Business Email Security: How to Protect Your Inbox and Your Revenue
Email Is Your Business’s Front Door, and Most Are Left Wide Open
Email is how your business communicates with clients, sends invoices, authorises payments, and shares sensitive documents. It is also the primary way attackers get in.
The UK Government’s Cyber Security Breaches Survey (DSIT 2025) found phishing behind 85% of the breaches and attacks that businesses identified. A convincing email tricks someone into clicking a link, entering a password, or approving a payment. The average cost of an impactful breach reaches GBP 8,260, and IBM’s 2025 Cost of a Data Breach report puts the average time to identify and contain a breach at 241 days. That means an attacker could have access to your email for roughly eight months before anyone notices.
Only 40% of UK businesses currently use multi-factor authentication on their email (DSIT 2025). That leaves 60% relying on passwords alone to protect their most important communication channel.
Want to know if your email credentials are already exposed? Run a credential exposure check to find out which accounts are at risk, or call 0151 452 3060.
The Three Attack Types That Cost Businesses the Most
Phishing
Modern phishing emails are not the obvious “Nigerian prince” scams of a decade ago. They are fake Microsoft 365 login pages that look identical to the real thing. They are invoices from lookalike domains that differ from a genuine supplier’s by a single character. They are payroll redirection requests that appear to come from your finance director.
Business Email Compromise (BEC)
BEC attacks involve an attacker gaining access to a legitimate email account (or creating a convincing lookalike) and using it to request payments, redirect invoices, or extract sensitive data. These attacks are targeted, patient, and often go undetected until the money has left the account.
Domain spoofing
If your domain does not publish SPF, DKIM, and an enforcing DMARC policy, attackers can send email whose From: address is your business. Your clients receive what looks like a genuine message from you, but it contains a malicious link or a fraudulent payment request. The reputational damage can be severe.
Even if you never work with us, check these two things today
1. Go to MXToolbox DMARC checker and enter your business domain. If the result says “No DMARC record found,” your domain can be spoofed by anyone. A record with p=none is only marginally better: it reports spoofing but does not stop it.
2. Check whether MFA is enabled on every email account in your organisation, not just the directors. One unprotected account is all an attacker needs.
The Technical Controls That Actually Work
SPF, DKIM, and DMARC
These three protocols work together to prove your emails are legitimate and stop attackers from impersonating your domain:
- SPF (Sender Policy Framework): Tells receiving email servers which systems are authorised to send email from your domain.
- DKIM (DomainKeys Identified Mail): Signs outgoing messages with a private key whose public half is published in your DNS, so receivers can verify that the message was sent with your domain’s authority and that its signed headers and body were not altered in transit.
- DMARC (Domain-based Message Authentication, Reporting and Conformance): Tells receiving servers what to do (nothing, quarantine, or reject) when a message fails both SPF and DKIM, or passes them only for a domain that does not match the visible From: address, and sends you aggregate reports showing who is sending email using your domain.
Without these configured correctly, your emails are more likely to land in spam folders, and your domain is vulnerable to spoofing. Setting them up costs nothing. The configuration just needs to be done properly.
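To make the DMARC check above and the record descriptions concrete, here is an added example in Python (not the page’s own tooling) that reads SPF and DMARC TXT records the way a receiving server does and flags the settings that leave a domain spoofable: no record, +all or ?all, p=none, a pct below 100, more than ten DNS lookups, and no reporting address. The sample domains are constructed; paste your own TXT records (from MXToolbox, or `dig +short TXT yourdomain` and `dig +short TXT _dmarc.yourdomain`) into the dictionary passed to `assess()`.

```python
import re

# Added example, not the page's own tooling. Domain names ending in .test
# below are constructed for illustration; spf.protection.outlook.com is the
# real include that Microsoft 365 tenants publish.

# SPF mechanisms and modifiers that cost a DNS query (RFC 7208 section 4.6.4).
SPF_LOOKUP = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(:|=|/|$)", re.I)


def parse_spf(record):
    """Check one SPF TXT record (None means no record was published)."""
    out = {"present": False, "all_qualifier": None, "issues": []}
    if record is None:
        out["issues"].append("no SPF record: receivers cannot tell which servers may send for you")
        return out
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        out["issues"].append("record does not start with v=spf1 and will be ignored")
        return out
    out["present"] = True
    for term in terms[1:]:
        if term.lstrip("+-~?").lower() == "all":
            # A bare 'all' has the default qualifier '+' (pass).
            out["all_qualifier"] = term[0] if term[0] in "+-~?" else "+"
    q = out["all_qualifier"]
    if q is None:
        out["issues"].append("no 'all' mechanism: unlisted senders get a neutral result")
    elif q == "+":
        out["issues"].append("'+all' authorises every host on the internet to send as you")
    elif q == "?":
        out["issues"].append("'?all' is neutral, which is the same as having no policy")
    # More than 10 DNS-querying terms is a permerror, and receivers then treat
    # SPF as failed or absent.
    lookups = sum(1 for t in terms[1:] if SPF_LOOKUP.match(t))
    if lookups > 10:
        out["issues"].append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    return out


def parse_dmarc(record):
    """Check the _dmarc TXT record (None means no record was published)."""
    out = {"present": False, "policy": None, "issues": []}
    if record is None:
        out["issues"].append("no DMARC record: receivers apply no policy and send no reports")
        return out
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # RFC 7489 requires v=DMARC1 to be the first tag.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        out["issues"].append("record must begin with v=DMARC1 and will be ignored")
        return out
    out["present"] = True
    policy = tags.get("p", "").lower()
    if policy in ("none", "quarantine", "reject"):
        out["policy"] = policy
    else:
        out["issues"].append("missing or invalid p= tag: record is ignored")
    if policy == "none":
        out["issues"].append("p=none only monitors: spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        out["issues"].append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if not tags.get("rua", "").startswith("mailto:"):
        out["issues"].append("no rua=mailto: address: you will receive no aggregate reports")
    return out


def assess(records):
    """Combine both checks; 'spoofable' is True unless DMARC enforces a policy."""
    spf = parse_spf(records.get("spf"))
    dmarc = parse_dmarc(records.get("dmarc"))
    # SPF alone only checks the envelope sender. DMARC is what ties SPF or DKIM
    # to the From: address a user actually sees, so enforcement lives there.
    spoofable = dmarc["policy"] not in ("quarantine", "reject")
    return {"spf": spf, "dmarc": dmarc, "spoofable": spoofable}


# Constructed sample records for three made-up domains.
SAMPLES = {
    "enforcing.test": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.test; adkim=s; aspf=s",
    },
    "monitor-only.test": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.test",
    },
    "wide-open.test": {"spf": "v=spf1 +all", "dmarc": None},
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        result = assess(records)
        print(f"{domain}: {'SPOOFABLE' if result['spoofable'] else 'enforced'}")
        for section in ("spf", "dmarc"):
            for issue in result[section]["issues"]:
                print(f"  [{section.upper()}] {issue}")
```

DKIM is deliberately left out of this offline check: verifying it needs the selector from a real message’s DKIM-Signature header (the s= tag) and the public key that selector points to in DNS, neither of which can be read from a pasted record.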
Multi-factor authentication on every account
MFA ensures that a stolen password alone is not enough to access an email account. Microsoft 365 includes MFA at no additional cost, so there is no reason not to enable it on every account today. Prefer the Microsoft Authenticator app over SMS codes, and where you can, use phishing-resistant methods such as FIDO2 security keys or passkeys: one-time codes and simple push approvals can be relayed through a phishing proxy in real time, so they raise the bar without closing the door entirely. Even so, MFA is the single most effective step you can take to prevent email compromise.
Advanced threat protection
Modern email security goes beyond basic spam filters. Advanced threat protection scans attachments in a sandbox before delivery, checks links at the time of click (not just at delivery), and uses behavioural analysis to identify suspicious activity. Microsoft 365 Business Premium includes these capabilities through Microsoft Defender for Office 365 (Plan 1), as Safe Attachments and Safe Links; apply the Standard or Strict preset security policy rather than relying on the built-in defaults.
Business-Class Email Versus Personal Accounts
If anyone in your business is still using a personal Gmail or Outlook.com address for work, you are missing critical security capabilities: centralised admin controls, enforced MFA, email archiving for compliance, and the ability to manage data when someone leaves. Microsoft 365 or equivalent business platforms provide these controls. When configured correctly, they are significantly more secure than personal email setups.
How This Works Alongside Your Existing IT
If you already have an IT provider handling day-to-day support, email security configuration (SPF, DKIM, DMARC, Conditional Access, advanced threat protection) is exactly the kind of specialist work they may not have time or expertise to manage. We work alongside existing IT teams as the security layer, configuring the email controls that close the gaps in your current setup.
What To Do Next
Email security is not optional. With phishing behind 85% of reported attacks and only 40% of businesses using MFA, the gap between where most businesses are and where they need to be is significant, but entirely fixable.
Here is how we help:
- Credential exposure check – See which of your business email accounts are already compromised. If credentials are circulating, your email security is urgent.
- H-Protect Standard (from GBP 55/user/month) – Includes Microsoft 365 security configuration, advanced email threat protection, credential breach monitoring, cloud backup, and quarterly vulnerability scanning. This is the email security baseline that professional services firms need.
- H-Protect Complete (from GBP 89/user/month) – Adds 24/7 security operations centre monitoring, continuous vulnerability management, and security awareness training for your team.
Book your credential exposure check or call 0151 452 3060. We are based in Liverpool and work with businesses across the North West.