Encrypt before you send.
Emailing sensitive files in the clear is still the #1 way data leaks from small businesses. Encryption takes thirty seconds and zero training.
Email was never designed to be private. Attachments bounce through multiple mail servers, backups, and spam filters. A single forwarded-to-the-wrong-address email with tax returns, PII, or contracts can become a compliance incident overnight. Encrypting before you send costs you thirty seconds and removes the problem entirely.
What the default exposes
When you email a PDF of someone's tax return to an unencrypted Gmail account, that file sits in multiple places in plain text. If any of those accounts or systems is later compromised, your attachment is exposed. For regulated data — HIPAA, financial records, client SSNs, legal documents — that's a breach in the eyes of most regulators.
Real leaks we've traced
“An accounting firm sent year-end tax returns to a client's Gmail address as unencrypted PDFs.”
Red flag: A year later, the client's Gmail was breached via an unrelated password leak. All the tax returns sat in the inbox. Regulator inquiry ensued.
“A small medical office emailed patient lab results to a referring physician via standard email.”
Red flag: A typo sent the results to the wrong inbox. No encryption, no way to recall. HIPAA breach reported.
What actually works for small teams
- Microsoft 365 Message Encryption — type "encrypt" in the subject and Outlook handles the rest.
- Password-protected PDFs — Acrobat and macOS Preview both support this natively. Share the password via a different channel (text, Signal).
- Secure share links — SharePoint, OneDrive, Google Drive, or Dropbox links with an expiry and a password beat email attachments.
- For very sensitive data, use end-to-end encrypted email (Proton, Tutanota, or configured S/MIME).
We'll turn this on for you.
Microsoft 365 message encryption takes us ten minutes to configure for a client tenant. If it isn't on, ask us.
1. Turn on Microsoft 365 Message Encryption in your tenant (admin action).
2. Train staff: any PDF containing SSNs, financials, medical info, or legal documents gets a password.
3. Send passwords via a different channel than the document — text or Signal, not the same email.
4. For ongoing exchanges, use secure share links with expiry and access control instead of attachments.
5. Add an internal 'encrypt anything sensitive' policy to your data-handling doc.
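One way to back up the "every sensitive PDF gets a password" step with a check before a message leaves, as an added example that is not part of the original page: it parses a raw email and lists PDF attachments that carry no encryption entry. The addresses, filenames and PDF bytes are constructed samples, and the `/Encrypt` scan is a heuristic that shows protection is set, not that the password is strong.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# An encrypted PDF points at its encryption dictionary with an /Encrypt key
# in the trailer or cross-reference stream. Heuristic: scan for that key.
ENCRYPT_KEY = re.compile(rb"/Encrypt\s*(?:\d+\s+\d+\s+R|<<)")


def pdf_is_encrypted(data: bytes) -> bool:
    return ENCRYPT_KEY.search(data) is not None


def unprotected_pdfs(raw_message: bytes) -> list[str]:
    """Return the filenames of PDF attachments that have no /Encrypt entry."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        is_pdf = (part.get_content_type() == "application/pdf"
                  or name.lower().endswith(".pdf"))
        if not is_pdf:
            continue
        data = part.get_payload(decode=True) or b""
        if not pdf_is_encrypted(data):
            flagged.append(name)  # fail closed: anything unproven is flagged
    return flagged


def build_sample() -> bytes:
    """Constructed message: one plain PDF stub and one marked as encrypted."""
    msg = EmailMessage()
    msg["From"] = "staff@example.com"      # constructed address
    msg["To"] = "client@example.org"       # constructed address
    msg["Subject"] = "Year-end documents"
    msg.set_content("Documents attached. Password follows by text message.")
    body = b"%PDF-1.7\n1 0 obj<</Type/Catalog>>endobj\n"
    plain = body + b"trailer<</Root 1 0 R>>\n%%EOF\n"
    locked = body + b"trailer<</Root 1 0 R/Encrypt 2 0 R>>\n%%EOF\n"
    for data, name in ((plain, "tax-return.pdf"), (locked, "tax-return-locked.pdf")):
        msg.add_attachment(data, maintype="application", subtype="pdf", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    print("Unprotected PDF attachments:", unprotected_pdfs(build_sample()))
```
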
Want help securing your business?
Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.