Why Email Security Isn’t Set and Forget for Small Business Owners
The other day in Melbourne, I was catching up with a client named Liam, who runs a small homeware brand. Over coffee, he told me how his business had just gone through an “email nightmare.” Several customers called, asking whether his business had changed its bank account details. Each of them had received a message—seemingly from him—asking for payment to a new account. That’s when he realized his email had been compromised.
The feeling of helplessness? He said he still gets chills thinking about it.
Liam’s story is far from rare. According to the Australian Signals Directorate’s (ASD) Cyber Threat Report 2023–24, email compromise is now the most reported cybercrime affecting businesses. And these attacks aren’t always high-tech. In fact, they often rely on the most ordinary, everyday tool in your business: email.
In many of the cases ASD investigated, attackers used “information-stealer” malware to gather credentials from infected devices. Once they got in, they didn’t just poke around—they set up email forwarding rules, impersonated the account owner, and silently siphoned off sensitive business conversations.
I once worked with a global logistics company where, during a security audit, we discovered that over 60% of employees still used the default password “Welcome123.” Worse, many had never enabled multi-factor authentication (MFA). Even more alarming, several email accounts had silent forwarding rules in place, sending copies of every message to unknown third-party inboxes.
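An added example, not code from the original post, showing the kind of check that surfaces those silent forwarding rules: a read-only PowerShell audit of Exchange Online inbox rules and mailbox-level forwarding that point outside your own domains. It assumes the ExchangeOnlineManagement module is installed and you hold a role that can read mailbox settings; the rule-target string format it parses is an assumption noted in the comments.

```powershell
# Added example (not part of the original post): report inbox rules and mailbox
# forwarding in Exchange Online that send copies of mail to external addresses.
# Assumes the ExchangeOnlineManagement module and an admin role able to read
# mailbox settings. Read-only: it reports, it changes nothing.
Connect-ExchangeOnline -ShowBanner:$false

# Domains your tenant owns; any other domain is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-ExternalRecipient {
    param([string]$Recipient)
    # Assumption: rule targets render as "Display Name [SMTP:user@example.com]";
    # mailbox forwarding renders as "smtp:user@example.com". Either way, take the
    # address after "SMTP:" if present, otherwise the whole string.
    if ($Recipient -match 'SMTP:([^\]\s]+)') { $addr = $Matches[1] } else { $addr = $Recipient }
    $domain = ($addr -split '@')[-1].ToLower()
    return ($domain -notin $internalDomains)
}

$props = 'ForwardingSmtpAddress', 'DeliverToMailboxAndForward'
$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -Properties $props) {
    # Mailbox-level forwarding, set via Outlook on the web or by an admin.
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalRecipient $mbx.ForwardingSmtpAddress)) {
        [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName; Type = 'MailboxForwarding'; Rule = '-'
            Target  = $mbx.ForwardingSmtpAddress
            # If the copy is not delivered locally, the owner never sees the mail.
            OwnerLosesCopy = -not $mbx.DeliverToMailboxAndForward
        }
    }
    # Per-mailbox inbox rules; -IncludeHidden also returns rules the UI does not show.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                    Where-Object { $_ }
        $external = $targets | Where-Object { Test-ExternalRecipient ([string]$_) }
        if ($external) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName; Type = 'InboxRule'; Rule = $rule.Name
                Target  = ($external -join '; ')
                # Forward-and-delete is the classic "silent" pattern described above.
                OwnerLosesCopy = [bool]$rule.DeleteMessage
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Treat every hit as a question for the mailbox owner rather than proof of compromise, since staff do legitimately forward to a personal address now and then; the tenant-wide setting that blocks external auto-forwarding lives in the outbound spam filter policy (AutoForwardingMode) if you decide to disallow it outright.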
And no, it’s not just big corporations that are targets. Cybercriminals increasingly focus on small businesses, precisely because they tend to have fewer defenses—and a single attack can be catastrophic.
Take the example of a six-person construction supply company in Perth. They lost over AUD $25,000 to a fake invoice that came from a spoofed supplier email. Since the finance team hadn’t enabled MFA or implemented basic verification protocols, the transfer went through without a second thought.
So what can businesses do?
Let’s start with the obvious: Enable MFA. It’s the simplest way to stop attackers in their tracks, even if your password is stolen. Next, enable email content filtering using platforms like Google Workspace or Microsoft 365—don’t just stick with the default settings. Customize them to your business's risk level.
But the most important line of defense is people.
At a private school we worked with in NSW, we ran a “red team” test—a fake phishing attack disguised as a message from the principal, asking teachers to click a link to join an “emergency meeting.” Within ten minutes, more than half the staff had clicked the link and entered their email credentials. The school was shocked. From that moment on, they implemented hands-on phishing awareness training and started running quarterly simulations.
A few months later, a real phishing email hit their inboxes. This time, a teacher flagged it instantly—and prevented a potential data breach.
As for Liam, we helped him reset his passwords, activate MFA, set up geo-location login restrictions, and add approval workflows for any invoice payments. It may sound like a lot of steps, but as he put it, “At least now I can enjoy my morning coffee in peace.”
Email is your front door in the digital world. You wouldn’t use a rusty lock to secure your storefront—so why trust default settings to protect your clients, your cash, or your company’s reputation?
The truth is, email security isn’t just an IT issue—it’s a business survival issue. Don’t wait until the damage is done. Take 15 minutes today to review your settings, educate your team, and lock the door before someone walks through it.
Because email security was never meant to be “set and forget.” It’s more like brushing your teeth—boring, maybe, but ignore it long enough and you’ll really feel the pain.