Email security can feel prohibitively expensive or complex for small- and medium-sized businesses (SMBs). Rick Goud, Chief Innovation Officer and Co-founder at Zivver, explains why that does not need to be the case and emphasises the importance of comprehensive outbound email protection measures.
Email remains a cornerstone of business communication, especially for small and medium-sized businesses (SMBs). While it offers incredible convenience, it also poses significant security risks. In 2022-23, 32% of UK small businesses reported suffering a breach, with the proportion rising to 59% for medium businesses. Additionally, the UK Cyber Security Breaches Survey 2023 estimated the average annual financial cost of cybercrime at £15,300 per business. For smaller companies this is a huge proportional loss, and one that many cannot afford.
SMBs do face relentless cyberthreats. However, the uncomfortable truth is that over 80% of data leaks are caused by employee behaviour, which shows the role that humans play in data losses, especially email-related incidents. Outbound email security – how your business handles the emails it sends out – is crucial in preventing data breaches, safeguarding sensitive information and maintaining trust with clients and partners. On average, employees spend over two hours per day dealing with 130 business emails, and over 300 billion emails are sent globally every day. This volume increases the attack surface for cybercriminals while also overwhelming staff, leading to security complacency and human error.
With such vast numbers, the potential for security breaches, through the unintended sharing of sensitive data, misaddressed emails, phishing and fraud, is stark. While larger corporations may have the resources to invest heavily in advanced security infrastructures, SMBs often operate under tighter budgets and constraints. Reports from industry watchdogs such as the ICO (Information Commissioner’s Office) indicate that a significant portion of data breaches in the UK are not the result of cyber-attacks such as the malicious deployment of ransomware, but stem from human error and oversight.
Understanding and demystifying email security for SMBs
Outbound email security is often overlooked in favour of inbound security, which focuses on protecting against more ‘prolific’ external threats like phishing and ransomware. However, the risks associated with outbound emails are equally significant. These include data leakage, reputation damage and compliance violations. Data loss occurs when sensitive information is unintentionally shared, leading to potential breaches. Reputation damage can result from sending sensitive information to the wrong recipient, eroding trust in your business, while compliance violations come from failing to protect sensitive data, risking non-compliance with regulations like GDPR, HIPAA or CCPA.
As previously mentioned, the most significant risk in outbound email security is human error. Misuse of BCC (blind carbon copy) is a common mistake, where using CC (carbon copy) instead can expose email addresses to all recipients, leading to privacy violations. There have been several examples of this error in the press, including the Conservative Party and NHS Trusts. Another frequent error is selecting the wrong recipient due to autocomplete features, which can cause sensitive information to be sent to unauthorised parties. Additionally, sending the wrong file or including sensitive information in inadequately protected attachments poses serious risks, and insufficient encryption protocols can lead to emails being accessed during transmission.
Strategies to enhance outbound email security
Enhancing outbound email security requires a multi-faceted approach. Education and training are fundamental. The delivery of training, however, needs evaluating, as traditional training (think annual courses or spontaneous quizzes) is proving ineffective. Instead, there is the opportunity to educate employees in the moment that an incident is about to occur by integrating Data Loss Prevention (DLP) tools into existing workflows. In this way, employees can learn about the risks associated with outbound emails, proper use of BCC and the importance of verifying recipient addresses and attachments before sending whilst they work. In short, training must be adaptable, consistent and tailored to the behaviours of every employee.
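The mistakes described above (CC used where BCC was intended, a recipient picked by autocomplete who has never been emailed before, sensitive content leaving the organisation) are exactly what an in-the-moment DLP prompt checks for. The following is an added illustration, not code from Zivver or the article: a minimal outbound-mail check over a constructed message, assuming an internal domain of example.co.uk, a small list of known contacts and a simple keyword list as the "sensitive data" rule.

```python
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.co.uk"   # assumption: the business's own domain
BULK_THRESHOLD = 10                 # this many visible external recipients suggests CC used instead of BCC
# assumption: addresses the sender has corresponded with before (what a real DLP tool learns over time)
KNOWN_CONTACTS = {"alice@partner.example", "bob@client.example"}
SENSITIVE_RE = re.compile(r"\b(confidential|patient|payroll|passport)\b", re.I)


def check_outbound(raw_message, known_contacts=KNOWN_CONTACTS):
    """Return (kind, message) findings to show the sender before the email leaves; [] means nothing to flag."""
    msg = message_from_string(raw_message)
    findings = []
    # Everyone in To/Cc sees every other address, so count the external ones
    visible = [addr.lower() for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [a for a in visible if not a.endswith("@" + INTERNAL_DOMAIN)]
    if len(external) >= BULK_THRESHOLD:
        findings.append(("bulk-cc", f"{len(external)} external addresses are visible to each other; use BCC"))
    # Autocomplete slips usually surface as a recipient the sender has never written to
    for addr in external:
        if addr not in known_contacts:
            findings.append(("new-recipient", f"{addr} has never been emailed before; verify the address"))
    # Gather text parts and attachment names, for single-part and multipart messages alike
    text, attachments = [msg["Subject"] or ""], []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            text.append(part.get_payload(decode=True).decode(errors="replace"))
    if external and SENSITIVE_RE.search("\n".join(text + attachments)):
        findings.append(("sensitive-content", "sensitive markers in an email leaving the organisation"))
    return findings


# Constructed sample: HR sends a payroll note to nine list members plus two partners, all in To/Cc
CC_LIST = ", ".join(f"member{i}@mail.example" for i in range(9))
SAMPLE = (
    "From: hr@example.co.uk\n"
    "To: alice@partner.example, bob@client.example\n"
    f"Cc: {CC_LIST}\n"
    "Subject: Confidential: payroll update\n"
    "Content-Type: text/plain\n\n"
    "Please find the payroll figures attached.\n"
)
# Constructed sample: a harmless note to a known contact
CLEAN = "From: hr@example.co.uk\nTo: alice@partner.example\nSubject: Lunch\n\nSee you at 1.\n"

if __name__ == "__main__":
    for kind, detail in check_outbound(SAMPLE):
        print(f"[{kind}] {detail}")
```

A real deployment would pull the known-contacts set from the user's sent history and the sensitive-data rules from the organisation's classification policy; the structure of the prompt stays the same.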
Utilising advanced encryption methodologies, over and above those employed by standard email clients, is also crucial when sharing sensitive data, ensuring no one can access emails other than the sender and receiver – not even email security vendors.
Two-factor authentication (2FA) adds another layer of security, preventing unauthorised access to email accounts. Ensuring that 2FA methods are user-friendly encourages widespread adoption among employees. Email archiving and monitoring create an audit trail, essential for compliance and investigating breaches, while monitoring outbound emails can identify patterns indicating potential security issues.
Best practices for SMBs include conducting regular audits of email security solutions and policies to ensure they are current and effective. Developing and maintaining an incident response plan for dealing with email security breaches ensures quick and efficient mitigation. Selecting reputable email service providers and security vendors offering robust security features and compliance support is crucial.
Making outbound email security a priority
Outbound email security is critical for SMBs to prevent data breaches, protect sensitive information and maintain trust with clients and partners. By focusing on reducing human error, implementing reliable security measures and fostering a culture of security awareness, SMBs can significantly enhance their email security posture. Investing in the right tools and training can turn email from a potential vulnerability into a secure and reliable communication channel.