Email has been an integral part of our lives for over 50 years, especially in business communication. Email traffic continues to grow, projected to reach 347.3 billion messages daily.
However, as email use rises, so does cybercrime. In 2022, 39% of UK businesses reported experiencing cyber-attacks.
Since the onset of the pandemic in 2019, email has increasingly become a focal point of security incidents and now features in 80% of breaches.
Here’s what small and medium-sized enterprises (SMEs) need to know about secure email.
Understanding the forms of email attacks is essential to safeguarding your business. These risks fall into two main categories:
The first is cybercriminals: individuals who exploit technology to conduct malicious activities online.
Threat actors may intercept messages during transmission, hack accounts with weak passwords to access inboxes, or send fraudulent messages with deceptive links (phishing).
Their goal is typically to steal files and data for ransom or sale.
The second, perhaps surprisingly, is your own colleagues, who are a significant source of email risk.
A 2022 data breach report indicates that 82% of breaches involve the ‘human element’, suggesting many could be prevented by reducing human error.
Burnout and stress can increase the likelihood of these errors, impacting email security.
43% of cyberattacks target small or medium-sized businesses, yet only 14% are prepared to defend themselves effectively.
SMEs often lack the resources for comprehensive email risk assessments and staff training compared to larger companies.
The impact of a data breach can be more severe for an SME.
The average cost of a breach has risen by 12.7% in recent years. Alarmingly, 60% of small businesses shut down within six months of a hack, unable to recover like their larger counterparts.
Beyond financial damage, businesses have a duty to protect customers' personal information. Trust is crucial for maintaining a strong market position.
Effective cybersecurity strategies should encompass both prevention and response measures.
Although quick responses are vital during an attack, preventative measures significantly reduce the likelihood of incidents — remember, prevention is the best cure.
Regularly updating staff on key cybersecurity principles and potential threats is crucial — ideally on a quarterly or at least annual basis.
Investing in cybersecurity training and awareness can reduce security-related risks by 70%.
The IBM "Cost of a Data Breach" report notes that 19% of breaches stem from compromised credentials.
Employing strong passwords that combine letters, numbers, and symbols without using personal information is a fundamental step in securing email accounts.
Alarmingly, 51% of businesses lack policies for storing or transferring personal information.
With only 31% of employees aware of what email compromise entails, it's likely they aren't using encryption effectively.
Encryption can be seamlessly integrated into daily operations using solutions like Mailock, ensuring secure email communications without hindering productivity.
Implementing two-factor authentication (2FA) ensures that only authorised individuals can access sensitive information.
Authentication methods such as SMS codes, security questions, digital certificates, or biometric verification like fingerprints or facial recognition are robust ways to secure data.
Surprisingly, only 31% of businesses use 2FA, even though it prevents 99.9% of automated attacks.
Sending an email to the wrong person or the wrong attachment to the right person is a common human error in business data compromise.
Being able to revoke emails (block access to them) is a valuable preventative measure to contain potential damage from such mistakes.
Although many email providers offer a recall function, it usually works only when the recipient uses a compatible email provider.
Your response to an email data incident can be crucial in determining the outcome. Swift, compliant actions are essential to contain the issue.
Under UK law, you must report an email breach to the ICO (Information Commissioner’s Office) within 72 hours of discovery.
The 72-hour clock starts as soon as you become aware of the breach, so focus on containing it as much as possible before filing your report.
Assemble key personnel to gather facts. Identify the types of sensitive data involved, the volume of data, and who it concerns.
Determine immediate actions to mitigate damage and protect those affected.
Examples include:
You may need to investigate further to fully understand the extent of the breach; do this while containing the risks you already know about.
Take steps to ensure that compromised personal data does not spread further.
Notify anyone whose data has been affected so they can take protective measures, such as changing passwords.
Document the incident thoroughly: when it occurred, the cause, the data involved, and its extent.
If you cannot contain the situation further or if your 72-hour window is closing, submit your report to the ICO by calling 0303 123 1113.
If you are unsure whether to report after containing the breach, use the ICO’s self-assessment tool to decide.
Developing a robust strategy to guard against cyber risk takes time but is crucial to prevent the worst outcomes.
Daily Number of Emails Worldwide, Statista
Cyber Security Breaches Survey 2022, UK Government
Share of Cyber Security Breaches in the UK, Statista
Human Error is Responsible for 85% of Data Breaches, GRC eLearning
34 Cybersecurity Statistics to Lose Sleep Over in 2020, TechTarget
60% of Small Companies Close Within 6 Months of Being Hacked, Cybersecurity Ventures
Cost of a Data Breach Report, IBM
2021 Brand Trust Report, Edelman
The Impact of Cybersecurity Awareness Training, Pensar
Cyber Security Rules Implemented by UK Businesses, Statista
Prevent 99.9% of Account Attacks with One Simple Action, Microsoft
Personal Data Breach Assessment, ICO
Data Security Incident Trends, ICO
Sabrina McClune, 18.06.24
Sam Kendall, 18.06.24