How to Secure Your Business Email Account in 10 Minutes

Your email account is the master key to your digital life. Reset your password? Goes to email. Verify a new account? Goes to email. Recover access to banking or accounting software? Goes to email.

If a criminal gets into your email, they've got a skeleton key to almost everything. Here's how to lock it down in under 10 minutes.

Step 1: Enable multi-factor authentication (2 minutes)

Go to your email security settings right now and turn on MFA. For Microsoft 365: Admin Center > Azure Active Directory > Security > MFA. For Google Workspace: Admin console > Security > 2-Step Verification.

If you're using a personal Gmail or Outlook for business (which is itself a risk — but that's another article), go to your account's Security settings.

Choose an authenticator app over SMS where possible.

Step 2: Check your recovery options (2 minutes)

Make sure your recovery phone number and backup email are current and actually controlled by you. Criminals who get access to your recovery phone number or backup email can lock you out of your account.

While you're there, review any active sessions. If you see unfamiliar devices or locations accessing your account, revoke their access immediately.

Step 3: Check your email forwarding rules (2 minutes)

This is critically important and often overlooked. A common post-compromise move: criminals set up a forwarding rule that silently sends copies of all your emails to their address. They then watch for passwords, invoices, and sensitive information — sometimes for months.

In Gmail: Settings > See all settings > Forwarding and POP/IMAP. In Outlook: Settings > Mail > Forwarding. Look for any rules you didn't create. Delete them.

Also check your filter rules — criminals sometimes set rules that automatically mark certain emails as read and move them to trash so you never see them.
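As an added example (not part of the original post), here is a small Python audit that flags the two patterns just described in a mailbox rule export: rules that copy mail to an outside address, and rules that mark messages read and bury them. The rule field names are modelled loosely on Microsoft Graph's message rule actions and are an assumption, as are the sample rules, folder names and domains.

```python
"""Audit mailbox rules for the post-compromise patterns described in Step 3.
Rules are plain dicts; the action/condition keys loosely follow the names used by
Microsoft Graph's messageRule resource (an assumption - adapt to your provider's export)."""

OWN_DOMAINS = {"example.com"}   # constructed: domains your business controls
TRASH_FOLDERS = {"deleteditems", "junkemail"}   # hypothetical folder names
SENSITIVE = ("password", "invoice", "payment", "bank", "reset")

def _external(addresses, own_domains):
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in own_domains]

def audit_rule(rule, own_domains=OWN_DOMAINS):
    """Return a list of findings for one rule; an empty list means nothing suspicious."""
    findings = []
    actions = rule.get("actions", {})
    # Pattern 1: copying or redirecting mail to an address outside the organisation.
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        ext = _external(actions.get(key, []), own_domains)
        if ext:
            findings.append(f"{key} sends mail to external address(es): {', '.join(ext)}")
    # Pattern 2: hiding mail - marked read and moved to trash/junk, or deleted outright.
    folder = str(actions.get("moveToFolder", "")).lower()
    hides = bool(actions.get("delete")) or folder in TRASH_FOLDERS
    if hides and actions.get("markAsRead"):
        findings.append("marks messages read and hides them (trash/junk or deleted)")
    # Pattern 3: a hiding rule keyed on words like 'password' or 'invoice' is a red flag.
    conds = rule.get("conditions", {})
    words = [w for k in ("subjectContains", "bodyContains") for w in conds.get(k, [])]
    if hides and any(s in w.lower() for w in words for s in SENSITIVE):
        findings.append(f"hides mail matching sensitive keywords: {', '.join(words)}")
    return findings

def audit_rules(rules, own_domains=OWN_DOMAINS):
    """Map rule name -> findings for every rule that has at least one finding."""
    return {r.get("displayName", "<unnamed>"): f
            for r in rules if (f := audit_rule(r, own_domains))}

SAMPLE_RULES = [   # constructed sample export: one benign rule, two attacker-style rules
    {"displayName": "Receipts", "actions": {"moveToFolder": "Receipts"}},
    {"displayName": ".", "actions": {"forwardTo": ["drop@attacker.example.net"], "markAsRead": True}},
    {"displayName": "..", "conditions": {"subjectContains": ["invoice", "password reset"]},
     "actions": {"markAsRead": True, "moveToFolder": "deleteditems"}},
]

if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES).items():
        print(f"[!] rule {name!r}: " + "; ".join(findings))
```

Rules named with a single dot or a blank name are worth a second look on their own, since they are chosen to be easy to miss in a settings list.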

Step 4: Review connected apps (2 minutes)

Third-party apps connected to your email account can have significant access. Review them and revoke anything you don't recognise or no longer use.

In Gmail: myaccount.google.com > Security > Third-party apps with account access. In Microsoft: myapps.microsoft.com.

Step 5: Set a strong, unique password (2 minutes)

If your email password is shared with any other account, change it now to something unique and strong (16+ characters, generated by a password manager).

Bonus: Enable email authentication for your domain

If you run a business domain, ask your IT provider to configure SPF, DKIM, and DMARC records. These make it much harder for criminals to send phishing emails that appear to come from your domain.

Ten minutes, done. Your email is significantly more secure than it was.

Learn more about securing your digital life at Phishbate →