5 email security mistakes your staff are making today (and how to stop them)

Posted by HTG

Email was invented over 50 years ago. Today, over half the population of the globe uses email. And the number of business and consumer emails sent and received each day is expected to exceed 347 billion in 2023.

But email’s prevalent role in business represents a major risk.

  • 83 percent of UK businesses that identified an attack in the last 12 months suffered a phishing attack.
  • The 2022 IBM study put the average cost of a data breach in the UK at over $5 million.
  • And the attack vectors with the highest average cost were ‘business email compromise’ and ‘phishing.’

So, let’s talk about some of the email security mistakes your employees could be making right now that leave your company exposed (and how to stop them).

To err in email security is human

Email habits can make or break your company’s cybersecurity. Criminals exploit less aware (or less cautious) employees who may:

Use a personal email address for work. Company email is often (or should be) configured with your company’s security in mind. This isn't so with personal domains. Yet employees often transfer materials between work and personal accounts without realising the exposure it brings.

Send an email to the wrong person. This can be simply an embarrassing error, but it can mean a huge breach if sensitive data or information reaches an unintended recipient.

Use cc when it should be bcc. Employees sometimes neglect the privacy of contact information. Bcc protects associates’ contact information or affiliation with your company, especially on impersonal emails such as newsletters or marketing campaigns.

Click the phishing link. Sophisticated scammers impersonate CEOs or make role-based attempts (like a fake bank emailing your finance department). An untrained eye (or a distracted one) could click on a link or attachment.

Email password-protected .zip files. Employees may assume password-protected .zip files secure the information inside. But the encryption offered by most built-in software is weak and susceptible to breaches. Default software does not offer the protection of tailored encryption programs.
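
As an added illustration (not code from the article or from HTG), three of the mistakes above can also be caught by an automated check on outbound mail: personal addresses, large visible recipient lists, and .zip attachments protected with the legacy ZIP password scheme rather than AES. The company domain, the webmail list and the recipient threshold are assumed values, and any encrypted member that is not WinZip AES is treated as legacy.

```python
import io
import zipfile
from email import message_from_string, policy
from email.utils import getaddresses

# Assumed values for this sketch; none of them come from the article.
COMPANY_DOMAIN = "example.co.uk"
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.co.uk"}
MAX_VISIBLE_EXTERNAL = 5  # more external To/Cc recipients than this suggests Bcc

def _addresses(msg, *headers):
    values = [str(v) for h in headers for v in msg.get_all(h, [])]
    return [addr.lower() for _, addr in getaddresses(values) if addr]

def _domain(addr):
    return addr.rsplit("@", 1)[-1]

def zip_uses_legacy_crypto(data):
    """True if a member is flagged encrypted but is not WinZip AES (method 99)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(i.flag_bits & 0x1 and i.compress_type != 99 for i in zf.infolist())

def check_outbound(raw):
    """Return findings for one outbound message given as RFC 5322 text."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    personal = sorted({a for a in _addresses(msg, "To", "Cc", "Bcc")
                       if _domain(a) in PERSONAL_DOMAINS})
    if personal:
        findings.append("personal-address: " + ", ".join(personal))
    external = [a for a in _addresses(msg, "To", "Cc") if _domain(a) != COMPANY_DOMAIN]
    if len(external) > MAX_VISIBLE_EXTERNAL:
        findings.append(f"use-bcc: {len(external)} external recipients visible in To/Cc")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            if zip_uses_legacy_crypto(part.get_payload(decode=True) or b""):
                findings.append(f"weak-zip-encryption: {name}")
        except zipfile.BadZipFile:
            findings.append(f"unreadable-zip: {name}")
    return findings

# Constructed sample message, not taken from the article.
SAMPLE = ("From: sam@example.co.uk\nTo: sam.home@gmail.com\n"
          "Subject: Q3 customer list\n\nFinishing this at home tonight.\n")

if __name__ == "__main__":
    print(check_outbound(SAMPLE))
```

Findings like these are best routed to the reporting procedure described below rather than used to silently block mail, since the check cannot tell an approved recipient from a mistaken one.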

With email security mistakes being so common, how do you account for the human element of email security?

Equip your people for savvy email security

You must embed savvy email security in your company culture. How does this happen?

  • IT bring their expertise. If you want savvy email security, let your IT staff inform the content and approach. They have a handle on the what, when, and how of email cyberattacks and the security that protects your business.
  • Clear security standards. Sometimes employees fail to realise the value of the information they work with. Whether it’s data in a spreadsheet or a customer email address, create awareness around what they need to protect and why.
  • Clear security guidelines. Clear procedures (e.g. materials should never be sent to personal email, no one will ever need your password) make it easier for employees to realise something is amiss.
  • Educate employees. Invest time and resources to train staff (anyone assigned a company email address) on your company’s standards and guidelines. Include positive email practices and phishing red flags in intentional, regular training.
  • Implement phishing simulations. Follow up training with simulations that train employees to look for the odd domains or urgent language that characterise a phishing scam. Make it a habit for employees to second-guess every item that lands in their inbox.
  • Reporting and follow up procedure. Even with training, mistakes happen or rules are ignored. Excellent email security practices include a quick, clear way to report an incident so IT can investigate for a breach and any fallout.

Your goal is to equip employees in every role at every level against malicious attacks and security missteps. These steps aim to create a company comprised of security-minded staff.

Invest the time, effort, and resources to make sure email is a communication aid, not a critical risk factor.
