The Guide to Email Security for Small Businesses

Email remains the primary communication tool for UK businesses of every size — and, consequently, the primary attack vector for cyber criminals. According to the UK Government's Cyber Security Breaches Survey, the vast majority of identified attacks against UK businesses arrive via email, whether as phishing messages, malware-laden attachments, business email compromise attempts, or fraudulent invoice requests.

For small businesses, the threat is particularly acute. Smaller organisations typically have fewer security controls, less staff awareness, and smaller budgets for cyber security — making them attractive targets for attackers who know that a single successful phishing email can yield valuable data, financial transfers, or a foothold for ransomware deployment.

This guide provides a comprehensive overview of email security for UK small businesses, covering the threats you face, the defences available, and a practical roadmap for implementing robust email protection without requiring a specialist security team or an enormous budget.

  • 83% of UK cyber attacks start with a phishing email
  • £25,700: average cost of a successful email attack on a UK SME
  • 3.4bn phishing emails sent globally every day
  • 39% of UK businesses reported a cyber attack in the past 12 months

The Threat Landscape: Understanding Email-Based Attacks

To defend against email threats effectively, you first need to understand the types of attacks you face. Modern email attacks are sophisticated, varied, and increasingly difficult for untrained users to identify.

Phishing

Phishing emails impersonate a trusted entity — a bank, a supplier, a government agency, or a colleague — to trick the recipient into revealing sensitive information, clicking a malicious link, or opening a dangerous attachment. Phishing can be broad and untargeted (sent to thousands of recipients simultaneously) or highly targeted (spear phishing), where the attacker researches their victim and crafts a convincing, personalised message.

Business Email Compromise (BEC)

BEC attacks are among the most financially damaging email threats. The attacker either compromises a legitimate email account or spoofs one to send convincing requests — typically asking for a financial transfer, a change to payment details, or the disclosure of sensitive data. CEO fraud, where an attacker impersonates a senior executive and instructs the finance team to make an urgent payment, is a classic example. UK businesses lost over £50 million to BEC attacks in 2025 alone.

Malware and Ransomware

Malicious attachments — often disguised as invoices, delivery notifications, or shared documents — can install malware on the recipient's device. Ransomware, which encrypts your files and demands payment for the decryption key, is frequently delivered via email. A single employee opening a malicious attachment can compromise your entire network within minutes.

Email attack types by reported prevalence:

  • Phishing (credential theft): 85%
  • Business Email Compromise: 62%
  • Malware attachments: 48%
  • Ransomware delivery: 35%
  • Invoice fraud: 30%

Essential Email Security Controls

Protecting your business email requires a layered approach. No single control is sufficient on its own, but together they provide defence in depth that significantly reduces your risk.

1. Email Authentication (SPF, DKIM, DMARC)

These three protocols prevent attackers from sending emails that appear to come from your domain. SPF specifies which mail servers are authorised to send email from your domain. DKIM adds a cryptographic signature to verify the email has not been tampered with. DMARC ties SPF and DKIM together and tells receiving servers what to do with emails that fail authentication. Every UK business should have all three configured, with DMARC at a p=reject policy for maximum protection.
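As an added example (not code from the original post), this Python snippet checks SPF and DMARC TXT record strings against the recommendations above: a terminating -all, p=reject for the domain and its subdomains, and a rua= address so reports are collected. The record strings are constructed samples; a real check would fetch them from DNS for your domain and _dmarc.yourdomain.

```python
"""Check SPF and DMARC TXT record strings against the recommendations above."""

# Constructed sample records, not real DNS data.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.co.uk"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.co.uk"


def check_spf(txt):
    """Return findings for an SPF record; an empty list means it looks good."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    last = terms[-1].lower()  # the 'all' mechanism decides unmatched senders
    findings = []
    if last in ("+all", "all"):
        findings.append("SPF: '+all' authorises any sender, so the domain is spoofable")
    elif last == "?all":
        findings.append("SPF: '?all' is neutral and gives receivers no guidance")
    elif last == "~all":
        findings.append("SPF: '~all' only soft-fails; use '-all' once all senders are listed")
    elif last != "-all":
        findings.append("SPF: no terminating 'all' mechanism")
    return findings


def check_dmarc(txt):
    """Return findings for a DMARC record; an empty list means p=reject is in place."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append("DMARC: policy is p=%s; aim for p=reject" % (policy or "missing"))
    # Subdomains inherit p= unless an sp= tag overrides it.
    if tags.get("sp", policy).lower() != "reject":
        findings.append("DMARC: subdomain policy is not reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    if int(tags.get("pct", "100")) < 100:
        findings.append("DMARC: pct below 100 applies the policy to only some mail")
    return findings
```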

2. Multi-Factor Authentication (MFA)

MFA is the single most effective control against email account compromise. Even if an attacker obtains a user's password through phishing, they cannot access the account without the second authentication factor. MFA should be mandatory for every email account in your organisation, without exception. The Microsoft Authenticator app or a FIDO2 security key are the recommended methods — SMS-based MFA, while better than nothing, is vulnerable to SIM-swapping attacks.

3. Advanced Threat Protection

If you use Microsoft 365, enable Microsoft Defender for Office 365 (formerly Advanced Threat Protection). This provides Safe Attachments (which detonates attachments in a sandbox to detect malware before delivery), Safe Links (which scans URLs in real-time when clicked, protecting against links that are clean at delivery but weaponised later), and anti-phishing policies that use machine learning to detect impersonation attempts. For Google Workspace users, the Advanced Protection Programme provides similar capabilities.

The NCSC's Email Security Guidance

The National Cyber Security Centre (NCSC) provides comprehensive email security guidance for UK organisations. Key recommendations include: implementing SPF, DKIM, and DMARC with a reject policy; using TLS encryption for email in transit; enabling MFA on all email accounts; training staff to recognise phishing; implementing anti-malware scanning for attachments; and using email filtering to block known malicious senders. The NCSC also provides the free Mail Check service for public sector organisations and recommends that private sector businesses use commercial equivalents to monitor their email authentication configuration.

4. Email Filtering and Anti-Spam

A robust email filtering solution should sit between the internet and your mailboxes, scanning every incoming email for spam, phishing, malware, and other threats before it reaches your users. Most business email platforms include built-in filtering, but dedicated third-party solutions like Mimecast, Proofpoint, or Barracuda provide more advanced detection capabilities, particularly for sophisticated phishing and zero-day threats.

5. Data Loss Prevention (DLP)

DLP policies prevent sensitive data from being sent via email — either accidentally or deliberately. You can configure rules that detect and block emails containing credit card numbers, National Insurance numbers, financial data, or other sensitive information. Both Microsoft 365 and Google Workspace include DLP capabilities that can be configured to warn users, require approval, or block outbound emails that match specified data patterns.
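To make the pattern matching concrete, here is an added example (not from the original post, and not the Microsoft 365 or Google Workspace DLP engine) that scans an outbound message for the two data types named above: payment card numbers, validated with the Luhn check so that order references are not flagged, and UK National Insurance numbers. The sample email is constructed.

```python
"""Outbound-mail content checks for the data types named above: payment card
numbers (Luhn-validated) and UK National Insurance numbers."""
import re

# Constructed sample message, not a real email.
SAMPLE_EMAIL = ("Hi, please charge card 4111 1111 1111 1111 for the deposit. "
                "My NI number is AB 12 34 56 C. Order ref 1234 5678 9012 3456.")

# 13 to 19 digits, optionally separated into groups by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# NINO: two letters (HMRC excludes D, F, I, Q, U, V and some pairs), six digits,
# suffix A-D, with optional spaces between groups.
NINO_RE = re.compile(
    r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]"
    r" ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn check-digit test, used to separate real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return digit strings that look like card numbers AND pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ni_numbers(text):
    return [re.sub(r"\s", "", m.group()).upper() for m in NINO_RE.finditer(text)]


def dlp_verdict(text):
    """Return ('block' | 'allow', findings), mirroring a block-outbound DLP rule."""
    findings = {"card": find_card_numbers(text), "nino": find_ni_numbers(text)}
    verdict = "block" if findings["card"] or findings["nino"] else "allow"
    return verdict, findings
```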

| Security Control | Protects Against | Cost (Microsoft 365) | Implementation Difficulty |
|---|---|---|---|
| SPF, DKIM, DMARC | Domain spoofing, impersonation | Free (DNS configuration) | Medium |
| Multi-Factor Authentication | Account compromise, credential theft | Included in all plans | Easy |
| Defender for Office 365 | Phishing, malware, malicious URLs | £1.50–4.20/user/month | Medium |
| Data Loss Prevention | Accidental data exposure | Business Premium+ plans | Medium |
| Email encryption | Interception of sensitive emails | Business Premium+ plans | Easy |
| Conditional Access | Unauthorised device/location access | Business Premium+ plans | Medium–Hard |
| Security Awareness Training | User error, social engineering | £2–5/user/month | Easy |

Security Awareness Training

Technology alone cannot protect your business from email threats. Your employees are both your greatest vulnerability and your most valuable defence. A well-trained workforce that can recognise and report phishing attempts is more effective than any single technical control.

Security awareness training should be ongoing, not a one-off annual exercise. The most effective programmes combine regular short training modules (five to ten minutes per month), simulated phishing campaigns that test employees with realistic fake phishing emails, immediate feedback when someone clicks a simulated phishing link, and regular reporting on organisational performance so leadership can see where additional training is needed.

  • Staff who can identify phishing (untrained): 40%
  • Staff who can identify phishing (after 3 months of training): 72%
  • Staff who can identify phishing (after 12 months of training): 91%

Incident Response: What to Do When an Attack Succeeds

Despite your best efforts, there is always a possibility that an email attack will succeed. Having a pre-defined incident response plan ensures that you can act quickly to minimise the damage.

If a user clicks a phishing link and enters their credentials:

  • Immediately reset the compromised account's password.
  • Revoke all active sessions.
  • Check for email forwarding rules that the attacker may have created (a common persistence technique).
  • Review the account's recent sent items and deleted items for signs of misuse.
  • Enable or strengthen MFA if it was not already in place.
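The forwarding-rule check is the step most often skipped, so here is an added example (not from the original post) that triages a mailbox's inbox rules. The field names follow the properties that Exchange Online's Get-InboxRule cmdlet reports, but the rule list is constructed sample data and the "persistence" heuristics are this example's own: forwarding or redirecting outside the organisation, hiding the forwarded mail, and blank or one-character rule names.

```python
"""Triage a mailbox's inbox rules for the forwarding tricks described above."""

INTERNAL_DOMAINS = {"example.co.uk"}

# Constructed sample rules. Field names follow the properties Exchange Online's
# Get-InboxRule cmdlet reports; the values are invented for this example.
SAMPLE_RULES = [
    {"Name": "Invoices to accounts", "Enabled": True,
     "ForwardTo": ["accounts@example.co.uk"], "ForwardAsAttachmentTo": [],
     "RedirectTo": [], "DeleteMessage": False, "MarkAsRead": False},
    {"Name": ".", "Enabled": True,
     "ForwardTo": [], "ForwardAsAttachmentTo": [],
     "RedirectTo": ["collector@mail-drop.example"], "DeleteMessage": True,
     "MarkAsRead": True},
    {"Name": "Old newsletter forward", "Enabled": False,
     "ForwardTo": ["me@personal-mail.example"], "ForwardAsAttachmentTo": [],
     "RedirectTo": [], "DeleteMessage": False, "MarkAsRead": False},
]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def triage_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return the reasons a rule looks like attacker persistence (empty = benign)."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons  # disabled rules do nothing; review them separately if needed
    targets = (rule.get("ForwardTo", []) + rule.get("ForwardAsAttachmentTo", [])
               + rule.get("RedirectTo", []))
    external = [t for t in targets if domain_of(t) not in internal_domains]
    if external:
        reasons.append("forwards mail outside the organisation: " + ", ".join(external))
    # Deleting or marking forwarded mail as read hides the activity from the owner.
    if targets and (rule.get("DeleteMessage") or rule.get("MarkAsRead")):
        reasons.append("hides the forwarded mail (DeleteMessage/MarkAsRead)")
    # Blank or single-character names are a commonly reported sign of a rule meant to go unnoticed.
    if len(rule.get("Name", "").strip()) <= 1:
        reasons.append("rule name is blank or a single character")
    return reasons


def suspicious_rules(rules):
    """Map rule name -> reasons for every enabled rule that triggers a check."""
    return {r["Name"]: triage_rule(r) for r in rules if triage_rule(r)}
```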

If a user opens a malicious attachment:

  • Isolate the affected device from the network immediately.
  • Do not shut down the device, as this may destroy forensic evidence.
  • Contact your IT support provider or incident response team.
  • Scan all connected systems for indicators of compromise.

Signs of a Secure Email Environment

  • SPF, DKIM, and DMARC at p=reject across all domains
  • MFA enforced on 100% of email accounts
  • Advanced threat protection scanning all inbound email
  • Regular security awareness training and phishing simulations
  • DLP policies preventing sensitive data leakage
  • Incident response plan documented and tested
  • Email logs monitored for suspicious activity

Signs of a Vulnerable Email Environment

  • No SPF, DKIM, or DMARC records configured
  • MFA not enabled or optional for users
  • Relying solely on built-in spam filtering
  • No security awareness training programme
  • No policies around handling suspicious emails
  • No incident response plan for email compromise
  • Shared passwords or generic email accounts in use

Compliance and Regulatory Requirements

UK businesses have specific regulatory obligations around email security. Under UK GDPR, you must implement appropriate technical and organisational measures to protect personal data — and since email is a primary channel for personal data, this directly requires robust email security. The ICO has taken enforcement action against organisations that suffered data breaches due to inadequate email security, including failures to implement MFA and insufficient phishing protections.

For businesses pursuing Cyber Essentials certification — which is mandatory for government contracts involving sensitive data and increasingly expected by private sector clients — email security controls including anti-malware, access controls, and patch management are assessed as part of the scheme. Cyber Essentials Plus, the higher-level certification, includes a technical audit that specifically tests email security by sending simulated malicious emails to the organisation's users.

UK GDPR Article 32: Security of Processing

Article 32 of UK GDPR requires that organisations implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. For email, this means: encryption of personal data in transit (TLS), access controls including MFA, regular testing and evaluation of security measures, the ability to restore availability and access to personal data promptly in the event of an incident, and a process for regularly reviewing the effectiveness of these measures. Failure to comply can result in fines of up to £17.5 million or 4% of global turnover — a potentially catastrophic sum for any small business.

Building Your Email Security Roadmap

Implementing comprehensive email security does not need to happen overnight. A phased approach allows you to make immediate improvements to your most critical vulnerabilities while building towards a fully secure email environment over time.

Month One (Quick Wins): Enable MFA on all email accounts. Configure SPF if not already in place. Review and remove any unnecessary email forwarding rules. Ensure anti-malware scanning is enabled on your email platform.

Month Two (Authentication): Configure DKIM for all email-sending services. Publish a DMARC record with p=none and begin monitoring reports. Review your email platform's security settings and enable all available protections.

Month Three (Advanced Protection): Enable advanced threat protection (Defender for Office 365 or equivalent). Begin security awareness training for all staff. Move DMARC to p=quarantine.

Month Four and Beyond (Continuous Improvement): Move DMARC to p=reject. Implement DLP policies for sensitive data. Conduct regular simulated phishing campaigns. Review and update policies quarterly. Consider pursuing Cyber Essentials certification to validate your security posture externally.
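The DMARC steps in this roadmap (p=none with monitoring, then p=quarantine, then p=reject) depend on reading the aggregate reports that the rua= address receives. As an added example (not from the original post), this Python snippet parses a constructed report in the RFC 7489 aggregate format, totals passes and failures per sending IP, and only suggests stepping the policy up once nearly all mail is passing; the 98% threshold is this example's assumption, not a figure from the page.

```python
"""Summarise a DMARC aggregate (rua) report to decide the next roadmap step."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout; not a real report.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.co.uk</domain><p>none</p></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>480</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.44</source_ip><count>5</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""

LADDER = ["none", "quarantine", "reject"]


def summarise(report_xml):
    """Return (published policy, {source_ip: {'pass': n, 'fail': n}}, pass rate)."""
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p")
    per_source = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        results = (row.findtext("policy_evaluated/dkim"), row.findtext("policy_evaluated/spf"))
        per_source[ip]["pass" if "pass" in results else "fail"] += count
    total = sum(v["pass"] + v["fail"] for v in per_source.values())
    passed = sum(v["pass"] for v in per_source.values())
    return policy, dict(per_source), (passed / total if total else 0.0)


def next_step(policy, pass_rate, threshold=0.98):
    """Step p=none -> quarantine -> reject only once almost all mail is passing.

    Failing sources are either spoofers (which reject is meant to stop) or
    legitimate senders missing SPF/DKIM; identify which before tightening."""
    if policy not in LADDER or policy == "reject" or pass_rate < threshold:
        return policy
    return LADDER[LADDER.index(policy) + 1]
```

In the sample, 198.51.100.7 sends 15 messages that fail both checks, so the domain stays at p=none until that source is identified as a spoofer or given a working SPF/DKIM setup.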

Protect Your Business Email

Cloudswitched provides comprehensive email security for UK small businesses, from initial configuration of SPF, DKIM, and DMARC through to advanced threat protection, security awareness training, and ongoing monitoring. Do not wait for an attack to expose your vulnerabilities.
