Secure Email for SMEs: What You Need to Know

Email has been an integral part of our lives for over 50 years, especially in business communication. Email traffic continues to grow, projected to reach 347.3 billion messages daily.

However, as email use rises, so does cybercrime. In 2022, 39% of UK businesses reported experiencing cyber attacks.

Since the onset of the pandemic in 2019, email has increasingly become a focal point of security incidents and now features in 80% of breaches.

Here’s what small and medium-sized enterprises (SMEs) need to know about secure email.

What Are the Main Cyber Risks?

Understanding the forms of email attacks is essential to safeguarding your business. These risks fall into two main categories:

1) Threat Actors

These individuals exploit technology to conduct malicious activities online.

Threat actors may intercept messages during transmission, hack accounts with weak passwords to access inboxes, or send fraudulent messages with deceptive links (phishing).

Their goal is typically to steal files and data for ransom or sale.

2) Your Employees

Surprisingly, a significant source of email risk is your own colleagues.

A 2022 data breach report indicates that 82% of breaches involve the ‘human element’, suggesting many could be prevented by reducing human error.

Burnout and stress can increase the likelihood of these errors, impacting email security.

As an SME, Why Should You Care?

43% of cyber attacks target small or medium-sized businesses, yet only 14% are prepared to defend themselves effectively.

SMEs often lack the resources for comprehensive email risk assessments and staff training compared to larger companies.

The impact of a data breach can be more severe for an SME.

The average cost of a breach has risen by 12.7% in recent years. Alarmingly, 60% of small businesses shut down within six months of a hack, unable to recover like their larger counterparts.

Beyond financial damage, businesses have a duty to protect customers' personal information.

Trust is crucial for maintaining a strong market position.

How to Secure Your Emails

Effective cybersecurity strategies should encompass both prevention and response measures.

1) Prevention:

Although quick responses are vital during an attack, preventative measures significantly reduce the likelihood of incidents - remember, prevention is the best cure.

Educating Employees

Regularly updating staff on key cybersecurity principles and potential threats is crucial - ideally on a quarterly or at least annual basis.

Investing in cybersecurity training and awareness can reduce security-related risks by 70%.

Utilising Strong Passwords

The IBM "Cost of a Data Breach" report notes that 19% of breaches stem from compromised credentials.

Employing strong passwords that combine letters, numbers, and symbols without using personal information is a fundamental step in securing email accounts.

Encrypting Messages

Alarmingly, 51% of businesses lack policies for storing or transferring personal information.

With only 31% of employees aware of what email compromise entails, it is likely they are not using encryption effectively.

Encryption can be seamlessly integrated into daily operations using solutions like Mailock, ensuring secure email communications without hindering productivity.

Authenticating Recipients

Implementing two-factor authentication (2FA) ensures that only authorised individuals can access sensitive information.

Authentication methods such as SMS codes, security questions, digital certificates, or biometric verification like fingerprints or facial recognition are robust ways to secure data.

Surprisingly, only 31% of businesses use 2FA, even though it prevents 99.9% of automated attacks.

Employing Email Revoke

Sending an email to the wrong person or the wrong attachment to the right person is a common human error in business data compromise.

Being able to revoke emails (block access to them) is a valuable preventative measure to contain potential damage from such mistakes.

Although many email providers offer a recall function, it often relies on the recipient’s email provider for compatibility.

2) Response:

Your response to an email data incident can be crucial in determining the outcome. Swift, compliant actions are essential to contain the issue.

Start the Timer

Under UK law, you must report an email breach to the ICO (Information Commissioner’s Office) within 72 hours of discovery.

Begin the clock as soon as you realise the breach and focus on containing it as much as possible before filing your report.

Assess the Situation

Assemble key personnel to gather facts. Identify the types of sensitive data involved, the volume of data, and who it concerns.

Determine immediate actions to mitigate damage and protect those affected.

Examples include:

• Sent an email to the wrong person? Request deletion or use Mailock to revoke it.
• Compromised email account? Regain control by resetting passwords.

You may need to perform tests to fully understand the breach’s extent. Do this while containing known risks.

Contain and Report

Take steps to ensure that compromised personal data does not spread further.

Notify anyone whose data has been affected so they can take protective measures, such as changing passwords.

Document the incident thoroughly: when it occurred, the cause, the data involved, and its extent.

If you cannot contain the situation further or if your 72-hour window is closing, submit your report to the ICO by calling 0303 123 1113.

If you are unsure whether to report after containing the breach, use the ICO’s self-assessment tool to decide.

The Best Protection

Developing a robust strategy to guard against cyber risk takes time but is crucial to prevent the worst outcomes.

References

Daily Number of Emails Worldwide, Statista, 2023

Cyber Security Breaches Survey, UK Government, 2022

Share of Cyber Security Breaches, Statista, 2023

Human Error Is Responsible For 85% Of Data Breaches, GRC eLearning, 2022

Cybersecurity Statistics, TechTarget, 2020

Small Companies Close After Hack, Cybersecurity Ventures, 2023

Cost Of A Data Breach Report, IBM, 2023

Brand Trust Report, Edelman, 2021

Impact Of Cybersecurity Awareness, Pensar, 2023

Cyber Security Rules Implemented, Statista, 2023

Prevent Account Attacks, Microsoft, 2019

Personal Data Breach Assessment, ICO, 2023

Data Security Incident Trends, ICO, 2023

Reviewed by

Sabrina McClune, 18.06.24

Sam Kendall, 16.06.25