Email security and what it means for your small business

July 17, 2019 Hazel Burton

Many of us spend our working lives in our inbox. Email remains one of the most widespread business communication tools – but that also means it’s one of the biggest entry points for cyberattacks.

According to our 2019 CISO Benchmark Report, enterprise security leaders consider email to be the number-one threat vector, and it’s not hard to understand why. Verizon’s annual Data Breach Investigation Report – to which we’re a contributor – found that email is the number one vector for both malware distribution (92.4%) and phishing (96%).

Small businesses are prime targets for attacks

Small and medium-sized businesses are particularly at risk of cyber attack. Unlike large organisations, which have teams dedicated to security, small companies may not even have an in-house IT expert.

We recently ran some Facebook Live chats with former BBC Dragon Piers Linney, where he said:

“Most small businesses are busy building their business and putting out fires, and sometimes they haven’t really thought about security in a holistic way.”

Small businesses rely on employees to stay vigilant against scams and report suspicious activity when they see it. But keeping employees up to speed is never easy. Scammers have far greater resources than small businesses can muster alone, and their methods are shifting all the time.

In a recent survey we ran, we saw that half of small businesses had experienced a breach, and of those, 40% had suffered more than 8 hours of downtime as a result.

Email protection and the law

Protecting the sensitive personal data in your emails makes sense from a business point of view. According to Hiscox, the basic “clean up” costs of a data breach add up to £25,700 every year. But regulations like GDPR may affect your approach to email security, too.

For example, GDPR specifies that personal data should be:

“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage...”

Small businesses should therefore have the appropriate technical measures and processes in place – as well as properly trained staff – to keep their and their clients’ data safe.

Email attacks that small businesses should watch out for

Because protecting against email attacks is difficult and resource-intensive, many small businesses have moved to the cloud.

Managed email services like those offered by Gmail or Microsoft Office 365 are great for small businesses. They offer nearly all the functionality of self-managed email without the cost and hassle of running an email server. But the popularity of such tools means that cyber criminals are increasingly targeting them as platforms from which to launch cyber attacks.

A common technique is the simple phish, where an attacker sends an official-looking email to your employees purporting to be from Google or Microsoft. The email says there’s been some problem with the account and that they need to verify their details using the login page provided. But the website is fake, and once they enter their username and password, criminals have an instant backdoor into your business.

Where scam email goes, malware follows

Phishing emails are often accompanied by malware – either as attachments or via links in the email.

Malware comes in many forms. More than half of malicious files flagged in 2018 came in the form of innocuous documents like PDFs, Word docs or Excel spreadsheets – the kind of files small businesses use every day.

Once opened, these attachments can cause serious damage not only to their host systems, but to a small business’s entire network.

Protect your small business against email attacks

The best defence against email attacks is education. Regular training will keep your employees up to date about typical phishing methods, what to look out for, and how to reduce the risk of a breach.

We have a range of resources dedicated to this topic:

We also recommend a few good security practices:

  1. Run regular phishing exercises. Emulate the latest real-world techniques to educate employees.
  2. Use multi-factor authentication. Reinforce access to your systems by requiring more than one method of verification.
  3. Keep software up-to-date. Vendors constantly patch their products to remove vulnerabilities that hackers can exploit.
  4. Enable DMARC, and other anti-phishing technologies. The DMARC protocol can help to ensure the email sender is who they say they are. And modern anti-phishing software helps identify scams.

And we have a range of products for small businesses to improve email security, protect data, and stay compliant.

Read the Cisco 2019 Email Cyber Security Report now.


About the Author

Hazel Burton

I'm the Marketing Storyteller for IT Security for Cisco's UK & Ireland region. That means I spend most of my time researching what those dastardly hackers are up to, and I also have a lot of conversations with my much cleverer research colleagues, in order to create content which seeks to inform people about the current threat landscape against businesses. IT Security is a subject I'm immensely passionate about, and what's most important to me is helping customers protect their livelihoods, and educating users not to leave the back door open. Outside of Cisco a big part of my life is improvisational comedy - I participate in weekly workshops at The Improvisation Foundation and perform on stage with my lovely fellow workshoppers once a month. Other than that I'm a big nerd when it comes to movies, as my blogs will no doubt unveil.
