Hackers use many creative vectors to penetrate and compromise their targets, but the greatest vulnerability doesn’t lie in some overlooked corner of your office environment. It’s hidden in plain sight as the front door of your organization: your email system. Email is the weakest link in most security strategies, an appealing and effective vehicle for phishing, scams, ransomware, and other forms of malware.

A single gap in either your technical countermeasures or the attentiveness of an employee—at any level, from the executive suite to the call center—can invite mayhem into your organization. As you work to fortify your environment against ever-increasing cyber threats, email security should be a primary area of focus.

The threat landscape is broad. One of the scariest things about ransomware is that cyber criminals can purchase it as a service. Businesses have to protect themselves against both old ransomware threats, like cryptowall and Locky, and newer threats, like cryptolocker, which affected more than 500,000 people as recently as 2014. One of the primary methods for spreading ransomware has been through spear phishing, so it’s as important as ever to be vigilant when receiving an email message from someone you don’t know, or clicking on embedded links or attachments in an unusual or suspicious email message.

There’s no single magic solution for email security. Your approach must encompass different protective measures for both users and network security teams, taking a proactive approach to predict and preempt the many scams and attacks we see today. To stay one step ahead of even the most skilled email adversaries, industry security professionals should strongly consider a three-part email security strategy.

Part 1: Mobilize Users for Better Email Hygiene

User awareness is a crucial element of email security. Whether people are clicking an unsafe link, opening a malware-bearing attachment, or giving sensitive information to a social engineering scammer, the human factor looms large in email-related breaches.

Your phishing awareness and training program should reflect the different types of methods and risks that apply to different roles in the organization so that people know exactly what to watch out for. For example:

• Executives are often phished using spoofed emails bearing the name of a trusted contact and asking for sensitive information. Their administrative staff face similar attacks, given their role in handling privileged communications.
• Customer support personnel can inadvertently facilitate identity theft by providing personal information about the intended victim—for example, confirming the address they have on file for a caller impersonating a current customer.
• Salespeople are highly responsive and accommodating over email—as they should be—but this, along with their widely available contact information, makes them an easy target. A hacker who manages to steal a salesperson’s account credentials can gain access to confidential deal information as well as a platform for further phishing attacks on the salesperson’s associates.
• HR staffers often receive and open unsolicited attachments in the form of resumes, making them vulnerable to malware-carrying documents. They also routinely respond to requests from others in the company for personal employee information, such as salary and banking details.

The training you provide should be backed up by testing to make sure people are taking the lesson to heart. Phishing tests mimic real campaigns and tactics in a controlled environment, allowing you to gauge the current success rates of various forms of attack as well as the types employees most in need of further education. There are a variety of software as a service (SaaS) and open-source platforms available to design and implement phishing tests.

There’s no such thing as perfect security. It’s crucial to continuously evaluate and refine to adapt to changes in the threat landscape.

Complement training with simple, automated ways for employees to respond to actual phishing activity. One of the most effective ways is to use the Report Message add-in for Microsoft Outlook, which works in tandem with Office 365 Advanced Threat Protection and Office 365 Threat Intelligence to provide your security team with useful information on the suspicious emails users receive. Employees should also be encouraged to actively spread the word about suspected phishing attacks on internal communication channels such as Slack, in case others in the organization are also being targeted.

Part 2: Keep Malicious Email Attachments Out of Your Environment

Disguised documents and PDFs are highly popular and effective for delivering malware into the enterprise. The need for caution is a key part of user training and can reduce the incidence of such breaches, but it’s not enough to ensure protection.

Organizations using Microsoft Office 365 and Exchange Online can set up mail flow or transport rules that allow the content of email attachments to be inspected before they reach recipients. Email security solutions allow attachments to be scanned in the cloud using both static and dynamic malware analysis to recognize even previously unknown forms of malware such as zero-day threats and polymorphic attacks.

It’s also a good idea to reduce the use of email attachments in your organization in general. By shifting from email to a digital collaborative environment with integrated file sharing, you can enable people to share and access content without actually sending or receiving files to each other’s endpoints. A centralized repository is simpler to secure and monitor and allows more control to limit the spread of any breach that does occur.

Part 3: Secure Your Email Gateway

A secure email gateway adds essential protection against email-borne threats. Incoming emails are scanned for malicious programs and content, including viruses, malware, and illicit URLs, and placed into quarantine when such content is detected. It’s important to make sure you’re able to unpack nested archive files such as .zip and .rar, which are often used to conceal malicious programs.

While signature-based scanning can be highly successful for detecting known threats, it is ineffective against zero-day and other unknown or unidentified risks. It’s best to complement signature matching with heuristics, which compares the behavior of a potential threat with other known threats to determine whether it should be quarantined for further evaluation.

Together, these three approaches can greatly strengthen your email security posture—but there’s no such thing as perfect security. It’s crucial to continuously evaluate and refine each of these measures to adapt to changes in the threat landscape, your organization’s risk profile, and the behavior of your users.

You may not be able to completely seal your front door against attackers, but with constant organization-wide vigilance backed by strategic security technologies, you can make it much harder for them to get in.