For more than four years, IDECSI has built a solid reputation by protecting email and Office 365 accounts for executives and employees of major international groups. IDECSI is often engaged as an expert on best practices for the protection of mailboxes, be that for executives, senior managers, their assistants, employees managing sensitive information (HR, DOFA, IT, security, …), and the wider employee base.
Don't give visibility to your sensitive data
The first rules are basic and critical, but all too often are not followed today.
- Do not write passwords on post-it notes and absolutely do not leave them visible near your computer.
- Do not leave your laptop or desktop open, even at night – always log off or at least lock the session. IDECSI frequently identifies nighttime activity, and of course internal or external staff frequently work out-of-hours.
- Ideally, do not allow users administrative rights on their computers. Where such rights are needed, use a separate account that is only activated when needed.
Have visibility on your data
Some less well-known good practices can help secure against important security threats:
- Ensure that personal devices connected to the work environment (home computer, tablet, personal phone) can only be used by the owner – prevent access by family and other staff.
- Check the level of visibility to the calendar by other users. The calendar often contains sensitive information (appointment details, meeting titles, conference call details, attachments). If the rights are too permissive, it will be impossible to verify who has accessed the information.
- Regularly check who has access to email accounts and whether the access rights and delegations are up-to-date and legitimate. Delegations often remain active after the departure of an executive assistant, or after IT has completed a task.
- Regularly review the rules present on email accounts (forwarding, copying, deletion, etc.)
Executive assistants are a high-risk population, similar to the individuals they support. Assistants often have access to several mailboxes, potentially making them an even more attractive target for hackers. In general, executive assistants must protect themselves in the same way as the executives, following the best practice in this post.
Ensure governance of your delegations
For senior staff, it is also important to ensure that mailbox delegations are well managed:
- When an assistant stops supporting a given executive, the executive should change their own password(s) – it’s very common for assistants to know their boss’s passwords.
- The assistant’s rights and delegations should be removed, including from the calendar.
- It’s often important for assistants to manage their executive’s appointments from a mobile device. However, giving access to the calendar by mobile means giving access to the entire account. Where such access is given, it is crucial to delete the account from the assistant’s smartphone when they change function.
These tips significantly reduce email security risk for all employees and executives of the company.
In general, the more entry points there are to critical data, in this case mailboxes, the wider the area of exposure. For each entry point – delegation, rule, service account, etc – companies should consider the real need for that exposure. When the need is legitimate, it is then a question of protecting this access point.
With IDECSI, we invite you to go further in securing your email and Office 365.
