Why “email working” doesn’t mean your business is actually secure

Quick answer: If you can send and receive email, that only proves the delivery plumbing works. It does not prove the right people can access it, that attackers can’t, or that you can recover fast when something goes wrong.

Introduction

Most small businesses judge email by one test: “Can I send and receive?”

That’s like testing a shop’s security by checking the front door opens. Useful, but wildly incomplete.

Email is where your invoices, password resets, customer data, and supplier relationships live. If someone gets into your mailbox, they can do real damage without breaking anything obvious.

Why this topic matters

When email is compromised, it rarely looks like “email is down”. It looks like business as usual.

Attackers want access, not attention. If they can sit inside a mailbox quietly, they can steal data, impersonate you, and redirect money.

For a small business, the impact is brutal because email is the hub for everything else: banking alerts, accounting, client comms, and password resets for other systems.

If you only measure “working”, you miss the things that actually protect you:

  • Identity control (who can sign in, and how)
  • Access control (least privilege and admin safety)
  • Detection (knowing when something is wrong)
  • Recovery (getting back to normal fast)

Core concepts explained

1) “Email working” is a delivery test, not a security test

Delivery is about routing and configuration: mailboxes existing, mail flowing, and things arriving where they should.

Security is about stopping the wrong person reading, sending, forwarding, or deleting your mail.

You can have perfect delivery and terrible security at the same time.

2) Identity is the real front door

In most real-world compromises, attackers don’t “hack email servers”. They log in using stolen credentials.

If your sign-in rules are weak, email becomes the easiest way into the rest of your business.

That’s why multi-factor authentication (MFA) matters. A password alone isn’t a reliable control anymore.

3) Admin access is a different risk level

In a small business, it’s common to have one person who is “the admin” for everything.

If that admin account is compromised, attackers can reset passwords, add forwarding rules, create new users, and weaken security settings. Email will still look “fine” while it happens.

4) Email security is a system, not a setting

Strong email security usually needs these layers working together:

  • Sign-in protection: MFA, strong recovery options, sensible sign-in rules
  • Threat filtering: blocking obvious phishing and malware before it hits inboxes
  • Domain protection: reducing spoofing and impersonation
  • Safe sharing: avoiding emailing passwords or sensitive files around
  • Recovery: ability to restore content if something is deleted or corrupted

A step-by-step way to think about your real risk

This is not a “click here” checklist. It’s a simple way to judge whether your email is actually protected.

Step 1: Ask “How could someone get into a mailbox?”

  • Stolen password (phishing, reused password, breach elsewhere)
  • Weak sign-in controls (no MFA, weak recovery, shared accounts)
  • Lost or stolen device with saved sessions

Step 2: Ask “What could they do without being noticed?”

  • Create hidden forwarding rules to an external address
  • Send believable emails from the real account
  • Search old emails for customer data and supplier details
  • Trigger password resets for other services

Step 3: Ask “How would we spot it quickly?”

If your only “monitoring” is whether email still sends, you won’t spot a quiet compromise.

At minimum, you want a habit of checking for unusual sign-ins, suspicious forwarding, and unexpected changes to security settings.

Step 4: Ask “Can we recover cleanly?”

Recovery isn’t just “change the password”.

You need to remove attacker persistence (for example, forwarding rules), confirm the right people still have access, and restore missing content if mail has been deleted.
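
One way to make the forwarding check in Steps 2 to 4 routine, as an added example that is not part of the original post: a script that reads an export of inbox rules and reports any that send mail outside the business. It assumes the export uses the field names of Exchange Online's Get-InboxRule output with addresses reduced to plain SMTP form; the mailboxes, rules and domains are constructed sample data.

```python
# Added example: flag inbox rules that send mail outside the business.
# Field names follow Exchange Online's Get-InboxRule output; the records,
# addresses and domains below are constructed sample data.
INTERNAL_DOMAINS = {"example-bakery.test"}  # assumption: domains you own

RULES = [  # constructed export, addresses already reduced to plain SMTP form
    {"Mailbox": "accounts@example-bakery.test", "Name": "Newsletters",
     "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False},
    {"Mailbox": "owner@example-bakery.test", "Name": ".",
     "Enabled": True, "ForwardTo": ["inbox-copy@mail-archive.test"],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": True},
    {"Mailbox": "sales@example-bakery.test", "Name": "Cover for leave",
     "Enabled": True, "ForwardTo": [], "RedirectTo": ["Owner@Example-Bakery.test"],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False},
]

FORWARD_FIELDS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")


def is_external(address, internal_domains):
    """True when the address's domain is not one the business owns."""
    domain = address.rpartition("@")[2].strip().lower()
    return domain not in internal_domains


def audit_rules(rules, internal_domains):
    """Return one finding per rule that forwards mail to an outside address."""
    findings = []
    for rule in rules:
        external = sorted(
            addr for field in FORWARD_FIELDS for addr in (rule.get(field) or [])
            if is_external(addr, internal_domains)
        )
        if not external:
            continue
        reasons = ["forwards to external address"]
        if rule.get("DeleteMessage"):
            reasons.append("deletes the original, so the owner never sees it")
        if not rule.get("Enabled", True):
            reasons.append("currently disabled, but still present")
        findings.append({"mailbox": rule["Mailbox"], "rule": rule["Name"],
                         "targets": external, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_rules(RULES, INTERNAL_DOMAINS):
        print(f["mailbox"], repr(f["rule"]), f["targets"], "; ".join(f["reasons"]))
```

An address with no recognisable domain is treated as external, so a malformed entry is reported rather than skipped.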

Examples and scenarios that catch small businesses out

Scenario 1: The shared inbox with one shared password

A team shares one mailbox login “because it’s easier”. Email works fine.

Then one person leaves, or their phone is lost, or the password leaks. You can’t tell who did what, and you can’t remove access cleanly without disrupting everyone.

Scenario 2: The owner has MFA, but the admin account doesn’t

Many businesses protect the owner account and forget the admin account.

Attackers target admin access because it gives them control of everyone else. Email still works while they silently change settings.

Scenario 3: “Invoice hijack” using real email history

An attacker gets into a mailbox and reads a few weeks of conversations.

They learn how you write, when you chase invoices, and who pays what. Then they send a believable email with “new bank details”.

Scenario 4: Spoofing your domain to your customers

Your email can be working perfectly while criminals send emails that look like they came from you.

If you don’t have the right domain protections in place, your customers and suppliers are easier to trick.
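
The post does not name the domain protections it means; assuming they are SPF and DMARC, this added example (not the author's own) reads a domain's two TXT records and lists the gaps that leave spoofed mail unblocked. The record strings and the example-bakery.test domain are constructed samples.

```python
# Added example: do a domain's SPF and DMARC records ask receivers to
# block spoofed mail? The TXT strings below are constructed samples; a real
# check would read them from DNS (<domain> for SPF, _dmarc.<domain> for DMARC).
WEAK = ("v=spf1 include:spf.protection.outlook.com ?all",
        "v=DMARC1; p=none; rua=mailto:dmarc@example-bakery.test")
STRONG = ("v=spf1 include:spf.protection.outlook.com -all",
          "v=DMARC1; p=reject; rua=mailto:dmarc@example-bakery.test")


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; ...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(spf_txt, dmarc_txt):
    """Return plain-English gaps; an empty list means both records enforce."""
    gaps = []
    terms = (spf_txt or "").lower().split()
    if not terms or terms[0] != "v=spf1":
        gaps.append("no SPF record")
    elif not any(t.startswith("redirect=") for t in terms):
        # Only the first 'all' matters: SPF stops at the first matching term.
        alls = [t for t in terms if t.lstrip("+-~?") == "all"]
        if not alls:
            gaps.append("SPF has no 'all' term, so unlisted senders are not failed")
        elif alls[0] in ("all", "+all", "?all"):
            gaps.append(f"SPF ends in {alls[0]}, which fails no sender")
    tags = parse_dmarc(dmarc_txt or "")
    if tags.get("v") != "DMARC1":
        gaps.append("no DMARC record")
    else:
        policy = tags.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            gaps.append(f"DMARC is p={policy or 'missing'}: receivers are not "
                        "asked to block spoofed mail")
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            gaps.append(f"DMARC policy applies to only {pct}% of mail")
    return gaps


if __name__ == "__main__":
    for name, records in (("weak", WEAK), ("strong", STRONG)):
        print(name, assess_domain(*records) or "enforcing")
```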

Scenario 5: “We can’t find those emails” after a mistake

Someone deletes the wrong folder. Or a mailbox gets cleaned up aggressively. Or a sync issue removes items.

Email still sends and receives, but the missing history breaks your business. If you can’t restore reliably, you’re exposed.

Advanced considerations

Stop treating email like a single system

Email security overlaps with identity, devices, and your domain registrar.

A “secure email” setup usually needs the basics to be consistent across all of them.

Don’t confuse retention with backup

Retention can help with accidental deletion. It is not the same as an independent backup you control.

If email history matters to your business, you should understand what your recovery options actually are before you need them.

Make “least privilege” normal

Not everyone needs admin powers. Most people shouldn’t.

Separating day-to-day accounts from admin accounts reduces the blast radius when someone makes a mistake or gets phished.

Write down your recovery path

When something goes wrong, you’ll be stressed and rushed.

Document who can reset what, where recovery codes live, and what “good” security settings look like for your business.

Summary and key takeaways

  • “Email working” proves delivery. It does not prove security.
  • Identity is the real front door. Weak sign-in controls turn email into a breach waiting to happen.
  • Admin compromise is the fastest way to lose control.
  • Email security is layered: sign-in protection, filtering, domain protection, safe sharing, and recovery.

If you want a clean starting point, use the Microsoft 365 Starter Kit to get the fundamentals right first. Then build up from there.

FAQ

Isn’t Microsoft 365 already secure out of the box?

It includes baseline protections, but security depends on how you control sign-ins and admin access, plus how you handle recovery and basic monitoring.

If I have MFA turned on, am I safe?

MFA massively improves security, but it’s not the whole story. You still need to protect admin access, reduce risky habits like shared logins, and make sure you can recover from mistakes.

What’s the biggest mistake small businesses make with email security?

Thinking “it works” means “it’s safe”. The next biggest is using shared accounts and weak sign-in controls.

Do I need complicated security tools?

Not to get started. Most businesses get safer quickly by tightening identity, admin access, and recovery basics, then adding more protection where the risk justifies it.

What does “domain protection” mean in plain English?

It means setting your domain up so other mail systems can tell whether an email claiming to be from you is legitimate. It helps reduce spoofing and impersonation.

Why are shared mailboxes risky?

The shared mailbox feature isn’t the problem. The risk is sharing passwords or using one account as “the team login”. That kills accountability and makes clean access removal harder.

What should I do first if I suspect a mailbox has been compromised?

Act fast: change the password, confirm MFA and recovery methods, check for forwarding rules, and review recent sign-ins. Then assess what data may have been accessed.

How do I know whether our setup is “good enough”?

You want confident answers to: who can sign in, how admin access is protected, how you detect unusual activity, and how you restore if something is deleted or damaged.
