A guide to email security
Defending your dental practice against phishing emails or a cyber attack is of course absolutely critical, but what steps can you take as a practice owner to protect your data and business?
Phishing attacks often consist of a ‘fake’ email that is sent to thousands of people in the hope that one user will open it. Sometimes the aim is to solicit an action, such as a request for sensitive information; at other times it is to encourage a user to click on a link or open an attachment that allows the scammer to release ransomware into the local IT system.
At SOE, we recommend that all our customers implement a multi-layered approach so that the practice is resilient and can detect any issues before they cause harm to its IT systems, and, importantly, keep this under review so that all working practices are always up to date and secure.
There are a number of key areas of defence you can put in place to protect your practice:
- Install antivirus software and ensure it is up to date on all your computers and IT systems to protect them from malware.
- Use authentication tools such as two-factor authentication to protect your accounts.
- Help users identify and report suspected phishing emails. Provide training to help them spot and report an email with a fraudulent request, link or attachment.
By introducing multiple layers of security to your IT systems, you can be safe in the knowledge that you have done everything possible to protect your sensitive information, patient data and your business.
Here we will guide you through some best-practice steps that we recommend all our customers take into consideration.
Filtering and Blocking emails
If you can filter and block emails in the first instance, then of course this is a strong line of defence. Checking all incoming emails for possible spam, phishing and malware means they are blocked before they reach a user.
Blocking and filtering emails can be done using a number of different techniques such as IP addresses, domain names, email addresses, public spam, attachment types and malware detection. Talk to your IT supplier or your email account provider who will be able to advise on this, and help protect your system.
Email providers such as Google Business and Microsoft have these protection features built-in and can help protect your email inbox.
Protecting your devices
It is important to install, turn on and keep updated antivirus software on all the devices and computers used at your practice (both onsite and offsite, including laptops) that are configured to receive emails or that have access to your patient data.
It is also worthwhile checking that all your internet browser versions are up to date, as this adds a further layer of protection if a link embedded in an email is clicked on: the latest versions will help to block known phishing or malware websites and prevent the link being opened.
By keeping all of your IT equipment, software and hardware up to date with the latest versions, you also improve your security. We suggest that if auto-updates are available on your operating systems or programs, you switch them on - it’s one less thing to have to remember!
Consideration should also be given to how users log in to an account to handle emails, practice admin or financial information. Review your password policy and remove unused accounts. At SOE we would also recommend that you introduce Two Factor Authentication (2FA), which ensures that only the designated person with the correct permissions can access relevant accounts.
Identifying suspicious emails can be difficult in the busy day-to-day running of a dental practice. However, it is important to provide training to your team to help them spot and report these emails. Training can help your staff to understand some of the warning signs, check authenticity and recognise these emails if they do drop into an inbox.
It is also important that your team understands the threat that these types of emails pose, while at the same time reassuring users about the steps you are taking to reduce the risks and stressing the importance of reporting incidents if they have clicked on an email.
Here is our list of top ten warning signs to look out for when identifying these types of emails:
- Many emails originate from overseas.
- Often the emails will have poor grammar, punctuation and spelling.
- Some may include odd-looking logos or images.
- Take a look at the subject line of the email - does this look unusual or does it reference the practice without using the name of the practice?
- Does the email include an action that requires immediate attention - such as click on this link or respond urgently?
- Does it include an attachment that is not something a patient would send to you?
- Does the email look like it has come from someone requesting financial information?
- Consider the type of emails that you usually receive as a practice from patients - and keep these in mind.
- The email has dropped straight into a spam email folder and so should not be opened.
- If it sounds too good to be true - it probably is!
You can also find some useful advice and guidance on the National Cyber Security Centre website: https://www.ncsc.gov.uk/
Protect your business
It is not easy to identify these suspicious emails, but by implementing a multi-layered approach to your email security and IT systems you can help protect your data. If you would like to talk to the team, simply email us at firstname.lastname@example.org