Every email security guide I've ever read seems to be written for companies with 500+ employees and a CISO on staff. "Deploy a SIEM." "Implement zero-trust architecture." "Conduct quarterly tabletop exercises."
Cool. I'm a 12-person marketing agency and Dave from accounting is also our IT department. What do I actually do?
This guide is for businesses with 1 to 50 employees. No jargon where it's not needed. Realistic budgets. The stuff that actually matters, in order of impact.
First: why small businesses should care more, not less
There's a dangerous assumption that attackers only go after big companies. The opposite is often true. Verizon's 2024 Data Breach Investigations Report found that 43% of data breaches involve small and medium businesses. Attackers know that smaller companies have weaker defences and less ability to recover.
The UK's Cyber Security Breaches Survey 2024 found that 50% of businesses reported a cyber attack or security breach in the previous 12 months. For small businesses (10-49 employees), the average cost of the single most disruptive breach was £3,770 — but that average hides the outliers. Some lost tens of thousands.
And email is the #1 attack vector. It's not close.
The 5 things that actually matter
I've ranked these by impact per effort. Do them in this order.
1. Use a proper business email on a custom domain
Cost: £5-12/user/month (Google Workspace or Microsoft 365)
Effort: A few hours to set up
Impact: High
If your team is using [email protected] or [email protected] for business email, stop. Not because free email is insecure — Gmail's spam filtering is excellent — but because:
- You can't enforce security policies across personal accounts
- You can't set up SPF, DKIM, and DMARC (more on this in a second)
- When someone leaves, their email goes with them — including client communications
- It looks unprofessional, which makes phishing easier (clients can't distinguish real from fake)
Google Workspace Business Starter is £5.75/user/month. Microsoft 365 Business Basic is £4.50/user/month. For a 10-person company, that's under £60/month. This is the foundation everything else builds on.
What to do right now: If you're already on Google Workspace or Microsoft 365, you're fine. If not, migrate. Both offer straightforward setup wizards. You'll need access to your domain's DNS settings.
2. Turn on MFA for every account
Cost: Free
Effort: 30 minutes per person
Impact: Very high
Multi-factor authentication should be mandatory for every employee, on every business account. Not optional. Not "encouraged." Mandatory. Enforce it at the admin level so nobody can skip it.
In Google Workspace: Admin Console → Security → Authentication → 2-Step Verification → set to "Enforced."
In Microsoft 365: Microsoft Entra admin centre → Protection → Security defaults → Enable. Or use Conditional Access policies for more control.
Use authenticator apps (Google Authenticator, Microsoft Authenticator, Authy) rather than SMS where possible. If you want maximum protection, invest in hardware security keys — a YubiKey costs about £25 per person and lasts years.
The one thing people get wrong: They enable MFA for email but forget about other accounts — cloud storage, accounting software, CRM, social media. If any of those use the same password as email (they shouldn't, but they often do), they're attack vectors too.
3. Set up SPF, DKIM, and DMARC
Cost: Free (but takes some DNS knowledge)
Effort: 1-3 hours, then monitoring
Impact: High (protects your domain from being spoofed)
These three DNS records prevent attackers from sending emails that appear to come from your domain. Without them, anyone can email your clients pretending to be you.
If you're on Google Workspace or Microsoft 365, both provide guides for setting these up:
- SPF: A TXT record listing which servers can send email for your domain
- DKIM: Google Workspace and M365 both generate DKIM keys — you publish the public key in DNS
- DMARC: Start with `v=DMARC1; p=none; rua=mailto:[email protected]` to collect reports, then move to `p=quarantine` and eventually `p=reject`
Don't jump straight to p=reject. Spend a few weeks in monitoring mode first. You might discover that your invoicing software, email marketing platform, or CRM also sends email from your domain — and you need to make sure those are covered by SPF and DKIM before you start rejecting failures.
Free tools to help: dmarcian has a free tier for small domains. DMARC Analyzer offers free lookups. MXToolbox checks everything at once.
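To make the three-stage DMARC rollout and the "is my SPF actually covering everyone" check concrete, here is an added example (my own code, not from the post or from Google/Microsoft) that sanity-checks SPF and DMARC TXT records offline and advances a DMARC record one rollout step. The sample records, the `example.com` domain and the `dmarc-reports@` address are constructed; paste in the TXT values you actually publish.

```python
"""Offline sanity checks for SPF and DMARC TXT records.

Added example, not code from the original post. Sample records below are
constructed; substitute the TXT values published for your own domain.
"""
import re

# Constructed sample records (example.com is a placeholder domain).
WEAK_SPF = "v=spf1 include:_spf.google.com +all"
GOOD_SPF = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all"
MONITOR_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

# Mechanisms that cost a DNS lookup under the SPF limit of 10 (RFC 7208).
_LOOKUP_MECH = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into a tag dictionary; reject anything not DMARC1."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    return tags


def dmarc_findings(record: str) -> list[str]:
    """Describe where a DMARC record sits in the none -> quarantine -> reject rollout."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= tag missing or invalid (must be none, quarantine or reject)")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    if policy == "none":
        findings.append("monitoring mode: spoofed mail is still delivered; review reports before tightening")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct != "100":
        findings.append(f"pct={pct}: policy applies only to {pct}% of failing mail")
    return findings


def tighten(record: str) -> str:
    """Return the record advanced one rollout step (none -> quarantine -> reject)."""
    tags = parse_dmarc(record)
    next_policy = {"none": "quarantine", "quarantine": "reject", "reject": "reject"}
    if tags.get("p") not in next_policy:
        raise ValueError("cannot tighten a record without a valid p= tag")
    tags["p"] = next_policy[tags["p"]]
    return "; ".join(f"{k}={v}" for k, v in tags.items())


def spf_findings(record: str) -> list[str]:
    """Flag the SPF mistakes that quietly undo the record's purpose."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must begin with v=spf1"]
    findings = []
    terminal = terms[-1].lower()
    if terminal in ("+all", "all"):
        findings.append("'+all' authorises every server on the internet; use ~all or -all")
    elif terminal not in ("~all", "-all", "?all") and not terminal.startswith("redirect="):
        findings.append("no terminal 'all' mechanism; append ~all or -all")
    lookups = sum(
        1 for t in terms[1:]
        if _LOOKUP_MECH.match(t.lower()) or t.lower().startswith("redirect=")
    )
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10; SPF evaluates to permerror")
    return findings


if __name__ == "__main__":
    for label, rec in (("weak SPF", WEAK_SPF), ("good SPF", GOOD_SPF)):
        print(label, spf_findings(rec) or ["ok"])
    for label, rec in (("monitoring DMARC", MONITOR_DMARC), ("enforced DMARC", ENFORCED_DMARC)):
        print(label, dmarc_findings(rec) or ["ok"])
    print("next step:", tighten(MONITOR_DMARC))
```

Run it against your own records before each policy change: an SPF that ends in `+all` or exceeds ten lookups gives the record no protective value, and a DMARC record without `rua=` means the monitoring weeks collect nothing.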
4. Train your team (but do it right)
Cost: Free to cheap
Effort: 1 hour quarterly
Impact: Medium-high
"Security awareness training" sounds corporate and boring. It doesn't have to be. Here's what actually works for small teams:
Skip the hour-long compliance videos. Nobody learns from those. Instead:
- Show real examples. Pull up actual phishing emails your company has received (check spam folders — there's gold in there). Walk through what makes them convincing and what gives them away
- Run a 15-minute session quarterly. Brief, recent, relevant. "Here's what's been hitting our inbox. Here's what almost got through. Here's how to spot it"
- Establish a no-blame reporting culture. If someone clicks a suspicious link, you want them to tell you immediately — not hide it because they're embarrassed. Make it clear: reporting is rewarded, not punished. The worst-case scenario isn't someone clicking a bad link — it's someone clicking a bad link and not telling anyone for three weeks
- Create a simple check process. If an email asks you to transfer money, change payment details, or share credentials — verify by a different channel. Call the person. Walk to their desk. Slack them. Don't reply to the email
Free resources: KnowBe4 offers free phishing simulation tests. Google's Phishing Quiz is a fun 5-minute exercise for team meetings. The UK's National Cyber Security Centre has free small business guidance.
5. Have a basic incident plan
Cost: Free
Effort: 2 hours to write, then review annually
Impact: Critical when you need it
You don't need a 50-page incident response playbook. You need a one-page document that answers:
- Who do we call? Designate one person as the go-to for security concerns (even if they're not an expert — they're the coordinator)
- What counts as an incident? Someone clicked a phishing link. Someone sent money to a wrong account. Someone's email was compromised. Unusual login from another country
- What do we do first? Change the compromised password. Revoke active sessions. Check for forwarding rules or delegated access added to the email account. Enable MFA if it wasn't on. Check if the attacker sent emails from the compromised account
- Who needs to know? If customer data was exposed, you may have legal obligations (ICO notification within 72 hours under UK GDPR). If money was transferred, contact your bank immediately — speed matters for recovery
- Where is this document? Not just in email (which might be compromised). Print a copy. Keep one in a shared drive. Make sure everyone knows where it is
The most common post-breach regret I hear from small businesses: "We didn't know what to do, so we didn't do anything for two days." Those two days are when the damage compounds.
Common mistakes (that I see constantly)
Shared passwords. "We all use the same login for the company social media." Every person gets their own credentials. Use a password manager — Bitwarden has a free tier, and their Teams plan is $4/user/month.
No offboarding process. When someone leaves, their access should be revoked the same day. Not next week. Not "when we get around to it." Make a checklist: email, cloud storage, Slack, accounting software, CRM, social media, any shared tools. Every time someone leaves, run the checklist.
Personal email for business. Client contracts in someone's personal Gmail. Invoices sent from Hotmail. When that person leaves (or their personal account gets compromised), you've lost control of business-critical communications.
"We're too small to be a target." You're not. You're the perfect target — small enough to lack defences, large enough to have money worth stealing. Automated phishing campaigns don't check your employee count before targeting you.
Ignoring email forwarding rules. After an email compromise, attackers often set up forwarding rules to quietly copy all incoming mail to an external address. Even after you change the password, the forwarding rule persists. Always check email rules and filters after a suspected compromise.
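The "check for forwarding rules" step in the incident plan above and this last mistake both come down to the same triage: list every rule on the affected mailbox and flag the ones that send mail outside the company. Here is an added example (my own code, not from the post or from any mail provider) that runs that triage over a constructed export. The rule records, their field names and the `example.com` domain are assumptions for illustration; map them onto whatever your admin console or export actually gives you.

```python
"""Triage mailbox rules after a suspected email compromise.

Added example, not code from the original post. The rule records are
constructed and their field names are assumptions, not any vendor's API.
"""

COMPANY_DOMAIN = "example.com"  # assumed company domain

# Constructed sample: rules found on one mailbox after a compromise.
SAMPLE_RULES = [
    {"name": "Newsletter filing", "forward_to": [], "delete": False},
    {"name": "Backup", "forward_to": ["dave.backup@gmail.example"], "delete": True},
    {"name": "Invoices", "forward_to": ["finance@example.com"], "delete": False},
    {"name": "Board mail", "forward_to": ["chair@example.com", "assistant@partner.example"], "delete": False},
]


def is_external(address: str, domain: str) -> bool:
    """True when the address's domain part is not the company domain."""
    local_domain = address.lower().rsplit("@", 1)[-1]
    return local_domain != domain.lower()


def suspicious_rules(rules: list[dict], domain: str = COMPANY_DOMAIN) -> list[tuple[str, list[str]]]:
    """Return (rule name, reasons) for every rule that leaks mail out of the company.

    Two signals: forwarding to an address outside the company domain, and
    deleting the message after forwarding so the owner never sees a copy.
    """
    findings = []
    for rule in rules:
        reasons = []
        external = [a for a in rule.get("forward_to", []) if is_external(a, domain)]
        if external:
            reasons.append(f"forwards to external address: {', '.join(external)}")
        if rule.get("delete") and rule.get("forward_to"):
            reasons.append("deletes mail after forwarding, so the mailbox owner never sees it")
        if reasons:
            findings.append((rule["name"], reasons))
    return findings


def triage_report(rules: list[dict], domain: str = COMPANY_DOMAIN) -> str:
    """Plain-text summary suitable for pasting into the incident record."""
    flagged = suspicious_rules(rules, domain)
    if not flagged:
        return f"{len(rules)} rules checked, none forward outside {domain}"
    lines = [f"{len(flagged)} of {len(rules)} rules need review:"]
    for name, reasons in flagged:
        lines.append(f"  - {name!r}: " + "; ".join(reasons))
    lines.append("Remove these rules, then re-check after the password reset.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(SAMPLE_RULES))
```

Note that the "Board mail" rule is flagged even though it also forwards internally: one external recipient is enough. Run the check again after the password reset and session revocation, since rules survive both.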
The realistic cost breakdown
| Protection | Cost | Notes |
|---|---|---|
| Business email (10 users) | £50-120/month | Google Workspace or M365 |
| MFA | Free | Built into Workspace and M365 |
| SPF/DKIM/DMARC | Free | DNS records, your time to configure |
| Hardware security keys (10) | £250 one-time | Optional but recommended |
| Password manager (10 users) | £0-40/month | Bitwarden free to Teams tier |
| Training | £0-50/quarter | DIY with free resources |
| Total year one | £850-2,500 | Depends on choices |
Compare that to the average cost of a small business breach (£3,770 per the UK government's survey — and that's the average, not the worst case) and the maths is straightforward.