Email security: what it means for your small business

  • 02 Oct 2019

Many of us spend our working lives in our inbox. Email remains one of the most popular business communication tools, but it is also one of the main entry points for cyberattacks.

According to our 2019 CISO Benchmark Report, enterprise security leaders see email as the main threat vector. It’s not hard to understand why. Verizon’s annual Data Breach Investigations Report, to which we contribute, found that email is the number one delivery vector for both malware (92.4%) and phishing (96%).

Small businesses are prime targets for attacks

Small and medium-sized businesses are particularly at risk of cyberattack. Unlike large organisations with dedicated security teams, small companies often have no in-house IT expert.

During our recent Facebook Live chat with former BBC Dragon Piers Linney, he observed:

“Most small businesses are busy building their business and putting out fires, and sometimes they haven’t really thought about security in a holistic way.”

Small businesses rely on employees to stay vigilant and report any suspicious activity. But keeping staff up to speed is never easy: scammers have far more resources at hand than small businesses, and their methods shift all the time.


In a recent survey of ours, half of small businesses said they had experienced a breach, with 40% suffering more than eight hours’ downtime as a result.

Email protection and the law

Protecting your sensitive email data makes sense from a business perspective. According to Hiscox, basic data breach “clean-up” costs amount to £25,700 a year. But regulations such as GDPR may also affect your approach to email security. For example, GDPR (Article 5(1)(f)) specifies that personal data should be:

“… processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage...”

Small businesses should therefore have appropriate technical measures, processes and staff in place to keep their clients’ (and their own) data safe.

What to watch out for

Protecting against email attacks is difficult and resource-intensive, which is why many small businesses have moved to the cloud.

Managed email services such as Gmail or Microsoft Office 365 offer practically all the functionality of self-managed email without the cost and hassle of running an email server, which makes them a natural fit for small businesses.

But the popularity of these services means cybercriminals increasingly impersonate them, and target the accounts they host, to launch attacks.


A common technique is the simple phish. An attacker sends an official-looking email to your employees, purportedly from Google or Microsoft, alerting them to an account issue and prompting them to verify their details on a login page linked from the message. The page is a fake that records whatever is typed into it, and once a username and password are entered the criminals can sign in as that employee, read and send mail in their name, and use that foothold to move further into your business.
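The two tells a mail gateway (or a careful reader) can check for in such a message are a link whose visible text names Google or Microsoft while its href points somewhere else, and a hostname that merely resembles the brand's real domain. The following is an added example, not code from the original article or from any Cisco product: it scans the anchors in a constructed sample email body for both. The brand domain list, the sample body and the two-label registrable-domain guess are assumptions made for the demo; production code should consult the Public Suffix List.

```python
"""Flag the tell-tale signs of a credential phish in an HTML email body.

Added example (not from the original article). The sample body and the
BRAND_DOMAINS allow-list are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: the real login hosts for the brands the phish imitates.
BRAND_DOMAINS = {
    "google": {"google.com", "accounts.google.com"},
    "microsoft": {"microsoft.com", "login.microsoftonline.com", "office.com"},
}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude registrable-domain guess (last two labels); a simplification
    for the example, real code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_brand_host(host, brand):
    """True if host is one of the brand's real domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def analyse_links(html):
    """Return {href: [reasons]} for anchors that look like credential phishes."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if url.scheme not in ("http", "https") or not host:
            continue
        reasons = []
        for brand in BRAND_DOMAINS:
            if is_brand_host(host, brand):
                continue  # genuine brand link, nothing to flag for this brand
            # 1. The visible text names the brand but the link goes elsewhere.
            if brand in text.lower():
                reasons.append(f"text names {brand} but link goes to {host}")
            # 2. The hostname contains the brand name without being the brand.
            if brand in host:
                reasons.append(f"lookalike host for {brand}: {registrable_domain(host)}")
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample: one phish link beside two legitimate ones.
SAMPLE_BODY = """
<p>Your Microsoft 365 mailbox is almost full.</p>
<p><a href="https://login.microsoftonline-verify.example/auth">Verify your
Microsoft account</a> within 24 hours to avoid suspension.</p>
<p>Or read our <a href="https://www.microsoft.com/en-gb/security">security tips</a>.</p>
<p><a href="https://accounts.google.com/">Google sign-in</a></p>
"""

if __name__ == "__main__":
    for href, reasons in analyse_links(SAMPLE_BODY).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Only the first link is flagged, for both reasons; the genuine microsoft.com and accounts.google.com links pass because they sit under the allow-listed domains. The text check is a heuristic (a phish can avoid naming the brand in the link text), which is why the hostname check runs independently.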


Where scam email goes, malware follows

Phishing emails are often accompanied by malware – either as attachments or via links in the email.

Malware takes many forms. More than half of the malicious files flagged in 2018 were apparently innocuous file types that small businesses use every day: PDFs, Word documents, Excel spreadsheets and the like. Once opened, a document carrying a malicious macro, embedded script or exploit can compromise the host system and, from there, the entire business network.
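Because the dangerous attachments look like everyday documents, the useful checks are on what the file actually contains rather than on its name: whether the bytes match the claimed extension, whether an Office document carries a VBA macro project, and whether a PDF contains JavaScript or an auto-run action. The following added example (not code from the original article or any Cisco product) applies those checks to attachments constructed in memory; the extension and magic-byte tables are assumptions kept short for the demo, and the "Office documents" built here are minimal zip containers, not valid Word files.

```python
"""Triage an email attachment the way a mail gateway would.

Added example, not from the original article. Sample attachments are
constructed in memory; the magic-byte and extension tables are assumptions
trimmed for the demo.
"""
import io
import zipfile

MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",          # .docx/.xlsx/.pptx are zip containers
    b"\xd0\xcf\x11\xe0": "ole",    # legacy .doc/.xls
    b"MZ": "exe",                  # Windows executable
}

# What the content should look like for a given claimed extension.
EXTENSION_TYPES = {
    "pdf": {"pdf"},
    "docx": {"zip"}, "docm": {"zip"}, "xlsx": {"zip"}, "xlsm": {"zip"},
    "doc": {"ole"}, "xls": {"ole"},
}


def sniff(data):
    """Classify content by its leading bytes, ignoring the filename."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def office_has_macros(data):
    """OOXML files store VBA in a vbaProject.bin part (word/, xl/, ppt/)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith("vbaProject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def pdf_has_active_content(data):
    """Look for the PDF name objects used to run code when the file opens."""
    return any(token in data for token in (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch"))


def triage_attachment(filename, data):
    """Return a list of reasons the attachment should be held for review."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if ext in ("exe", "scr", "js", "vbs", "bat", "hta"):
        reasons.append(f"executable extension .{ext}")
    if kind == "exe":
        reasons.append("file starts with an executable header")
    expected = EXTENSION_TYPES.get(ext)
    if expected and kind not in expected:
        reasons.append(f"extension .{ext} but content looks like {kind}")
    if kind == "zip" and office_has_macros(data):
        reasons.append("Office document contains a VBA macro project")
    if kind == "pdf" and pdf_has_active_content(data):
        reasons.append("PDF contains JavaScript or an auto-run action")
    return reasons


def build_docx(with_macros):
    """Construct a minimal OOXML-style zip for the demo (not a valid Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


SAMPLES = {  # constructed sample attachments
    "invoice.docm": build_docx(with_macros=True),
    "quote.docx": build_docx(with_macros=False),
    "statement.pdf": b"%PDF-1.4\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\n",
    "report.pdf": b"MZ\x90\x00" + b"\x00" * 32,   # an .exe renamed to .pdf
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, triage_attachment(name, blob) or ["clean"])
```

Only quote.docx comes back clean. A real gateway would go further (detonating the file in a sandbox, inspecting OLE streams in legacy .doc files, and parsing the PDF properly rather than grepping for name objects), but the three checks shown here already catch the common cases of renamed executables, macro-laden documents and scripted PDFs.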

Protect your small business against attacks

Education is the best defence. Regular training keeps your employees up-to-date about typical phishing methods and how to reduce the risk of a breach.

In addition, we recommend these security practices:

  1. Run regular phishing exercises. Emulate the latest real-world techniques to educate employees.
  2. Use multi-factor authentication. Reinforce access to your systems by requiring more than one method of verification.
  3. Keep software up-to-date. Vendors constantly patch their products to remove vulnerabilities that hackers can exploit.
  4. Enable DMARC and other anti-phishing technologies. DMARC builds on SPF and DKIM: it lets receiving mail servers check that a message claiming to come from your domain was authorised by you, and tells them whether to monitor, quarantine or reject mail that fails. Modern anti-phishing software adds content and link analysis to catch the scams that sender authentication alone cannot.
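To make the DMARC recommendation concrete, the following added example (not code from the original article or from any Cisco product) parses a DMARC TXT record and applies the protocol's core rule: a message passes only if SPF or DKIM passed and the domain that passed aligns with the visible From: domain. It shows a monitor-only record (p=none, which reports spoofing but does not stop it) beside an enforcing one, and evaluates a legitimate message and a spoof against each. The records, domains and authentication results are constructed, and the organisational-domain function is a simplification; real implementations use the Public Suffix List.

```python
"""Evaluate a message against a domain's DMARC policy.

Added example, not from the original article. Records, domains and
SPF/DKIM results below are constructed for the demo.
"""


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict with RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def org_domain(domain):
    """Simplified organisational domain: the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, spf=None, dkim=None):
    """
    spf  : (result, envelope-from domain), e.g. ("pass", "mail.example.com")
    dkim : (result, d= domain from the signature)
    Returns ("pass", None) or ("fail", disposition), where disposition is
    the action the record requests: none, quarantine or reject.
    """
    policy = parse_dmarc(record)
    spf_ok = (spf is not None and spf[0] == "pass"
              and aligned(from_domain, spf[1], policy["aspf"]))
    dkim_ok = (dkim is not None and dkim[0] == "pass"
               and aligned(from_domain, dkim[1], policy["adkim"]))
    if spf_ok or dkim_ok:
        return ("pass", None)
    is_subdomain = org_domain(from_domain) != from_domain.lower()
    return ("fail", policy["sp"] if is_subdomain else policy["p"])


# Constructed records: the weak monitor-only setting beside the enforcing one.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCING = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # Legitimate message: DKIM-signed by the From: domain itself.
    print(evaluate(ENFORCING, "example.com", dkim=("pass", "example.com")))
    # Spoof: From: example.com, but SPF only passed for the attacker's domain.
    print(evaluate(MONITOR_ONLY, "example.com", spf=("pass", "attacker.example.net")))
    print(evaluate(ENFORCING, "example.com", spf=("pass", "attacker.example.net")))
```

The spoof fails under both records, but only the enforcing record asks the receiver to reject it; under p=none it is delivered and merely reported. Start with p=none to discover which legitimate senders (newsletters, CRMs, ticketing tools) are not yet aligned, then move to quarantine and reject once the reports are clean.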

And we have a range of products for small businesses to improve email security, protect data, and stay compliant.

Finally, don’t forget to read the Cisco 2019 Email Cyber Security Report.
