Select Page

Share this episode with someone you think will benefit from it.

Leave a review at Lovethepodcast.com/BusinessConfidential

Security measures

SECURITY MEASURES

What security measures do you have in place to protect your email messages?

We assume our emails are secure. But what if they’re not? How do we make sure our messages stay confidential?

Those are a few of the topics we’ll explore with our cybersecurity expert, Stephen Jordan, when we come back.

What You’ll Discover About Security Measures:

* Why the security measures of email addresses provided by domain name providers are not enough

* 5 easy protocols you can configure right now that can improve email security measures

* Where to get the biggest return on investment in adding security measures to your email

* How to find a cybersecurity expert you can trust

* And much more.

Guest: Stephen Jordan

Stephen Jordan

Stephen has spent over 33 years providing computer related products and services to small businesses, working as a Technician, System Administrator, System Engineer, and I.T. Manager, with 30 of those years running his own business.

Stephen experienced the evolution of the industry as it changed from being the sales driven computer industry, to the more balanced sales and service I.T. industry, and then to the managed services industry, and has seen many new industries created, including cybersecurity.

Stephen sold his I.T. and managed services business in October of 2021 so he could just focus on matters of cybersecurity for small businesses, which brought him to start his latest business venture called Sound Cybersecurity.

 

Related Resources:

If you liked this interview, you might also enjoy our other Risk Management episodes.

Contact Stephen and connect with him on LinkedIn

And check out his informative blog.

_____

Evaluating the Best Email Security Measures for Small Businesses

What security measures do you have in place to protect your email messages? We assume that emails are secure, but what if they’re not? How do we make sure our messages stay confidential? Those are the few questions that I’m going to be exploring with our cybersecurity expert, Stephen Jordan, when we come back.

 

This is Business Confidential Now with Hanna Hasl-Kelchner, helping you see business issues hiding in plain view that matter to your bottom line.

 

Welcome to Business Confidential Now, the podcast for smart executives, managers, and entrepreneurs looking to improve business performance and their bottom line. I’m your host, Hanna Hasl-Kelchner, and I’ve got another fascinating guest for you today. He’s Stephen Jordan.

 

Stephen focuses on cybersecurity for small businesses at Sound Cybersecurity. He brings over 33 years of experience to the table, having worked as a technician, system administrator, system engineer, and IT manager. I’m really excited to have him join us today to demystify email security measures for us.

 

Welcome to Business Confidential Now, Stephen.

 

Thank you, Hanna, and I’m glad to be here.

 

Glad to have you. For many of us, email is a black box we type into, and we assume it’s secure. But you know what they say about assumptions, right? And I’m hoping you can tell us…

 

Exactly.

 

…what red flags we need to be alert to, that would indicate to us that it’s not secure, Stephen.

 

I think you’re right that we all just use it, and we just think that it’s secure, and we’ve done that for, what, going on 20-plus years for most of us, maybe 30 for some. So, just I think the biggest thing is just if you’re assuming it’s secure, that maybe should be the red flag, that it is not just an automatic secure thing. There’s definitely steps that need to be taken to make it far more secure than it’s going to be right out of the box.

 

All right. Well, what are those steps? How do we know that it’s not secure out of the box?

 

You just – I mean, unless you have purchased your email subscription service through a very highly encrypted and secure system that’s out there – and I’m sorry, I don’t know any of the names of those ‘cause I don’t deal in that space with top secret and government Department of Defense type things. But if you’re just buying the normal everyday Google, Microsoft, or other email or exchange hosting services out there, just out of the box, it’s – you can just know it’s not going to be a secure thing.

 

And there’s just some steps that you should take. And I have a kind of a lengthy list and a blog not to bore everybody in a podcast with all of those, but using a modern and secure email platform is a first step in that. A lot of the different companies that we register our domain names with, be it like the Network Solutions, GoDaddy, Cloudflare, and many others that are out there, they often will provide a very inexpensive type of email service along with that domain name registration.

 

Those are just the old SMTP pop type email services that we started with decades ago, and we know that those protocols are easily compromised.

 

So, using something like Microsoft 365 or Google Workspace is going to be a lot – definitely going to be a step up in using a more modern and secure email platform. Are they perfect? Are they the most secure things on the planet? Absolutely not. We’ve recently heard of Microsoft’s own email compromise here in the last few weeks. So, it’s definitely not secure as it could be at that point, but it’s definitely more modern.

 

There’s a lot of old email features, and we call them protocols that need to be disabled, and so that newer ones are used. Many other steps. Using strong passphrases instead of just passwords and preferably ones that you’re not using anywhere else, using multifactor authentication, setting your account lockout settings, using email warning tags and attachment blocking.

 

Those are just free things that you can get in and configure your email system to do to make your security much, much stronger. And then from there, it really – the list – there’s another list of that long of things that are going to start costing a little more time and money.

 

All right, Stephen, you’re scaring me here. Because I would imagine unless somebody has an IT department or an expert such as yourself on staff, they may be totally unaware, especially if they don’t consider themselves tech savvy. Right? They’re relying on these companies…

 

Right.

 

the Googles and whatever to give them a product that is reliable and safe.

 

Right, yeah.

 

For those folks, what would be the first step you would recommend where they would get the biggest bang for the time that they invest in adding a security measure to their email?

 

Yeah. First, I think they – if they don’t know – and then that, I think, is just the biggest problem with cybersecurity in general. Most people – and I’ll just pick on business owners for now since I work in a small business space, they don’t realize or know anything about these security holes and the improvements that need to be made. So, it – it’s kind of easy to turn a blind eye to it ‘cause you just don’t know that it exists. So, getting with somebody like myself that can give you some direction and advice would be a huge first step.

 

But if they don’t have somebody like that, then there are a lot of different next-generation email security platforms out there. They’re still going to need to work through an IT professional to get access to those. Most of those don’t allow end-users to sign up for their services. They’re usually resold through partners. So, somebody like myself can help you get set up with something like Harmony Email & Collaboration Security through Check Point Software, which is a new next-generation email security platform.

 

Unlike the many old email gateways and spam filters that we’ve used in the past. I’d say if there’s any one thing that in the list that would be – make a huge amount of difference and get them on the right path really quick, that would be the first step, but they should never think that that’s the only step. When I usually start talking about email security with most business owners, they’ll often just kind of tune out because they know they already have some sort of email security feature built into their email hosting, whether that’s with Microsoft or Google, or maybe they pay a monthly bill for a separate email security, spam filter, virus filter for their email.

 

And they just immediately go, “Oh, checkmark. I’m covered there.” Well, no, that’s just one of about 15 things on the list that you need to check off.

 

All right. Well, that sounds like it’s pretty complicated. And I think my first question, if I wanted to pursue one of these options that you’re talking about is, is it going to change my email address? Because that’s something that can stop people in their tracks from making a change. They have all these contacts who have their existing email address. Well, now you have to give them a new address if you’re going to another system, or can you bring your address with you? How does that work?

 

Yeah, you can definitely keep your email address if you have a custom email, or I should say custom domain name. So, of course, in my company’s case, SoundCybersecurity.com is my custom domain name. And I can take those email addresses anywhere that I want to take them, and so can any other company that has that.

 

The only time that somebody would have to make that kind of switch would be if they are using, say, a G – an email address at Gmail.com, or Hotmail, or Yahoo.com, or NetZero.com if we’re going back in time aways. Any of those generic email addresses, those are often not as secure as they should be either, and you can’t add these security features to most of those. So, if you want to add them, you would need to get your own custom domain name, which, obviously at that point, is going to force you into changing to an email address.

 

Got it. But I would imagine that many of the entrepreneurs and small business owners that are listening do have a custom domain. They have a website, and they’ve got domain names associated with it. Which leads me to wonder. When finding a security expert – because you are really kind of opening the kimono here in terms of important email data, if you will – how do they go about finding someone with the right expertise such as yours? What questions should they be asking? How do they know that it’s somebody that they can trust?

 

Well, hopefully listening to your podcast will be the first step for them.

 

Well, thank you.

 

But – and that they’ll give me a call. But anybody who – you need to just get on the internet and search for email security expert specialist enthusiast and you will find a lot of us out there. Local IT companies often will cover this space. But I think if the bigger thing would be to search for cybersecurity companies, they’re going to be a little bit more keen on those security issues than maybe just your standard IT guy that you may be aware of.

 

But not that they couldn’t help, but turning to those – to them or searching on the internet would be a great place to start to find a helpful resource.

 

Understood. And I’m sure there are a lot of people who say they can do cybersecurity, but what questions should we be asking? Once we’ve identified two or three potential candidates, somebody that’s local, that you can maybe have a face-to-face meeting with, what should we be asking them?

 

I’d be looking at how long they’ve been in the business. How many – ask for some references for a couple of their clients and get those and get in communication with those people to see how they feel. But there isn’t a good industry scorecard, I guess, out there. Anybody with the knowledge could spin up a website and talk really great things about themselves.

 

So, I would probably dig in a little bit deeper as to what platforms or tools they would be using or providing you with to secure everything, and you could then do some reviews on those tools and services that they will be using to protect you. And – but again, I’d go back to that just how long have they been at it. I mean, you definitely want somebody who’s been dealing with email for a long time. And, for instance, in my case, I started hosting email for clients in 2000.

 

I’d been, of course, working with other email services for my clients and hosting that themselves prior to that. But that’s been about the – so what, 20 – going on 24 years now that I’ve been hosting email and evolved with that over the years. It just continues to change. You think email is email, but there have been a lot of changes in that timeframe.

 

And if somebody were to make that kind of a transition to a different email server, whether it’s with you or someone else, about how long does something like that take timewise? Is it a matter of days, weeks, months to do that type of a transition? Can you give us an idea?

 

Well, if they actually are in a bad place with their email hosting provider, that’s something that could take a couple of weeks to work through. If it’s just a single person, it could just take some number of hours to transition over to an email service, but then transitioning more into securing your existing email.

 

For instance, if you’re with Microsoft 365, that’s something that could require not very much time, just a little bit of coordination time on the part of the end-user, maybe a little bit more on our end, but it’s really not a complex process to start implementing these things. It’s just a process. And a little bit of time here and a little bit of time there. And within some number of months, two to three months, many of those, if not all, could be implemented and fully up and running.

 

So, does it depend on the number of emails? I mean, small business that probably has a handful of employees, and they may have additional emails for customer service or information that aren’t name-specific. They may be more department-specific or product-specific. Does the number of emails make a difference or is it just plug and play, move it over?

 

So, it makes a difference if they do need to migrate. Say, they need to make that switch to a more modern and secure email platform, then yes, the more users or mailboxes that they have the more time it’s going to take because all of that data needs to be moved. All the messages, maybe calendar appointments and contacts, all of that will need to be moved. So, if you’ve got 10 users, that could be the better part of a day. If you’ve got 100 users, that could easily take a week or two to move that much.

 

Okay. Well, let’s talk about 10 users and under and…

 

Okay.

 

…mailboxes that are not overly stuffed, let’s put it that way, where people aren’t keeping 10 years of emails. You mentioned it could take a couple of months, but I’m wondering in terms of budget, how big a budget are we looking at to be able to move the typical email from, let’s say, GoDaddy to something more secure?

 

Yeah, to Microsoft 365. I would say that would be in the hundreds of dollars, maybe under a thousand if it’s just a 10-user. Yeah, so not too much money, and on an ongoing basis.  I don’t have those monthly costs just off the cuff, but there’s lots of different Microsoft subscription levels. Just the most secure 365, which should be the premium package, is like $22.00, $23.00 a month per user.

 

But that’s just for the platform itself. That doesn’t include any advanced security, and all the other features, that could easily add another $15.00, $20.00, $25.00 a month per user once all of those security features are enabled. So, if you’re spending somewhere between $30.00 to $50.00 a month per user would kind of be an ongoing budget that I would expect to know that you’ve got a good platform, and that it’s – this right security is in place.

 

But as far as the upfront move, I mean, I think it – your probably $1,000.00 budget would be a good expectation for that migration. And they may be able to do it cheaper.

 

Well, that’s a good ballpark. I’m not trying to pin you down, but are we talking three figures, four figures, five, six?

 

Right. Got you.

 

That’s something that could factor into somebody even wanting to look at this as opposed to saying…

 

Right.

 

“Yeah, I know I get some spam emails. I just delete them. I – it’s okay.”

 

“Not that it’s great. It’s a nuisance. It’s annoying, but I don’t feel like it’s going to be a cyber-attack that is going to require me to pay a ransom for documents or anything like that.” It’s about the risk they’re willing to take and the time and the cost to plug that hole.

 

Yeah. And with 91% of all cyber-attacks beginning with an email, it – that makes it a huge entry point that definitely needs a strong gate.

 

Well, you’ve raised an interesting issue here about cyber-attacks. What makes the email – I mean, I know we’ve heard about people opening up a link in an email or an attachment in an email that then allows a virus into the system. But is there more to that?

 

Yeah, there is. And yeah, some of those are – it is a link that you would click on. There are some awful ones out there that just opening the email can have an impact on you, but definitely opening attachments or clicking on links within an email that you shouldn’t will open the door to that. But there’s more to it in just being able to spoof an email address, which another one of those wonderful techie terms.

 

But right now, given my level of knowledge about email servers, as long as I know your email address, I could create or we’d say spin up an email server here in my office, and within a short number of bit of time, minutes maybe, I could start sending email out as if I were you. I could start to pretend to be you. And with a little bit of investigation, which the cybercriminals do – maybe they’ve gained information from other compromises that have existed in the past.

 

Maybe they’ve intercepted emails through computers they’ve already hacked, however they get it, they start to learn about our lives, whether that’s through social media or companies’ web pages.

 

They start learning who’s who, and then they start using our email address to send email to the right person with a pretty convincing story, “Hey, I need you to wire transfer X amount of money to whatever vendor XYZ and send this amount, and here’s the wiring instructions.” And suddenly they just gave away $50,000.00 to a cybercriminal. And that email didn’t contain any links, didn’t contain any attachments.

 

There was nothing within the email that would have triggered anything in the way of a virus or spam filter, but – yet it was obviously malicious, and it’s social engineered somebody into doing something that they shouldn’t. So, that type of security needs to be addressed through something we call DMARC. That’s some protocols that we enable that will stop them from being able to use your email address.

 

And right now, it’s something everybody needs. And the sad thing is it’s probably less than 5% of all domain names actually have that protection in place today.

 

Well, that is scary, so please don’t do that to my email.

 

Yes, I won’t do that to your email.

 

Okay. Well, we’ve covered quite a – quite a bit. And I’m sure we may be scaring the sauce out of some people. And it’s certainly not intended to paralyze you with fear because what we really want is to empower you with more information to be able to make your business safer and more secure. Is there anything else sort of top line, Stephen, that you think we need to know that we haven’t covered about the generic type of email service providers.

 

Even with all the best security in place, in the end, us humans are the final line of defense. So, getting yourself and your staff educated, whether you sign up with your IT provider or a managed service provider, or you find some other online security awareness testing and training, everybody in the organization really needs to start doing that to become aware. Because that’s where I think the biggest problem exists, is that most people are just not aware that it’s even an issue.

 

It’s just, “This is how we’ve always done it. We’ve never had a problem, so why do we need to change?” And being educated will hopefully help them avoid some social engineering, but also open their eyes to some things that they just may not have contemplated previously, and that in itself will be a huge step in securing things.

 

Very good. There’s a lot of value in being proactive and improving our peripheral vision. So, thank you Stephen. This has really been great. I appreciate your time and your insights about this important topic because I think we do take email for granted and assume that there are security measures in place, not realizing just how vulnerable we may be.

 

So, if you’re listening, and you’d like to know more about Stephen Jordan and his work at Sound Cybersecurity, that information, as well as a transcript of this interview, can be found in the show notes at BusinessConfidentialRadio.com.

 

Thank you so much for listening. Be sure to tell your friends about the show and leave a positive review. We’ll be back next week with another information packed episode of Business Confidential Now.

 

So, until then, have a great day and an even better tomorrow.

Join, Rate and Review:

 

Rating and reviewing the show helps us grow our audience and allows us to bring you more of the rich information you need to succeed from our high powered guests. Leave a review at Lovethepodcast.com/BusinessConfidential.

Joining the Business Confidential Now family is easy and lets you have instant access to the latest tactics, strategies and tips to make your business more successful.

Follow on your favorite podcast app here as well as on Facebook, YouTube, and LinkedIn.

Download ♥ Follow  Listen  Learn  Share  Review Comment  Enjoy

Disclosure:

This post may contain links to products to products on Amazon.com with which I have an affiliate relationship. I may receive commissions or bonuses from your actions on such links, AT NO ADDITIONAL COST TO YOU.