Many firms invest heavily in blocking incoming attacks, yet still send sensitive customer information by everyday email without encryption, authentication, or evidence of who opened it.
That gap in outbound customer communications is where a large share of regulatory, reputational, and fraud risk sits.
In a bonus episode of our Regulated Digital series, Paul Holland, Founder and CEO of Beyond Encryption (Mailock), explains why organisations often overlook the messages they send to customers and what practical protection looks like in real workflows.
Cyber attacks on businesses are becoming more advanced, and criminals increasingly target critical infrastructure such as hospitals.
When systems fail under attack, organisations can be forced to delay care or send patients elsewhere, and operational disruption can follow within days.
The Radicati Group estimates that around 392.5 billion emails will be sent and received worldwide each day in 2026, which makes email a persistent target for criminals.
Where UK Breaches Are Reported
The ICO received more than 3,000 cyber breach reports in 2023, with finance (22%), retail (18%), and education (11%) reporting the most incidents.
Outgoing messages often include personal or financial information that criminals can exploit if access controls are weak.
Email remains one of the top sources of reported breaches.
"Email was never created with security in mind. With over 390 billion emails expected to be sent and received daily, it's still the main way we communicate - and it's a big risk."
Paul Holland, Founder and CEO, Beyond Encryption (Mailock)
The scale of everyday email use makes outbound protection a practical priority, not a secondary control.
Securing Outbound Communication
Many companies build strong internal defences but leave the data that leaves the business exposed.
Organisations share private information with customers every day, including policy documents, ID checks, and financial details.
Without safeguards, those exchanges can be intercepted or manipulated in transit.
Outbound communications need AES-256 encryption and recipient authentication if firms want to reduce the risk to customer data.
Without those controls, everyday email gives criminals a straightforward target.
Regulatory enforcement can follow. British Airways was fined £20 million by the Information Commissioner's Office after a 2018 data breach affected the personal and financial details of more than 400,000 customers.
"If you send private customer info without encryption, you're making it easy for criminals. Protecting that data is your duty."
Paul Holland, Founder and CEO, Beyond Encryption (Mailock)
Firms also need evidence after sending: message tracking and broader audit trails help teams show who accessed sensitive information and when.
Usability is the other half of the outbound security problem: controls only work when customers complete them.
Balancing Security and Simplicity
Security tools only work when customers actually use them.
Controls need to feel simple enough to complete and secure enough to trust.
If verification steps are too complicated, recipients delay, call support, or ask for the document another way.
Good security should stay largely invisible in everyday digital products.
It should allow encrypted and authenticated communication without adding friction at every step.
"We expect tech to be simple and easy to use. If security is hard, people won't use it - we need to be customer-centric."
Paul Holland, Founder and CEO, Beyond Encryption (Mailock)
Over half of the UK public has experienced a data breach, and a third of those incidents happened in the last year (2023-24).
What The ICO Survey Shows
More than half of UK adults reported experiencing a data breach, according to the ICO Public Attitudes Survey 2024, which raises the bar for how firms protect personal information in customer communications.
Customers notice when protection feels bolted on. Firms that balance security and experience are more likely to keep trust when something goes wrong.
Teaching Customers to Stay Safe
Fraudsters do not rely on advanced technology alone.
They exploit human error, impersonate trusted brands, and mimic advisers to extract private information.
Businesses need to treat that as a daily operational risk, not a niche fraud-team issue.
Criminals are getting better at persuading people to share sensitive details, while many firms still send and receive customer data through ordinary email.
Practical protection includes teaching customers how to recognise secure communication and giving them tools for secure replies.
When a firm sends information securely, the recipient should be able to respond through the same protected route.
"If I send you private info securely, I should also let you reply securely. This closes the loop and keeps both sides safe."
Paul Holland, Founder and CEO, Beyond Encryption (Mailock)
Two-way protection matters because fraud often starts when a customer replies using an ordinary inbox.
Regulation, Evidence, and Customer Trust
Data regulations such as GDPR raise expectations beyond basic perimeter security.
Encryption, identity checks, and safe return delivery are increasingly expected for organisations handling personal data at scale.
Regulation does not prescribe one communication tool, but it does increase pressure on firms to show how sensitive information is protected, delivered, and controlled.
Enforcement action and reputational damage follow when controls fail.
Visible protection helps customers see that their data is handled carefully, which supports trust over time.
What Firms Should Prepare For Next
As threats evolve, identity checks are becoming a more routine part of secure communication.
Senders and recipients both need confidence in who is at the other end of a sensitive exchange.
Security tooling is also moving closer to existing email workflows, combining advanced encryption with proportionate authentication rather than forcing customers into separate portals for every message.
According to IBM's 2024 UK findings, 71% of organisations studied are deploying security AI and automation in their security operations, and those using automation extensively reported lower breach costs on average.
When security fails and a breach follows, recovery costs rarely fall.
That is one reason secure customer communication belongs on the same priority list as inbound defence.
"Companies need to invest in secure technology and help employees stay aware of risks across the full communication journey, from outbound delivery through to customer replies."
A practical test for leadership teams is whether sensitive customer email still leaves the business without encryption, authentication, or evidence of access. Inbound security spend alone will not close that gap.
FAQs
Why Is Outbound Customer Email a Separate Risk?
Many firms invest in stopping incoming threats but still send sensitive customer information without enough protection, evidence, or recipient verification.
What Controls Make Outgoing Email Safer?
Encryption, recipient authentication, secure replies, message tracking, and clear evidence trails all help reduce exposure in outbound communication.
How Can Firms Improve Customer Trust Without Adding Friction?
Use security that fits familiar customer workflows, explains protected access clearly, and avoids pushing people into unnecessary channel changes.
Sam Kendall works on digital marketing at Beyond Encryption, helping build B2B marketing activity around research, first principles, and sustainable growth. He writes about marketing effectiveness, positioning, customer communications, and digital culture, with longer-form work published at ATNL.