Secure Email for SMEs: What You Need to Know (Ultimate Guide)

Email has been around for over 50 years, and we are yet to see a decline in usage, especially in business. Email traffic is rising, expected to reach 347.3 billion messages per day by 2023.

Email use isn’t the only thing on the rise. Cybercrime is increasing too. 39% of UK businesses reported cyber-attacks in the past 12 months!

Since 2019 (the start of the pandemic), email has accounted for an increasing portion of security incidents — it is now involved in 80% of breaches. Here’s what SMEs need to know about secure email.

What are the main cyber risks?

It’s important to know what forms of email attack you need to protect against. We can sort the risks into two categories:

1) Threat actors

These are people who intentionally use technology for malicious activities online.

Their attacks can include intercepting messages in transit, hacking accounts with weak passwords to access an inbox, and sending fraudulent messages with false web links (phishing).

Threat actors usually aim to get files and data to ransom or sell.

2) Your employees

It may surprise you, but the main source of email risk comes from your colleagues.

A 2022 data breach report reveals 82% of breaches involve the ‘Human Element’, meaning they could have been prevented if not for human error or intervention.

Burnout and stress can exacerbate the human risk to email.

As an SME, why should you care?

43% of cyberattacks are aimed at small or medium-sized businesses, with only 14% adequately prepared to defend themselves.

Preventative measures such as email risk assessments and staff training are often not as well-resourced as they are in larger enterprises.

Yet, a data breach has the potential to hit harder in an SME. The average cost of a breach has increased by 12.7% in the past two years. It’s been said that 60% of small businesses close within six months of a hack, unable to spring back like their larger counterparts.

Beyond the financial damage a data leak could do, all businesses have a duty to customers to protect personal information, and trust is key to a healthy position in the market.

How to secure your emails

Any cybersecurity strategy should be broken down into prevention and response.

1) Prevention:

Every second matters when responding to an attack, but preventative measures reduce the likelihood that an attack will succeed in the first place — as with anything, prevention is the best cure.

Educating employees

Making sure staff are aware of key cybersecurity principles and the threats to look out for should be a continual process, reviewed at least annually and ideally quarterly.

Security-related risks are thought to be reduced by 70% when businesses invest adequately in cybersecurity training and awareness.

Utilising strong passwords

According to IBM's "Cost of a Data Breach" report, 19% of breaches identified compromised credentials (passwords or other authentication types) as a cause.

Strong passwords with a mix of letters, numbers, and symbols, and no ties to personal information, go a long way to securing an email account.

Encrypting messages

51% of businesses have no rules on storing or transferring personal information.

How customer data is handled is left to individuals, but with less than a third (31%) of employees saying they understand what email compromise is, it’s unlikely they are using encryption.

Encryption can be deployed for employees easily and securely, without causing friction in everyday communications, with a business-ready solution such as Mailock secure email.

Authenticating recipients

Two-factor authentication (2FA) gives employees the power to ensure that the right people (and only the right people) can access any sensitive information contained in a message.

Authentication methods can include an SMS code sent to a mobile device, a question and answer, a digital certificate, or biometric solutions such as a fingerprint or face scan.

Only 31% of businesses have 2FA policies in place (mostly banks and financial institutions). But, with 2FA blocking 99.9% of automated attacks, it is one of the best ways to protect communications.

Employing email revoke

Sending an email to the wrong person, or the wrong attachment to the right person, is one of the most common forms of human error associated with business data compromise.

The ability to revoke emails (block access to them) is a preventative measure that will enable you to rapidly contain the potential damage an email misfire could cause.

Though many email providers offer a recall function, these often depend on the recipient’s email provider for compatibility.

2) Response:

How you respond to an email data incident can be the difference between the best and worst outcomes. It is crucial to respond swiftly with full compliance to contain the situation.

Start the timer

You should report an email breach to the ICO (Information Commissioner’s Office) within 72 hours of discovering it, according to UK law.

Start the clock immediately and focus on trying to contain the breach as much as possible first. Once you’ve completed any containment activities, you can log your report.


Assess the situation

Gather key personnel and establish the facts of the situation: what types of sensitive data are involved, how much, and concerning whom.

Assess the situation and decide on any immediate actions that can be taken to contain the damage and protect those involved. Here’s some examples:

  • Sent an email to the wrong person? Ask them to delete it (or use Mailock to revoke)
  • Email account been compromised? Attempt to regain control by resetting passwords

You may need to do some tests to discover the depth of the breach and establish answers to any unknowns. Do this while containing the damage based on what you know so far.

Contain and report

Take all actions you can to make sure that any compromised personal data cannot spread further than it already has.

Contact anyone whose data has been compromised so they can protect themselves, for example by changing their passwords.

Make sure you record the facts. When did the breach happen? What/who caused it? How much data is compromised? What types of data?


Once you can’t do any more to contain the situation or protect those involved, or if your 72-hour timer is running out, submit your report to the ICO by calling 0303 123 1113.

If you have managed to contain the situation and aren’t sure if you still need to report it, use the ICO’s self-assessment tool to find out.

The best protection

It can take time to build an approved and airtight strategy to protect against cyber risk, but it’s crucial to prevent the worst repercussions.

Solutions such as Mailock can help. Mailock provides out-of-the-box security for outbound emails by encrypting messages and authenticating recipients. If you need a secure email solution for sensitive business-to-customer communications, Mailock is a safe and compliant option.

Originally posted on 17 08 22
Last updated on October 20, 2023

Posted by: Sabrina McClune

Sabrina McClune is an expert researcher with an MA in Digital Marketing. She was a finalist in the Women In Tech Awards 2022. Sabrina has worked extensively with B2B technology companies conducting and compiling thorough academically driven research to produce online and offline media. She loves to read fantasy novels and collect special edition books.
