By Nadine Hoogerwerf, Zivver CISO
Despite debuting more than half a century ago, email remains the primary communication channel for businesses the world over. However, it wasn’t designed to be a secure communication platform; it was simply developed as a means of transferring information as quickly as possible. As a result, legislators have sought to address commonly exploited email flaws and better protect sensitive data in transit.
Email security is now a compliance imperative, not just a cybersecurity concern. This sentiment has been echoed by IT Leaders, as globally the secure communication regulatory environment tightens in an effort to tackle malicious threats and the risks related to data loss prevention, human error and security awareness.
Whether it is the Cybersecurity and Resilience Bill in the UK to protect critical infrastructure, HIPAA in the United States for strict patient data protection, or NIS2 mandating cybersecurity for critical infrastructure, the global trend in secure communication is towards stricter, evolving regulations. These demand greater time and investment from companies to avoid non-compliance which means email security is no longer just about protection from cyber threats — it is about ensuring regulatory compliance and embedding security as a cultural norm in the workplace.
The Compliance Gap in Email Security
The primary function of email is speed and convenience, not security, which means it lacks built-in encryption, risk management and access control. We have seen email security repeatedly exploited through phishing and malware attacks, and it is considered the leading cause of outbound data loss through human error. A notable example is the 2021 cyberattack on the UK Electoral Commission, where attackers gained access to the commission’s email servers and exfiltrated sensitive data on 40 million voters. The breach, which remained undetected for over a year, exposed personal information and raised concerns about election integrity. Investigators suggested that the initial compromise was likely due to a phishing attack, highlighting the ongoing risks of unsecured email communications.
With standard email platforms lacking the advanced security needed to address both internal and external threats, 2025 brings with it new regulatory frameworks established in Europe, the UK and the US. These are forcing businesses to close the security gap or risk hefty regulatory fines, legal liabilities for executives under new EU and US laws, reputation damage and a decline in consumer trust.
Key Legislative Requirements for Secure Email Management
While there are variations in regulatory frameworks across regions, legislators worldwide have identified six key pillars requiring immediate attention to achieve email compliance.
- Proactive Risk Management: Organisations must integrate risk assessment, incident response, and continuous monitoring to pre-empt threats and maintain compliance.
- Intelligent Information Classification: Smart classification systems protect sensitive data with tailored security controls.
- Unbreakable Information Transfer: Encryption and traceability ensure confidentiality and prevent tampering.
- Tightened Access Control: Strong authentication measures like MFA limit access to verified individuals.
- Culture of Cyber Awareness: Regular training helps employees recognise threats and maintain compliance.
- Data Leakage Prevention: AI-driven tools flag and quarantine sensitive emails before breaches occur.
Despite these common regulatory mandates, our own research shows organisations lack visibility into email security risks. This is shared by the 77% of IT leaders who don’t know whether their messages are encrypted. While reinforcing the minimum security procedures is a straightforward way to close the compliance gap, the lack of awareness amongst indicates a startling lack of over insight.
Our report also uncovered an alarming lack of transparency when it comes to reporting email related incidents. While IT Leaders estimate that only 34% of outbound email incidents are formally reported, many employees handle mistakes informally, with 56% of employees admitting they would not report the incident to that department or their line manager. This severely undermines the integrity of an organisation’s email system, leaving the IT team in the dark and forcing them to play catch up in the event of a breach.
This highlights the value in addressing the cultural issues that lead to a lack of diligent reporting. Improving IT visibility hinges upon a culture of openness and transparency, which can be facilitated through clear reporting channels, a no-blame culture and regular reminders and training about common security pitfalls.
Common vulnerabilities and Making Compliance a Cultural Norm
While employees may seem to be the common denominator in common vulnerabilities, their performance is ultimately shaped by the environment they work in. A majority of employees (54%) agree that email mistakes are caused by time pressures and information overload, with 40% citing too many messages or communications tools. This reinforces the need to change how organisation view security and compliance, which are often seen as burdens.
Key decision-makers must take the initiative to equip employees with the right tools, training and processes to strengthen cyber resilience, ensure compliance and reduce compliance fatigue. When asked what their primary email security focus would be over the next two to three years, almost one-third of IT leaders (31%) said they would prioritise compliance with data protection regulations, and 28% said they would be looking for an “all encompassing” solution for inbound and outbound security. If these measures are combined with a clear and supportive reporting culture, then we can begin to develop a security-first culture fit for the email challenges of 2025.