practices won’t guarantee your organization’s safety from email-based threats. Instead, it will enable your organization to identify and respond to business email compromise successfully, harden Email Security, and limit phishing emails your organization will receive. Whether you are using Gmail, Google Workspaces, Outlook, Office365, ProtonMail, or Zoho, this blog post’s guidance can be applied to any platform—regardless of whether you are a business or an individual.

1. Enforce usage of strong passwords

People often use weak passwords and have been found to reuse passwords regularly. As a result, it is crucial to ensure a strong password is used by individuals, and a password policy is enforced and distributed by businesses to their employees. At the very minimum, passwords should comply with OWASP’s password guide, which states that passwords should have the following characteristics:

  • Passwords should not be shorter than eight characters
  • They should use a minimum of 3 character sets (i.e. upper case characters, numeric characters, special characters)
  • Avoid using personal information within the password, such as birthday or easily identified information, such as the name of your dog

2. Use Time-Based OTP Multi-Factor Authentication (MFA)

MFA can block over 99.9 percent of account compromise attacks, so it is no surprise that this recommendation has made the list. Despite this, users are still not adopting MFA, and an increasing number of organizations – especially those now adopting new cloud technologies – are often not configuring organization-wide MFA in the respective technologies. The following resources can aid you in getting started and enforcing MFA on your respective Cloud Email Password. Text-based or phone-based 2FA should be deprecated in favour of a more secure alternative, such as Time-Based One Time Password (TOTP) apps such as Google or Microsoft Authenticator. There have been many documented attacks which can enable attackers to steal text-based 2FA codes with ease How To Enforce MFA for Your Users (Businesses):

How to enforce MFA for users on Google Workspaces How to enforce MFA for users on Office 365 How to enforce MFA for users on Zoho For individuals:

How to set up MFA on Gmail accounts How to set up MFA on Protonmail accounts How to setup MFA on Office 365 accounts

3. Setup DMARC, DKIM & SPF for your domains

The Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocol, when enabled on a mail server, creates an email security policy that defines what actions to take if it receives emails that have not originated from an authorized sender or fails to authenticate a digital signature. This, in turn, helps its recipients avoid spoofing, spam and phishing emails. DMARC works in conjunction with DKIM and SPF to facilitate this process. The settings for configuring DKIM and SPF vary on each platform, but the following resources can aid in the process for the respective platform. If you’re using a personal email account, this is most likely handled by your email provider already. WatchDog Security can automate this entire process and ensure that your email continuously meets these requirements through our email firewall. How to Enforce DKIM/SPF/DMARC manually (Businesses):

How to configure DMARC on Microsoft 365 How to configure DMARC on Google Workspaces How to configure DMARC on Zoho

4. Implement the concept of least privilege

An increasing number of cloud email providers offer solutions such as storage (i.e. Google Drive, SharePoint, etc.). In addition to general permissions granted, these should be approached using the concept of least privilege. This means that employees should only gain access to what is required. Let’s take a common scenario for a business that uses SharePoint or Google Drive exclusively for all Cloud storage. This business has multiple Drives (GDrive) or Sites (O365) segmenting departments, each with its material. It is pertinent that access controls are applied, either at a group (preferred) or user level, to ensure only authorized users (who have a business need) have access to the underlying folder/file. The same approach should be applied to the email provider – the number of users with administrative privileges should be limited. Resources for Email Platform Administrators:

Google Workspace best practices for planning accounts and organizations How to set up role based access control in Office 365

5. Invest in an Email Firewall

A modern-day email security firewall leverages advanced artificial intelligence (AI) and machine learning (ML) technologies to identify incoming emails and use various techniques to determine if they are phishing, spam, or malicious in nature. This firewall sits before your mail server, analyzing emails as they come. This, in turn, lowers the likelihood of one of your employees receiving and clicking on a malicious email.

6. Effective Security Awareness Training

Ensure that employees receive regular security awareness training and that any new hires are assigned training immediately. Ensure that the training is evaluated to cover the following:

  • How to identify common phishing, smishing and vishing emails – tailored to specific departments
  • Educating users not just on how to recognize emails but also reduce their likelihood of spear phishing.
  • Training users on what to do after receiving a phishing, smishing or vishing
  • How to recover from successful social engineering attacks

Our free WatchDog Security subscription, Essentials, empowers your business with free cybersecurity awareness training that covers these topics and more. Get started here. Users on a paid WatchDog subscription can benefit from individualized training programs automatically created to address individual deficiencies based on user-driven behavior.

7. Business Continuity for Cloud Email Systems

Ransomware against Cloud Email Systems, specifically their associated document storage such as OneDrive and SharePoint, is an occurrence that has been on the rise. As a result, organizations must consider a Business Continuity strategy and plan for disruptions and encrypted files. In other scenarios where this could be helpful, sometimes files are accidentally deleted. A BCDR solution for Office 365 or Google Workspaces can help with this. All WatchDog paid subscriptions include a solution to automatically back up OneDrive/SharePoint files to a secure location and facilitate secure and easy restoring.

8. Perform access reviews and review account activity regularly

Implement an access review at a recurring frequency (e.g., quarterly) that reviews all permissions and users on the cloud email solution and any associated document storage. This review should confirm if users still require the level of access they have while documenting any changes made. Additionally, review your employees’ account activity regularly to ensure nothing suspicious is going on. Resources:

How to review user sign-in activity on Google Workspaces Access activity logs for Microsoft Entra

Total visibility. Zero blind spots. WatchDog helps you monitor every user, service account, and system across Cloud, SaaS, and devices -flagging misconfigurations and risks the moment they arise.

  • âž• Asset management – Add and track your own assets easily across Cloud, SaaS + On-Prem
  • Identity monitoring – Limited to Google Workspace & M365 Non-Human Identities on free plan
  • đź”§ SaaS + Cloud hardening checks – Spot misconfigurations before they become risks

Get started free today – no credit card required.