
Secure Email for SMEs: What You Need to Know

Email has been an integral part of our lives for over 50 years, especially in business communication. The Radicati Group estimates that around 392.5 billion emails will be sent and received worldwide each day in 2026.

However, as email use rises, so does cybercrime. In 2022, 39% of UK businesses reported experiencing cyber attacks.

Since the onset of the pandemic in 2019, email has increasingly become a focal point of security incidents and now features in 80% of breaches.

Here’s what small and medium-sized enterprises (SMEs) need to know about secure email.

What Are the Main Cyber Risks?

Understanding the forms of email attacks is essential to safeguarding your business. These risks fall into two main categories:

1) Threat Actors

These individuals exploit technology to conduct malicious activities online.

Threat actors may intercept messages during transmission, hack accounts with weak passwords to access inboxes, or send fraudulent messages with deceptive links (phishing).

Their goal is typically to steal files and data for ransom or sale.

2) Your Employees

A significant source of email risk is your own colleagues.

A 2022 data breach report indicates that 82% of breaches involve the human element, suggesting many could be prevented by reducing human error.

Burnout and stress can increase the likelihood of these errors, impacting email security.

What The Breach Data Shows

Most breaches still involve people, process, or everyday mistakes - not only external attackers.

"Small firms rarely have a dedicated security team watching every inbox. That makes everyday send habits, training, and tools that work at the point of send especially important for SMEs."

Paul Holland, Founder and CEO, Beyond Encryption (Mailock)

As an SME, Why Should You Care?

43% of cyber attacks target small or medium-sized businesses, yet only 14% are prepared to defend themselves effectively.

SMEs often lack the resources for comprehensive email risk assessments and staff training compared to larger companies.

The impact of a data breach can be more severe for an SME.

The average cost of a breach has risen by 12.7% in recent years. 60% of small businesses shut down within six months of a hack, unable to recover like their larger counterparts.

Beyond financial damage, businesses have a duty to protect customers' personal information.

When customer data is exposed, brand trust can fall quickly - and SMEs often have less room to absorb that damage than larger competitors.

What The SME Closure Figure Shows

For many small businesses, a serious breach is not only a security event. It can become a survival issue within months.

"SMEs often need protection that fits existing workflows rather than a wholesale platform change. Encryption, recipient checks, and recall need to feel practical for busy teams, not like a separate security project."

Adam Byford, COO, Beyond Encryption (Mailock)

How to Secure Your Emails

Effective cybersecurity strategies should encompass both prevention and response measures.

1) Prevention:

Although quick responses are vital during an attack, preventative measures significantly reduce the likelihood of incidents - remember, prevention is the best cure.

Educating Employees

Regularly updating staff on key cybersecurity principles and potential threats is crucial - ideally on a quarterly or at least annual basis.

Investing in cybersecurity training and awareness can reduce security-related risks by 70%.

Utilising Strong Passwords

The IBM "Cost of a Data Breach" report notes that 19% of breaches stem from compromised credentials.

Employing strong passwords that combine letters, numbers, and symbols without using personal information is a fundamental step in securing email accounts.

Strong passwords remain a baseline control, even when other tools are in place.

Encrypting Messages

51% of businesses lack policies for storing or transferring personal information.

When staff are unsure what email compromise involves, encryption may not be used consistently in day-to-day work.

Encryption can be built into daily operations using solutions like Mailock, helping teams send secure email without adding unnecessary friction.

Authenticating Recipients

Implementing two-factor authentication (2FA) ensures that only authorised individuals can access sensitive information.

Authentication methods such as SMS codes, security questions, digital certificates, or biometric verification like fingerprints or facial recognition are practical ways to secure data.

Only 31% of businesses use 2FA, even though it prevents 99.9% of automated attacks.

What The 2FA Uptake Figure Shows

Most UK businesses still do not use two-factor authentication, even though Microsoft reports it blocks the vast majority of automated account attacks.

Employing Email Revoke

Sending an email to the wrong person, or the wrong attachment to the right person, is a common human error behind business data compromise.

Being able to revoke emails (block access to them) is a valuable preventative measure to contain potential damage from such mistakes.

Although many email providers offer a recall function, it often relies on the recipient’s email provider for compatibility.

2) Response:

Your response to an email data incident can be crucial in determining the outcome. Swift, compliant actions are essential to contain the issue.

Start the Timer

Under UK law, you must report an email breach to the ICO (Information Commissioner’s Office) within 72 hours of discovery.

Begin the clock as soon as you realise the breach and focus on containing it as much as possible before filing your report.

What The ICO Deadline Means

Once you know a personal data breach has occurred, the 72-hour reporting clock starts. Containment and fact gathering need to happen in parallel.

Assess the Situation

Assemble key personnel to gather facts. Identify the types of sensitive data involved, the volume of data, and who it concerns.

Determine immediate actions to mitigate damage and protect those affected.

Examples include:

  • Sent an email to the wrong person? Request deletion or use Mailock to revoke it.
  • Compromised email account? Regain control by resetting passwords.

You may need to perform tests to fully understand the breach’s extent. Do this while containing known risks.

Contain and Report

Take steps to ensure that compromised personal data does not spread further.

Notify anyone whose data has been affected so they can take protective measures, such as changing passwords.

Document the incident thoroughly: when it occurred, the cause, the data involved, and its extent.

ICO self-assessment

If you cannot contain the situation further or if your 72-hour window is closing, submit your report to the ICO by calling 0303 123 1113.

If you are unsure whether to report after containing the breach, use the ICO’s self-assessment tool to decide.

The Best Protection

Developing a practical strategy to guard against cyber risk takes time, but it helps reduce the chance of the worst outcomes.

 

FAQs

What Cyber Risks Matter Most for SMEs?

SMEs face external attackers, employee mistakes, phishing, weak controls, and limited security resources.

What Should SMEs Prioritise First?

Prioritise MFA, secure email, staff awareness, and clear response processes for incidents.

Why Does Email Security Matter for Smaller Firms?

Email is where many customer documents, payment details, and confidential decisions move every day.

 

References

Email Statistics Report, 2024-2028 - Executive Summary, The Radicati Group, 2024

Cyber Security Breaches Survey, UK Government, 2022

Share of Cyber Security Breaches, Statista, 2023

Human Error Is Responsible For 85% Of Data Breaches, GRC eLearning, 2022

Cybersecurity Statistics, TechTarget, 2020

Small Companies Close After Hack, Cybersecurity Ventures, 2023

Cost Of A Data Breach Report, IBM, 2023

Brand Trust Report, Edelman, 2021

Impact Of Cybersecurity Awareness, Pensar, 2023

Cyber Security Rules Implemented, Statista, 2023

Prevent Account Attacks, Microsoft, 2019

Personal Data Breach Assessment, ICO, 2023

Data Security Incident Trends, ICO, 2023

Reviewed by

Sam Kendall, 02.06.26

This content is for general information only and is not legal advice.

 

Originally posted on 17 08 22
Last updated on June 5, 2026

Posted by:  Sabrina McClune

Sabrina McClune writes about cybersecurity, data protection, digital identity, and digital transformation for Beyond Encryption, helping regulated sectors understand complex technology and compliance topics with greater clarity.
