
Cybersecurity Baltimore: 12-Point Email Security Checklist

Email is where critical business activity happens – approvals, payments, client instructions, and sensitive conversations. It is also the most common entry point for cyberattacks.

For Baltimore SMBs and professional services firms, the risk is growing. Attackers target organizations that handle valuable data and financial transactions, knowing a single convincing email can cause serious damage.

That’s why email remains a central focus of cybersecurity in Baltimore.

This checklist helps business owners and IT leads quickly evaluate whether their email security measures meet current threat standards.

The 12-Point Email Security Checklist

Check the questions below to assess whether your current protections meet modern threat standards.

Multi-Factor Authentication (MFA) Enabled

Is MFA required for all email accounts, not just administrators? MFA blocks most account takeover attempts – even when credentials are stolen through phishing or data breaches.

  • App-based authenticators provide stronger protection than SMS
  • MFA should be mandatory for every mailbox, without exception

Advanced Email Filtering in Place

Do you use filtering beyond basic spam protection? Modern attacks routinely bypass traditional spam filters. Advanced email security platforms use behavioral analysis, real-time link scanning, and attachment sandboxing.

These tools are essential for detecting impersonation attempts, weaponized attachments, and sophisticated phishing campaigns.

Email Authentication Protocols Configured

Are SPF, DKIM, and DMARC properly set up and enforced? These protocols prevent attackers from spoofing your domain and impersonating your business. When configured correctly, they:

  • Protect inbound email by validating sender authenticity
  • Protect outbound email by stopping others from using your domain fraudulently

Password Policies Enforced

Are weak, reused, or compromised passwords blocked system-wide? Strong password hygiene significantly reduces credential theft risk. IT consulting in Baltimore includes:

  • Enforced complexity requirements
  • Blocking previously breached passwords
  • Encouraging or requiring a secure password manager for staff

Encryption for Sensitive Communications

Is email encryption used when sending confidential or regulated data? Unencrypted email travels like a postcard – any system that handles it can potentially read it.

Professional services firms handling legal communications, financial records, and personally identifiable information should encrypt sensitive messages to meet compliance and client trust expectations.

Mobile Device Email Security

Are mobile devices accessing email properly secured? Lost or stolen phones should not result in compromised business communications. Ensure:

  • Device encryption is enabled
  • Strong passcodes or biometrics are enforced
  • Remote wipe is available
  • BYOD devices meet minimum security standards

Email Backup and Retention Policies

Can you recover email data after deletion, ransomware, or account compromise? Independent email backups – separate from your primary email platform – are critical for business continuity.

Backups should include emails, contacts, and calendars. Each of these should also be tested regularly to confirm recovery works as expected.

Staff Training on Email Threats

Do employees receive regular training on recognizing and reporting suspicious emails? Technology cannot prevent staff from willingly cooperating with attackers. Ongoing awareness training should:

  • Use current threat examples
  • Encourage reporting without fear of blame
  • Be delivered at least quarterly

Industry data shows that email spoofing was the top phishing attack vector in 2025, accounting for 75% of all phishing-related complaints received by the FBI IC3.

Executive and High-Value Account Extra Protection

Are leadership, finance, and HR accounts more tightly protected? Attackers prioritize accounts with authority and access.

Expert IT support ensures these users have stronger MFA enforcement, more frequent credential reviews, and enhanced monitoring for suspicious activity.

Email Access Monitoring and Alerts

Are suspicious behaviors detected and flagged automatically? Look for alerts tied to:

  • Logins from unusual locations
  • Creation of forwarding rules
  • Bulk email downloads
  • After-hours access from unknown devices
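The four alert types above can be expressed as simple detection rules. This is an added example, not code from the original page or from any mail platform: the event fields, the per-user baseline, the business-hours window, and the bulk threshold are all assumptions, and the log events are constructed.

```python
from datetime import datetime

# Constructed baseline and policy values; field names are hypothetical, not a vendor schema.
KNOWN = {"alice@example.com": {"countries": {"US"}, "devices": {"laptop-01"}}}
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local time (assumed policy)
BULK_THRESHOLD = 500            # messages downloaded per user per hour (assumed)
OWN_DOMAIN = "example.com"

EVENTS = [  # constructed mailbox audit events
    {"time": "2025-03-04T10:12:00", "user": "alice@example.com", "action": "login", "country": "US", "device": "laptop-01"},
    {"time": "2025-03-05T02:41:00", "user": "alice@example.com", "action": "login", "country": "NL", "device": "unknown-7f"},
    {"time": "2025-03-05T02:44:00", "user": "alice@example.com", "action": "new_forwarding_rule", "target": "archive@mail.example.net"},
    {"time": "2025-03-05T02:50:00", "user": "alice@example.com", "action": "download", "count": 300},
    {"time": "2025-03-05T02:55:00", "user": "alice@example.com", "action": "download", "count": 350},
    {"time": "2025-03-05T03:05:00", "user": "alice@example.com", "action": "download", "count": 100},
]

def detect(events, known=KNOWN):
    """Return (user, alert_name) tuples in the order the events trigger them."""
    alerts = []
    downloads = {}  # (user, hour bucket) -> messages downloaded so far
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        user = ev["user"]
        base = known.get(user, {"countries": set(), "devices": set()})
        if ev["action"] == "login":
            if ev["country"] not in base["countries"]:
                alerts.append((user, "unusual_location"))
            if ts.hour not in BUSINESS_HOURS and ev["device"] not in base["devices"]:
                alerts.append((user, "after_hours_unknown_device"))
        elif ev["action"] == "new_forwarding_rule":
            external = not ev["target"].lower().endswith("@" + OWN_DOMAIN)
            alerts.append((user, "forwarding_rule_external" if external else "forwarding_rule_internal"))
        elif ev["action"] == "download":
            key = (user, ts.replace(minute=0, second=0))
            before = downloads.get(key, 0)
            downloads[key] = before + ev["count"]
            # Alert once, at the event that crosses the hourly threshold.
            if before < BULK_THRESHOLD <= downloads[key]:
                alerts.append((user, "bulk_download"))
    return alerts

if __name__ == "__main__":
    for user, name in detect(EVENTS):
        print(user, name)
```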

Verification Procedures for Sensitive Requests

Are high-risk requests verified through a secondary channel? Payment changes, wire transfers, credential requests, and unusual directives should never rely on email alone. Verification should include a phone call using known numbers and in-person confirmation where possible.

Regular Security Audits and Updates

When was your last full email security review? Threats evolve constantly, and configurations drift over time. IT support in Baltimore includes quarterly internal reviews and annual professional cybersecurity assessments – covering technical controls, access permissions, and staff readiness.

Scoring Your Checklist

  • 0-6 items checked: Critical gaps exist. Attackers are likely to exploit weaknesses. Immediate action is needed – especially around MFA, filtering, and training.
  • 7-9 items checked: Basic protection is in place, but there is meaningful room for improvement. Prioritize gaps based on industry risk; professional services firms should focus on encryption and verification procedures.
  • 10-11 items checked: A strong email security posture. Focus on maintaining controls and staying current with evolving threats.
  • 12 items checked: Excellent, comprehensive protection. Continue quarterly reviews to preserve this standard as threats change.

What to Do With Your Results

Use your checklist score to guide clear, practical next steps. The goal is to reduce risk quickly where exposure is highest, then strengthen and maintain your overall email security posture over time.

Address Immediately (If Missing)

  • MFA to prevent account takeover
  • Advanced email filtering to block phishing, impersonation, and malicious attachments
  • Regular staff training so employees can recognize and report threats

Strengthen and Optimize

  • Email authentication protocols to prevent domain spoofing
  • Encryption for sensitive communications, especially for client and financial data
  • Mobile device security for any phone or tablet accessing business email

Maintain and Review

  • Regular security reviews and audits to catch configuration drift
  • Updated training content reflecting current attack methods
  • Routine backup testing to confirm email data can be restored when needed

Why Email Security Matters More for Baltimore Professional Services

Professional services firms face heightened exposure because they:

  • Handle confidential client information
  • Process high-value financial transactions
  • Operate on trust-based advisor relationships that attackers exploit
  • Must meet strict compliance and regulatory obligations
  • Face severe reputational damage after breaches
  • Often lack dedicated in-house cybersecurity teams

Book a Cyber-Risk Consultation Today

Email security requires a layered approach that combines technical controls, clear cybersecurity policies, and trained staff who know how to spot threats.

Book a cyber-risk consultation with us today to find out how our expert IT support in Baltimore can elevate your business.

Frequently Asked Questions

Phishing and business email compromise remain the most common threats, often exploiting weak MFA or poor verification processes.

Yes. Attackers increasingly target smaller organizations because they often lack enterprise-grade protections.

At minimum, quarterly internal reviews and an annual professional assessment are recommended.

Yes. Managed providers can assess gaps, deploy controls, train staff, and maintain ongoing protection.

Keith Wehr


I have led my MSP through decades of evolution—from the early days of break-fix to the sophisticated, proactive monitoring we provide today.
