In January, a mid-sized email hosting provider disclosed a breach that had gone undetected for 11 weeks. During that time, attackers had access to mailbox contents, contact lists, and stored attachments for approximately 40,000 accounts.
I spoke to three business owners affected by the breach. Their stories were remarkably similar, and remarkably painful.
The Immediate Fallout
The first thing that happens is confusion. You get a notification from your provider - usually worded in the most reassuring language possible - telling you that "a security incident" occurred. You read it twice, trying to figure out how bad it actually is.
Then the paranoia sets in. What was in your emails? Client contracts with confidential terms. Financial discussions. Personal information. Passwords shared over email (we all know you shouldn't, but everyone does it). Login links. Attachments containing sensitive documents.
One of the business owners I spoke to - a solicitor - had to notify 200 clients that their confidential communications may have been compromised. Some of those communications involved ongoing legal cases. The professional liability implications were staggering.
The Slow-Burn Damage
The immediate breach is bad. What follows is worse.
Credential stuffing. Attackers take the email addresses and passwords from the breach and try them on every other service - banking, social media, cloud storage. Since people reuse passwords, this often works.
Targeted phishing. Armed with real email contents and contact lists, attackers craft incredibly convincing phishing campaigns. "Hey Sarah, following up on the contract we discussed last week..." - except it's not from the person Sarah thinks.
Business email compromise. The attackers know your business relationships, your communication style, your current deals. They use this intelligence to redirect payments, extract information, and manipulate your contacts.
What Determines Your Exposure
Not all email hosting is equally vulnerable. The differences come down to infrastructure decisions that you can evaluate before you choose a provider:
Encryption at rest. Are your stored emails encrypted on the server? If they are, a breach of the server doesn't automatically mean a breach of your content.
Access controls. How does the provider restrict internal access to your data? A good provider has strict access logs, role-based permissions, and principle-of-least-privilege policies.
Patch management. How quickly does the provider apply security updates? The January breach I mentioned exploited a vulnerability that had been patched two months earlier. The provider hadn't applied the update.
Breach detection. 11 weeks undetected. That's not unusual - the industry average for breach detection is still measured in weeks, not hours. Providers with proper intrusion detection systems and security monitoring catch breaches faster and limit the damage.
Choosing With Your Eyes Open
You can't eliminate the risk of a breach entirely. But you can dramatically reduce your exposure by choosing a provider that takes security seriously - not just in their marketing, but in their infrastructure.
Ask about encryption. Ask about their update policy. Ask when their last security audit was. The providers worth trusting will have clear, specific answers. The ones that deflect or speak in vague reassurances are the ones you should avoid.
Your email is the central nervous system of your business. Choose its home carefully.
