Email security for small business: stopping BEC and phishing on a budget
A plain-English small-business email security guide focused on the cheap controls that cut business email compromise and phishing risk first.
Read articleSecurity Awareness
Plain-English 2026 buyer guide to the three email-security architectures small businesses actually pick between: built-in Defender or Google Workspace, an API-integrated layer, or a full gateway.
If you're an SMB running Microsoft 365 or Google Workspace and you're deciding what email security to buy in 2026, three architectures are on the table: the built-in tier (Defender for Office 365 or Google Workspace advanced protection), an API-integrated layer that sits behind the platform, and a full gateway that takes over your MX record.
The right answer for most small businesses is not to buy one of the second two first. Configure the built-in tier correctly, then decide whether the mailbox is important enough to add a second layer.
If you're still working through the cheap controls — MFA on every mailbox, a written callback rule for money movement, SPF/DKIM/DMARC on your sending domain, a phishing-reporting workflow — start with email security for small business: BEC and phishing on a budget. This piece is for the buyer past that stage.
The FBI's 2025 IC3 Annual Report still lists business email compromise as one of the most financially damaging online crime categories — 24,768 complaints and $3,046,598,558 in reported losses in the report window.
Sources: FBI BEC overview, FBI 2025 IC3 Annual Report
That's the reason this decision matters. Email is still the workhorse of financial loss for SMBs.
Every SMB email-security decision comes down to a picture: where does the filter sit relative to your mailbox?
The security that ships with your platform. On Microsoft 365 that's Defender for Office 365 (Plan 1 or Plan 2, or Business Premium). On Google Workspace it's the advanced phishing and malware settings plus the Security Sandbox.
Mail flows: sender → Microsoft or Google → Defender / Google filtering → your mailbox. There's no separate box in the path. The filter runs inside the platform you already own.
Sources: Microsoft Defender for Office 365 overview, Google Workspace advanced phishing and malware protection
A third-party product that watches your mailbox after Microsoft or Google delivers the message, using the platform's API. It inspects the mail post-delivery, and can move, quarantine, or annotate it in place without changing MX records.
Mail flows: sender → Microsoft or Google → your mailbox → API layer notices the delivery, inspects, remediates.
This is the newer architecture. It skips the MX cutover, sees what the platform saw plus its own signal, and can re-check messages after delivery (useful for links that weaponize later or accounts that get compromised after receiving a message).
An old-school secure email gateway — Proofpoint, Mimecast, Barracuda, Cisco Secure Email, and others in that pattern. You change your MX record so the internet delivers mail to the gateway first. The gateway filters, then forwards clean mail to your Microsoft or Google tenant.
Mail flows: sender → gateway → Microsoft or Google → your mailbox.
The gateway sits in the mail path. It can block delivery entirely, do heavy inspection before mail reaches the platform, and enforce complex policies. It's also the architecture with the most operational surface: MX cutover, DNS complexity, a separate quarantine, a separate admin console.
The built-in tier is not the free tier. It's the tier you're already paying for or one small license upgrade away.
On Microsoft 365, Defender for Office 365 covers anti-phishing, Safe Links (URL rewriting and time-of-click checks), Safe Attachments (detonation), impersonation protection, and post-delivery investigation. Plan 2 adds Threat Explorer and Attack Simulation Training. Business Premium bundles Plan 1.
Sources: Microsoft Defender for Office 365 Plan 1 vs Plan 2 comparison, Safe Links in Defender for Office 365, Safe Attachments in Defender for Office 365
On Google Workspace, admins can turn on the advanced phishing and malware protection settings — attachment scanning, external image warnings, spoof protection, unauthenticated-sender warnings — and enable the Security Sandbox for pre-delivery attachment detonation on Enterprise Standard and above.
Sources: Google Workspace advanced phishing and malware protection, Google Workspace Security Sandbox
The most common failure I see on the built-in tier is not that it's inadequate. It's that it's off. Safe Links is licensed but not enabled. Attachment sandboxing is available but never turned on. Anti-phishing policies were created once and never tuned.
The first honest question before you buy a third-party product is whether the tier you already own is fully turned on and tuned.
An API layer is the architecture that most modern email-security vendors have moved to. It runs behind Microsoft or Google, inspects mail after delivery, and can remediate in place.
The category exists because:
Where the API layer earns its cost:
Gateways are not obsolete. They're right for a narrower set of buyers than they used to be.
Reach for a gateway when:
Gateways carry operational overhead. MX cutover is a one-time project, but the separate admin console, separate quarantine flow, and separate licensing renewal live with you forever.
Whichever architecture you pick, one control shows up on almost every 2026 cyber-insurance questionnaire: link rewriting, time-of-click URL analysis, and attachment sandboxing on inbound mail.
That's control #15 in the 2026 cyber-insurance questionnaire breakdown. The carrier is asking whether phishing payloads that weaponize after delivery — links that were benign at scan time, attachments that reveal their payload at open time — get caught.
Defender for Office 365 answers this with Safe Links and Safe Attachments. Google Workspace answers it with the advanced phishing/malware settings and the Security Sandbox. Third-party layers (API or gateway) answer it with their own URL detonation and attachment analysis.
Underwriters will accept any of the three, but only if the setting is actually enforced. The deep-dive on control #15 walks through what the questionnaire is really testing and what evidence carriers expect.
For a typical SMB in 2026, the decision looks like this.
Step 1. Are the cheap controls in place? MFA on every mailbox, a callback rule for money movement, SPF/DKIM/DMARC at enforcement, a phishing-reporting workflow. If not, fix those first. Buying advanced filtering while the cheap controls are broken is a common and expensive mistake.
Step 2. Is the built-in tier fully turned on? Defender for Office 365 anti-phishing, Safe Links, Safe Attachments, and impersonation protection enabled and tuned. Google Workspace advanced phishing/malware settings on, Security Sandbox enabled where the license permits.
Step 3. Is the mailbox a high-value target? Any business handling wires, closings, refunds, escrow, or bank-detail changes for clients qualifies. Any regulated vertical (dental, law, accounting, health) qualifies. If yes, evaluate an API-integrated layer.
Step 4. Do you need to block delivery, run heavy compliance inspection, or satisfy a control-language requirement for a specific gateway model? If yes, evaluate a gateway. If no, an API-integrated layer is usually the lower-friction answer.
That's the whole framework. It's not exciting. It's honest.
Most SMB email tenants are on Microsoft 365 or Google Workspace, and the starting layer differs.
On Microsoft 365, the pattern is: Defender for Office 365 first (Plan 1 or Plan 2, or Business Premium's bundled Plan 1), tuned properly. Add an API layer if the mailbox is a high-value target or the carrier wants a named third-party. Reach for a gateway only for compliance or heavy inspection reasons.
On Google Workspace, the pattern is similar: advanced phishing/malware settings on, Security Sandbox where licensed, then the same second-layer question.
The choice between the two email platforms is a separate decision — one this article isn't picking a winner in. Both platforms can be secured to a level that clears standard 2026 cyber-insurance questions. What matters is whether the setting is on and enforced, not the vendor logo.
We're not selling a specific email-security product on this page. We operate the practitioner-side program: tune the built-in tier before recommending anything third-party, evaluate the second-layer question against the client's real threat surface and their cyber-insurance answers, and produce the evidence pack behind whichever architecture the client picks.
The natural companion services are Managed ITDR — identity-layer monitoring for mailbox rules, impossible-travel sign-ins, and OAuth abuse that shows up after a successful phish — and the Cyber Insurance Readiness Sprint that maps the current email posture to the carrier's questionnaire.
If you want a shorter version of this decision compressed to a briefing, book a 30-minute call. We'll walk through the tenant configuration, the answer to control #15, and whether adding a second layer changes your renewal answer.
No. For most 5–200-seat M365 or Google Workspace tenants, the right first step is to configure the built-in tier correctly and add a second layer only when the mailbox is a high-value target or the carrier demands a named third-party. A full MX-redirecting gateway is usually the answer for compliance or industry-specific requirements, not for a typical SMB.
A gateway sits in front of your mailbox by taking over the MX record — mail hits it first, gets filtered, then flows to Microsoft or Google. An API-integrated layer receives mail after Microsoft or Google delivers it, then inspects and remediates in place using the mailbox API. Built-in means the protection that ships with the platform: Defender for Office 365 or Google Workspace advanced protection.
For many small businesses on Microsoft 365, Defender for Office 365 Plan 1 or Plan 2 configured correctly is enough to answer most cyber-insurance questions and stop the common phishing patterns. It becomes not-enough when the mailbox is a high-value target, the business has failed a real BEC attempt, or the Defender features are licensed but not enforced.
Add a third-party layer when the built-in tier is fully turned on and still missing detections, when the business is in a target vertical (law, dental, accounting, wire-fraud-exposed operations), or when the cyber-insurance renewal explicitly asks for link rewriting, time-of-click URL analysis, and attachment sandboxing beyond what the built-in tier is delivering.
Yes. Underwriters ask about DMARC enforcement, link protection and sandboxing, and phishing-resistant MFA on email. Some questionnaires accept Microsoft Defender or Google Workspace advanced protection as an answer to the link-protection and sandboxing question; others want a named dedicated product. Confirm what the carrier accepts before locking in the architecture.
On Microsoft 365, the natural starting layer is Defender for Office 365, tuned properly with anti-phishing, Safe Links, and Safe Attachments. On Google Workspace, the equivalent starting layer is the advanced phishing and malware settings plus the Security Sandbox. In both platforms, the choice to add an API-integrated layer or move to a gateway is a second decision, not the first.
Last updated
July 18, 2026. We refresh this content as the threat landscape and tools evolve.
FAQ
No. For most 5–200-seat M365 or Google Workspace tenants, the right first step is to configure the built-in tier correctly — Defender for Office 365 or Google Workspace advanced protection — and add an API-integrated layer only when the mailbox is a high-value target. A full MX-redirecting gateway is usually the answer for compliance, industry-specific handling, or heavy inbound volume, not for a typical SMB.
A gateway sits in front of your mailbox by taking over your MX record — mail hits it first, gets filtered, then flows to Microsoft or Google. An API-integrated layer receives mail after Microsoft or Google delivers it, then inspects and remediates in place using the mailbox API. Built-in means the protection that ships with the platform: Defender for Office 365 or Google Workspace advanced protection.
For many small businesses on Microsoft 365, Defender for Office 365 Plan 1 or Plan 2 configured correctly is enough to answer most cyber-insurance questions and stop the common phishing patterns. It becomes not-enough when the business is a high-value target, has failed a real BEC attempt, or cannot enforce the Defender features because of licensing gaps.
Add a third-party layer when the built-in tier is fully turned on and still missing detections, when the business is in a target vertical (law, dental, accounting, wire-fraud-exposed operations), or when the cyber-insurance renewal explicitly asks for link rewriting, time-of-click URL analysis, and attachment sandboxing beyond the level the built-in tier delivers.
Yes. Underwriters ask about DMARC enforcement, link protection and sandboxing, and phishing-resistant MFA on email. Some questionnaires accept Microsoft Defender or Google Workspace advanced protection as an answer to the link-protection and sandboxing question; others want a named dedicated product. Confirm what the carrier accepts before locking in the architecture.
On Microsoft 365, the natural starting layer is Defender for Office 365, tuned properly with anti-phishing, Safe Links, and Safe Attachments. On Google Workspace, the equivalent starting layer is the advanced phishing and malware settings plus the Security Sandbox. In both platforms, the choice to add an API-integrated layer or move to a gateway is a second decision, not the first.
Related reading
A plain-English small-business email security guide focused on the cheap controls that cut business email compromise and phishing risk first.
Read articleA practical walkthrough of cyber insurance for first-time SMB buyers in 2026 — what the policy covers, what the questionnaire asks, the controls carriers review, and how to pass the application without overspending.
Read articleThe 22 cyber-insurance underwriting controls carriers ask about in 2026 — what each one asks, why carriers care, and how to answer without overcommitting your stack.
Read article