Most small businesses assume their email is secure because it’s hosted on Microsoft 365 or Google Workspace. That assumption gets expensive fast. Default filtering blocks obvious spam, but it doesn’t stop the targeted phishing campaigns, business email compromise attempts, and vendor impersonation attacks that make up the majority of successful breaches today.
This post covers what effective email security for a small business actually includes, where Microsoft 365’s built-in tools stop and where you need additional layers, and what a competent managed IT provider should be handling on your behalf.
Default email filtering is not enough. Small businesses need layered protection: authentication records (SPF, DKIM, DMARC), advanced phishing protection, BEC detection, email encryption, and ongoing monitoring. If your MSP isn’t actively managing these, your email environment is likely exposed.
Email security is the set of technologies, processes, and policies used to protect an organization’s email infrastructure from threats including phishing, malware delivery, business email compromise, spam, and unauthorized access. For small businesses, email security covers both inbound threat filtering and outbound controls: authentication records, encryption, data loss prevention, and user-facing protection against social engineering attacks.
Why Email Is Still the Top Attack Vector for Small Businesses
Email isn’t a legacy problem that newer tools have solved. It remains the primary delivery mechanism for the majority of cyberattacks because it works. According to the Verizon 2024 Data Breach Investigations Report, over two-thirds of breaches involve the human element: phishing, stolen credentials, and social engineering. Email is the most common vehicle for all three.
Small businesses are disproportionately targeted for a specific reason: they often have weaker controls than enterprises but handle valuable data (customer records, financial transactions, legal documents, health information) that attackers can monetize or ransom. A law firm with 20 employees is a much softer target than a bank, but it holds equally sensitive material.
What’s Built Into Microsoft 365 vs. What You Actually Need
Microsoft 365 includes Exchange Online Protection (EOP) on every plan: spam filtering, basic malware scanning, and some phishing detection. On Business Premium and above, you also get Microsoft Defender for Office 365 Plan 1, which adds safe links, safe attachments, and anti-impersonation protection. That’s a meaningful baseline, but it has well-documented gaps that attackers actively exploit.
| Capability | M365 EOP (all plans) | Defender for O365 P1 (Business Premium) | What you still need |
|---|---|---|---|
| Spam and bulk filtering | Yes | Yes | Tuning and custom rules |
| Basic malware blocking | Yes | Yes | Sandbox detonation for zero-day payloads |
| Anti-phishing (generic) | Basic | Enhanced | AI-based behavioral detection |
| Safe Links (URL rewrite) | No | Yes | Time-of-click re-evaluation |
| Safe Attachments (sandbox) | No | Yes | Extended detonation window |
| Anti-impersonation (BEC) | No | Yes | Vendor and third-party impersonation detection |
| SPF / DKIM / DMARC enforcement | Partial | Partial | Full DMARC enforcement with reporting |
| Email encryption (S/MIME, OME) | No | No | Requires separate configuration |
| Outbound DLP | No | No | Microsoft Purview or third-party DLP |
| Security awareness training | No | Attack Simulator (basic) | Dedicated phishing simulation platform |
The practical gap is the bottom half of that table. Most small businesses on M365 Business Basic or Standard are running EOP only, roughly equivalent to a locked front door with no alarm system.
The Core Email Security Controls Every Small Business Needs
These aren’t optional extras. They’re the baseline. If any of them are missing from your environment, you have an exploitable gap.
SPF, DKIM, and DMARC records: These DNS-based authentication standards verify that emails claiming to come from your domain actually originate from your servers. Without them, attackers can spoof your domain and send fraudulent emails that look like they came from you, a common tactic in vendor fraud and invoice scams. DMARC enforcement (policy set to “reject”) is the end goal; SPF and DKIM are prerequisites. Many Canadian small businesses have SPF configured but have never moved DMARC beyond “p=none,” which monitors but doesn’t block anything.
Advanced phishing and impersonation detection: Generic anti-phishing rules look for known malicious indicators. Modern attacks use newly registered domains, lookalike URLs, and hijacked legitimate accounts, none of which trigger rule-based filters. AI-based detection that analyzes sender behavior, email patterns, and content anomalies catches what rules miss.
Safe attachments with sandboxing: Attachments are detonated in an isolated environment before delivery. Standard antivirus scans signatures; sandboxing catches zero-day payloads that haven’t been seen before. This is especially important for businesses that regularly receive documents from external parties: accounting firms, law offices, healthcare providers.
Email encryption for sensitive communications: Not every email needs encrypting, but if your business handles personal health information under PHIPA, legal communications, or financial data, you need a mechanism to encrypt specific messages and attachments in transit and at rest. Microsoft 365 Message Encryption (OME) and S/MIME both work, and neither is configured out of the box.
Phishing simulation and user training: Technical controls catch a lot, but not everything. The most effective defence against the emails that get through is a trained user who recognizes the warning signs. Quarterly phishing simulations with targeted training for users who click are standard practice at any well-run MSP. Platforms like KnowBe4, Proofpoint Security Awareness Training, and Microsoft Attack Simulator all handle this at different price points.
Business Email Compromise: The Threat Most Filters Miss
Business email compromise (BEC) is the most financially damaging email threat facing small and mid-market businesses, and it’s the one that standard filters are worst at catching. BEC attacks don’t deliver malware. They use social engineering: impersonating a CEO, CFO, or vendor to request a wire transfer, change a payroll account, or redirect an invoice payment.
According to the FBI Internet Crime Complaint Center (IC3) 2023 Annual Report, BEC resulted in over $2.9 billion USD in reported losses in the United States alone. Canadian businesses face the same threat and report incidents to the Canadian Anti-Fraud Centre (CAFC), which has tracked consistent increases in business fraud losses year over year.
BEC attacks often come from legitimate, compromised email accounts rather than spoofed domains, which means SPF, DKIM, and DMARC alone won’t stop them. Detection requires behavioral analysis: flagging unusual sending patterns, login anomalies, and out-of-character requests. This is why BEC detection needs to be explicitly configured, not assumed.
For a deeper look at how BEC works and how to recognize the warning signs, see our post on What Is Business Email Compromise (BEC).
What Your MSP Should Be Managing for Email Security
If you’re paying a managed IT provider for Microsoft 365 management, email security should be a defined deliverable, not something you have to ask about. Here’s what active management looks like in practice:
- DMARC policy progression: Starting at “p=none” for monitoring, moving to “p=quarantine,” and eventually enforcing “p=reject” as false positives are ruled out. This takes weeks of monitoring, not a one-time configuration.
- Defender for Office 365 policy tuning: Default policies are intentionally permissive. A managed provider tightens safe attachment policies, configures anti-impersonation protection for key executives and vendors, and adjusts link-rewriting settings based on your user workflow.
- Alert monitoring and response: Email security tools generate alerts when suspicious patterns are detected. Someone needs to triage those alerts, investigate potentially compromised accounts, and take action. An unmonitored alert is the same as no alert.
- Phishing simulation cadence: Running simulations quarterly, tracking click rates by department, and assigning targeted training to high-risk users.
- Incident response for compromised accounts: When an account is compromised (and eventually one will be), your MSP should have a defined playbook: revoke sessions, reset credentials, audit mailbox rules for forwarding, check sent items for exfiltration, and notify affected parties under PIPEDA’s breach reporting requirements if personal data was exposed.
Ask your current provider to show you your DMARC policy and the last 90 days of aggregate DMARC reports. If they can’t produce them in under five minutes, email authentication isn’t being actively managed. Free tools like MXToolbox’s DMARC lookup show your current record in seconds, and you can check it yourself right now.
Email Security and PIPEDA: What Canadian Businesses Need to Know
Under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), businesses are required to report breaches that pose a real risk of significant harm to affected individuals and to notify the Office of the Privacy Commissioner of Canada. Email is one of the most common breach vectors: a compromised inbox containing client records, health information, or financial data triggers reporting obligations.
For Ontario healthcare organizations, PHIPA adds additional requirements: health information custodians must implement administrative, technical, and physical safeguards appropriate to the sensitivity of the data. Weak email controls are a direct compliance gap. The Information and Privacy Commissioner of Ontario has issued formal findings against healthcare organizations for exactly this kind of oversight, as the province’s first-ever PHIPA fines demonstrated earlier this year.
PIPEDA breach reporting is not optional. If a phishing attack compromises an employee account containing personal information about clients or employees, you are required to assess whether the breach meets the reporting threshold and document your findings. Email encryption and access controls reduce both the likelihood of a breach and the scope of what gets exposed if one occurs.
How to Assess Your Current Email Security Posture
You don’t need a full security audit to get a baseline read on where you stand. These five checks surface the most common gaps:
- Check your DMARC record: Use MXToolbox’s DMARC lookup to verify your record exists and what policy is set. If it’s “p=none” or missing, your domain can be spoofed.
- Verify your M365 plan: Business Basic and Standard do not include Defender for Office 365. Business Premium does. If you’re not on Business Premium, you’re missing safe links, safe attachments, and anti-impersonation protection.
- Look for suspicious inbox rules: Compromised accounts frequently have forwarding rules set to external addresses or rules that auto-delete specific emails (like security alerts). Review inbox rules for all administrator accounts.
- Test your users: Send a simulated phishing email through Microsoft Attack Simulator or KnowBe4’s free trial. The click rate among staff who have never been trained is typically higher than leadership expects.
- Confirm MFA is enforced on all mailboxes: Multi-factor authentication doesn’t prevent phishing, but it prevents credential theft from resulting in account access. If any mailbox accepts password-only login, it’s one leaked credential away from compromise.
Email security for small business isn’t a product you buy once. It’s a set of ongoing controls: authentication records maintained and enforced, advanced filtering tuned to your environment, users trained and tested, and someone monitoring alerts and responding when something gets through. If your MSP isn’t doing all of this actively, there are gaps in your coverage.
At Balanced+, email security is part of every managed cybersecurity and managed IT engagement we run: Defender for Office 365 configuration and tuning, DMARC implementation and monitoring, phishing simulations, and a defined incident response process for compromised accounts. If you’re not sure where your current email setup stands, reach out for a no-obligation assessment and we’ll tell you exactly what we find.
Frequently Asked Questions
What does email security for small business include?
Effective email security for small business includes spam and malware filtering, anti-phishing protection, email authentication records (SPF, DKIM, DMARC), safe attachment sandboxing, email encryption for sensitive communications, and phishing simulation training for staff. Most small businesses on standard Microsoft 365 plans have only basic filtering in place and are missing several of these layers.
Is Microsoft 365 email secure enough for small businesses?
Microsoft 365’s built-in protection (Exchange Online Protection) is a reasonable baseline for spam and known malware, but it has significant gaps for targeted phishing, business email compromise, and zero-day attachment threats. Microsoft 365 Business Premium adds Defender for Office 365, which closes most of those gaps. Businesses on Basic or Standard plans are running minimal protection and should consider upgrading or adding a third-party email security layer.
What is DMARC and does my small business need it?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS record that tells receiving mail servers what to do with emails that fail authentication checks: monitor, quarantine, or reject them. Without DMARC enforcement, attackers can send emails that appear to come from your domain, enabling vendor fraud and impersonation attacks. Every business that uses email should have SPF, DKIM, and DMARC configured, with DMARC ultimately set to “reject.”
How much does email security cost for a small business in Canada?
Microsoft 365 Business Premium, which includes Defender for Office 365, runs approximately CAD $28 to $32 per user per month. Dedicated phishing simulation platforms like KnowBe4 add roughly $15 to $25 per user per year at small-business pricing. A managed provider handling configuration, monitoring, and incident response typically bundles email security into a broader managed IT or cybersecurity contract, which is often more cost-effective than licensing tools independently.
Sources
- Data Breach Investigations Report 2024, Verizon, 2024
- Internet Crime Report 2023, FBI Internet Crime Complaint Center (IC3), 2023
- Canadian Anti-Fraud Centre, Government of Canada
- Personal Information Protection and Electronic Documents Act (PIPEDA), Office of the Privacy Commissioner of Canada
- Information and Privacy Commissioner of Ontario, IPC Ontario
- DMARC Lookup Tool, MXToolbox
