Our Guide to Email Security for SMBs

Yann Guides 11 minutes

Below is our guide to email security for SMBs.

Email is the lifeblood of any business, so here are a few statistics to set the scene. In 2021:
1) there were 3.9 billion active email users;
2) in the US, workers received an average of 126 emails daily;
3) nearly 60 billion junk emails were forecast to be sent each day over the following four years;
4) up to 60% of email opens were expected to occur on mobile devices, depending on the industry;
5) 82% of workers checked email outside of normal business hours.

Email is still the number one communication channel for most businesses. Email is the perfect solution for asynchronous communication, but it can also be an entry point for cybercriminals if it is not sufficiently secured. There are many ways that cybercriminals can exploit emails, including phishing, domain spoofing, sharing of ransomware and more. This article will discuss the importance of email security for SMBs and five ways your business can secure your email.

The Importance of Email Security for SMBs
Email has remained the number one threat vector for many years, with 83% of all cyberattacks reported as phishing attacks. Email is an effective attack vector for cybercriminals as all businesses use email, and the sheer volume of emails received daily makes it difficult for employees not to let a phishing email slip through. These phishing emails can have various goals, including stealing payment card information and launching a wide-scale ransomware attack. However, regardless of how a cybercriminal uses email as an attack vector, it can have devastating consequences for SMBs. Typically, businesses are concerned about the direct financial impact a cyberattack can have, although the downtime and associated reputational damage can be significantly worse, which is why SMBs need to invest in keeping their email secure.

4 Ways to Keep Your Email Secure

Email Security Protocols
The first step to secure your business’s email is to ensure that all appropriate security protocols are implemented correctly. There are many options for email security protocols that each serve a specific purpose whilst working together to achieve overall security. Common security protocols include TLS for HTTPS, SMTPS, STARTTLS, SPF, DKIM, DMARC, S/MIME and OpenPGP. While these protocols are essential, SPF, DKIM and DMARC are particularly important.
SPF, or Sender Policy Framework, lets the domain owner publish which hosts are authorised to send email on the domain's behalf and how a receiving server should verify this. This strongly decreases the chance of a business falling victim to a domain-spoofed phishing attack.
DKIM, or DomainKeys Identified Mail, complements SPF: the owner of the signing domain attaches a digital signature to each message, which the receiver can verify to confirm that the message genuinely came from that domain and was not altered in transit.
DMARC, or Domain-based Message Authentication, Reporting and Conformance, tells receiving servers what to do, and whom to notify, when an email fails SPF and DKIM authentication. The response actions, or policies, either quarantine the email or reject it outright.
These email security protocols are relatively simple to set up but provide powerful protection; therefore, all businesses should have them implemented, either in-house or with the assistance of a trusted third-party IT provider.
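The three records above are plain DNS TXT strings, so they can be sanity-checked before or after publishing. The following Python is an example added for this guide (it is not code from the page's author or from any product the page mentions): it evaluates a simplified SPF record against a sending IP, reviews a DMARC record for the gaps a defender would care about (no policy, `p=none`, no report address, partial `pct`), and checks DMARC identifier alignment. The sample records for `example.com` are constructed, and anything needing a DNS lookup (`include`, `a`, `mx`, `redirect=`) is reported as unresolved rather than guessed.

```python
"""Offline sanity checks for SPF and DMARC TXT records.

Example code added for this guide, not the page author's or a vendor's tooling.
The records are constructed sample values for the placeholder domain example.com.
"""
from __future__ import annotations

import ipaddress

# Constructed sample TXT records a domain owner might publish.
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:_spf.example.net -all"
SIMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 -all"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100; adkim=r; aspf=r"

# SPF qualifier prefix -> result name.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Work out the SPF result a receiver would give a connecting IP.

    Only ip4, ip6 and all are evaluated. Mechanisms that need DNS and the
    redirect= modifier make the answer "unresolved" rather than a guess.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"              # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    skipped_dns = False
    for term in terms[1:]:
        qualifier = "+"                 # an unprefixed mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if "=" in name:                 # modifier such as redirect= or exp=
            skipped_dns |= name.lower().startswith("redirect=")
            continue
        name = name.split("/")[0].lower()   # drop a CIDR suffix on a/mx
        if name == "all":
            return "unresolved" if skipped_dns else QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"      # malformed address: the record is broken
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name in DNS_MECHANISMS:
            skipped_dns = True
        else:
            return "permerror"          # unknown mechanism
    # Nothing matched and there is no "all": RFC 7208 makes that neutral.
    return "unresolved" if skipped_dns else "neutral"


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC record into its tag=value pairs (tags lower-cased)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def review_dmarc(record: str) -> list[str]:
    """Findings a defender would want raised about a DMARC record; empty means none."""
    tags = parse_dmarc(record)
    findings: list[str] = []
    if tags.get("v") != "DMARC1":
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= tag missing or invalid; receivers will ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors: mail failing SPF and DKIM is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports will never arrive")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only a share of failing mail")
    return findings


def identifiers_aligned(header_from: str, authenticated: str, mode: str = "r") -> bool:
    """DMARC alignment between the From: domain and the domain SPF or DKIM authenticated.

    Strict ("s") needs an exact match; relaxed ("r") accepts a subdomain. The last
    two labels stand in for the organisational domain (fine for example.com, not
    for suffixes like co.uk, where a real check uses the Public Suffix List).
    """
    a, b = header_from.lower().rstrip("."), authenticated.lower().rstrip(".")
    if mode == "s":
        return a == b
    org = lambda d: ".".join(d.split(".")[-2:])
    return org(a) == org(b)
```

Run `review_dmarc` on a newly published record before switching from `p=none` to `p=quarantine`; the alignment helper is what turns an SPF or DKIM pass into a DMARC pass, which is why a third-party sender authenticating as its own domain does not protect your From: address.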

Make Use of an AI Solution
To truly protect your business from cyber threats using email as an attack vector, businesses should invest in a solution with multiple layers of security supported by next-generation AI. Often, these solutions have features that protect against gaps in an email provider’s security, including offering a secure email gateway with targeted threat protection and internal email protection. For businesses that are looking to take their security to the next step, it is also possible to have an email security solution that includes web and URL protection, so even if a malicious email does get through the multiple layers of security, the end-user cannot download a malicious file or click a malicious link.

Employee Education and Awareness Training

When considering all security elements, businesses should aim for Defence in Depth, a concept whereby businesses have multiple layers of protection, so if a cybercriminal thwarts one layer, they are stopped by the next. Whilst email security protocols and a comprehensive email security solution that uses AI should stop most attacks, employees must have sufficient security awareness training to detect a potential email attack and know what actions to take to avoid falling victim. The training should be interactive and specific to the business and industry, and employees should be given frequent ‘refresher’ courses to ensure the knowledge is retained. Typically, this will include examples of phishing emails, potentially real-world examples that the email security solution has quarantined or rejected, and a clear policy of how to report a phishing email.

Implement Multifactor Authentication
Whilst low-effort phishing attacks can be easy to spot, a phishing attack launched from a compromised account is far harder to detect, as the email really is ‘from’ a colleague’s account. Accounts can be compromised in various ways; however, typically they are taken over using credential stuffing. This is a form of cyberattack whereby the attacker collects stolen account credentials, typically usernames or email addresses and passwords, and tries them against other services to gain access to further accounts. Credentials exposed in previous data leaks can be purchased on the dark web. One way these attacks can be avoided is by using a unique, complex password for each system, which all employees should be doing. However, multifactor authentication should also be implemented for every user’s email client, as this will stop 99.9% of account compromise attacks.
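Credential stuffing has a recognisable shape in authentication logs: one source address fails against many different accounts, once each, rather than one user failing repeatedly. The following Python is an example added for this guide (not from the page's author or any product it mentions) that flags that pattern and lists the accounts which then logged in successfully from the same source, the ones to treat as possibly compromised. The log lines and their layout are constructed for the example.

```python
"""Flagging credential stuffing in authentication logs.

Example code added for this guide, not from the page's author or any product
it mentions. The log lines are constructed and their layout (timestamp,
result, user=, ip=) is an assumed format, not that of a specific mail server.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 198.51.100.23 tries many different accounts once
# each, the signature of replaying leaked credential pairs; 203.0.113.5 is
# one user mistyping a password, which should not alert.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z FAIL user=alice@example.com ip=198.51.100.23
2024-03-01T08:00:03Z FAIL user=bob@example.com ip=198.51.100.23
2024-03-01T08:00:04Z FAIL user=carol@example.com ip=198.51.100.23
2024-03-01T08:00:06Z FAIL user=dave@example.com ip=198.51.100.23
2024-03-01T08:00:07Z OK user=erin@example.com ip=198.51.100.23
2024-03-01T08:00:09Z FAIL user=frank@example.com ip=198.51.100.23
2024-03-01T08:05:00Z FAIL user=alice@example.com ip=203.0.113.5
2024-03-01T08:05:30Z FAIL user=alice@example.com ip=203.0.113.5
2024-03-01T08:06:00Z OK user=alice@example.com ip=203.0.113.5
"""


def parse_line(line: str) -> tuple[datetime, str, str, str]:
    """Return (timestamp, result, user, source ip) for one constructed log line."""
    ts, result, user, ip = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result,
            user.split("=", 1)[1], ip.split("=", 1)[1])


def detect_stuffing(log: str, threshold: int = 5,
                    window: timedelta = timedelta(minutes=10)) -> dict[str, dict]:
    """Return, per source IP, the evidence that it is testing many distinct accounts.

    An IP is flagged when at least `threshold` different usernames fail within
    `window`. Accounts that then logged in OK from the same IP are listed as the
    ones to treat as possibly compromised; with MFA enforced, the password alone
    would not have been enough for those logins.
    """
    by_ip: dict[str, list] = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_ip[ev[3]].append(ev)
    alerts: dict[str, dict] = {}
    for ip, events in by_ip.items():
        fails = sorted(e for e in events if e[1] == "FAIL")
        # Sliding window over the failures: how many distinct users start here?
        for i, start in enumerate(fails):
            users = {e[2] for e in fails[i:] if e[0] - start[0] <= window}
            if len(users) >= threshold:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "successes": sorted({e[2] for e in events if e[1] == "OK"}),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, "
              f"successful logins for {info['successes']}")
```

The threshold and window are tuning knobs: a shared office NAT address will legitimately show several users, so calibrate against your own baseline before alerting, and treat any success from a flagged source as a reason to revoke sessions and confirm MFA is enforced for that account.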

Looking to Secure Your SMB’s Email?
It can be difficult for SMBs to prioritise cybersecurity in their IT budgets. However, it is essential to ensure the longevity of your business. Email is the number one attack vector, so it should be high on the list of priorities, as secure email can prevent most attacks. As discussed above, to reduce your business’s cyber risk you should adopt defence in depth, so that multiple layers of protection back each other up.
